A Guide to Zero-Touch Provisioning with Intune - Windows Autopilot

 You no longer need to image and set up each device manually before handing it off to the user. With Windows Autopilot, you can ship devices directly to employees, already configured, secured, and ready to go the moment they power it on.

Autopilot works hand-in-hand with Microsoft Intune to enable zero-touch provisioning, saving time, reducing errors, and improving the onboarding experience.

In this article, I’ll break down:

  • What Windows Autopilot is
  • How it works
  • Key benefits for IT and users
  • How to get started with setup and enrollment

Windows Autopilot is a cloud-based provisioning technology that lets you:

  • Pre-configure new Windows 10/11 devices before the user powers them on
  • Automatically join devices to Microsoft Entra ID (formerly Azure AD)
  • Enroll them in Intune for policy, app, and config delivery
  • Apply your organization’s branding and policies without IT touching the device

It’s like having a modern, cloud-native replacement for imaging, built for distributed and hybrid teams.

Here’s the basic flow:

  1. You (or your hardware vendor) upload the device’s hardware ID (hash) to Intune/Autopilot
  2. You assign an Autopilot profile to the device
  3. The user receives the device and powers it on
  4. Windows contacts Microsoft Autopilot service
  5. The profile is applied, device is joined to Entra ID, enrolled in Intune, and configured automatically
  6. User logs in and starts working, no IT setup required

Key Benefits

  • Zero-touch setup for remote and hybrid employees
  • Consistent, policy-driven provisioning
  • Automated Entra ID join and Intune enrollment
  • Apply company branding (logos, color, sign-in screens)
  • Supports white glove setup for IT pre-provisioning if needed
  • Reduces shipping costs and time to productivity

Autopilot profiles allow you to define:

  • Device name templates
  • Entra join or Hybrid join
  • User account type (standard or admin)
  • Skip or show EULA, privacy, and other setup screens
  • Enable automatic enrollment into Intune

How to Set Up Windows Autopilot

Step 1: Gather device hardware IDs

  • Use the Get-WindowsAutopilotInfo.ps1 PowerShell script, you can copy below code and save it as powershell script to use.

<#
.SYNOPSIS
    Retrieves hardware hash and other details for Windows Autopilot registration.

.DESCRIPTION
    This script gathers device hardware information needed for Windows Autopilot enrollment and exports it to a CSV file.

.NOTES
    Author: Michael Niehaus, Microsoft
    Source: https://github.com/microsoft/WindowsAutopilotIntune

.PARAMETER OutputFile
    The name of the CSV file to create (e.g., AutopilotHWID.csv)

.EXAMPLE
    .\Get-WindowsAutopilotInfo.ps1 -OutputFile AutoPilotHWID.csv
#>

param(
    [Parameter(Mandatory=$true)]
    [string]$OutputFile
)

function Get-AutopilotInfo {
    Write-Host "Getting hardware hash..."

    # Create temp folder
    $TempFolder = "$env:TEMP\AutoPilot"
    if (!(Test-Path -Path $TempFolder)) {
        New-Item -Path $TempFolder -ItemType Directory | Out-Null
    }

    $HWIDPath = "$TempFolder\HWID.json"

    # Run MDM diagnostics tool to get the hash
    mdmdiagnosticstool.exe -area Autopilot -cab $TempFolder\AutoPilot.cab

    # Extract the JSON file from CAB
    expand.exe $TempFolder\AutoPilot.cab -F:* "$TempFolder" | Out-Null

    if (!(Test-Path -Path $HWIDPath)) {
        Write-Error "Hardware hash not found. Are you running this as administrator?"
        return
    }

    # Read and parse the JSON
    $json = Get-Content -Path $HWIDPath | Out-String | ConvertFrom-Json

    # Select only the required fields
    $hash = $json.DeviceHardwareData
    $serial = $json.SerialNumber
    $manufacturer = $json.Manufacturer
    $model = $json.Model

    # Create output object
    $output = [PSCustomObject]@{
        DeviceSerialNumber = $serial
        WindowsProductID   = ""
        HardwareHash       = $hash
        Manufacturer       = $manufacturer
        Model              = $model
    }

    # Export to CSV
    $output | Export-Csv -Path $OutputFile -NoTypeInformation

    Write-Host "Hardware hash exported to $OutputFile"
}

# Run the function
Get-AutopilotInfo

Usage example:

