Windows Autopilot lets a new employee power on a device, sign in with their corporate credentials, and receive a fully configured workstation in 30–60 minutes — with no IT imaging required. This guide covers device registration, Autopilot profile creation, Enrollment Status Page setup, and the deployment flow end-to-end in Microsoft Intune.
Key Facts
- Autopilot uses the factory-installed Windows instance. There is no custom image to build or maintain.
- Autopilot profiles define the out-of-box experience (OOBE): language, privacy settings, and whether IT joins the device to Azure AD or Entra ID.
- Device registration requires the device's hardware hash — captured by the OEM, a vendor, or a PowerShell script run on the device.
- Enrollment Status Page (ESP) tracks app and policy installation progress and blocks the user from logging in until deployment completes.
- Supported scenarios: Azure AD Join (cloud-only), Hybrid Azure AD Join (on-premises + cloud), and Pre-provisioning (technician sets up device before shipping to employee).
- EPC Group: 29 years of Microsoft consulting, Microsoft Solutions Partner (core designations), 10,000+ enterprise deployments.
How to Set Up Microsoft Intune for Windows Autopilot Deployment
How Windows Autopilot works
Traditional device imaging requires IT to build a custom Windows image, load it onto a device, and configure settings manually. Autopilot eliminates all three steps.
When a registered device powers on, Windows contacts Microsoft's Autopilot service using the hardware hash. Autopilot sends the Intune enrollment profile to the device. Intune then applies all policies, apps, and configuration profiles automatically. The user gets a ready-to-work device without IT touching it.
Step 1 — Register devices with Autopilot
Devices must be registered before they can receive an Autopilot profile. Three registration methods exist.
- OEM registration — order devices from a vendor (Dell, HP, Lenovo) and request that they register the hardware hashes directly to your Intune tenant. Zero effort on your side.
- Partner registration — a Microsoft Cloud Solution Provider can register devices into your tenant on your behalf.
- Manual registration — run the Get-WindowsAutoPilotInfo PowerShell script on each device. Export the hardware hash CSV and import it into Intune → Devices → Windows → Windows enrollment → Devices.
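A pre-import check for the hardware hash CSV produced by manual registration, as an added example that is not part of the original guide. It confirms the columns of the Autopilot import format, flags duplicate or empty serials and hashes that are not valid Base64, and compares each serial against a list of devices you actually purchased. The function name, the approved-serial list and every sample row are constructed for illustration.

```powershell
# Added example, not part of the original guide. Serials, hashes and the
# approved list are constructed sample data.
function Test-AutopilotCsv {
    param([string]$CsvText, [string[]]$ApprovedSerials)

    # Columns used by the Intune Autopilot device import
    $required = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
    $header   = ($CsvText.Trim() -split "`r?`n")[0] -split ',' |
                ForEach-Object { $_.Trim('"', ' ') }
    $missing  = @($required | Where-Object { $_ -notin $header })
    if ($missing.Count) { throw "Missing column(s): $($missing -join ', ')" }

    $rows  = @($CsvText | ConvertFrom-Csv)
    $dupes = @($rows | Group-Object 'Device Serial Number' |
               Where-Object Count -gt 1 | ForEach-Object Name)

    foreach ($row in $rows) {
        $serial = $row.'Device Serial Number'
        $hash   = $row.'Hardware Hash'
        $issues = @()
        if ([string]::IsNullOrWhiteSpace($serial)) { $issues += 'empty serial' }
        elseif ($serial -notin $ApprovedSerials)   { $issues += 'serial not in purchase records' }
        if ($serial -in $dupes)                    { $issues += 'duplicate serial' }
        try {
            if (-not $hash) { throw 'empty hash' }
            [void][Convert]::FromBase64String($hash)
        } catch { $issues += 'hardware hash missing or not valid Base64' }

        [pscustomobject]@{
            Serial = $serial
            Ok     = ($issues.Count -eq 0)
            Issues = $issues -join '; '
        }
    }
}

$sampleCsv = @'
Device Serial Number,Windows Product ID,Hardware Hash
SN-CONSTRUCTED-001,,Q09OU1RSVUNURUQtSEFTSC0wMDE=
SN-CONSTRUCTED-002,,not-base64!!
SN-UNKNOWN-999,,Q09OU1RSVUNURUQtSEFTSC0wMDI=
SN-CONSTRUCTED-001,,Q09OU1RSVUNURUQtSEFTSC0wMDE=
'@
$approved = 'SN-CONSTRUCTED-001', 'SN-CONSTRUCTED-002'
Test-AutopilotCsv -CsvText $sampleCsv -ApprovedSerials $approved | Format-Table -AutoSize
```

Import only rows where Ok is true; a serial that does not appear in purchase records should be traced to its source before the device is bound to the tenant.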
Step 2 — Create an Autopilot deployment profile
- In Intune, go to Devices → Windows → Windows enrollment → Deployment Profiles.
- Click Create profile → Windows PC.
- Name the profile (e.g., "Corporate Laptops — Azure AD Join").
- Set the deployment mode: User-driven (employee sets up their own device) or Self-deploying (kiosk or shared device, no user sign-in required).
- Set Join to Azure AD as: Azure AD Joined (cloud-only) or Hybrid Azure AD Joined (on-premises domain).
- Configure OOBE settings: hide privacy settings, skip EULA, hide account setup. These reduce the steps an employee sees during setup.
- Click Next, assign the profile to a device group, and save.
Step 3 — Configure the Enrollment Status Page
The Enrollment Status Page (ESP) shows app and policy installation progress during setup and blocks login until deployment completes.
- In Intune, go to Devices → Windows → Windows enrollment → Enrollment Status Page.
- Click the default profile or create a new one.
- Set Show app and profile installation progress to Yes.
- Set Block device use until all apps and profiles are installed to Yes for compliance-sensitive environments.
- Add your critical apps to the Block device use until these required apps are installed list (e.g., Microsoft Defender, VPN client, security agent).
- Assign the ESP profile to the same device group as the Autopilot profile.
Step 4 — Assign apps and configuration profiles
Apps and policies assigned to the device group deploy automatically during Autopilot. Assign these before the device is handed to the employee.
- Required apps — Microsoft 365 Apps, Defender, VPN client, endpoint security agent. Set assignment type to Required, not Available.
- Configuration profiles — BitLocker encryption, Windows Update rings, Wi-Fi/VPN profiles, and Defender settings.
- Compliance policies — minimum OS version, BitLocker required, antivirus required. Pair with Conditional Access to block non-compliant devices.
Step 5 — Test the deployment
- Use a test device registered with Autopilot but not yet set up.
- Power it on and connect to the internet (Ethernet recommended for first-time setup speed).
- Walk through the OOBE. It should skip most screens based on your profile settings.
- Sign in with a test user account. The ESP should appear and show app installation progress.
- After ESP completes, verify apps are installed, BitLocker is enabled, and compliance policies are applied in Intune.
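The device-side part of that verification can be scripted. The following is an added example, not part of the original guide: it checks the join state against the profile from Step 2, BitLocker protection on the OS volume, and Defender real-time protection. The function names and the -Hybrid switch are illustrative, and the dsregcmd excerpt is constructed; compliance state still has to be confirmed in Intune.

```powershell
# Added example, not part of the original guide. Run in an elevated
# PowerShell session on the test device after the ESP completes.
function Get-JoinState {
    # Parses "Name : VALUE" lines from dsregcmd /status output
    param([string[]]$DsregOutput = (dsregcmd.exe /status))
    $state = @{ AzureAdJoined = 'UNKNOWN'; DomainJoined = 'UNKNOWN' }
    foreach ($line in $DsregOutput) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined)\s*:\s*(\w+)') {
            $state[$Matches[1]] = $Matches[2].ToUpper()
        }
    }
    $state
}

function Test-AutopilotResult {
    # -Hybrid: the profile from Step 2 was set to Hybrid Azure AD Joined
    param([switch]$Hybrid, [string[]]$DsregOutput)
    $join = if ($DsregOutput) { Get-JoinState -DsregOutput $DsregOutput } else { Get-JoinState }
    $expectedDomain = if ($Hybrid) { 'YES' } else { 'NO' }
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $mp = Get-MpComputerStatus

    $checks = [ordered]@{
        'Azure AD joined'               = $join.AzureAdJoined -eq 'YES'
        'Domain join matches profile'   = $join.DomainJoined -eq $expectedDomain
        'BitLocker protection on'       = $bl.ProtectionStatus -eq 'On'
        'OS volume fully encrypted'     = $bl.VolumeStatus -eq 'FullyEncrypted'
        'Defender real-time protection' = [bool]$mp.RealTimeProtectionEnabled
    }
    $checks.GetEnumerator() | ForEach-Object {
        [pscustomobject]@{ Check = $_.Key; Passed = $_.Value }
    }
}

# Constructed dsregcmd excerpt to exercise the parser without a joined device
$sample = @'
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
'@ -split "`r?`n"
Get-JoinState -DsregOutput $sample

# On the deployed device:
Test-AutopilotResult | Format-Table -AutoSize
```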
Pre-provisioning mode (White Glove)
Pre-provisioning lets IT or an OEM complete the device-side setup before shipping to an employee. The employee only needs to sign in — setup is already done.
- Enable pre-provisioning in the Autopilot deployment profile.
- Boot the device and press the Windows key five times on the OOBE screen to enter the technician flow.
- The device installs all device-assigned apps and policies. This takes 20–40 minutes.
- After completion, reseal the device. The employee powers it on, signs in, and completes the user-specific ESP phase in under 10 minutes.
Frequently asked questions
Does Autopilot replace SCCM (Microsoft Endpoint Configuration Manager)?
Autopilot handles initial device provisioning. SCCM (now Microsoft Endpoint Configuration Manager) handles ongoing software deployment, patching, and inventory for on-premises-heavy environments. Many enterprises run both in co-management mode — Intune handles Autopilot and cloud policies; SCCM handles software deployment.
Can I use Autopilot with Hybrid Azure AD Join?
Yes. Hybrid Azure AD Join connects the device to both on-premises Active Directory and Azure AD. It requires a domain controller reachable during setup (via VPN or corporate network). Configure the Intune Connector for Active Directory on a domain-joined server before deploying.
How long does an Autopilot deployment take?
A standard user-driven Azure AD Join deployment with 3–5 required apps takes 20–40 minutes. Deployments with 20+ apps or large app packages (Office 365, Visual Studio) can take 60–90 minutes. Pre-provisioning shifts most of this wait to the technician phase.
What licenses do I need for Windows Autopilot?
Autopilot requires one of: Microsoft 365 Business Premium, Microsoft 365 E3/E5, or Windows 10/11 Enterprise E3/E5. Intune must be licensed for the devices. Azure AD Premium P1 is needed for Hybrid Azure AD Join and Conditional Access policies.
What happens if Autopilot deployment fails?
The device shows an error code on the ESP screen. In Intune, go to Monitor → Enrollment failures to see the specific failure reason. Common causes: device not registered, app installation timeout, network connectivity issues. Use the Reset and retry option in Intune to re-run deployment after fixing the root cause.
Deploy Autopilot at enterprise scale
EPC Group has deployed Windows Autopilot for enterprises with thousands of devices across healthcare, financial services, and government sectors. Call (888) 381-9725 or request a 30-minute discovery call.
Vertical Considerations: 2026 Notes for How To Set Up Microsoft Intune For Autopilot Deployment
EPC Group's 29-year Microsoft consulting heritage matters specifically because Microsoft platform decisions today are layered on top of 25 years of architectural choices: Active Directory schema decisions from 2005 affect Microsoft Entra ID Conditional Access policy design in 2026; SharePoint 2003 information architecture decisions affect Copilot grounding quality in 2026. The firms that can navigate that depth (fewer than a dozen Microsoft Solutions Partners in North America) have a structural advantage on enterprise Microsoft migrations.
Microsoft Solutions Partner status (six designations: Data and AI, Modern Work, Infrastructure, Security, Digital and App Innovation, Business Applications) replaced the legacy Microsoft Gold Partner program in 2022. EPC Group held Gold Partner status from 2003 to 2022 (the oldest continuous Gold Partner in North America) and currently holds all six Solutions Partner designations, a credentialing footprint shared by fewer than 50 firms globally and typically used by Microsoft field teams as a vetting gate for enterprise Customer 0 nominations and named-account engagements.
Decision factors EPC Group evaluates
- Cost optimization and licensing audit
- Microsoft platform capability assessment
- Vendor consolidation analysis
- Compliance and governance posture review
- Enterprise architecture roadmap
For a tailored read on this topic in your specific tenant, contact EPC Group at contact@epcgroup.net or +1 (888) 381-9725. Engagement options at /pricing.