Microsoftadvanced

How to Set Up Microsoft Autopilot for Windows Device Deployment

Learn how to set up Microsoft Autopilot for zero-touch Windows deployment. IT admin guide covering hardware hash collection, Intune configuration, deployment profiles, and user experience.

10 min readUpdated January 2026

Want us to handle this for you?

Get expert help →

Microsoft Autopilot enables zero-touch deployment of Windows devices. Instead of creating and maintaining custom images, IT can ship factory-sealed devices directly to employees. When powered on, the device automatically configures itself with your organization's settings, apps, and security policies.

Prerequisites

Before setting up Autopilot, ensure your environment meets these requirements:

RequirementDetails
Windows EditionWindows 10/11 Pro, Enterprise, or Education (Home not supported)
IdentityMicrosoft Entra ID (Azure AD) - Cloud-only or Hybrid Join
MDMMicrosoft Intune or compatible MDM service
NetworkInternet access to Microsoft services
LicensingM365 Business Premium, F1/F3, E3/E5, or A1/A3/A5

Step 1: Collect Hardware Hashes

Autopilot identifies devices by their unique hardware hash. There are two ways to collect these:

When purchasing from Dell, HP, Lenovo, or CDW:

  1. Provide your Entra ID Tenant ID to the vendor
  2. Request they upload hardware hashes directly to your tenant
  3. Devices will appear in Intune automatically

Option B: Manual Collection (PowerShell)

For existing devices or testing:

  1. Open PowerShell as Administrator on the target device
  2. Run these commands:
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted
Install-Script -Name Get-WindowsAutopilotInfo -Force
Get-WindowsAutopilotInfo -OutputFile C:\Autopilot.csv

  1. Import to Intune:

  2. Go to Intune Admin Center > Devices > Enrollment

  3. Under Windows Autopilot, select Devices

  4. Click Import and upload the CSV

  5. Allow up to 15 minutes for sync

Step 2: Configure Intune Settings

Enable Automatic Enrollment

  1. Go to Intune Admin Center > Devices > Enrollment > Automatic Enrollment
  2. Set MDM User Scope to All (or a specific group)
  3. Leave MAM User Scope as None

Configure Company Branding (Required)

Autopilot requires company branding or users see a generic Microsoft login:

  1. Go to Entra Admin Center > Company Branding
  2. Upload your company logo
  3. Configure sign-in page text

Step 3: Create a Dynamic Device Group

Create a group that automatically includes Autopilot devices:

  1. Go to Intune Admin Center > Groups > New Group
  2. Group Type: Security
  3. Membership Type: Dynamic Device
  4. Dynamic Query:
(device.devicePhysicalIds -any _ -contains "[ZTDId]")
  1. Save the group

This query automatically captures any device imported into Autopilot.

Step 4: Create a Deployment Profile

  1. Go to Devices > Enrollment > Windows Autopilot > Deployment Profiles
  2. Click Create Profile > Windows PC
  3. Name: e.g., "Standard User-Driven"
  4. Configure OOBE settings:
SettingValue
Deployment ModeUser-Driven (recommended)
Join to Entra ID asEntra ID Joined (or Hybrid)
Microsoft License TermsHide
Privacy SettingsHide
User account typeStandard (security best practice)
  1. Assignments: Assign to the Dynamic Group created in Step 3

Step 5: Configure Enrollment Status Page

The ESP shows deployment progress and can block use until critical apps install:

  1. Go to Devices > Enrollment > Windows Autopilot > Enrollment Status Page

  2. Edit the Default profile

  3. Recommended settings:

  4. Show app and profile progress: Yes

  5. Block device use until apps installed: Yes

  6. Required apps: Select only critical apps (Office, VPN, security agent)

Tip: Don't select all apps or deployment will take hours.

The User Experience

When an employee receives and powers on their device:

  1. User selects region, keyboard, and connects to Wi-Fi
  2. Device contacts Microsoft and identifies the tenant
  3. User sees "Welcome to [Your Company]" with your logo
  4. User signs in with their work email and password (+ MFA)
  5. Enrollment Status Page shows "Setting up your device"
  6. User lands on desktop with apps pre-installed

Troubleshooting

Profile not applying

  • Check Profile Status shows "Assigned" in Autopilot Devices
  • Wait for dynamic group to update
  • Verify company branding is configured

Setup stuck or hanging

  • Press Shift + F10 during OOBE to open Command Prompt
  • Type eventvwr to check logs

Need to reset a device

Delete from all three locations:

  1. Intune Devices (managed object)
  2. Entra ID Devices (identity object)
  3. Autopilot Devices (hash reservation)

Frequently Asked Questions

Find answers to common questions

Microsoft Autopilot is a cloud-based Windows deployment technology that lets IT provision new devices without creating custom images. When users power on a new PC and connect to the internet, Autopilot automatically configures it with corporate settings, apps, and security policies based on their profile.

Autopilot requires Windows 10/11 Pro, Enterprise, or Education (not Home), Microsoft Entra ID (Azure AD), Microsoft Intune or compatible MDM, internet connectivity, and appropriate licensing such as Microsoft 365 Business Premium, F1/F3, or Enterprise E3/E5.

The preferred method is having your OEM/reseller (Dell, HP, Lenovo) upload hardware hashes directly to your tenant when purchasing devices. For existing devices, use the Get-WindowsAutopilotInfo PowerShell script to generate a CSV file, then import it into Intune.

User-Driven mode requires a user to sign in during OOBE and associates the device with that user. Self-Deploying mode requires no user interaction and is ideal for shared devices or kiosks. User-Driven is more common for standard employee laptops.

Initial device setup typically takes 15-45 minutes depending on internet speed, number of apps in the Enrollment Status Page, and policies applied. Complex deployments with many required apps can take longer. Pre-provisioning (White Glove) reduces end-user wait time by doing setup in advance.

Check that the device's hardware hash is imported and the Profile Status shows 'Assigned' in Intune. The dynamic group may need time to update. Ensure company branding is configured in Entra ID, as Autopilot requires it. Delete and re-import the device if issues persist.

Struggling with Microsoft Updates?

Let our team handle Windows patching, updates, and system management so you can focus on your business.

Learn About Patch ManagementExplore Infrastructure Monitoring

Related Articles

How to Cancel Microsoft 365 Subscription (Personal, Family & Business)

Learn how to cancel Microsoft 365 subscription for Personal, Family, and Business plans. Understand refund policies, data retention, and what happens after cancellation.

Read More →

How to Check Microsoft Surface Warranty Status

Learn how to check your Microsoft Surface warranty status online. Find your device serial number, view coverage details, and understand warranty options for repair and replacement.

Read More →

How to Delete a Microsoft Account Permanently (Complete Guide)

Learn how to permanently delete a Microsoft account. Step-by-step guide covering prerequisites, data backup, account closure, and the waiting period for Outlook, Xbox, and OneDrive.

Read More →
Back to Microsoft