How To Set Up Microsoft Intune For Autopilot Deployment

Windows Autopilot combined with Microsoft Intune delivers zero-touch device provisioning that eliminates the need for IT to physically touch, image, or configure new laptops and desktops. An employee can receive a new device, power it on, sign in with their corporate credentials, and have a fully configured workstation -- complete with all applications, policies, and security settings -- within 30 to 60 minutes without any IT intervention.

What Is Windows Autopilot?

Windows Autopilot is a collection of technologies within the Microsoft ecosystem that simplify the lifecycle of Windows devices from initial deployment through retirement. Unlike traditional imaging approaches where IT builds a custom Windows image, loads it onto a device, and then configures settings, Autopilot uses the factory-installed Windows installation and transforms it into a business-ready device through cloud-based policies delivered by Intune.

The key scenarios supported by Autopilot include:

• User-driven mode -- The employee unboxes the device, connects to the internet, enters their corporate email, authenticates, and Intune handles the rest. This is the most common scenario for knowledge workers.
• Self-deploying mode -- The device automatically provisions itself without any user interaction, ideal for kiosks, shared devices, and digital signage.
• Pre-provisioning (white glove) -- IT or a hardware partner pre-provisions the device in advance so the employee experiences an even faster setup. The device is partially configured before shipping.
• Autopilot Reset -- Repurpose an existing device by resetting it to a business-ready state without re-imaging, useful when reassigning devices between employees.

Prerequisites for Autopilot Deployment

Before configuring Autopilot, ensure the following prerequisites are met:

• Licensing -- Users need Microsoft 365 Business Premium, E3, E5, or Enterprise Mobility + Security E3/E5 licenses. Intune standalone licenses also work. Windows 10/11 Pro, Enterprise, or Education is required on the devices.
• Azure AD Premium -- Autopilot requires Azure AD (Entra ID) for device registration and automatic MDM enrollment. Azure AD Premium P1 or P2 is required for dynamic device groups and Conditional Access.
• Intune configured as MDM authority -- Intune must be set as the MDM authority in your tenant, with automatic enrollment configured for Azure AD-joined devices.
• Network requirements -- Devices need outbound HTTPS access to several Microsoft services during provisioning. Ensure your firewall allows traffic to login.microsoftonline.com, enrollment.manage.microsoft.com, and the other Autopilot-required endpoints documented by Microsoft.
• Hardware vendor support -- Your hardware vendor (Dell, HP, Lenovo, etc.) must register devices with the Autopilot service by uploading their hardware hashes. Most major OEMs offer this as part of their ordering process.

Step-by-Step Setup Guide

Follow these steps to configure Intune for Autopilot deployment:

• Step 1: Configure automatic MDM enrollment -- In Azure AD > Mobility (MDM and MAM), configure Microsoft Intune as the MDM application and set the MDM user scope to "All" or a specific Azure AD group.
• Step 2: Register device hardware hashes -- Obtain hardware hashes from your OEM vendor or extract them from existing devices using a PowerShell script. Import them into Intune under Devices > Windows Enrollment > Devices.
• Step 3: Create a device group -- Create a dynamic Azure AD device group using the ZTDID (Zero Touch Device ID) attribute that automatically includes all Autopilot-registered devices. Example query: (device.devicePhysicalIDs -any _ -contains "[ZTDId]").
• Step 4: Create an Autopilot deployment profile -- In Intune, navigate to Devices > Windows Enrollment > Deployment Profiles. Create a profile specifying: deployment mode (user-driven or self-deploying), Azure AD join type, OOBE settings (privacy, EULA, account type), and naming template.
• Step 5: Configure the Enrollment Status Page (ESP) -- The ESP shows provisioning progress to users during setup. Configure it to track app installations, policy applications, and certificate deployments. Set timeout values and determine whether to allow users to use the device before all apps are installed.
• Step 6: Assign configuration profiles -- Create and assign Intune configuration profiles for Wi-Fi, VPN, email, certificates, and security baselines to the Autopilot device group.
• Step 7: Assign applications -- Assign required applications to the Autopilot device group. Mark critical apps as "required" so they install during ESP, and make optional apps "available" for user self-service through the Company Portal.
• Step 8: Assign compliance policies -- Apply compliance policies to ensure devices meet security standards (BitLocker, Defender, OS version) before gaining access to corporate resources.
• Step 9: Test with a pilot device -- Before rolling out to the entire organization, test the complete Autopilot flow with a pilot device. Document the timing, any issues encountered, and the final device state.

Optimizing the Autopilot Experience

A smooth Autopilot experience requires careful optimization. These tips come from hundreds of enterprise deployments we have managed:

• Minimize ESP-tracked apps -- Only mark truly critical apps as "required" during ESP. Each additional required app extends the provisioning time. Aim for 5-10 ESP-tracked apps maximum, with the rest available through Company Portal after setup.
• Use Delivery Optimization -- Configure Delivery Optimization to enable peer-to-peer content sharing, reducing WAN bandwidth during mass deployments.
• Set realistic ESP timeouts -- The default 60-minute ESP timeout is often insufficient for environments with many required apps. Set the timeout to 90-120 minutes to prevent false failures.
• Pre-provision when possible -- For high-profile deployments (executives, new office openings), use pre-provisioning to complete the heavy lifting in advance so employees experience a 5-10 minute setup instead of 30-60 minutes.
• Name devices meaningfully -- Use the Autopilot naming template (e.g., EPC-%SERIAL%) to automatically assign meaningful device names that simplify inventory management and troubleshooting.

How EPC Group Can Help

With 29 years of enterprise Microsoft consulting, EPC Group specializes in Windows Autopilot deployments that deliver a seamless, zero-touch provisioning experience. Our services include:

• Autopilot architecture design -- We design the complete Autopilot deployment framework including device groups, profiles, ESP configuration, app assignments, and naming conventions.
• OEM coordination -- We work directly with Dell, HP, Lenovo, and other vendors to ensure hardware hashes are registered and devices ship Autopilot-ready.
• App packaging and testing -- We package Win32 applications using the Intune content prep tool, configure detection rules, and test deployment in the Autopilot workflow.
• Pre-provisioning setup -- We configure and test pre-provisioning workflows for organizations that want the fastest possible end-user experience.
• Pilot and production rollout -- We manage the entire rollout from pilot through production, monitoring success rates, troubleshooting failures, and optimizing the experience based on real-world data.

Frequently Asked Questions