Woman provisioning Windows 10 deployment using Windows AutopilotSince its announcement, Windows Autopilot has continued to evolve and grow as the preferred method of Modern Windows 10 deployment. Leveraging Windows Autopilot and Intune (part of Microsoft Endpoint Manager or MEM), IT admins no longer must rely on the old method of imaging laptops/desktops before repackaging them to be delivered to end users. Using Windows Autopilot, IT admins can build the device enrollment profiles in Autopilot and have the device sent from the OEM directly to the end user. The end user then boots up the machine in the Out of Box Experience (OOBE), provides their credentials and Autopilot takes care of the rest.

Microsoft’s Goal: Simplifying the Windows Device Lifecycle

A goal of Microsoft is to make the deployment of a Windows 10 machine as simple as getting a new phone from your mobile carrier. This method allows the end user to perform the OOBE configuration and provision the device with minimal interaction, all while maintaining control and security of the device for the business.

Windows Autopilot:

  • Reduces the time IT spends on deploying, managing, and retiring devices
  • Reduces the infrastructure required to maintain the devices
  • Maximizes ease of use for all types of end users

How it works

Windows Autopilot transforms the traditional procedures of IT unboxing, imaging, repackaging, and shipping Windows machines into a three-step structure using Autopilot.

First, the device is registered with your tenant’s Autopilot service. This happens either to existing devices (PowerShell or harvest), or devices registered to you by the OEM/Vendor.

Next, with the device showing in your tenant, it can be assigned the proper Autopilot deployment profile.

Finally, the device is booted up for the first time and connected to a network during the OOBE. It then receives the Autopilot configuration and begins provisioning the device to your organization’s specifications.

NOTE: For a list of participating device OEM and resellers, see the link below.

Preconfigured Windows Devices—Microsoft 365


End user experience

When an end user receives the machine, they simply unbox it and power it on.

During the OOBE, Windows will ask the user to connect to a Wi-Fi network if the device is not already on a wired network connection.

The device will then check in with the Microsoft Autopilot service and recognize the device is registered to your tenant. The user will then see a welcome screen for your organization and be prompted to provide their organization credentials.

After successfully authenticating, the user will see a notice that the device is being prepared for use, followed by the Windows desktop. In the background, Autopilot has provisioned the machine and Intune (MEM) has begun deploying apps and configurations specified by the IT admin.


The device is now secured, managed and ready for business use.

Autopilot and Hybrid Azure AD Join devices

In Q1 of 2020, Autopilot got even better with the added support for deploying Hybrid AD Joined devices to users outside of the corporate network. With the COVID-19 pandemic forcing many businesses to adopt a work from home model, this feature came just in time for IT organizations.

NOTE: Previously, the Autopilot Windows 10 client needed the ablity to ping a local DC as part of the deployment phase for Hybrid Azure AD Join.

As of Q1 of 2020, Microsoft added support for VPN connectivity, removing the need for Ping to DC. This allows a VPN connection to be established during the Autopilot phase.

NOTE: Admins will need to pre-package VPN client configurations as an application for devices pushed via Intune, and must allow pre-login auth, or a VPN client that supports an always-on configuration.

Example: Cisco AnyConnect with Start Before Logon (SBL)

After connecting to the VPN and logging in for the first time, the device has visibility to the on-prem Domain Controller(s) and can complete the ODJ for the Hybrid AD Join, as well as receive any legacy on-premise configurations (scripts, GPO, etc.)


supported version of the Windows 10 semi-annual channel is required to use Windows Autopilot. Windows 10 Enterprise LTSC 2019 is also supported. For more information, see Windows Autopilot softwarenetworkingconfiguration and licensing requirements. 


Autopilot enables IT admins to save a significant amount of time traditionally spent on building and customizing Windows images. Now IT pros can simply order a new device, have it shipped directly to the end user (office or home), and the device is provisioned and ready for use—all while maintaining security and control over the device. This new method of deployment also gives IT admins the ability to reset devices remotely in the event of break/fix scenarios or just for just to get the device ready for the next user.

For more information about Windows Autopilot, visit: https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot 

Was this article helpful?