Prerequisites
Before touching Autopilot, verify these are in place. Missing any one of them causes silent failures during enrollment.
- Azure AD Premium P1 or P2 (or Microsoft 365 Business Premium) — required for automatic MDM enrollment
- Intune license assigned to all users who will enroll
- MDM auto-enrollment configured: Azure AD → Mobility (MDM and MAM) → Microsoft Intune → set MDM user scope to All or a group
- Network access: devices must reach *.microsoftonline.com, *.manage.microsoft.com, *.windows.net, and Windows Update on first boot — without proxy authentication
Register Devices
Devices must be registered in Autopilot before they're deployed. Three ways to register:
Method A — OEM direct registration
When ordering from Dell, HP, Lenovo, or Microsoft directly, request Autopilot registration at time of purchase. Devices arrive pre-registered. Best option for new fleets.
Method B — CSV upload (existing hardware)
    # On the device — collect hardware hash
    Install-Script Get-WindowsAutoPilotInfo
    Get-WindowsAutoPilotInfo -OutputFile C:\autopilot.csv

    # Import the CSV in Intune:
    # Devices -> Windows -> Windows enrollment -> Devices -> Import
Method C — PowerShell bulk import
    Install-Module WindowsAutopilotIntune -Force
    Connect-MgGraph -Scopes "DeviceManagementServiceConfig.ReadWrite.All"
    Import-AutopilotCSV -csvFile "C:\autopilot.csv"
Create the Autopilot Profile
In Intune: Devices → Windows → Windows enrollment → Deployment profiles → Create profile → Windows PC
Key settings to configure:
- Deployment mode: User-driven (standard users) or Self-deploying (shared/kiosk)
- Join to Azure AD as: Azure AD joined (cloud-only) or Hybrid Azure AD joined (requires on-prem AD and Intune Connector)
- Apply device name template: e.g., CORP-%RAND:5% for consistent naming
- Convert all targeted devices to Autopilot: Yes — registers devices not yet in Autopilot when they enroll
Configure the Enrollment Status Page
The ESP keeps users on the setup screen until apps and policies are fully applied. Without it, users can log in before Intune finishes — causing app delivery issues.
In Intune: Devices → Windows → Windows enrollment → Enrollment Status Page → Default
- Show app and profile configuration progress: Yes
- Block device use until all apps and profiles are installed: Yes
- Allow users to reset device if installation error occurs: Yes
- Error timeout: 60 minutes (increase to 120 for large app sets)
Assign the Profile to a Group
Create a dynamic device group for all Autopilot-registered devices:
    # Dynamic group rule — targets all Autopilot-registered devices
    (device.devicePhysicalIds -any _ -contains "[ZTDId]")
In Azure AD: Groups → New Group → Dynamic Device → paste the rule above. Then assign the Autopilot profile and ESP to this group. Profile assignment can take up to 1 hour to propagate.
Test the Deployment
Go to Settings → Update & Security → Recovery → Reset this PC → Remove everything. Or wipe from Intune for a remote test.
Use a clean SSID with no proxy if possible — proxies can break Autopilot in ways that are hard to diagnose. Avoid authenticated proxies entirely during the technician phase.
After connecting, the device should reboot into your company's branded OOBE instead of the standard Windows setup. If it doesn't, the device isn't registered or the profile hasn't propagated yet.
Common Failure Points
- "Something went wrong" at OOBE — Usually a network problem, or the device isn't registered. Verify it shows in Intune → Devices → Windows enrollment → Devices
- ESP stuck at "Identifying" — MDM auto-enrollment isn't configured or the user lacks an Intune license
- ESP times out on app install — An app in the required assignment is failing. Check Intune → Devices → [device] → App install status
- Device joins Azure AD but not on-prem AD (hybrid) — The Intune Connector for AD is offline. Check Devices → Windows → Windows enrollment → Intune Connector for Active Directory