Microsoft Intune Autopilot Implementation Playbook (2026)

The Microsoft Intune Autopilot Implementation Playbook

Microsoft Intune Autopilot is the modern zero-touch device provisioning system that replaces image-based deployment (SCCM OSD) for Windows 10/11 endpoints. This is EPC Group's working implementation playbook from 200+ enterprise Autopilot deployments.

Phase 1 — Decide Your Enrollment Architecture

The single most important decision is Hybrid Azure AD Join (Hybrid AAD-J) vs Azure AD Join (AAD-J) vs Co-Management.

Hybrid AAD-J — Device joined to BOTH on-prem AD AND Entra ID. Required if you have applications that need on-prem Kerberos authentication, on-prem file share access via UNC paths, or legacy domain-joined-device requirements. Most enterprises in 2026 should NOT choose Hybrid AAD-J unless required.

AAD-J (cloud-only) — Device joined to Entra ID only. The right answer for 70% of 2026 enterprise scenarios. Faster provisioning (no on-prem domain controller dependency during enrollment), simpler troubleshooting, and the only path that supports Web Sign-in + FIDO2 + Windows Hello for Business cloud trust.

Co-Management — Device managed by BOTH Intune AND SCCM (now Configuration Manager). Useful only during migration from SCCM to Intune; should not be a permanent end state.

EPC Group recommendation: AAD-J for net-new device provisioning; Hybrid AAD-J only for legacy app dependency scenarios.

Phase 2 — Build Your Autopilot Profile

Standard EPC Group Autopilot profile configuration:

• Deployment mode: User-driven (most common) or Self-deploying (kiosks)
• Join type: Azure AD Joined (preferred) or Hybrid Azure AD Joined
• Skip privacy settings page: Yes (corporate devices)
• Skip OOBE EULA: Yes
• Disable local admin: Yes (use EPM from Intune Suite for elevation)
• Apply device name template: Yes (e.g., "EPC-%RAND:6%")
• Allow white-glove (pre-provisioning): Yes (recommended)

Phase 3 — Use Group Tags for Profile Assignment

Don't manually assign Autopilot profiles per device. Use Group Tags.

Standard EPC Group tag taxonomy:

• Knowledge-Worker-Laptop → standard AAD-J profile + corporate apps
• Knowledge-Worker-Desktop → standard AAD-J profile + corporate apps + desktop-specific software
• Executive-Device → AAD-J profile + executive apps + tighter compliance
• Developer-Workstation → AAD-J profile + dev tools + relaxed app installation controls
• Kiosk-Device → Self-deploying mode + locked-down kiosk profile
• Frontline-Worker → AAD-J profile + M365 F1/F3 SKU + shared device mode

Drive Group Tag assignment via OEM order metadata when devices are procured through HP, Dell, Lenovo, Microsoft, etc.

Phase 4 — Enrollment Status Page (ESP) Configuration

The ESP shows users what's installing during first sign-in. Critical configuration:

• Block device use until apps and profiles are installed: Yes
• Block device use until required apps are installed: Yes, but cap blocking apps at 10. More than 10 blocking apps creates 30+ minute first-boot experiences.
• Show error when installation takes longer than: 60 minutes
• Allow users to collect logs: Yes (essential for troubleshooting)

From the trenches: List EVERY blocking app in your ESP. Apps not on the blocking list will install AFTER the user reaches the desktop — which is fine for non-critical apps but causes confusion if users expect them pre-installed.

Phase 5 — Pre-Provisioning (White Glove)

Pre-provisioning lets IT technicians or OEM partners run the device through Autopilot enrollment BEFORE shipping to the end user. End user setup time drops from 45-60 minutes to 5-10 minutes.

Required infrastructure:

• Pre-provisioning packages enabled in Autopilot profile
• IT staging area with pre-provisioning workstations
• OR OEM partner registered for pre-provisioning (HP, Dell, Lenovo, Microsoft Surface)

EPC Group from the trenches: Pre-provisioning is the single biggest user-experience improvement in Autopilot. Worth the upfront IT investment.

Phase 6 — Pilot, Wave, Hypercare

Standard EPC Group rollout:

• Pilot (Weeks 1-2): 25-50 IT users on Ring 0
• Pilot expansion (Weeks 3-4): 100-200 early adopters on Ring 1
• Wave rollout (Weeks 5-12): All standard users by department or geo
• Frontline rollout (Weeks 13-16): Frontline workers + kiosks + specialty devices
• Hypercare: 30 days post-wave with dedicated EPC Group consultant on Teams

EPC Group Engagement

EPC Group Autopilot Implementation: $75K-$200K fixed-fee, 8-16 weeks depending on tenant size and complexity. Includes Hybrid AAD-J vs AAD-J architecture decision, Autopilot profile design, Group Tag taxonomy, ESP configuration, pre-provisioning setup, pilot + wave rollout + hypercare.

Schedule a discovery call at /contact or call (888) 381-9725.

Related Resources

• Top 10 Microsoft Intune Consulting Firms North America 2026
• Microsoft Intune Best Practices 2026: 25 Lessons
• Microsoft Intune Suite: Remote Help + EPM + Tunnel
• Microsoft Entra ID Consulting Services
• 200+ verified client reviews