Autopilot / Intune · Modern Endpoint Guides

🚀 Windows Autopilot

Windows Autopilot with Intune

Zero-touch Windows device provisioning — from out-of-box experience to fully configured corporate device, without IT touching the hardware. Covers all 4 deployment modes, ESP configuration, and hybrid join.

📅 Updated: May 2026 ⏱️ Setup time: 2–4 hours 🎯 Audience: Intune Admins, Desktop Engineers 📋 License: Intune P1 + Entra ID P1

📋 Overview & Requirements

Windows Autopilot uses cloud-based provisioning to configure new or reset Windows devices. The device is registered in the Autopilot service before it reaches the user — when powered on, it joins Entra ID and enrolls in Intune automatically.

✅ Prerequisites

Windows 10 1903+ or Windows 11
Entra ID (Azure AD) with P1 license
Microsoft Intune license
Device hardware hash registered in Intune
Internet connectivity during OOBE
DNS resolution for Microsoft endpoints

🌐 Required Network Endpoints

*.microsoft.com / *.microsoftonline.com
*.windows.net / *.manage.microsoft.com
*.windowsupdate.com (Windows Update)
devicedirectory.azure.com (device registration)
enterpriseregistration.windows.net

Proxy / firewall must allow these endpoints BEFORE the device joins the domain or receives any GPO.

Mode	Join Type	Use Case	Internet Required
User-Driven (Entra Join)	Entra ID Join	Cloud-only organizations	Yes (OOBE)
Hybrid Entra Join	On-prem AD + Entra ID	Hybrid/on-prem environments	Yes + VPN/LoS
Self-Deploying	Entra ID (no user)	Kiosks, shared devices	Yes (TPM required)
Pre-Provisioning	Entra ID / Hybrid	Technician prep + user receive	Yes (both phases)

📝 Device Registration

🔑 Hardware Hash Collection

Method 1: OEM Direct (Recommended)

Purchase devices from an Autopilot-capable OEM (Dell, HP, Lenovo, Microsoft). OEM uploads hardware hash to Windows Autopilot via PKID.

Method 2: PowerShell Script

Run Get-WindowsAutoPilotInfo.ps1 on the device to export the hardware hash CSV and upload to Intune.

Method 3: Microsoft 365 admin center

Upload CSV directly via Intune admin center → Devices → Windows → Enrollment → Windows Autopilot → Import.

💻 PowerShell Hash Collection

# Install and run on target device
Install-Script -Name Get-WindowsAutoPilotInfo

# Export hash to CSV
Get-WindowsAutoPilotInfo -OutputFile "C:\autopilot.csv"

# Upload directly to Intune tenant
Get-WindowsAutoPilotInfo `
  -Online `
  -TenantId "your-tenant-id"

# Bulk collect from multiple devices via network
Get-WindowsAutoPilotInfo `
  -ComputerName PC01, PC02, PC03 `
  -OutputFile "C:\bulk_hashes.csv"

After uploading the hardware hash, device sync may take up to 15 minutes. The device must be connected to the internet during OOBE so it can check the Autopilot service for its profile.

⏳ Enrollment Status Page (ESP)

📊 What ESP Does

Shows progress during OOBE and device setup
Blocks user access until critical apps/policies apply
Two phases: Device Setup and Account Setup
Tracks: security policies, certificates, apps, scripts
Blocks desktop until all tracked items complete

⚙️ ESP Configuration Tips

Error timeout: Set to 60–120 minutes (default 60)
Allow users to reset: Enable for pilot; disable for production
Block device use until installed: Enable for critical security apps
Only track apps that are Required and assigned to the device
Avoid tracking large apps (1GB+) — they slow first login significantly

🔄 ESP Phases Explained

Device Preparation

→

Device Setup (MDM enrollment, policies, apps)

→

Account Setup (user policies, apps)

→

Desktop

👤 User-Driven Mode (Entra Join)

☁️ Cloud-Native User-Driven

Device joins Entra ID directly (no on-prem AD)
User authenticates during OOBE with corporate credentials
Intune enrollment happens automatically after join
Ideal for fully cloud-native organizations
No VPN or line-of-sight to DC required
Supports Hello for Business at first sign-in

🔄 Enrollment Flow

1. Device powers on → detects Autopilot profile

2. OOBE → user enters corporate email

3. Entra ID join + Intune auto-enrollment

4. ESP: policies, certs, apps installed

5. User reaches desktop

🏢 Hybrid Entra Join

Hybrid Entra Join requires a Domain Controller in line-of-sight during enrollment (or an established VPN). An on-premises Intune Connector for Active Directory must be installed.

