Windows Autopilot is Microsoft's zero-touch deployment solution. Rather than imaging devices and shipping them pre-configured, Autopilot lets you ship a factory-fresh device directly to a user - they power it on, sign in with their Microsoft 365 credentials, and Intune automatically configures it: installs apps, applies policies, joins Entra ID, and gets it ready for work. No imaging. No IT hands-on-keyboard. No shipping devices to the office first.
This guide covers the complete Autopilot setup from start to finish - registering devices, creating a deployment profile, and testing the end-to-end experience.
Prerequisites
📋 Before You Start- Microsoft Intune licence (Intune Plan 1 or included in M365 Business Premium / E3+)
- Devices must be pre-registered with Autopilot (hardware hash uploaded)
- Entra ID configured as the identity provider
- Intune set as the MDM authority
- An Autopilot deployment profile created and assigned
Step 1: Register Devices
📥 Hardware HashBefore Autopilot can configure a device, it must be registered - this means uploading the device's hardware hash to Intune. The hardware hash uniquely identifies the device and links it to your tenant.
There are three ways to get the hardware hash:
- OEM registration: if you buy from a Microsoft partner, they can register devices directly to your tenant before shipping. This is the most scalable option for large deployments.
- PowerShell script: run on the device during OOBE or after imaging to extract and upload the hash. See the guide: How to Capture Windows Autopilot Hardware Hashes: 4 Fast Methods.
- Microsoft Store for Business / Partner Center: resellers and IT partners can bulk-upload hashes on your behalf.
Verify Registration
Once uploaded, devices appear in:
It can take up to 15 minutes for a newly uploaded device to appear. You can also assign a Group Tag here, which is used to dynamically group devices for profile assignment.
Step 2: Create a Deployment Profile
⚙️ ProfileStep 3: Enrolment Status Page
📄 ESPThe Enrolment Status Page (ESP) is the progress screen users see while Autopilot configures their device. It blocks the desktop until apps and policies have applied, preventing users from accessing a partially-configured machine.
Step 4: Dynamic Device Group
👥 GroupsCreate a dynamic Entra ID group that automatically captures all Autopilot-registered devices using their Group Tag. This group is used to assign the deployment profile and the ESP.
Use a dynamic membership rule targeting the Autopilot Group Tag you assigned during device registration:
Replace CORP-WIN with your Group Tag. Devices with that tag will automatically join this group within a few minutes of registration.
Step 5: Assign the Profile
Assign your deployment profile to the dynamic device group created above. Assign the ESP to the same group.
White Glove Pre-Provisioning
🏭 White GloveWhite Glove (also called pre-provisioning) lets IT or a reseller run the device-targeted phase of Autopilot in advance - installing apps, applying policies, and enrolling the device - before the user ever touches it. The user then only has to sign in, and the user-targeted phase completes in a few minutes.
To use White Glove, enable it in the deployment profile, then on the device during OOBE press Windows key five times to enter White Glove mode. This is particularly useful for large rollouts where you want to pre-configure batches of devices before shipping to remote users.
Common Issues
🔧 Troubleshooting- Device not found during OOBE: hardware hash not yet synced. Wait 15 minutes and retry, or manually trigger a sync in Intune.
- ESP stuck on "Identifying": the device cannot reach the Intune endpoints. Check network connectivity and check that DNS resolves Microsoft URLs.
- Apps failing to install during ESP: check the app assignment is targeting the device group, not a user group. Device-context app installs are required during OOBE.
- User gets admin rights: check the deployment profile is set to Standard User, not Local Admin.