Windows Autopilot is the closest thing IT has to magic. A device ships directly from the manufacturer to an employee's desk. The employee powers it on, signs in with their corporate credentials, and within 20 minutes they have a fully configured, compliant, policy-enforced machine — without a single IT engineer touching the hardware. No custom image. No USB key. No imaging infrastructure. That is the Autopilot promise. This guide explains how it actually works, what each deployment mode does, and how to operate it reliably at scale.
What Is Windows Autopilot?
Windows Autopilot is a collection of cloud-based technologies that configure new Windows devices during their Out-of-Box Experience (OOBE) — the setup screens a user sees when they first power on a new machine. Instead of running through a manual setup or booting from a custom image, the device connects to the internet, contacts the Windows Autopilot cloud service, downloads its assigned profile, joins Entra ID (formerly Azure AD), enrolls in Intune, and receives all policies, apps, and configurations — automatically, in the background, while the user simply watches a progress screen.
The 4 Deployment Modes
Autopilot is not a single workflow — it has four distinct deployment modes, each suited to a different scenario:
| Mode | Who configures it | Best for | Requires admin presence |
|---|---|---|---|
| User-Driven | End user at first boot | Direct-shipped new devices to remote employees | No |
| Self-Deploying | No user interaction at all | Kiosks, shared devices, meeting room PCs | No |
| Pre-provisioning (White Glove) | IT or partner pre-stages the device, user completes it | Large deployments where IT wants to pre-install heavy apps | Yes (for pre-stage) |
| Existing Devices | ConfigMgr or re-imaging triggers | Upgrading existing machines to Autopilot management | Varies |
The 5 Autopilot Steps — In Detail
Step 1 — Device Registration
Before Autopilot can work, the device's hardware identity must be registered in your tenant. The hardware identity is called a hardware hash — a unique fingerprint generated from the device's hardware components. Registration can happen three ways: via your hardware vendor (Dell, HP, Lenovo, Microsoft Surface all support direct OEM upload), via a CSV import in the Intune portal, or via PowerShell on the device itself.
# Run on the target device to harvest its hardware hash
# Requires running as Administrator
# Install the Get-WindowsAutoPilotInfo module if not present
if (-not (Get-Module -ListAvailable -Name "Get-WindowsAutoPilotInfo")) {
Install-Script -Name "Get-WindowsAutoPilotInfo" -Force
}
# Export hardware hash to CSV for manual import
Get-WindowsAutoPilotInfo -OutputFile "C:\Temp\AutopilotHash.csv"
# OR: Upload directly to Intune (requires MgGraph auth)
Get-WindowsAutoPilotInfo -OnlineStep 2 — Profile Assignment
An Autopilot Deployment Profile defines what happens during OOBE — which steps to skip (EULA, privacy settings, Cortana), whether the device joins Entra ID as user-driven or self-deploying, whether the user can access the desktop during Enrollment Status Page (ESP), and which ESP configuration applies. Profiles are assigned to device groups in Intune based on Autopilot group tags.
device.enrollmentProfileName -eq "Corp-Laptop-London" and assign the correct Autopilot profile to that group. This makes large multi-profile deployments completely automated.
Step 3 — Shipping to User
Once registered and a profile is assigned, the device can ship directly from your hardware vendor to the employee. The IT department never needs to physically touch it. The vendor ships based on your purchase order; Autopilot handles the rest at first boot. This is the step that eliminates the traditional "staging area" and associated logistics overhead.
Step 4 — OOBE & Autopilot Enrollment
The user powers on the device, connects to Wi-Fi or ethernet, and enters their corporate credentials. Windows contacts the Autopilot cloud service, recognises the hardware hash, downloads the assigned profile, and begins the automated setup. The Enrollment Status Page (ESP) appears — a progress screen that shows device and user policy application in real time. Critical apps and policies must complete before the user can reach the desktop.
Step 5 — Full MDM Configuration
With enrollment complete, Intune takes over. Device compliance policies, security baselines, configuration profiles, Win32 apps, and certificates all deploy in the background. The Enrollment Status Page tracks progress. When all required items are installed, the desktop unlocks and the user is productive — on a fully managed, policy-compliant machine, from a factory-sealed box.
The Deployment Architecture Pyramid
Understanding the layered build-up during Autopilot helps IT admins sequence dependencies correctly:
| Layer | What happens | Admin control point |
|---|---|---|
| 1. Physical Hardware | Hardware hash registered in Autopilot; device identity established | OEM portal or PowerShell upload |
| 2. Azure AD / Entra Join | Device registers its identity in Entra ID; Conditional Access scope begins | Entra ID join type in Autopilot profile |
| 3. MDM Enrollment | Device enrolls in Intune; management agent activates; IME installs | MDM authority, enrollment restrictions |
| 4. Autopilot Config | Profiles, policies, compliance rules, security baselines applied; Required apps install | ESP configuration, device and user policy targeting |
| 5. Device Readiness | All required policies and apps confirmed installed; desktop unlocked | ESP blocking apps list, compliance policies |
Enrollment Status Page — The Gatekeeper
The Enrollment Status Page (ESP) is what controls whether a user can access the desktop before the device is fully configured. Without ESP configured, the user reaches the desktop immediately after Entra join — before any apps or policies have applied. This is dangerous for corporate devices. A user on an unconfigured device can access corporate data without DLP policies, without compliance status, and without required security software.