🔧 Additional Requirements

On-prem AD domain with Hybrid Entra ID configured
Intune Connector for AD installed on domain member server
Connector server can reach both Intune and AD
Device must reach DC during OOBE (VPN or on-site)
Computer account created automatically in AD via connector

📋 Hybrid Enrollment Flow

1. Device OOBE → user auth with Entra ID

2. Intune connector creates AD computer account

3. Device joins on-prem AD domain

4. Entra ID hybrid join via Azure AD Connect

5. Intune enrollment + ESP

⚙️ Self-Deploying Mode

🖥️ Use Cases

Kiosk devices (single-app or multi-app)
Shared workstations (no dedicated user)
Meeting room devices
Point-of-sale terminals
Digital signage

🔐 Requirements

TPM 2.0 required (device attestation replaces user auth)
Wi-Fi or Ethernet at OOBE (no user to enter credentials)
ESP blocks device until fully configured
No user account assigned during OOBE
Autopilot profile: Device type = "Self-deploying"

🏭 Pre-Provisioning (White Glove)

🏭 Technician Phase

Technician powers on device

Press Windows key 5 times at OOBE to enter Pre-Provisioning mode.

Device Setup phase runs

ESP Device Setup phase installs all device-targeted apps, certs, and policies.

Reseal

Technician clicks "Reseal" — device is shut down and sealed for shipping.

👤 User Phase

User powers on device

Device already has all device-level apps/policies. Only user phase runs.

User authenticates

User signs in with Entra ID credentials. Account Setup phase installs user-targeted apps.

Desktop ready

Much faster than standard Autopilot — device is already mostly configured.

Pre-Provisioning (White Glove) dramatically reduces first-login time for end users since all device-targeted content is pre-installed before the user receives the device.

🎛️ Autopilot Profiles

📋 Key Profile Settings

Deployment mode: User-Driven / Self-Deploying
Join to Azure AD as: Entra joined / Hybrid Entra joined
EULA: Hide (recommended for corporate)
Privacy settings: Hide
Account change options: Hide
User account type: Standard (not Administrator)

🏷️ Profile Assignment

Assign profile to Autopilot device group
Dynamic group using device.devicePhysicalIds any _ -eq "[ZTDId]"
Or assign to static group of uploaded devices
Profile priority matters if multiple profiles exist
Profile must be assigned BEFORE device first boot

🔀 Dynamic Groups for Autopilot

# Dynamic group rule: All Autopilot-registered devices
(device.devicePhysicalIds -any _ -contains "[ZTDId]")

# Dynamic group rule: Autopilot devices with specific OrderID (group tag)
(device.devicePhysicalIds -any _ -eq "[OrderID]:Finance-2026")

# Dynamic group rule: Specific model
(device.devicePhysicalIds -any _ -eq "[ZTDID]") and
(device.deviceModel -eq "Surface Laptop 5")

# PowerShell: Add group tag to Autopilot device
$deviceId = "autopilot-device-id"
Update-MgDeviceManagementWindowsAutopilotDeviceIdentity `
  -WindowsAutopilotDeviceIdentityId $deviceId `
  -GroupTag "Finance-2026"

📊 Reports & Monitoring

📋 Autopilot Deployments

Intune → Devices → Monitor → Autopilot deployments
Success / Failure per device
Time to complete each phase
Error codes for failed deployments

📱 Device Registration

Intune → Devices → Windows → Enrollment → Devices
List of all registered Autopilot devices
Profile assignment status
Group tag / order ID

⏳ ESP Status

Enrollment Status Page report
Per-app installation progress
Policy application status
Failure reason detail

🔧 Troubleshooting

❌ Common Issues & Fixes

Issue	Likely Cause	Resolution
Device not getting Autopilot profile	Hardware hash not synced or group assignment missing	Force sync in Intune; verify dynamic group membership
ESP stuck at "Identifying"	Network connectivity issue, missing endpoints	Check firewall/proxy for required URLs
Hybrid join fails	Connector not running, DC unreachable	Check Intune Connector service; ensure DC reachable during OOBE
App installation fails in ESP	App not assigned as Required to device/user	Reassign app as Required to Autopilot device group
ESP timeout	Large app slowing provisioning	Increase timeout; exclude non-critical apps from ESP tracking
"Something went wrong" error 0x800705b4	Duplicate device hash or stale enrollment	Delete device from Autopilot, re-upload hash, retry

💻 PowerShell & Graph API

# Get all Autopilot devices
Connect-MgGraph -Scopes "DeviceManagementServiceConfig.Read.All"
Get-MgDeviceManagementWindowsAutopilotDeviceIdentity |
  Select-Object SerialNumber, Model, GroupTag, EnrollmentState

# Get Autopilot deployment report
GET https://graph.microsoft.com/beta/deviceManagement/autopilotEvents

# Assign group tag to multiple devices from CSV
$devices = Import-Csv "C:\devices.csv"  # Columns: SerialNumber, GroupTag
foreach ($device in $devices) {
    $autopilotDevice = Get-MgDeviceManagementWindowsAutopilotDeviceIdentity |
        Where-Object { $_.SerialNumber -eq $device.SerialNumber }
    if ($autopilotDevice) {
        Update-MgDeviceManagementWindowsAutopilotDeviceIdentity `
            -WindowsAutopilotDeviceIdentityId $autopilotDevice.Id `
            -GroupTag $device.GroupTag
    }
}

# Delete Autopilot device registration (for re-registration)
Remove-MgDeviceManagementWindowsAutopilotDeviceIdentity `
    -WindowsAutopilotDeviceIdentityId "device-guid-here"