IT Professional deploying a a computer for remote employee using Windows Autopilot

Windows Autopilot is a relatively new feature of Microsoft Intune. Microsoft Intune, part of Microsoft Endpoint Manager, is a cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM). Windows Autopilot is a collection of technologies used to set up and pre-configure new devices to get them ready for productive use. In other words, it allows your organization to take a device that is fresh out of the box (straight from OEM), and send that device to your user/employee for immediate use.

Utilizing this feature allows end users to enter their Office 365 credentials during the initial setup of Windows—with all of their configurations, settings, applications, security enforcement, etc.—and have everything downloaded to that device and set up on their desk remotely. In doing so, computers don’t have to go to your IT department first to apply an image, install anti-virus, etc., before being re-packaged and sent to the user/employee.

Traditionally, IT professionals spend significant time building and customizing images that will later be deployed to devices, but Windows Autopilot introduces a new approach. From the user’s perspective, it only takes a few simple steps to get their device ready to use. And from the IT pro’s perspective, the only interaction required from the end user is to connect to a network and verify their credentials. Everything beyond that is automated.

This scenario is especially ideal for remote workers, where new systems can be sent directly from the distributor (or wherever you are getting it from) to the end user, where a corporate image—including applications and security settings—can be pushed from the cloud with little to no involvement from the end user except logging in. Microsoft Windows Autopilot is flexible, so you can choose a deployment scenario that suits your business. For example, a user-driven Autopilot deployment is, well, driven by employees—wherever they are. All you need is Microsoft Intune, Windows 10 Pro devices, and Azure AD to get started.

Windows Autopilot enables you to:

  • Automatically join devices to Azure Active Directory (Azure AD) or Active Directory (via Hybrid Azure AD Join)
  • Auto-enroll devices into MDM services, such as Microsoft Intune (Requires an Azure AD Premium subscription for configuration).
  • Restrict the administrator account creation.
  • Create and auto-assign devices to configuration groups based on a device’s profile.
  • Customize OOBE content specific to the organization.

Existing devices can also be quickly prepared for new users by utilizing Windows Autopilot Reset. The Reset capability is also useful in break/fix scenarios to quickly bring a device back to a business-ready state.

Microsoft Windows Autopilot Overview and Video

Click on the video below to learn more about Windows Autopilot:

You can also use Windows Autopilot to reset, repurpose, and recover devices. This solution enables an IT department to achieve the above with little to no infrastructure to manage, with a process that’s easy and simple. Windows Autopilot simplifies the Windows device lifecycle, for both IT and end users, from initial deployment to end of life. Using cloud-based services, Windows Autopilot:

  • Reduces the time IT spends deploying, managing, and retiring devices.
  • Reduces the infrastructure required to maintain devices.
  • Maximizes ease of use for all types of end users.

Need help with Microsoft Intune? Contact the Microsoft security experts at MessageOps to get started

Windows Autopilot Process

When initially deploying new devices, Windows Autopilot uses the OEM-optimized version of Windows 10. This version is preinstalled on the device, so you don’t have to maintain custom images and drivers for every device model. Instead of re-imaging the device, your existing Windows 10 installation can be transformed into a “business-ready” state that can:

  • Apply settings and policies
  • Install apps
  • Change the edition of Windows 10 being used (for example, from Windows 10 Pro to Windows 10 Enterprise) to support advanced features

Once deployed, you can manage Windows 10 devices with:

  • Microsoft Intune
  • Windows Update for Business
  • Microsoft Endpoint Configuration Manager
  • Other similar tools

How to create an Autopilot device group using Intune

  1. In the Microsoft Endpoint Manager admin center, select GroupsNew group.
  2. In New Group, configure the following properties:
    • Group type: Select Security.
    • Group name and Group description: Enter a name and description for your group.
    • Azure AD roles can be assigned to the group (Preview)Yesallows Azure AD roles to be assigned to the group you’re creating. Once set, the group is permanently and always allowed to be assigned Azure AD roles. When set to No, Azure AD roles aren’t assigned to the this group.

For more information, see Use cloud groups to manage role assignments in Azure AD.

  • Membership type: Choose how devices become members of this group. Select AssignedDynamic user, or Dynamic Device. For more information, see Add groups to organize users and devices.
  • Owners: Select users that own the group. Owners can also delete this group.
  • Members: Select Autopilot devices that belong to this group. Autopilot devices that aren’t enrolled show the serial number for the device name.
  • Dynamic device members: Select Add dynamic queryAdd expression.

Create rules using Autopilot device attributes. Autopilot devices that meet these rules are automatically added to the group. Creating an expression using non-autopilot attributes doesn’t guarantee that devices included in the group are registered to Autopilot.

When creating expressions:

  • To create a group that includes all of your Autopilot devices, enter: (device.devicePhysicalIDs -any (_ -contains “[ZTDId]”)).
  • Intune’s group tag field maps to the OrderIDattribute on Azure AD devices. To create a group that includes all Autopilot devices with a specific group tag (the Azure AD device OrderID), enter: (device.devicePhysicalIds -any (_ -eq “[OrderID]:179887111881”)).
  • To create a group that includes all your Autopilot devices with a specific Purchase Order ID, enter: (device.devicePhysicalIds -any (_ -eq “[PurchaseOrderId]:76222342342”))

Save your expressions.

  1. Select Create.

For further information on assigning users to specific Autopilot devices, visit:

Need Assistance with Intune and Autopilot? Engage MessageOps!

MessageOps can support you with Microsoft Intune, Windows Autopilot and all of your Microsoft cloud business requirements. Click on the following link to get started:, call us at 877-788-1617, or email us at [email protected] for assistance with any of the following services:

  • Cloud Migration
  • Microsoft Cloud Collaboration (Teams, SharePoint) Consulting, Training, Design, Deployment and Management
  • Microsoft Cloud Governance
  • On premise and Azure Active Directory
  • Enterprise Mobility + Security / Intune
  • Microsoft Endpoint Manager / SCCM
  • Advance Threat Protection
  • Windows Hello
  • Autopilot
  • Microsoft Security Assessment
Was this article helpful?