1. Introduction to Windows Autopilot

Windows Autopilot is a modern provisioning solution that transforms how organisations deploy Windows devices. Whether you’re managing thousands of laptops across an enterprise or rolling out devices in a school environment, Autopilot offers a scalable, secure, and user-friendly approach.

This guide walks through everything you need to know, from setup to deployment, with real-world scenarios tailored for both enterprise IT and education environments.


2. What Is Windows Autopilot?

Windows Autopilot is a cloud-based service that automates the setup and configuration of new Windows devices. It integrates with Microsoft Intune and Microsoft Entra ID (formerly Azure AD) to deliver a zero-touch experience.

Real-World Scenarios

Education: A secondary school provisions 100 student laptops. Devices are grouped by year and assigned profiles with limited access and pre-installed learning apps.

Enterprise: A finance company orders 500 laptops. The OEM registers the devices, and users receive them pre-configured. No IT imaging required.


3. Why Use Windows Autopilot?

  • Zero-touch provisioning: Devices are ready to go out of the box.
  • Consistent configurations: Profiles ensure standardised setup across the organisation.
  • Reduced IT overhead: No need for imaging or manual setup.
  • Improved user experience: Users sign in and start working with no IT intervention required.

4. Prerequisites for Windows Autopilot

Licensing

  • Microsoft 365 E3/E5, or
  • Enterprise Mobility + Security (EMS) E3/E5, or
  • Microsoft Intune + Entra ID Premium P1

Intune Configuration

  • Intune must be set up and managing Windows devices.

Entra ID Join Configuration

  • Devices will be Entra ID joined during the Windows Autopilot process; they do not need to be joined beforehand.

Permissions

  • You need Intune Administrator or Global Administrator rights.

5. Capturing and Registering Devices in Windows Autopilot

Before diving into manual registration, it’s important to note that the first port of call should always be to work with your hardware vendor or reseller to have devices automatically added to Windows Autopilot. Most OEMs and authorised partners can register devices directly into your tenant using your Tenant ID, saving time and reducing errors.

However, if vendor registration isn’t possible (for example, with existing devices or during lab staging), you can use manual methods to capture and register the hardware hash.

What Is the Hardware Hash?

The hardware hash is a collection of device-specific information (e.g. TPM, CPU, BIOS) that uniquely identifies a Windows device. It’s required by Microsoft to register the device with the Windows Autopilot service.

Method 1 – CSV Export (Offline Registration)

This method is best suited for devices that are already on-site, being reimaged, or prepared in a lab environment where vendor registration isn’t possible.

Step-by-Step Instructions:

  • During OOBE, press Shift + F10 to open a command prompt.
  • Run the following commands:
Powershell
# -Scope Process keeps the bypass limited to this PowerShell session
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
Install-Script Get-WindowsAutoPilotInfo
Get-WindowsAutoPilotInfo.ps1 -OutputFile "C:\AutoPilotHWID.csv"

Output Location: The CSV file will be saved to C:\AutoPilotHWID.csv. If needed, you can change this path to a USB thumb drive, which can then be transferred to the ICT admin desktop.

  • Run the below to verify the CSV file has been created:
Set-Location -Path C:\
Get-ChildItem
  • To copy the CSV file to an external drive, run the below:
Copy-Item -Path "C:\AutoPilotHWID.csv" -Destination "E:\AutoPilotHWID.csv"

To confirm your USB drive letter, you can run:

Get-PSDrive

Upload the CSV to Intune:

  • Go to https://intune.microsoft.com
  • Navigate to: Devices > Windows > Enrollment > Devices
  • Click Import
  • Select and upload your .csv file
  • Once uploaded, the device will appear under Windows Autopilot Devices in Intune.

Method 2 – Online Registration (During OOBE or Staging)

This method registers the device directly to your tenant without needing a CSV file. It suits:

  • Devices being staged
  • Devices in OOBE
  • Remote registration

Step-by-Step Instructions:

  • During OOBE, press Shift + F10 to open a command prompt.
  • Run the following commands:
Powershell
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
Install-Script -Name Get-WindowsAutoPilotInfo
Get-WindowsAutoPilotInfo.ps1 -Online -GroupTag "Teacher Device"
  • When prompted, sign in using your Intune Administrator or Global Administrator credentials and complete any multi-factor authentication (MFA) steps required by your organisation.
  • The device will be registered directly in your tenant and appear under Windows enrollment > Devices.
  • Under Profile Status, wait until the status changes from ‘Pending’ to ‘Assigned’. Once assigned, restart the device to initiate the Out-of-Box Experience (OOBE) process using the command below:
Restart-Computer

6. Preparing Your Environment for Windows Autopilot

6.1 Dynamic Groups in Microsoft Entra ID for Windows Autopilot

Dynamic groups in Microsoft Entra ID are essential for automating Windows Autopilot deployments. They allow you to automatically assign deployment profiles to devices based on attributes like registration status or group tags.

Why Use Dynamic Groups with Windows Autopilot?

  • Automatically assign devices to the correct Windows Autopilot profile
  • Target devices by department, location, or user type
  • Reduce manual admin work and errors
  • Enable scalable deployments across enterprise and education

Create a ZTDId-Based Dynamic Group

This group captures all devices registered with Autopilot, using the Zero Touch Deployment ID.

Instructions:

  • Go to https://entra.microsoft.com
  • Navigate to: Groups > All groups > + New group
  • Configure the group:
    • Group type: Security
    • Group name: Autopilot Devices - ZTDId
    • Membership type: Dynamic Device
  • Click Add dynamic query
  • In the Rule syntax box, click Edit and paste:
(device.devicePhysicalIDs -any (_ -contains "[ZTDId]"))
  • Click Save, then Create.

Create a Group Tag-Based Dynamic Group

This group targets devices based on a Group Tag set during Windows Autopilot registration (e.g. via CSV or -Online method). You can set the Group Tag in two ways.

Option A – Additional Column on CSV Import

  • Open your Autopilot CSV file (e.g. AutoPilotHWID.csv).
  • Add a column named Group Tag.
  • Populate it with your desired tag, e.g. Teacher Device.

Option B – PowerShell – Online Registration During OOBE

If you’re registering the device during OOBE, add -GroupTag to the command:

Get-WindowsAutoPilotInfo.ps1 -Online -GroupTag "Teacher Device"

Create the Dynamic Group in Entra ID

  • Go to https://entra.microsoft.com
  • Navigate to Groups > All groups > + New group
  • Configure the group:
    • Group type: Security
    • Group name: Autopilot - Teacher Device
    • Membership type: Dynamic Device
  • Click Add dynamic query
  • In the Rule syntax box, paste:
(device.devicePhysicalIds -any _ -eq "[OrderID]:Teacher Device")
  • Click Validate rules to ensure syntax is correct.
  • Click Save, then Create.
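
A pre-upload check for the CSV from Method 1 and the Group Tag column from Option A, as an added example that is not part of the original guide: it confirms the expected columns, that each hardware hash is intact Base64, that no serial number repeats, and that every Group Tag is one a tag-based dynamic group rule matches. The function name Test-AutopilotCsv, the $AllowedTags list and the sample rows are assumptions constructed for illustration.

```powershell
# Added example, not from the original guide. $AllowedTags is an assumption:
# list the Group Tags that your Entra dynamic group rules match on.
function Test-AutopilotCsv {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$AllowedTags = @('Teacher Device')
    )
    $rows = @(Import-Csv -Path $Path)
    if ($rows.Count -eq 0) { throw "No device rows found in $Path" }

    $columns = $rows[0].PSObject.Properties.Name
    $missing = @('Device Serial Number', 'Windows Product ID', 'Hardware Hash' |
        Where-Object { $_ -notin $columns })
    if ($missing) { throw "Missing column(s): $($missing -join ', ')" }
    $seen = @{}
    foreach ($row in $rows) {
        $serial = $row.'Device Serial Number'
        $hash   = $row.'Hardware Hash'
        $issues = @()
        if ([string]::IsNullOrWhiteSpace($serial)) { $issues += 'empty serial number' }
        elseif ($seen.ContainsKey($serial)) { $issues += 'duplicate serial number' }
        else { $seen[$serial] = $true }
        # A truncated or hand-edited hash cell is no longer valid Base64.
        if ([string]::IsNullOrWhiteSpace($hash)) { $issues += 'empty hardware hash' }
        else {
            try { [void][Convert]::FromBase64String($hash) }
            catch { $issues += 'hardware hash is not valid Base64' }
        }
        # A tag that no rule matches (e.g. a missing space) leaves the device
        # outside the tag-based group, so it never receives that profile.
        if ('Group Tag' -in $columns -and $row.'Group Tag' -notin $AllowedTags) {
            $issues += "group tag '$($row.'Group Tag')' matches no tag-based group rule"
        }
        [pscustomobject]@{ Serial = $serial; Valid = ($issues.Count -eq 0); Issues = $issues -join '; ' }
    }
}

# Constructed sample rows (not real device data) written to a temporary file.
$sampleHash = [Convert]::ToBase64String([byte[]](1..96))
$samplePath = Join-Path ([IO.Path]::GetTempPath()) 'AutoPilotHWID-sample.csv'
@"
Device Serial Number,Windows Product ID,Hardware Hash,Group Tag
SN-0001,,$sampleHash,Teacher Device
SN-0002,,$sampleHash,TeacherDevice
SN-0003,,$($sampleHash.Substring(0, 41)),Teacher Device
SN-0001,,$sampleHash,Teacher Device
"@ | Set-Content -Path $samplePath
Test-AutopilotCsv -Path $samplePath | Format-Table -AutoSize
```

Run it on the admin desktop before clicking Import; any row reported with Valid = False should be re-captured or corrected first.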

6.2 Windows Autopilot Deployment Profiles in Intune

Windows Autopilot deployment profiles define how a Windows device behaves during the Out-of-Box Experience (OOBE). They control everything from how the device joins Entra ID to what screens are shown to the user.

Types of Deployment Profiles

  • User-Driven Mode
    • Purpose: Designed for devices assigned to individual users (e.g. staff or students).
    • Behaviour: User signs in during setup; device joins Entra ID and enrols in Intune.
    • Requirements: Internet access, user credentials, TPM recommended.
    • Limitations: Not suitable for shared or kiosk devices; requires user interaction.
  • Self-Deploying Mode
    • Purpose: Ideal for shared, kiosk, or lab devices with no user interaction.
    • Behaviour: Device auto-provisions and joins Entra ID without user input.
    • Requirements: TPM 2.0, Ethernet connection, automatic MDM enrolment.
    • Limitations: No Hybrid Join support; Wi-Fi not supported during setup.

How to Create a Deployment Profile in Intune

  • Go to https://intune.microsoft.com
  • Navigate to Devices > Windows > Enrollment > Deployment Profiles
  • Click + Create profile > Windows PC
  • Configure the profile:
    • Basics
      • Give the Deployment Profile a name e.g. Autopilot Teacher Device
    • Out-of-box-experience (OOBE)
      • These settings are dependent on your own requirements, but the below is a good starting point
    • Assignment
      • Assign to the required group e.g. Autopilot Devices – ZTDId or Autopilot – Teacher Device
[Screenshot: Out-of-Box Experience (OOBE) settings for the deployment profile in Intune, including user-driven mode, Microsoft Entra join, privacy options, and device name template.]
[Screenshot: deployment profile assignment in Intune, with the device group Autopilot Devices - ZTDId included and options for adding or excluding groups.]
  • Click Create

6.3 Understanding the Enrollment Status Page (ESP) in Windows Autopilot

The Enrollment Status Page (ESP) is a feature in Microsoft Intune that controls what happens during the device setup phase of Autopilot. It ensures that critical apps, policies, and configurations are applied before the user reaches the desktop.

What Is ESP?

ESP is a full-screen experience shown during Autopilot provisioning. It tracks and enforces:

  • Device setup: Ensures required apps and policies are installed
  • User setup: Applies user-targeted configurations
  • Compliance checks: Blocks access until the device meets security requirements

Why Use ESP?

  • Prevents users from accessing a device before it’s fully configured
  • Reduces helpdesk calls due to missing apps or broken policies
  • Ensures compliance and security from the first login
  • Ideal for education (students get a ready-to-use device) and enterprise (staff devices meet corporate standards)

Real-World Example

  • In a school, ESP ensures that Microsoft Teams, OneNote, and Safe Exam Browser are installed before students can use the device.
  • In a business, ESP ensures that BitLocker, Defender, and VPN policies are applied before staff can access sensitive data.

How to Create and Configure ESP in Intune

  • Go to https://intune.microsoft.com
  • Navigate to: Devices > Windows > Enrollment > Enrollment Status Page
  • Click + Create
  • Configure the ESP:
    • Basics
      • Provide a name, e.g. Staff Device ESP or Student Device ESP
    • Settings
      • Use the settings shown below (use the option to block device use until required apps are installed wisely, to prevent Autopilot from timing out)
    • Assignment
      • Assign to device group
[Screenshot: Enrollment Status Page (ESP) settings in Intune, showing options for app installation progress, error handling, blocking device use, and custom message.]

7. Best Practices for Windows Autopilot Deployment

When deploying Windows devices with Autopilot, following best practices can significantly improve reliability, reduce support calls, and ensure a smooth experience for both IT staff and end users. Here are some key recommendations, explained in detail:

7.1 – Minimise Required Applications to Speed Up Setup

The more applications you require during the Windows Autopilot provisioning process, the longer it will take for devices to be ready for use. Each additional app increases the risk of delays or failures, especially if there are network issues or installation problems. To streamline deployment:

  • Only include essential applications in the required apps list for Autopilot.
  • Consider deploying non-critical apps after the initial setup, once the device is in the user’s hands.
  • Regularly review and update your required apps list to remove any that are no longer necessary.

This approach ensures that users can start working sooner and reduces the likelihood of timeouts or failed deployments.

7.2 – Use Win32 Apps with Retry Logic for Reliability

Win32 applications in Intune support advanced deployment options, including retry logic. This means that if an app fails to install on the first attempt (perhaps due to a temporary network issue), Intune will automatically try again. To take advantage of this:

  • Package your critical applications as Win32 apps using the Microsoft Win32 Content Prep Tool (see “Win32 Apps Simplified: The Ultimate Intune Deployment Guide”).
  • Configure retry settings to allow multiple installation attempts.
  • Test your app deployments in a controlled environment to ensure they behave as expected.

7.3 – Monitor ESP Performance with Intune Reporting and Endpoint Analytics

The Enrollment Status Page (ESP) is a powerful tool, but issues can arise if required apps or policies fail to apply. Proactive monitoring allows you to spot and resolve problems before they affect users. To do this:

  • Use Intune’s built-in reporting features to track ESP progress and identify devices that are stuck or have failed to complete setup.
  • Leverage Endpoint Analytics to gain insights into device health, setup times, and common issues across your fleet.
  • Set up alerts or dashboards to notify IT staff of repeated failures or trends that may indicate a wider problem.

Regular monitoring not only helps you troubleshoot individual devices but also enables you to refine your deployment process over time.

7.4 – Test and Iterate Your Deployment Process

Before rolling out Autopilot at scale, always test your configuration with a small group of devices and users. This allows you to:

  • Identify and resolve issues with profiles, apps, or policies in a controlled setting.
  • Gather feedback from users about their experience.
  • Make adjustments to your process based on real-world results.

Iterative testing ensures that your deployment is robust and reduces the risk of widespread problems during a large rollout.

7.5 – Document and Communicate

Clear documentation and communication are essential for successful deployments. Make sure to:

  • Document your Autopilot process, including prerequisites, steps, and troubleshooting tips.
  • Share this information with IT colleagues and end users as appropriate.
  • Provide guidance on what users should expect during device setup and who to contact if they encounter issues.

Well-informed users and IT staff are better equipped to handle minor issues and less likely to escalate problems unnecessarily.


8. Final Thoughts

Deploying Windows devices at scale doesn’t have to be a daunting task. With Windows Autopilot, organisations of all sizes can streamline device provisioning, reduce manual effort, and deliver a consistent, secure experience for users from day one. By following the best practices outlined in this guide (minimising required apps, leveraging retry logic, and actively monitoring deployments), you’ll set your IT team and end users up for success.

Remember, every environment is unique. Take the time to test your Autopilot process, gather feedback, and refine your approach to suit your organisation’s needs. Stay up to date with the latest features in Intune and Autopilot, and don’t hesitate to reach out to the community or Microsoft support if you encounter challenges.

With the right preparation and a thoughtful deployment strategy, Autopilot can transform the way you manage Windows devices, freeing up valuable IT resources and empowering users to get started quickly and securely.
