EPC Group - Enterprise Microsoft AI, SharePoint, Power BI, and Azure Consulting

How To Set Up Microsoft Intune For Autopilot Deployment

Errin O'Connor
December 2025
8 min read

Windows Autopilot combined with Microsoft Intune delivers zero-touch device provisioning that eliminates the need for IT to physically touch, image, or configure new laptops and desktops. An employee can receive a new device, power it on, sign in with their corporate credentials, and have a fully configured workstation -- complete with all applications, policies, and security settings -- within 30 to 60 minutes without any IT intervention.

What Is Windows Autopilot?

Windows Autopilot is a collection of technologies within the Microsoft ecosystem that simplify the lifecycle of Windows devices from initial deployment through retirement. Unlike traditional imaging approaches where IT builds a custom Windows image, loads it onto a device, and then configures settings, Autopilot uses the factory-installed Windows installation and transforms it into a business-ready device through cloud-based policies delivered by Intune.

The key scenarios supported by Autopilot include:

  • User-driven mode -- The employee unboxes the device, connects to the internet, enters their corporate email, authenticates, and Intune handles the rest. This is the most common scenario for knowledge workers.
  • Self-deploying mode -- The device automatically provisions itself without any user interaction, ideal for kiosks, shared devices, and digital signage.
  • Pre-provisioning (white glove) -- IT or a hardware partner pre-provisions the device in advance so the employee experiences an even faster setup. The device is partially configured before shipping.
  • Autopilot Reset -- Repurpose an existing device by resetting it to a business-ready state without re-imaging, useful when reassigning devices between employees.

Prerequisites for Autopilot Deployment

Before configuring Autopilot, ensure the following prerequisites are met:

  • Licensing -- Users need Microsoft 365 Business Premium, E3, E5, or Enterprise Mobility + Security E3/E5 licenses. Intune standalone licenses also work. Windows 10/11 Pro, Enterprise, or Education is required on the devices.
  • Azure AD Premium -- Autopilot requires Azure AD (Entra ID) for device registration and automatic MDM enrollment. Azure AD Premium P1 or P2 is required for dynamic device groups and Conditional Access.
  • Intune configured as MDM authority -- Intune must be set as the MDM authority in your tenant, with automatic enrollment configured for Azure AD-joined devices.
  • Network requirements -- Devices need outbound HTTPS access to several Microsoft services during provisioning. Ensure your firewall allows traffic to login.microsoftonline.com, enrollment.manage.microsoft.com, and the other Autopilot-required endpoints documented by Microsoft.
  • Hardware vendor support -- Your hardware vendor (Dell, HP, Lenovo, etc.) must register devices with the Autopilot service by uploading their hardware hashes. Most major OEMs offer this as part of their ordering process.

Step-by-Step Setup Guide

Follow these steps to configure Intune for Autopilot deployment:

  • Step 1: Configure automatic MDM enrollment -- In Azure AD > Mobility (MDM and MAM), configure Microsoft Intune as the MDM application and set the MDM user scope to "All" or a specific Azure AD group.
  • Step 2: Register device hardware hashes -- Obtain hardware hashes from your OEM vendor or extract them from existing devices using a PowerShell script. Import them into Intune under Devices > Windows Enrollment > Devices.
  • Step 3: Create a device group -- Create a dynamic Azure AD device group using the ZTDId (Zero Touch Device ID) attribute so that it automatically includes all Autopilot-registered devices. Example query: (device.devicePhysicalIDs -any (_ -contains "[ZTDId]")).
  • Step 4: Create an Autopilot deployment profile -- In Intune, navigate to Devices > Windows Enrollment > Deployment Profiles. Create a profile specifying: deployment mode (user-driven or self-deploying), Azure AD join type, OOBE settings (privacy, EULA, account type), and naming template.
  • Step 5: Configure the Enrollment Status Page (ESP) -- The ESP shows provisioning progress to users during setup. Configure it to track app installations, policy applications, and certificate deployments. Set timeout values and determine whether to allow users to use the device before all apps are installed.
  • Step 6: Assign configuration profiles -- Create and assign Intune configuration profiles for Wi-Fi, VPN, email, certificates, and security baselines to the Autopilot device group.
  • Step 7: Assign applications -- Assign required applications to the Autopilot device group. Mark critical apps as "required" so they install during ESP, and make optional apps "available" for user self-service through the Company Portal.
  • Step 8: Assign compliance policies -- Apply compliance policies to ensure devices meet security standards (BitLocker, Defender, OS version) before gaining access to corporate resources.
  • Step 9: Test with a pilot device -- Before rolling out to the entire organization, test the complete Autopilot flow with a pilot device. Document the timing, any issues encountered, and the final device state.
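
One way to document the final device state in Step 9 against the compliance areas named in Step 8 (BitLocker, Defender, OS version). This is an added example, not code from the original article; the function name, the `$MinimumBuild` default and the output file name are assumptions to replace with your own values.

```powershell
# Added example (not from the original article): record the pilot device's final state.
# Run elevated on the pilot device. $MinimumBuild is a hypothetical baseline value.
function Get-PilotDeviceState {
    param([int]$MinimumBuild = 22631)

    # dsregcmd /status prints "Name : Value" lines; collect them into a hashtable.
    $join = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*(\w+)\s*:\s*(.+?)\s*$') { $join[$Matches[1]] = $Matches[2] }
    }

    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $blv = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $mp  = Get-MpComputerStatus

    # Confirm-SecureBootUEFI throws when Secure Boot is unsupported or the session
    # is not elevated; both cases are recorded as $false here.
    $secureBoot = try { [bool](Confirm-SecureBootUEFI) } catch { $false }

    $state = [ordered]@{
        ComputerName     = $env:COMPUTERNAME
        CollectedUtc     = (Get-Date).ToUniversalTime().ToString('o')
        AzureAdJoined    = $join['AzureAdJoined'] -eq 'YES'
        MdmUrl           = $join['MdmUrl']
        OsBuild          = [int]$os.BuildNumber
        BitLockerOn      = $blv.ProtectionStatus -eq 'On'
        VolumeStatus     = [string]$blv.VolumeStatus
        DefenderRealTime = [bool]$mp.RealTimeProtectionEnabled
        SignatureAgeDays = $mp.AntivirusSignatureAge
        TpmReady         = [bool](Get-Tpm).TpmReady
        SecureBoot       = $secureBoot
    }

    # Checks that mirror the compliance areas named in Step 8.
    $failed = @()
    if (-not $state.AzureAdJoined)        { $failed += 'Not Azure AD joined' }
    if ($state.OsBuild -lt $MinimumBuild) { $failed += "OS build below $MinimumBuild" }
    if (-not $state.BitLockerOn)          { $failed += 'BitLocker protection is off' }
    if (-not $state.DefenderRealTime)     { $failed += 'Defender real-time protection is off' }
    $state.FailedChecks = $failed
    [pscustomobject]$state
}

# Save the result next to the pilot notes (file name is illustrative).
Get-PilotDeviceState | ConvertTo-Json | Set-Content -Path .\pilot-device-state.json
```

BitLocker encryption can still be in progress immediately after provisioning, so read `VolumeStatus` together with `BitLockerOn` before treating the pilot as failed.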

Optimizing the Autopilot Experience

A smooth Autopilot experience requires careful optimization. These tips come from hundreds of enterprise deployments we have managed:

  • Minimize ESP-tracked apps -- Only mark truly critical apps as "required" during ESP. Each additional required app extends the provisioning time. Aim for 5-10 ESP-tracked apps maximum, with the rest available through Company Portal after setup.
  • Use Delivery Optimization -- Configure Delivery Optimization to enable peer-to-peer content sharing, reducing WAN bandwidth during mass deployments.
  • Set realistic ESP timeouts -- The default 60-minute ESP timeout is often insufficient for environments with many required apps. Set the timeout to 90-120 minutes to prevent false failures.
  • Pre-provision when possible -- For high-profile deployments (executives, new office openings), use pre-provisioning to complete the heavy lifting in advance so employees experience a 5-10 minute setup instead of 30-60 minutes.
  • Name devices meaningfully -- Use the Autopilot naming template (e.g., EPC-%SERIAL%) to automatically assign meaningful device names that simplify inventory management and troubleshooting.

How EPC Group Can Help

With 28+ years of enterprise Microsoft consulting, EPC Group specializes in Windows Autopilot deployments that deliver a seamless, zero-touch provisioning experience. Our services include:

  • Autopilot architecture design -- We design the complete Autopilot deployment framework including device groups, profiles, ESP configuration, app assignments, and naming conventions.
  • OEM coordination -- We work directly with Dell, HP, Lenovo, and other vendors to ensure hardware hashes are registered and devices ship Autopilot-ready.
  • App packaging and testing -- We package Win32 applications using the Intune content prep tool, configure detection rules, and test deployment in the Autopilot workflow.
  • Pre-provisioning setup -- We configure and test pre-provisioning workflows for organizations that want the fastest possible end-user experience.
  • Pilot and production rollout -- We manage the entire rollout from pilot through production, monitoring success rates, troubleshooting failures, and optimizing the experience based on real-world data.

Deploy Zero-Touch Provisioning

Ready to eliminate manual device imaging and configuration? Our Autopilot specialists can design and implement a zero-touch deployment experience that scales across your entire organization.


Frequently Asked Questions

Can Autopilot work with hybrid Azure AD join?

Yes. Autopilot supports both Azure AD join (cloud-only) and hybrid Azure AD join (for organizations that still require on-premises Active Directory domain membership). Hybrid join requires an Intune Connector for Active Directory installed on an on-premises server and line-of-sight to a domain controller during provisioning. However, Microsoft recommends moving toward cloud-native Azure AD join where possible, as it simplifies management and eliminates the on-premises dependency.

What happens if Autopilot provisioning fails?

If provisioning fails, the Enrollment Status Page will display an error message with diagnostic information. Common failure causes include network connectivity issues, app installation timeouts, and certificate delivery problems. Users can retry the provisioning from the ESP error screen, or IT can reset the device and start over. Intune logs and Windows Event Viewer provide detailed diagnostic data for troubleshooting. EPC Group recommends configuring ESP with the "Allow users to reset device if installation error occurs" option enabled.

How do I register existing devices for Autopilot?

Existing devices can be registered by extracting their hardware hash using a PowerShell script (Get-WindowsAutopilotInfo) and uploading the CSV to Intune. For devices already enrolled in Intune, you can convert them to Autopilot devices directly from the Intune admin center. Note that the device will need to be reset and go through the Autopilot OOBE experience to fully benefit from Autopilot deployment profiles.
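
A pre-import check for the hardware-hash CSV described here and in Step 2, shown as an added example that is not part of the original article. It assumes the three-column header written by Get-WindowsAutopilotInfo; the function name `Test-AutopilotCsv`, the `$MaxRows` default and the sample rows are constructed for illustration.

```powershell
# Added example (not from the original article): check a hardware-hash CSV before import.
function Test-AutopilotCsv {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$MaxRows = 500   # assumed per-file import limit; confirm in current Microsoft docs
    )
    $required = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
    $rows = @(Import-Csv -Path $Path)
    if ($rows.Count -eq 0) { return 'file has no device rows' }

    $columns = $rows[0].PSObject.Properties.Name
    $missing = @($required | Where-Object { $_ -notin $columns })
    if ($missing) { return "missing column(s): $($missing -join ', ')" }
    if ($rows.Count -gt $MaxRows) { "file has $($rows.Count) rows, limit is $MaxRows" }

    $seen = @{}
    $line = 1                      # line 1 is the header row
    foreach ($row in $rows) {
        $line++
        $serial = $row.'Device Serial Number'.Trim()
        if (-not $serial) { "line ${line}: empty serial number" }
        elseif ($seen.ContainsKey($serial)) {
            "line ${line}: serial $serial already listed on line $($seen[$serial])"
        }
        else { $seen[$serial] = $line }

        # The hardware hash is Base64 text; a truncated or re-wrapped value fails to decode.
        try {
            if ([Convert]::FromBase64String($row.'Hardware Hash').Length -eq 0) {
                "line ${line}: empty hardware hash"
            }
        }
        catch { "line ${line}: hardware hash is not valid Base64" }
    }
}

# Constructed sample data: the hash is 64 filler bytes, not a real device hash.
$hash = [Convert]::ToBase64String([byte[]](1..64))
$csv  = Join-Path ([IO.Path]::GetTempPath()) 'autopilot-sample.csv'
@(
    'Device Serial Number,Windows Product ID,Hardware Hash'
    "SAMPLE0001,,$hash"
    "SAMPLE0001,,$hash"
    'SAMPLE0002,,not-base64!'
) | Set-Content -Path $csv -Encoding ASCII

Test-AutopilotCsv -Path $csv
```

The function emits one string per problem and nothing for a clean file, so an empty result means the file passed these checks.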

How long does Autopilot provisioning take?

Typical user-driven Autopilot provisioning takes 30-60 minutes depending on the number of required apps, network speed, and policy complexity. Pre-provisioned (white glove) devices complete in 5-15 minutes for the end user because the heavy lifting was done in advance. Self-deploying mode typically completes in 20-40 minutes. EPC Group optimizes provisioning times by minimizing ESP-tracked apps and using Delivery Optimization for content distribution.

Does Autopilot work for remote employees who never visit the office?

Absolutely. This is one of Autopilot's primary advantages. A device can be shipped directly from the manufacturer or warehouse to an employee's home. The employee powers it on, connects to their home Wi-Fi, signs in with their corporate credentials, and Autopilot provisions the device entirely over the internet. No VPN, no on-premises infrastructure, and no IT physical access required. This makes Autopilot ideal for distributed and remote workforces.