Microsoftadvanced

How to Set Up Microsoft Autopilot for Windows Device Deployment

Learn how to set up Microsoft Autopilot for zero-touch Windows deployment. IT admin guide covering hardware hash collection, Intune configuration, deployment profiles, and user experience.

10 min readUpdated January 2025

Microsoft Autopilot enables zero-touch deployment of Windows devices. Instead of creating and maintaining custom images, IT can ship factory-sealed devices directly to employees. When powered on, the device automatically configures itself with your organization's settings, apps, and security policies.

Prerequisites

Before setting up Autopilot, ensure your environment meets these requirements:

RequirementDetails
Windows EditionWindows 10/11 Pro, Enterprise, or Education (Home not supported)
IdentityMicrosoft Entra ID (Azure AD) - Cloud-only or Hybrid Join
MDMMicrosoft Intune or compatible MDM service
NetworkInternet access to Microsoft services
LicensingM365 Business Premium, F1/F3, E3/E5, or A1/A3/A5

Step 1: Collect Hardware Hashes

Autopilot identifies devices by their unique hardware hash. There are two ways to collect these:

When purchasing from Dell, HP, Lenovo, or CDW:

  1. Provide your Entra ID Tenant ID to the vendor
  2. Request they upload hardware hashes directly to your tenant
  3. Devices will appear in Intune automatically

Option B: Manual Collection (PowerShell)

For existing devices or testing:

  1. Open PowerShell as Administrator on the target device
  2. Run these commands: 
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted
Install-Script -Name Get-WindowsAutopilotInfo -Force
Get-WindowsAutopilotInfo -OutputFile C:\Autopilot.csv
  3. Import to Intune:
    • Go to Intune Admin Center > Devices > Enrollment
    • Under Windows Autopilot, select Devices
    • Click Import and upload the CSV
    • Allow up to 15 minutes for sync

Step 2: Configure Intune Settings

Enable Automatic Enrollment

  1. Go to Intune Admin Center > Devices > Enrollment > Automatic Enrollment
  2. Set MDM User Scope to All (or a specific group)
  3. Leave MAM User Scope as None

Configure Company Branding (Required)

Autopilot requires company branding or users see a generic Microsoft login:

  1. Go to Entra Admin Center > Company Branding
  2. Upload your company logo
  3. Configure sign-in page text

Step 3: Create a Dynamic Device Group

Create a group that automatically includes Autopilot devices:

  1. Go to Intune Admin Center > Groups > New Group
  2. Group Type: Security
  3. Membership Type: Dynamic Device
  4. Dynamic Query: 
    (device.devicePhysicalIds -any _ -contains "[ZTDId]")
  5. Save the group

This query automatically captures any device imported into Autopilot.

Step 4: Create a Deployment Profile

  1. Go to Devices > Enrollment > Windows Autopilot > Deployment Profiles
  2. Click Create Profile > Windows PC
  3. Name: e.g., "Standard User-Driven"
  4. Configure OOBE settings:
    Deployment ModeUser-Driven (recommended)
    Join to Entra ID asEntra ID Joined (or Hybrid)
    Microsoft License TermsHide
    Privacy SettingsHide
    User account typeStandard (security best practice)
  5. Assignments: Assign to the Dynamic Group created in Step 3

Step 5: Configure Enrollment Status Page

The ESP shows deployment progress and can block use until critical apps install:

  1. Go to Devices > Enrollment > Windows Autopilot > Enrollment Status Page
  2. Edit the Default profile
  3. Recommended settings:
    • Show app and profile progress: Yes
    • Block device use until apps installed: Yes
    • Required apps: Select only critical apps (Office, VPN, security agent)

Tip: Don't select all apps or deployment will take hours.

The User Experience

When an employee receives and powers on their device:

  1. User selects region, keyboard, and connects to Wi-Fi
  2. Device contacts Microsoft and identifies the tenant
  3. User sees "Welcome to [Your Company]" with your logo
  4. User signs in with their work email and password (+ MFA)
  5. Enrollment Status Page shows "Setting up your device"
  6. User lands on desktop with apps pre-installed

Troubleshooting

Profile not applying

  • Check Profile Status shows "Assigned" in Autopilot Devices
  • Wait for dynamic group to update
  • Verify company branding is configured

Setup stuck or hanging

  • Press Shift + F10 during OOBE to open Command Prompt
  • Type eventvwr to check logs

Need to reset a device

Delete from all three locations:

  1. Intune Devices (managed object)
  2. Entra ID Devices (identity object)
  3. Autopilot Devices (hash reservation)

Frequently Asked Questions

Find answers to common questions

Microsoft Autopilot is a cloud-based Windows deployment technology that lets IT provision new devices without creating custom images. When users power on a new PC and connect to the internet, Autopilot automatically configures it with corporate settings, apps, and security policies based on their profile.

Need Professional Help?

Our team of experts can help you implement and configure these solutions for your organization.

Contact Our TeamView Our Services

Related Articles

How to Cancel Microsoft 365 Subscription (Personal, Family & Business)

Learn how to cancel Microsoft 365 subscription for Personal, Family, and Business plans. Understand refund policies, data retention, and what happens after cancellation.

Read More →

How to Check Microsoft Surface Warranty Status

Learn how to check your Microsoft Surface warranty status online. Find your device serial number, view coverage details, and understand warranty options for repair and replacement.

Read More →

How to Delete a Microsoft Account Permanently (Complete Guide)

Learn how to permanently delete a Microsoft account. Step-by-step guide covering prerequisites, data backup, account closure, and the waiting period for Outlook, Xbox, and OneDrive.

Read More →
Back to Microsoft