Intune Windows Autopilot

Windows Autopilot provisions new PCs straight to the end user with zero IT touch. Here's how it works.

Windows Autopilot is Microsoft's zero-touch provisioning service for new Windows devices. A user opens a sealed box, connects to a Wi-Fi network, signs in with their work account, and a few minutes later the device is fully configured — joined to Entra ID, enrolled in Intune, with policies, apps, and security in place. No imaging server, no IT desk, no engineer-built golden image.

How it works

  1. The device manufacturer (or your IT) registers the device's hardware hash with your tenant during procurement or initial setup.
  2. The user powers on the device for the first time.
  3. Windows OOBE (Out Of Box Experience) launches.
  4. The device looks up its hardware hash against the Autopilot service.
  5. Autopilot pulls down the deployment profile for that device (or device group).
  6. The OOBE is automatically customised — corporate branding, no end-user privacy prompts, no consumer account creation.
  7. The user signs in with their Entra ID account.
  8. The device auto-enrols in Intune, joins Entra ID, and starts pulling configuration profiles, apps, and security baselines.
  9. The Enrolment Status Page (ESP) shows progress; the user waits at this screen until provisioning completes.

A typical first sign-in takes 15–45 minutes depending on profile complexity and network speed.

Autopilot deployment scenarios

  • User-Driven — the most common; user signs in and the device joins their identity.
  • Self-Deploying — kiosk and shared-device scenarios; no user sign-in during provisioning.
  • Pre-Provisioning ("White Glove") — IT provisions the device through ESP, then ships sealed. The user just signs in.
  • Existing device — re-deploy an existing device through Autopilot without re-imaging.

Hardware registration

OEMs (Dell, HP, Lenovo, Surface, others) can pre-register devices at purchase. They upload the hardware hash directly to your tenant — the user opens the box and the device is already known.

For existing devices, the Get-WindowsAutoPilotInfo PowerShell script extracts the hash from a running machine and uploads it.
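Because any device whose hash is registered receives your tenant's deployment profile, it is worth checking a hash CSV before it is imported. The following is an added example, not part of the original article or of Microsoft's script: it validates a CSV using the Autopilot import column names (`Device Serial Number`, `Hardware Hash`, optional `Group Tag`). The function name `Test-AutopilotCsv`, the `-AllowedGroupTags` allow-list, and all sample rows are assumptions constructed for illustration.

```powershell
# Added example: pre-import check of an Autopilot hardware-hash CSV.
# All rows are constructed; real hardware hashes are much longer Base64 strings.
$sampleCsv = @'
Device Serial Number,Windows Product ID,Hardware Hash,Group Tag
SN-CONSTRUCTED-001,,VGhpcyBpcyBhIGNvbnN0cnVjdGVkIGhhc2g=,Sales
SN-CONSTRUCTED-002,,bm90IGEgcmVhbCBoYXNoIGVpdGhlcg==,Sales
SN-CONSTRUCTED-001,,VGhpcyBpcyBhIGNvbnN0cnVjdGVkIGhhc2g=,Kiosk
SN-CONSTRUCTED-003,,%%not-base64%%,Sales
,,ZW1wdHkgc2VyaWFs,Sales
'@

function Test-AutopilotCsv {
    param(
        [Parameter(Mandatory)] [string] $CsvText,
        [string[]] $AllowedGroupTags = @()   # hypothetical allow-list; empty = skip check
    )
    $rows = @($CsvText | ConvertFrom-Csv)
    if ($rows.Count -eq 0) { throw 'CSV contains no device rows.' }
    $columns = $rows[0].PSObject.Properties.Name
    foreach ($name in 'Device Serial Number', 'Hardware Hash') {
        if ($columns -notcontains $name) { throw "Missing required column '$name'." }
    }
    $seen = @{}                                 # serial -> first line it appeared on
    $line = 1                                   # line 1 is the header
    foreach ($row in $rows) {
        $line++
        $serial = "$($row.'Device Serial Number')".Trim()
        $hash   = "$($row.'Hardware Hash')".Trim()
        $issues = @()
        if (-not $serial) { $issues += 'empty serial number' }
        elseif ($seen.ContainsKey($serial)) { $issues += "duplicate of line $($seen[$serial])" }
        else { $seen[$serial] = $line }
        if (-not $hash) { $issues += 'empty hardware hash' }
        else {
            try { $null = [Convert]::FromBase64String($hash) }
            catch { $issues += 'hardware hash is not valid Base64' }
        }
        $tag = "$($row.'Group Tag')".Trim()
        if ($AllowedGroupTags.Count -gt 0 -and $AllowedGroupTags -notcontains $tag) {
            $issues += "unexpected group tag '$tag'"
        }
        if ($issues.Count -gt 0) {
            [pscustomobject]@{ Line = $line; Serial = $serial; Issues = $issues -join '; ' }
        }
    }
}

Test-AutopilotCsv -CsvText $sampleCsv -AllowedGroupTags 'Sales' | Format-Table -AutoSize
```

Rows that pass produce no output; each flagged row is returned with its CSV line number so it can be corrected or rejected before import.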

What Autopilot replaces

Autopilot replaces traditional imaging (WIM, MDT, Configuration Manager OS Deployment). Instead of building a custom Windows image with apps and settings baked in, you start from the OEM-provided Windows installation and configure on top via Intune. This is cheaper to maintain, faster to update, and easier to vary by user type.

Edge cases and gotchas

  • Hardware hash mismatches — common on devices flashed with a non-standard BIOS or modified firmware.
  • Network requirements — Autopilot needs internet during OOBE. Captive portals and proxies require care.
  • Hybrid Entra Join scenarios add complexity (the device needs line of sight to the on-prem network); cloud-only Entra Join is much simpler and is Microsoft's recommended path.
  • ESP timing — big profiles (many apps, many policies) can take long enough that users get frustrated. Tune the must-install list.

Autopilot is a transformative shift in device provisioning for Microsoft 365 customers. Once you've stood it up, you'll wonder how you ever shipped imaged laptops.