Windows Autopilot is the deployment method that made zero-touch device provisioning a reality for enterprise IT. A device ships from the manufacturer directly to the end user — the user powers it on, signs in, and Autopilot configures it with the right apps, settings, and identity without anyone in IT ever touching the physical device. This guide covers the full fundamentals: what Autopilot is, how it works under the hood, the three deployment types, the components involved, profile types, registration methods, and the URLs you need to allow in your firewall.
1. What is Windows Autopilot?
Windows Autopilot is a collection of cloud-based technologies that pre-configure new Windows devices during the out-of-box experience (OOBE) and repurpose existing devices without re-imaging them. It integrates with Microsoft Intune for MDM enrollment and Microsoft Entra ID for identity.
2. How Windows Autopilot Works
3. Types of Windows Autopilot
| Deployment type | Who initiates? | Use case | Key requirements |
|---|---|---|---|
| User-Driven | End user signs in during OOBE | New corporate devices for regular users — most common deployment type | Azure AD joined or Hybrid Azure AD joined; Intune enrollment |
| Self-Deploying (Pre-provisioning) | IT pre-stages device; user gets ready-to-use device | Kiosks, shared devices, or devices that need no user affinity | TPM 2.0 required; device must support device attestation |
| Hybrid Autopilot (with on-prem AD) | User signs in during OOBE, device joins on-prem AD during process | Environments still requiring on-prem domain join (Group Policy, on-prem resources) | Azure AD Connect 1.6.3.0+; Intune Connector for AD; VPN or line-of-sight to DC |
4. Hybrid Autopilot — Architecture and Requirements
Hybrid Autopilot is needed when devices must join on-premises Active Directory during deployment — for example, when your environment has on-prem Group Policy requirements or legacy apps that do not work with Entra-only join.
Hybrid Autopilot Requirements
- Windows 10 1809+ or Windows 11
- Microsoft Entra Connect 1.6.3.0 or later (Hybrid Azure AD Join configured)
- Intune Connector for Active Directory installed on a domain-joined server with line-of-sight to a DC
- Device must be domain-joinable during setup, via VPN, ExpressRoute, or on-site provisioning
- Intune + Configuration Manager (co-management) recommended for transition scenarios
5. Windows Autopilot Components
| Component | Role in Autopilot |
|---|---|
| Microsoft Entra ID | Stores the device's hardware hash registration. Provides the identity the device joins during OOBE. |
| Microsoft Intune | Applies the Autopilot deployment profile. Enrolls the device via MDM. Runs the Enrollment Status Page. |
| Windows Autopilot Service | The cloud service that matches hardware hashes to profiles and orchestrates the deployment sequence. |
| Intune Connector for AD | On-prem component for Hybrid Autopilot — creates the computer object in on-prem AD. |
| Company Portal / IME | Intune Management Extension deploys Win32 apps and PowerShell scripts during ESP. |
6. Autopilot Deployment Profiles
| Profile type | Use case | Key settings |
|---|---|---|
| User-Driven (Azure AD join) | Standard corporate device for a named user | Deployment mode: User-Driven; Join type: Azure AD; Hide privacy settings; Skip keyboard |
| User-Driven (Hybrid Azure AD join) | Device must join on-prem AD during OOBE | Deployment mode: User-Driven; Join type: Hybrid Azure AD; Requires Intune Connector for AD |
| Self-Deploying | Kiosk or shared device — no user interaction during OOBE | Deployment mode: Self-Deploying; TPM attestation required; Device name template recommended |
| Pre-provisioning (White Glove) | IT pre-stages device-level ESP, user completes user phase | Enable White Glove: Yes; TPM 2.0 required; Physical button sequence starts technician flow |
7. Device Registration Methods
| Method | How it works | Best for |
|---|---|---|
| By Device Serial Number (CSV) | Export CSV with serial numbers from device (or OEM) and upload to Intune | Small to medium batches; devices already in-house |
| By CSV file upload (PowerShell) | Run Get-WindowsAutoPilotInfo script on devices to generate hash CSV | Existing in-use devices being converted to Autopilot |
| Via OEM Partner Portal | OEM uploads device hashes automatically at the time of manufacture | Large OEM orders — hashes registered before the device ships |
8. Important Prerequisites
- Devices must be running Windows 10 1809 or later (Windows 11 recommended)
- Internet connection required during setup — devices call the Autopilot deployment service, Windows Update, and Intune
- OEM lock-in is not required — any Windows device can be Autopilot-registered
- Autopilot only works with Entra-joined or Hybrid Entra-joined devices — not domain-only joined
- TPM 2.0 required for Self-Deploying and Pre-Provisioning profiles (not required for User-Driven)
9. Benefits of Windows Autopilot
10. Required URLs and Network Ports
Autopilot devices must be able to reach the following endpoints during OOBE. Block any of these in your firewall or proxy and the deployment will fail or stall at ESP.
| URL / Endpoint | Purpose |
|---|---|
| https://enterpriseregistration.windows.net | Device registration and Entra join |
| https://login.microsoftonline.com | User authentication (Entra ID sign-in) |
| https://device.login.microsoftonline.com | Device authentication during Autopilot |
| https://*.manage.microsoft.com | Intune MDM enrollment and policy download |
| https://activation.sls.microsoft.com | Windows activation |
| https://ekop.intel.com / ekcert.spserv.microsoft.com | TPM endorsement key certificate (Self-Deploying only) |
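
An added example (not part of the original guide, and not Microsoft tooling): a pre-deployment audit that checks a proxy or firewall allowlist export against the endpoints in the table above and reports the ones no rule covers. The sample allowlist is constructed, and the wildcard semantics (`*.` matching one or more labels, never the bare domain) are an assumption to confirm against your proxy.

```python
from urllib.parse import urlsplit

# Endpoints from the table above; True marks the row labelled "Self-Deploying only".
REQUIRED = [
    ("enterpriseregistration.windows.net", False),
    ("login.microsoftonline.com", False),
    ("device.login.microsoftonline.com", False),
    ("*.manage.microsoft.com", False),
    ("activation.sls.microsoft.com", False),
    ("ekop.intel.com", True),
    ("ekcert.spserv.microsoft.com", True),
]

# Constructed sample of a proxy allowlist export (not real configuration).
SAMPLE_ALLOWLIST = [
    "# corp proxy allowlist",
    "https://login.microsoftonline.com",
    "*.manage.microsoft.com",
    "enterpriseregistration.windows.net:443",
    "activation.sls.microsoft.com",
    "ekop.intel.com",
]

def host_of(entry):
    """Reduce 'https://host:443/path' or 'host:443' to a lowercase host."""
    entry = entry.strip().lower()
    return urlsplit(entry if "://" in entry else "//" + entry).hostname or ""

def covers(rule, required):
    """True if one allowlist rule fully covers one required endpoint."""
    if rule == required:
        return True
    if not rule.startswith("*."):
        return False  # an exact host never covers a sibling, child or wildcard
    suffix = rule[1:]  # "*.example.com" -> ".example.com"
    target = required[1:] if required.startswith("*.") else required
    return target.endswith(suffix)

def audit(allowlist, self_deploying=False):
    """Return required endpoints that no allowlist rule covers."""
    rules = [host_of(e) for e in allowlist
             if e.strip() and not e.lstrip().startswith("#")]
    return [ep for ep, tpm_only in REQUIRED
            if (self_deploying or not tpm_only)
            and not any(covers(r, ep) for r in rules)]

if __name__ == "__main__":
    print("user-driven gaps:   ", audit(SAMPLE_ALLOWLIST))
    print("self-deploying gaps:", audit(SAMPLE_ALLOWLIST, self_deploying=True))
```

The sample shows a common gap: an exact rule for login.microsoftonline.com does not cover device.login.microsoftonline.com, so device authentication would still be blocked.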
*.manage.microsoft.com and login.microsoftonline.com endpoints.
- Deployment Profiles in detail — every setting explained
- Enrollment Status Page (ESP) — blocking rules, troubleshooting
- White Glove / Pre-Provisioning — step by step
- Autopilot Reset — wipe and re-provision without IT
- Existing Device Deployment — convert to modern management
- Autopilot Troubleshooting — error codes, logs, diagnostic steps
- Real-world interview questions and answers
This guide was inspired by Anuradha Kumari's LinkedIn post on Windows Autopilot – Complete Overview Part 1 — excellent structured learning content for Intune and Azure professionals. Follow Anuradha on LinkedIn for more handwritten study notes at CloudEngineerHub.Com.