.\Get-WindowsAutopilotInfo.ps1 -OutputFile "AutoPilotHWID.csv"

  • Or request the hash file from your OEM (like Dell, HP, Lenovo)

Step 2: Upload to Intune

  • Go to: Intune Admin Center > Devices > Enrollment > Windows
  • Then under Windows Autopilot section click on Devices as shown in the screenshot below.
  • Upload the CSV file

Article content
Article content

Step 3: Create Autopilot profile

  • Go to: Intune Admin Center > Devices > Enrollment > Windows
  • Then under Windows Autopilot section click on Deployment profiles as shown in the screenshot below.
  • Click + Create profile
  • Choose Windows PC, configure settings, and assign to a device group

Article content
Article content

Step 4: Assign the profile to devices

  • Select uploaded devices and assign the appropriate profile

Step 5: Deliver the device to the end user

  • On first boot, Windows will apply the assigned Autopilot profile

Autopilot vs. Traditional Imaging

Article content

Recommendations:

  • Use White Glove/Pre-Provisioning for IT-led setup when shipping internally
  • Combine with Enrollment Status Page (ESP) to block access until setup is complete
  • Create dynamic groups in Entra ID to assign profiles automatically
  • Use naming conventions for devices (e.g., MKT-LAPTOP-%SERIAL%)
  • Partner with OEMs that support direct Autopilot registration

Windows Autopilot and Intune redefine device provisioning, enabling a secure, scalable, and seamless experience from factory to first login.

If you’re still imaging devices manually, now’s the time to rethink your approach and modernize deployment.

Comments

Post a Comment

Popular posts from this blog

4 Most common Issues while registering devices with Microsoft Intune MDM

Image
  The built-in Mobile Device Management (MDM) for Office 365 helps you secure and manage your users' mobile devices like iPhones, iPads, Androids, and Windows phones. You can create and manage device security policies, remotely wipe a device, and view detailed device reports. During implementation or deployment, there are some common issues which occur in many of the environment  1-   Windows Update Sometimes you will notice that Windows Update is showing-Up-To-Date but in actual, the version needed for the MDM Registration is not updating automatically and eventually fails every time in the loop Solution Suggested Go to this  link  upgrade your Windows 10 to the latest version You will find a home page like the screenshot below. Click on UPDATE Now button. It will download a .exe file. Run the file and click on UPDATE Now button and press YES. Here it will update your Windows 10 to the Latest Version Note:  You can still work during downloading a...
Read more

Managing Windows Updates with Intune: Best Practices with Update Rings

Image
  Keeping Windows devices up to date is one of the most critical, and often most overlooked, aspects of endpoint security. With Microsoft Intune, you can manage Windows updates centrally using Update Rings , giving you control over when updates install, how users experience restarts, and how you test updates before broad deployment. In this guide, I’ll walk you through: What update rings are Why they’re essential for patch compliance How to configure them in Intune Best practices for rollout and user experience 1. What Are Windows Update Rings in Intune? Update rings in Intune allow you to: Define when and how Windows updates are delivered Set deadlines for installation and restarts Delay feature updates (e.g., to test before production) Control user experience during updates They apply to Windows 10 and 11 devices enrolled in Intune, including those provisioned via Autopilot. 2. Why Update Management Matters Without structured update management, you risk: Devices missing crit...
Read more

The Intune Device Lifecycle: From Onboarding to Retirement (Best Practices)

  Managing endpoints isn’t just about deployment, it’s about handling the entire device lifecycle : from onboarding and day-to-day management to secure deprovisioning when a device is no longer in use. Microsoft Intune provides a streamlined, policy-driven approach to each phase of this lifecycle, and when done right, it reduces IT overhead, increases security, and improves the user experience. In this post, I’ll walk you through the key stages of managing a device in Intune from start to finish, and how to handle each one effectively. Stage 1: Provisioning & Onboarding This is where the device journey begins, and it sets the tone for everything that follows. Tools and features to use: Windows Autopilot for zero-touch setup Enrollment Status Page (ESP) to control setup sequence Dynamic groups to assign configurations automatically Baseline security policies (compliance, Defender, encryption) Goal: Make the first experience smooth, secure, and consistent for every user. Sta...
Read more