| ESP setting | What it controls | Recommended |
|---|---|---|
| Show app and profile configuration progress | Whether the user sees the ESP screen at all | Yes |
| Block device use until all required apps are installed | Prevents desktop access until Required apps complete | Yes (for corporate devices) |
| Allow users to reset device if installation error occurs | User can self-recover from a failed ESP | Yes |
| Allow users to use device if installation error occurs | Falls through to desktop on failure | Situational |
| ESP timeout (minutes) | How long before ESP gives up waiting | 60 min minimum; 120 for complex deployments |
Autopilot Goals — What You're Actually Achieving
| Goal | Traditional approach | Autopilot approach |
|---|---|---|
| Device provisioning time | 1–4 hours (imaging, staging) | 20–60 minutes (unattended) |
| IT engineer involvement | Required on-site | Zero touch for user-driven mode |
| Imaging infrastructure | WDS, MDT, SCCM required | Not required |
| Remote/hybrid workers | Device shipped to IT, configured, re-shipped | Device ships direct from OEM to employee |
| Security compliance at first login | Policies apply gradually after imaging | Device is compliant before desktop unlocks |
Checking Autopilot Registration Status via PowerShell
# Check Autopilot registration status for all devices in your tenant
# Requires Microsoft Graph PowerShell SDK
Connect-MgGraph -Scopes "DeviceManagementServiceConfig.Read.All"
$autopilotDevices = Get-MgDeviceManagementWindowsAutopilotDeviceIdentity -All
$autopilotDevices | Select-Object `
SerialNumber,
Model,
GroupTag,
@{n="EnrollmentState";e={$_.EnrollmentState}},
@{n="LastContactedDateTime";e={$_.LastContactedDateTime}} |
Sort-Object LastContactedDateTime -Descending |
Format-Table -AutoSize
Write-Host "Total registered: $($autopilotDevices.Count)"# List all Autopilot deployment profiles and their group assignments
Connect-MgGraph -Scopes "DeviceManagementServiceConfig.Read.All","Group.Read.All"
$profiles = Get-MgDeviceManagementWindowsAutopilotDeploymentProfile -All
foreach ($profile in $profiles) {
Write-Host "`n Profile: $($profile.DisplayName)" -ForegroundColor Cyan
Write-Host " Mode: $($profile.DeviceType)"
$assignments = Get-MgDeviceManagementWindowsAutopilotDeploymentProfileAssignment -WindowsAutopilotDeploymentProfileId $profile.Id
foreach ($a in $assignments) {
$group = Get-MgGroup -GroupId $a.Target.GroupId -ErrorAction SilentlyContinue
Write-Host " Assigned to: $($group.DisplayName ?? $a.Target.GroupId)"
}
}# Bulk upload hardware hashes from CSV to Intune Autopilot
# CSV must have columns: Device Serial Number, Windows Product ID, Hardware Hash, Group Tag (optional)
Connect-MgGraph -Scopes "DeviceManagementServiceConfig.ReadWrite.All"
$csvPath = "C:\Temp\AutopilotDevices.csv"
$devices = Import-Csv $csvPath
foreach ($device in $devices) {
$body = @{
"@odata.type" = "#microsoft.graph.importedWindowsAutopilotDeviceIdentity"
serialNumber = $device."Device Serial Number"
productKey = $device."Windows Product ID"
hardwareIdentifier = $device."Hardware Hash"
groupTag = $device."Group Tag"
}
New-MgDeviceManagementImportedWindowsAutopilotDeviceIdentity -BodyParameter $body
Write-Host "Uploaded: $($device.'Device Serial Number')"
}Common Autopilot Failures and Fixes
| Failure | Root cause | Fix |
|---|---|---|
| ESP stuck at "Identifying" | Device not registered in Autopilot, or profile not assigned | Verify hardware hash was uploaded; check group tag and dynamic group membership |
| ESP stuck at "Securing your hardware" | TPM attestation timeout or firmware issue | Check BIOS TPM settings; update firmware; verify TPM 2.0 is enabled |
| ESP stuck on app installation | Required Win32 app failing; IME error | Check IME log on device; verify app detection rule; check network access to Azure CDN |
| ESP times out (default 60 min) | Too many/too large Required apps in ESP | Increase timeout to 120 min; reduce blocking app count; move optional apps to Available |
| "Something went wrong" error 0x800705b4 | MDM Terms of Use policy conflict | Remove duplicate MDM enrollment restrictions; check Intune Terms of Use configuration |
Community Perspective
Get-WindowsAutoPilotInfo is the standard tool for hardware hash harvesting used by IT teams worldwide.
Country-Role-DeviceType (e.g., UK-Corp-Laptop). Once you have thousands of devices and multiple Autopilot profiles, a consistent tag convention is the only thing that prevents assignment chaos.