RSystems

Microsoft

Windows Autopilot

Zero-touch device deployment — what it requires, what it delivers, and when it's worth it.

How Autopilot Works

Windows Autopilot is Microsoft's zero-touch device deployment system. When a new Windows PC powers on for the first time and connects to the internet, it queries Microsoft's servers, finds its provisioning profile, and configures itself — joining your directory, enrolling in Intune, installing required apps, and applying security policies — with no IT staff handling the machine.

What happens during provisioning:

  1. Device connects to internet (during Windows out-of-box experience)
  2. Autopilot profile downloads
  3. Device joins Entra ID (and optionally on-premises AD in hybrid scenarios)
  4. Intune enrollment occurs
  5. Required applications install
  6. Security policies apply
  7. User signs in to a fully configured, compliant device

Hardware Registration

Devices need their hardware hash registered in your tenant before Autopilot works.

Pre-registration through your hardware vendor: Dell, Lenovo, Microsoft Surface, and most major OEMs can register devices in your tenant at the time of purchase. This is the clean path for new deployments: order laptops with your tenant ID and they arrive pre-registered.

Post-purchase registration: Run a PowerShell script on the device to extract and upload the hardware hash. Requires physical access and takes a few minutes per machine.
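
One way to do the extraction half of post-purchase registration, as an added example that is not from the original page: it reads the hardware hash through the MDM bridge WMI class and writes the three-column CSV used for Autopilot device import. The output path is an assumption, and uploading the file to your tenant is a separate step.

```powershell
# Added example: export this device's Autopilot hardware hash to a CSV.
# Run from an elevated Windows PowerShell session on the device being registered.
#Requires -RunAsAdministrator

$outFile = 'C:\HWID\AutopilotHWID.csv'   # assumed output path, change as needed

# Serial number as reported by the firmware.
$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber

# The hardware hash is exposed by the MDM bridge WMI provider.
$devDetail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' `
    -ClassName 'MDM_DevDetail_Ext01' `
    -Filter "InstanceID='Ext' AND ParentID='./DevDetail'" `
    -ErrorAction Stop
$hash = $devDetail.DeviceHardwareData

# Refuse to write a record that would fail import or register the wrong device.
if ([string]::IsNullOrWhiteSpace($serial) -or [string]::IsNullOrWhiteSpace($hash)) {
    throw 'Serial number or hardware hash is empty; not writing a record.'
}

# The hash is a Base64 string; a decode failure means it was truncated or altered.
try {
    [void][Convert]::FromBase64String($hash)
} catch {
    throw 'Hardware hash is not valid Base64; not writing a record.'
}

New-Item -ItemType Directory -Path (Split-Path -Path $outFile) -Force | Out-Null

# Column names used by the Autopilot device import. Quotes are stripped so the
# file is plain comma-separated text (the values contain no commas or quotes).
[pscustomobject]@{
    'Device Serial Number' = $serial
    'Windows Product ID'   = ''
    'Hardware Hash'        = $hash
} | ConvertTo-Csv -NoTypeInformation |
    ForEach-Object { $_ -replace '"', '' } |
    Set-Content -Path $outFile -Encoding Ascii

Write-Output "Wrote hardware hash for serial $serial to $outFile"
```

The resulting file registers that device to whichever tenant imports it, so move it over a trusted channel and delete it from the device once the import is confirmed.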

Enrollment Modes

  • User-driven: Employee powers on, signs in with work credentials, device provisions itself. Standard mode for most employee deployments.
  • Self-deploying: Device configures with no user interaction. Used for shared devices, kiosks, conference room hardware.
  • White glove: IT runs initial provisioning before handing the device to the user. Useful for verifying device health first.
  • Hybrid join: Device joins both Entra ID and on-premises AD. Required in environments not yet fully migrated to cloud-only identity.

Requirements

  • Microsoft Intune (for policy and app delivery)
  • Entra ID (for identity)
  • Applications packaged for Intune delivery
  • Internet connectivity at first boot
  • Hardware pre-registered in your tenant

Autopilot is not an imaging solution. It provisions from a factory-state Windows installation, not a custom image. Applications must be deliverable through Intune — legacy software requiring complex local installation scripts may need packaging work before it's Autopilot-compatible.

The Economics

For an organization deploying 5 laptops per year, the upfront configuration investment may not pay off. For an organization deploying 50+ devices annually, the time savings are significant: an IT staff member spends 2 hours per device on traditional imaging versus 30 minutes per Autopilot device (mostly unattended). At scale, that's a material reduction in IT labor cost per device.