Windows Autopilot is Microsoft’s zero-touch device provisioning tool. It enables organizations to preconfigure devices before delivery to end users. Autopilot automates device registration, Intune enrollment, and the configuration of apps, policies, and security baselines.
Autopilot is essential for streamlining remote or distributed workforce deployment, enforcing security and compliance from first boot, and eliminating traditional imaging and manual setup.
How to prepare and provision with Windows Autopilot
Preparing and provisioning Microsoft Autopilot involves a series of steps, starting with the hardware hash collection needed for registration.
📌 Use Case: IT administrators and individual users looking to prepare and provision Microsoft Autopilot
📌 Prerequisites:
- Azure Active Directory (AAD) tenant with Microsoft Intune licenses
- Windows 10/11 Pro, Enterprise, or Education editions
- Devices with OEM-provided or captured hardware hashes
- Admin access to Microsoft Endpoint Manager Admin Center
📌 Recommended deployment strategies:
Part 1: Collecting hardware hash for registration
You need to get the Hardware ID manually for existing devices before provisioning.
📌 Prerequisite: Administrator privileges for PowerShell.
- Press Win, type PowerShell, then click Run as administrator.
- Copy and paste the following script into the prompt, then press Enter:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory -Path "C:\HWID"
Set-Location -Path "C:\HWID"
$env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
Install-Script -Name Get-WindowsAutopilotInfo
Get-WindowsAutopilotInfo -OutputFile AutopilotHWID.csv
- Open Intune and go to Devices > Windows > Windows enrollment > Devices.
- Click Import and upload the CSV file.
- Devices will appear as pending until registered with a profile.
💡 Tip: You can find the CSV file in C:\HWID with the filename AutopilotHWID.csv.
⚠️ Warning: Copy and paste the correct script for proper registration. (For more information, refer to: Things to look out for)
Part 2: Creating and assigning deployment profiles
After collecting the hardware ID, you can create and assign Autopilot deployment profiles.
Creating deployment profiles
To create an Autopilot deployment profile, follow the steps below:
- Sign in to the Microsoft Intune admin center.
- Select Devices > Windows > Enrollment > Deployment Profiles.
- Press the Create Profile drop-down menu and select Windows PC.
- Enter a profile name and description, then select Next.
- On the Out-of-box experience (OOBE) page, for Deployment mode, select User-driven.
- In the Join to Microsoft Entra ID as box, select Microsoft Entra joined.
- Configure the following options:
- Microsoft Software License Terms: Specify whether to show users the EULA (End-User License Agreement).
- Privacy settings: Option to show privacy settings to users or not.
- Hide change account options: Select Hide to prevent change account options from displaying on the company sign-in and domain error pages.
- User account type: Select the user’s account type (Administrator or Standard user).
- Allow pre-provisioned deployment: Selecting Yes allows pre-provisioning support.
- Language (Region): Select the language for the device.
- Automatically configure keyboard: Select Yes to skip the keyboard selection page if a language is selected.
- Apply device name template (requires Microsoft Entra join type): Select Yes to apply a naming template during device enrollment.
- Press Next, then select Selected groups on the Assign to drop-down menu.
- Click Select groups to include, then add the groups to include in the profile.
- Press Next, then click Create to make the profile.
Assigning deployment profiles
Windows Autopilot deployment profiles are assigned to devices via Intune. However, the assignment is not immediate. Several systems and conditions need to align for the process to complete.
To avoid failed or partial provisioning, confirm that the device has an assigned deployment profile:
- Sign in to the Microsoft Intune admin center.
- Navigate to:
- Devices > Windows > Windows enrollment > Devices
- Locate the device to which you assigned a profile.
- Monitor the Profile Status column. It should progress through these states:
- Unassigned → Assigning → Assigned
- Once the status is Assigned, click the device name to open its properties.
- Ensure the Date assigned field is populated.
- If it’s blank, wait for it to populate before deploying or resetting the device.
⚠️ Warning: Profile should be fully assigned before provisioning to ensure the device provisions properly. (For more information, refer to: Things to look out for)
Part 3: Provisioning with Windows Autopilot
After registering a device and assigning a profile, you can begin provisioning with Autopilot.
- Connect the device to the internet before turning it on.
- Press the Windows key five times on the Microsoft Entra sign-in page to open the “What do you want to do?” menu.
- Windows 10:
- Choose “Windows Autopilot provisioning”, then click Continue.
- Windows 11:
- Choose “Pre-provision with Windows Autopilot”, then click Next.
- You should now see a screen showing:
- Organization name
- Autopilot deployment profile name
- QR code
- Click Provision (Windows 10) or Next (Windows 11) to start.
- The Enrollment Status Page (ESP) will appear after the reboot. It will go through:
- Device preparation (Device ESP)
- Device setup (Device ESP)
- Account setup (User ESP)
- Each phase installs policies, apps, and configurations defined in the Autopilot profile and Intune.
- Once setup is complete, you’ll see a summary/status screen:
- Success: Click Reseal to shut down the device and return it to the end user’s OOBE mode.
- Failure: Follow troubleshooting guidance based on the error displayed.
⚠️ Warning: The device can’t download the Windows Autopilot profile without network connectivity. (For more information, refer to: Things to look out for)
Part 4: Verifying and tweaking the registry
You can verify Autopilot’s profile and enrollment status in the registry.
- Press Win + R, type regedit, then press Enter.
- Navigate to:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\Diagnostics\AutoPilot
- Check the following values:
- CloudAssignedAadServerData and CloudAssignedTenantDomain: These values are blank if the device isn’t registered with Autopilot.
- IsAutoPilotEnabled: If set to 1, this value indicates the device is registered with Windows Autopilot.
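The same check can be scripted, which also makes it possible to confirm that the device is registered to the tenant you expect and not just to some tenant. This is an added example, not part of the original guide; the function name and the -ExpectedTenantDomain parameter are hypothetical, and contoso.onmicrosoft.com is a placeholder.

```powershell
# Added example: read the Autopilot diagnostics key described above.
# Get-AutopilotRegistryState and -ExpectedTenantDomain are hypothetical names.
function Get-AutopilotRegistryState {
    param(
        # Tenant domain this device is supposed to belong to (optional).
        [string]$ExpectedTenantDomain
    )

    $key    = 'HKLM:\SOFTWARE\Microsoft\Provisioning\Diagnostics\AutoPilot'
    $values = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # A missing key or value reads as $null and is treated like a blank value.
    $tenant  = [string]$values.CloudAssignedTenantDomain
    $aadData = [string]$values.CloudAssignedAadServerData
    $enabled = ($values.IsAutoPilotEnabled -eq 1)

    # Only compare tenants when the caller supplied an expected value.
    $tenantOk = if ($ExpectedTenantDomain) { $tenant -eq $ExpectedTenantDomain } else { $null }

    [pscustomobject]@{
        KeyPresent        = [bool]$values
        IsAutoPilotEnabled = $enabled
        TenantDomain      = $tenant
        HasAadServerData  = [bool]$aadData
        Registered        = [bool]($enabled -and $tenant -and $aadData)
        TenantMatches     = $tenantOk
    }
}

# Placeholder tenant domain; replace with your own.
Get-AutopilotRegistryState -ExpectedTenantDomain 'contoso.onmicrosoft.com'
```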
Troubleshooting and resetting with the Registry Editor
Once you’ve set up your profile, you can use the Registry Editor to troubleshoot or reset Autopilot behavior.
📌 Use Case: IT administrators and individual users who want to troubleshoot or reset Autopilot behavior
- Press Win + R, type regedit, then press Enter.
- Copy and paste the following:
- Force re-run out-of-box experience (if device is already provisioned):
sysprep /oobe /reboot
- Wipe device and retain Autopilot registration:
systemreset -factoryreset
- Reset and force Autopilot reprovisioning by using Intune:
- Navigate to Devices, select the device, then choose Fresh Start or Autopilot Reset
PowerShell automation and validation
You can use PowerShell to automate and validate Autopilot scenarios such as re-registering a device, checking the assigned Autopilot profile, wiping and redeploying a device, or manually initiating device preparation.
📌 Use Case: IT administrators and individual users who want to automate and validate Autopilot scenarios
📌 Prerequisites: WindowsAutopilotIntune module and administrator privileges
- Press Win, type PowerShell, then right-click and select Run as administrator.
- Download the WindowsAutopilotIntune module by copying and pasting the following script, then hitting Enter:
- Install-Module -Name WindowsAutoPilotIntune -RequiredVersion 5.6
- Copy-paste the following scripts into the prompt, then press Enter:
- Re-register device with existing profile:
Get-WindowsAutopilotInfo.ps1 -Online
- Check assigned Autopilot profile:
Get-AutopilotProfileAssignedStatus
- Wipe and redeploy:
Invoke-AutopilotReset
- Manually initiate device preparation:
Initialize-AutopilotDevice
Hybrid joining and enrollment syncing using GPO
Group Policy enables automatic MDM enrollment for domain-joined devices during Hybrid Azure AD Join with Autopilot.
📌 Use Case: Organizations that want their devices to be domain-joined, registered with Azure AD, and automatically enrolled in Intune during Autopilot provisioning.
- Press Win + R, type gpmc.msc, then press Enter to open the Group Policy Management Console.
- You can create a new GPO by right-clicking the domain or organizational unit (OU) and selecting “Create a GPO in this domain, and Link it here…”
- Name it MDM Auto Enrollment.
- Right-click the new GPO, then click Edit.
- Navigate to the following path:
- Computer Configuration > Administrative Templates > Windows Components > MDM
- Double-click Enable automatic MDM enrollment using default Azure AD credentials, then set it to Enabled.
💡 Additional notes:
- Ensure devices are domain-joined and that the Service Connection Point is configured.
- Use Azure AD Connect to sync devices into AAD.
- Devices receive the Autopilot profile after they reboot and connect to Microsoft servers.
⚠️ Things to look out for
| Risks | Potential Consequences | Reversals |
| Incorrect script syntax | The device may not register or show up in Intune or AAD. | Check the PowerShell output for any error messages. If there are any, re-check the script for syntax errors before rerunning it. |
| Profile not fully assigned before provisioning starts | The device may not provision correctly or could skip Autopilot OOBE. | Wait until the profile is assigned and use Intune to confirm that the Date assigned field is populated. |
| No network connectivity during provisioning | The device may not download the Windows Autopilot profile. | Plug the device into a network or connect to the Wi-Fi on the “Let’s connect you to a network” screen. |
Troubleshooting Windows Autopilot preparation and provisioning issues
Below are typical preparation and provisioning issues and how to fix them:
Device doesn’t show Autopilot profile
A device incorrectly registered with the organization’s Microsoft 365 tenant may not display an Autopilot profile. You can remedy this by re-running the PowerShell script to regenerate and re-upload the CSV. You can also validate that the device shows up by going to Azure Active Directory > Devices in the Azure AD portal.
Intune enrollment fails during ESP
If Intune enrollment fails during ESP, it’s likely due to license assignment or network and connectivity issues. Ensure the end-user has a Microsoft Intune license and an Azure AD Premium P1 or P2 license.
💡 Tip: You can validate license status by visiting Microsoft 365 Admin Center > Users > Active Users.
Hybrid join delays
The main reason for hybrid join delays is SCP (Service Connection Point) misconfiguration.
- Check join status by opening Command Prompt as admin and running:
dsregcmd /status
- Confirm the following:
- AzureAdJoined = YES
- DomainJoined = YES
- TenantName matches your organization
💡 Tip: You can check the following log files for a deeper dive into the issue:
- C:\Windows\Panther\UnattendGC\setupact.log
- C:\Windows\Provisioning\AutopilotDiagnostics
- Event Viewer > Applications and Services Logs > Microsoft > Windows > Provisioning-Diagnostics-Provider
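The three dsregcmd checks above can be automated by parsing the "Name : Value" lines of the command's output. This is an added example, not part of the original guide; both function names are hypothetical, and the sample output and the tenant name Contoso are constructed for illustration.

```powershell
# Added example: parse dsregcmd /status output and test the three fields listed above.
# ConvertFrom-DsregStatus and Test-HybridJoinState are hypothetical helper names.
function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Field lines look like "   AzureAdJoined : YES"; banner lines do not match.
        if ($line -match '^\s*(\w+)\s*:\s*(.*?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    return $state
}

function Test-HybridJoinState {
    param([hashtable]$State, [string]$ExpectedTenantName)

    $checks = [ordered]@{
        AzureAdJoined = ($State['AzureAdJoined'] -eq 'YES')
        DomainJoined  = ($State['DomainJoined'] -eq 'YES')
        TenantName    = ($State['TenantName'] -eq $ExpectedTenantName)
    }
    [pscustomobject]@{
        Healthy = -not ($checks.Values -contains $false)
        Failed  = @($checks.Keys | Where-Object { -not $checks[$_] })
    }
}

# Constructed sample output: a device that is Azure AD joined but not domain joined.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
              DomainJoined : NO
                TenantName : Contoso
'@ -split '\r?\n'

Test-HybridJoinState -State (ConvertFrom-DsregStatus $sample) -ExpectedTenantName 'Contoso'

# On a live device, feed the real command output instead:
# Test-HybridJoinState -State (ConvertFrom-DsregStatus (dsregcmd /status)) -ExpectedTenantName 'Contoso'
```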
NinjaOne services to complement Windows Autopilot
NinjaOne enhances provisioning and onboarding with robust monitoring, automation, and visibility tools.
| NinjaOne service | Description | How it complements Autopilot |
| Monitoring enrollment health | Real-time tracking of the provisioning process during Windows Autopilot setup. | |
| Custom scripting | Custom scripting executes PowerShell scripts or registry-based modifications to configure Autopilot profiles or devices. | |
| Device inventory insights | Gathers, classifies, and analyzes endpoint data to understand how devices are provisioned, configured, and managed. | |
| Automated compliance checks | Detect mismatched profiles or failed Intune/MDM enrollment. | |
| Reporting | Correlate Autopilot provisioning status with endpoint health and patch state. | |
Streamline deployment with Windows Autopilot
Windows Autopilot streamlines zero-touch device provisioning, while NinjaOne enhances the process with advanced monitoring, automation, and compliance tools. Autopilot and NinjaOne enable secure, scalable, and efficient device onboarding, making them ideal for IT teams managing remote or hybrid environments.
Quick-Start Guide
NinjaOne does support Windows Autopilot device preparation and provisioning. Specifically:
- NinjaOne provides Intune deployment instructions for Windows Autopilot, with an important note about app installation:
- Per Microsoft documentation, you can mix Win32 and line-of-business apps during Windows Autopilot device preparation
- It’s recommended to deploy the NinjaOne agent as a Line of Business (LOB) application in Intune
- The documentation provides a detailed guide for installing the NinjaOne agent via Intune during Windows Autopilot enrollment, including:
- Preparing the MSI file
- Adding the NinjaOne agent as a Line of Business application
- Configuring app information
- Assigning the application to devices or users
So yes, NinjaOne can help with preparing and provisioning devices using Windows Autopilot, offering a streamlined approach to device management and enrollment.
