What Is Windows Autopilot?
Cloud-based device provisioning with Windows Autopilot
Published: Mar 03, 2025
Windows Autopilot is a cloud-based deployment and provisioning service that simplifies setting up new devices. It ensures devices are configured with the right security policies, settings, and applications the moment the user logs in for the first time.
With Windows Autopilot, IT professionals can:
- Automate device enrollment into Microsoft Intune (or any supported Mobile Device Management (MDM) platform)
- Seamlessly configure Windows devices, such as Windows 10 and Windows 11 PCs
- Reduce manual setup efforts for end users.
The end of device imaging
For decades, device provisioning and deployment entailed an IT engineer applying a ‘gold image’ to a device, through either Microsoft Configuration Manager, Windows Deployment Services, USB media, or other methods. Whilst this ensured a consistent ‘image’ was applied to each device, this ‘point-in-time’ configuration was soon overlayed or overwritten by configurations or setting applied by Group Policy or an MDM.
In contrast, Windows Autopilot relies on a ‘vanilla’ or lightweight base image being in place before company-specific configuration is applied. This approach means that an IT engineer is no longer required to apply an image, as the lightweight (also known as OEM Optimtized) imaged device can be delivered straight to the end user.
Requirements for Windows Autopilot
To use Windows Autopilot, you need:
Supported Windows versions
- Windows 11 (Pro, Pro Education, Pro for Workstations, Enterprise, Education)
- Windows 10 (same editions as above)
Licensing requirements
Windows Autopilot is included in most Microsoft 365 plans, such as:
- Microsoft 365 Business Premium
- Microsoft 365 E3/E5
- Microsoft 365 F1/F3
- Intune for Education
- Enterprise Mobility & Security (EMS) E3/E5
- Entra ID P1/P2
Crucially, Office 365 E1/E3/E5 does not include Windows Autopilot, as it lacks Intune and device management capabilities.
Network requirements
Windows Autopilot devices must be able to access:
ztd.dds.microsoft.comcs.dds.microsoft.com- Windows activation services
Generally, unrestricted outbound Internet access is recommended for a smooth experience.
Configuration in Microsoft Intune
Before enrolling devices, ensure the following is set up in Intune:
- Automatic Enrollment enabled in Microsoft Entra ID (previously Azure Active Directory)
- The first user signing in has Entra join permissions.
- (Optional) Configure Windows edition upgrades from Pro to Enterprise.
- (Recommended) Entra custom branding for a seamless user experience.
Setting up Windows Autopilot in Microsoft Intune
1. Create an Autopilot Device Group
Windows Autopilot requires devices to be assigned to a specific group. Follow these steps:
- In Microsoft Intune, navigate to Groups.
- Create a new Dynamic Device Group.
- Use the following rule to automatically add devices:
(device.devicePhysicalIDs -any (_ -startsWith "[ZTDid]"))2. Import devices into Autopilot
Devices must be registered in Autopilot Devices:
- Obtain a device’s hardware hash:
Install-Script -Name Get-WindowsAutopilotInfo
Get-WindowsAutopilotInfo.ps1 -Online- This will register the device in your Intune tenant.
- Manufacturers and resellers can also pre-register devices.
3. Create an Autopilot Deployment Profile
Define how the device should be configured:
- Deployment mode: User-driven (standard) or Self-deploying.
- User-driven is the standard way to use Windows Autopilot.
- Self-deploying is a special mode for Kiosk or userless devices.
- Join type: Entra ID (recommended) or Hybrid AD Join (not recommended)
- Disable OOBE screens: Hide privacy settings, license terms, and account options.
- User Account Type: Set to Standard User for better security.
- Naming convention: Example:
LC-%SERIAL%(Limit: 15 characters).
Assign the profile to your Autopilot Device Group.
4. Configure the Enrollment Status Page (Optional)
The Enrollment Status Page (ESP) controls when users can access their device:
- Enable it to block users until required apps are installed.
- Select critical apps (e.g., security software, VPN) to be installed before login.
- Disable it if you prefer a faster enrollment process.
Deploying a Windows Autopilot device
Once the device is assigned a profile, it’s ready for deployment:
- The device is reset (or begins from the Out of Box Experience) and connected to the internet.
- The Out-of-Box Experience (OOBE) shows custom branding.
- The user signs in with their Entra ID credentials.
- Windows Autopilot provisions the device.
- Required applications and security policies are installed.
This process ensures the device is fully configured before the user starts working.
Windows Autopilot device preparation
Autopilot Device Preparation, sometimes called Autopilot V2, is not a direct replacement for the original Autopilot but rather an alternative approach. Unlike traditional Autopilot, Device Preparation does not require hardware registration—instead, provisioning begins when a user signs in.
Key differences from traditional Autopilot
- Devices do not need to be pre-registered.
- Enrollment starts when the user logs in and selects “Work or School Account.”
- Users can still opt for personal setup, so strong Conditional Access policies are essential.
- Device preparation completes provisioning significantly faster than traditional Autopilot.
- Devices are added to groups after enrollment, unlike Windows Autopilot , where groups are assigned in advance.
Potential challenges
- Users can enroll a personal device under “corporate” settings unless policies prevent it.
- Device ownership and group management are handled differently, requiring a shift in approach.
- Requires creating an Entra group with a specific service principal as an owner, adding complexity to the setup.
Should You Use Autopilot V2?
If your organization needs faster deployments with less administrative overhead, Autopilot V2 is a strong option. However, traditional Windows Autopilot remains more structured and is preferable for enterprises needing strict hardware control.