
Windows Autopilot Complete Overview: Deployment Types, Components and Registration (Part 1)

Imran Awan
1 July 2026

Windows Autopilot is the deployment method that made zero-touch device provisioning a reality for enterprise IT. A device ships from the manufacturer directly to the end user — the user powers it on, signs in, and Autopilot configures it with the right apps, settings, and identity without anyone in IT ever touching the physical device. This guide covers the full fundamentals: what Autopilot is, how it works under the hood, the three deployment types, the components involved, profile types, registration methods, and the URLs you need to allow in your firewall.

1. What is Windows Autopilot?

Windows Autopilot is a collection of cloud-based technologies that pre-configure new Windows devices during the out-of-box experience (OOBE) and repurpose existing devices without re-imaging them. It integrates with Microsoft Intune for MDM enrollment and Microsoft Entra ID for identity.

Zero-touch deployment: New devices go directly from OEM to end user — IT never handles the box
No re-imaging: Reset and repurpose existing devices without wiping and reloading an OS image
Seamless OOBE: User signs in with their corporate credentials — Autopilot does the rest
Intune-integrated: All device management, app deployment, and policy application happens through Intune

2. How Windows Autopilot Works

Autopilot deployment sequence

1. Device registered in Entra ID (via hardware hash)
   The device's hardware hash is uploaded to the Autopilot service — this is what ties the physical device to your tenant before it ever powers on.
2. User turns on device and connects to the internet
   OOBE starts. Windows contacts Windows Update and the Autopilot deployment service.
3. Autopilot identifies the device
   The deployment service matches the hardware hash to the registered device and retrieves the Autopilot profile assigned to it.
4. OOBE runs with corporate branding and policy
   The Autopilot profile suppresses privacy screens, adds corporate branding, and forces Azure AD join.
5. Device enrolls in Intune
   After the user signs in (User-Driven) or automatically (Self-Deploying), the device enrolls in Intune and the Enrollment Status Page (ESP) begins applying policies and apps.
6. Device is ready to use
   ESP completes. Desktop appears. Device is fully managed and compliant.

3. Types of Windows Autopilot

| Deployment type | Who initiates? | Use case | Key requirements |
|---|---|---|---|
| User-Driven | End user signs in during OOBE | New corporate devices for regular users — most common deployment type | Azure AD joined or Hybrid Azure AD joined; Intune enrollment |
| Self-Deploying (Pre-provisioning) | IT pre-stages device; user gets ready-to-use device | Kiosks, shared devices, or devices that need no user affinity | TPM 2.0 required; device must support device attestation |
| Hybrid Autopilot (with on-prem AD) | User signs in during OOBE, device joins on-prem AD during process | Environments still requiring on-prem domain join (Group Policy, on-prem resources) | Azure AD Connect 1.6.3.0+; Intune Connector for AD; VPN or line-of-sight to DC |

Pre-Provisioning (White Glove): A variant of Self-Deploying where IT runs the first phase (device-level ESP) in the office, then ships to the user. The user completes only the user-level phase — dramatically reducing the time they wait at OOBE. Requires TPM 2.0 and a direct internet connection during the technician phase.

4. Hybrid Autopilot — Architecture and Requirements

Hybrid Autopilot is needed when devices must join on-premises Active Directory during deployment — for example, when your environment has on-prem Group Policy requirements or legacy apps that do not work with Entra-only join.

Hybrid Autopilot Flow

1. User turns on device
2. Connects to internet
3. Enrolls in Autopilot/Intune
4. Intune Connector contacts on-prem DC
5. Device joins on-prem AD
6. Entra Hybrid Join completes
7. Desktop ready

Hybrid Autopilot Requirements

5. Windows Autopilot Components

| Component | Role in Autopilot |
|---|---|
| Microsoft Entra ID | Stores the device's hardware hash registration. Provides the identity the device joins during OOBE. |
| Microsoft Intune | Applies the Autopilot deployment profile. Enrolls the device via MDM. Runs the Enrollment Status Page. |
| Windows Autopilot Service | The cloud service that matches hardware hashes to profiles and orchestrates the deployment sequence. |
| Intune Connector for AD | On-prem component for Hybrid Autopilot — creates the computer object in on-prem AD. |
| Company Portal / IME | Intune Management Extension deploys Win32 apps and PowerShell scripts during ESP. |

6. Autopilot Deployment Profiles

| Profile type | Use case | Key settings |
|---|---|---|
| User-Driven (Azure AD join) | Standard corporate device for a named user | Deployment mode: User-Driven; Join type: Azure AD; Hide privacy settings; Skip keyboard |
| User-Driven (Hybrid Azure AD join) | Device must join on-prem AD during OOBE | Deployment mode: User-Driven; Join type: Hybrid Azure AD; Requires Intune Connector for AD |
| Self-Deploying | Kiosk or shared device — no user interaction during OOBE | Deployment mode: Self-Deploying; TPM attestation required; Device name template recommended |
| Pre-provisioning (White Glove) | IT pre-stages device-level ESP, user completes user phase | Enable White Glove: Yes; TPM 2.0 required; Physical button sequence starts technician flow |

7. Device Registration Methods

| Method | How it works | Best for |
|---|---|---|
| By Device Serial Number (CSV) | Export CSV with serial numbers from device (or OEM) and upload to Intune | Small to medium batches; devices already in-house |
| By CSV file upload (PowerShell) | Run Get-WindowsAutoPilotInfo script on devices to generate hash CSV | Existing in-use devices being converted to Autopilot |
| Via OEM Partner Portal | OEM uploads device hashes automatically at the time of manufacture | Large OEM orders — hashes registered before the device ships |

Windows PowerShell — Register existing device with Autopilot

```powershell
# Install script (run once)
Install-Script -Name "Get-WindowsAutoPilotInfo" -Force

# Collect hardware hash and upload directly to Intune
Get-WindowsAutoPilotInfo -Online # Opens a browser for Intune auth then uploads automatically

# Or collect to CSV for bulk upload
Get-WindowsAutoPilotInfo -OutputFile "C:\Temp\devices.csv" -Append
```
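
Because the hardware hash is what binds a device to the tenant, it is worth checking the collected CSV before a bulk upload. The script below is an added example, not part of the original post or of Get-WindowsAutoPilotInfo; it assumes the column names Device Serial Number and Hardware Hash that the script writes to the CSV, and the function name Test-AutopilotCsv is made up for this illustration.

```powershell
# Added example: sanity-check the CSV produced by Get-WindowsAutoPilotInfo before import.
param([string]$Path = 'C:\Temp\devices.csv')

function Test-AutopilotCsv {
    param([Parameter(Mandatory)][string]$Path)
    $problems = [System.Collections.Generic.List[string]]::new()
    $rows = @(Import-Csv -Path $Path)
    if ($rows.Count -eq 0) { $problems.Add('File contains no device rows'); return $problems }

    # Assumed column names (what the collection script writes to the CSV).
    $required = 'Device Serial Number', 'Hardware Hash'
    $missing = $required | Where-Object { $_ -notin $rows[0].PSObject.Properties.Name }
    if ($missing) { $problems.Add("Missing column(s): $($missing -join ', ')"); return $problems }

    $line = 1   # line 1 is the header row
    foreach ($row in $rows) {
        $line++
        $serial = $row.'Device Serial Number'
        if ([string]::IsNullOrWhiteSpace($serial)) { $problems.Add("Line ${line}: empty serial number") }
        try {
            # A truncated or hand-edited hash no longer decodes as Base64.
            $bytes = [Convert]::FromBase64String($row.'Hardware Hash')
            if ($bytes.Length -eq 0) { throw 'empty' }
        }
        catch { $problems.Add("Line ${line}: hardware hash for '$serial' is empty or not valid Base64") }
    }

    # Running the collection with -Append twice on one machine leaves two rows for the same serial.
    $rows | Group-Object 'Device Serial Number' | Where-Object Count -gt 1 |
        ForEach-Object { $problems.Add("Serial '$($_.Name)' appears $($_.Count) times") }
    $problems
}

$issues = @(Test-AutopilotCsv -Path $Path)
if ($issues.Count -gt 0) { $issues; exit 1 } else { "No problems found in $Path" }
```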

8. Important Prerequisites

9. Benefits of Windows Autopilot

✓ Zero-touch provisioning: New devices provisioned without IT handling the hardware
✓ Consistent, repeatable setup: Every device gets the exact same configuration, apps, and policies
✓ Reduced IT workload: No imaging, no USB keys, no physical staging — just register and ship
✓ Better user experience: Users get a personalised, ready-to-use device on first boot
✓ Seamless Intune integration: Enrolment, policy, apps, and compliance all flow from Intune automatically
✓ Works anywhere: Device can be shipped directly from OEM to remote user — geography is irrelevant

10. Required URLs and Network Ports

Autopilot devices must be able to reach the following endpoints during OOBE. Block any of these in your firewall or proxy and the deployment will fail or stall at ESP.

| URL / Endpoint | Purpose |
|---|---|
| https://enterpriseregistration.windows.net | Device registration and Entra join |
| https://login.microsoftonline.com | User authentication (Entra ID sign-in) |
| https://device.login.microsoftonline.com | Device authentication during Autopilot |
| https://*.manage.microsoft.com | Intune MDM enrollment and policy download |
| https://activation.sls.microsoft.com | Windows activation |
| https://ekop.intel.com / ekcert.spserv.microsoft.com | TPM endorsement key certificate (Self-Deploying only) |

Gotcha: Proxy servers that perform SSL inspection can break Autopilot by intercepting the TPM attestation call or the Intune enrollment certificate. If Autopilot is stalling at "Setting things up", check your proxy for SSL inspection on the *.manage.microsoft.com and login.microsoftonline.com endpoints.
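
One way to check both the reachability requirement and the SSL inspection gotcha is to connect to each listed endpoint on TCP 443 and look at who issued the certificate that comes back. This is an added example, not from the original post; it assumes a direct or transparently proxied path to the internet, uses enrollment.manage.microsoft.com as a stand-in for the *.manage.microsoft.com wildcard, and 'Contoso Proxy CA' is a hypothetical name to replace with your own proxy's signing CA.

```powershell
# Added example, not from the original post. Run it from the network segment
# that Autopilot devices use during OOBE.
param(
    # Hosts from the table above. Assumption: enrollment.manage.microsoft.com
    # stands in for the *.manage.microsoft.com wildcard.
    [string[]]$Endpoint = @(
        'enterpriseregistration.windows.net', 'login.microsoftonline.com',
        'device.login.microsoftonline.com', 'enrollment.manage.microsoft.com',
        'activation.sls.microsoft.com', 'ekop.intel.com', 'ekcert.spserv.microsoft.com'),
    # Hypothetical name: replace with the subject of your proxy's signing CA.
    [string]$InspectionCaPattern = 'Contoso Proxy CA',
    [int]$TimeoutMs = 5000
)

function Test-AutopilotEndpoint {
    param([string]$HostName, [string]$CaPattern, [int]$TimeoutMs)
    $r = [ordered]@{ Host = $HostName; Reachable = $false; Issuer = $null
                     ChainTrusted = $null; Inspected = $null; Error = $null }
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        if (-not $client.ConnectAsync($HostName, 443).Wait($TimeoutMs)) { throw 'TCP connect timed out' }
        $r.Reachable = $true
        # Accept whatever certificate is presented so an intercepting CA is reported, not rejected.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust path only, no CRL/OCSP fetch
        $r.ChainTrusted = $chain.Build($cert)
        $r.Issuer = $cert.Issuer
        # Compare the leaf issuer and every subject in the locally built chain with the proxy CA name.
        $names = @($cert.Issuer) + @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        $r.Inspected = [bool]($names -match [regex]::Escape($CaPattern))
        $ssl.Dispose()
    }
    catch { $r.Error = $_.Exception.GetBaseException().Message }
    finally { $client.Dispose() }
    [pscustomobject]$r
}

$Endpoint | ForEach-Object { Test-AutopilotEndpoint $_ $InspectionCaPattern $TimeoutMs } |
    Format-Table Host, Reachable, ChainTrusted, Inspected, Issuer, Error -AutoSize
```

A row with Inspected set to True means the proxy is re-signing that endpoint's traffic and it needs an inspection bypass; a row with Reachable set to False points at a firewall or DNS block instead.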
Coming in Part 2

Official References

This guide was inspired by Anuradha Kumari's LinkedIn post on Windows Autopilot – Complete Overview Part 1 — excellent structured learning content for Intune and Azure professionals. Follow Anuradha on LinkedIn for more handwritten study notes at CloudEngineerHub.Com.
