Windows Autopilot: Zero-Touch Device Deployment for Modern IT
Imaging PCs with USB drives and manually configuring each device is a relic of a bygone era. Windows Autopilot lets IT teams ship laptops directly from the manufacturer to end users, with the device configuring itself on first boot — joining Entra ID, enrolling in Intune, and installing apps and policies without a technician touching it. This guide covers how Autopilot works, its deployment profiles, hardware hash registration, and practical advice for Australian resellers.
What Is Windows Autopilot?
Windows Autopilot is a collection of cloud-based technologies built into Windows 10 and Windows 11 that allow organisations to pre-configure new devices so they arrive ready for productive use straight out of the box. Instead of creating and maintaining custom OS images, Autopilot takes the OEM-installed Windows build and layers corporate settings, applications, and security policies on top during the Out-of-Box Experience (OOBE). The device registers itself with Microsoft Entra ID (formerly Azure AD) and Microsoft Intune, pulling down everything it needs without a technician intervening.
For IT resellers, Autopilot fundamentally changes the provisioning conversation. Rather than charging customers for hours of bench time imaging laptops in a warehouse, you can offer a managed service that ships hardware directly from your distributor to the end user's desk. The value shifts from manual labour to design, policy configuration, and ongoing endpoint management — a much more scalable and profitable model. Autopilot also reduces the risk of misconfiguration, since every device follows the same automated playbook.
Hardware Hash Registration
Before a device can use Autopilot, its unique hardware identity must be registered with the Windows Autopilot service. This identity is called the hardware hash: a computed value derived from hardware identifiers including the SMBIOS serial number, disk serial, MAC address, and TPM endorsement key. The hash is uploaded as a CSV file to the Microsoft Intune portal (or via the Partner Center for resellers), where it is associated with the customer's tenant. When the device connects to the internet during OOBE, it phones home, matches its hash, and receives its assigned Autopilot profile.
There are several ways to obtain the hardware hash. The simplest for new hardware is to have the OEM or distributor register it at the point of sale — major vendors like Dell, HP, and Lenovo all support this. For existing devices, you can extract the hash using a PowerShell script (Get-WindowsAutopilotInfo) or by booting into the OOBE screen and pressing Shift+F10 to open a command prompt. Australian distributors like Dicker Data, Synnex, and Ingram Micro can register hashes on behalf of resellers, which streamlines the process enormously for large deployments.
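Because registration binds a physical device to a tenant, it pays to check the CSV before it is uploaded. The following is an added example, not part of the original guide or of any Microsoft tooling: the function name `Test-AutopilotCsv`, the allowed group tags, the minimum-length threshold and the sample rows are all assumptions made for illustration.

```powershell
# Added example: pre-upload sanity check of an Autopilot hardware-hash CSV.
# Sample rows are constructed; the hash values are short placeholders, not real hashes.
$sampleCsv = @'
Device Serial Number,Windows Product ID,Hardware Hash,Group Tag
SN-0001,,VGhpcyBpcyBhIGNvbnN0cnVjdGVkIHBsYWNlaG9sZGVy,Sales
SN-0002,,%%not-base64%%,Sales
SN-0001,,VGhpcyBpcyBhIGNvbnN0cnVjdGVkIHBsYWNlaG9sZGVy,Kiosk
SN-0003,,QW5vdGhlciBjb25zdHJ1Y3RlZCBwbGFjZWhvbGRlcg==,Finance
'@

function Test-AutopilotCsv {
    param(
        [Parameter(Mandatory)][string]$CsvText,
        [string[]]$AllowedGroupTags = @(),  # empty list = group tags are not checked
        [int]$MinHashBytes = 16             # assumption: demo threshold; real hashes are far longer
    )
    $required = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
    $rows = @($CsvText | ConvertFrom-Csv)
    if ($rows.Count -eq 0) { throw 'CSV contains no device rows.' }
    $missing = $required | Where-Object { $_ -notin $rows[0].PSObject.Properties.Name }
    if ($missing) { throw "Missing column(s): $($missing -join ', ')" }

    $seen = @{}   # serial number -> first CSV line it appeared on
    $line = 1     # line 1 is the header row
    foreach ($row in $rows) {
        $line++
        $problems = @()
        $serial = "$($row.'Device Serial Number')".Trim()
        if (-not $serial) { $problems += 'empty serial number' }
        elseif ($seen.ContainsKey($serial)) { $problems += "duplicate of line $($seen[$serial])" }
        else { $seen[$serial] = $line }
        try {
            $bytes = [Convert]::FromBase64String("$($row.'Hardware Hash')")
            if ($bytes.Length -lt $MinHashBytes) { $problems += 'hash too short' }
        } catch { $problems += 'hash is not valid base64' }
        $tag = "$($row.'Group Tag')".Trim()
        if ($AllowedGroupTags.Count -and $tag -notin $AllowedGroupTags) {
            $problems += "unexpected group tag '$tag'"
        }
        [pscustomobject]@{ Line = $line; Serial = $serial; GroupTag = $tag; Problems = $problems -join '; ' }
    }
}

# Show only the rows that need attention before the file goes to Intune or Partner Center.
Test-AutopilotCsv -CsvText $sampleCsv -AllowedGroupTags 'Sales', 'Finance' |
    Where-Object Problems | Format-Table -AutoSize
```

For a real file, pass `Get-Content -Raw` output as `-CsvText` and raise `-MinHashBytes` to a value that matches the hashes your tooling produces.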
Autopilot Deployment Profiles
An Autopilot deployment profile defines what the user experiences during OOBE and how the device joins the organisation. You create profiles in the Microsoft Intune admin centre and assign them to device groups. The profile controls whether the user sees the license agreement, privacy settings, and Cortana setup screens, or whether those are suppressed entirely. It also determines the join type — Entra ID joined (cloud-only) or Hybrid Entra ID joined (for organisations that still need on-premises Active Directory domain membership).
User-Driven Mode
User-driven mode is the most common Autopilot scenario. The end user powers on the device, connects to Wi-Fi or Ethernet, and signs in with their corporate credentials. Autopilot takes over from there — enrolling the device in Intune, applying compliance and configuration policies, and installing assigned applications. The user watches a branded progress screen (the Enrollment Status Page) while everything is configured. This mode works well for knowledge workers who are comfortable signing in and waiting ten to thirty minutes for the setup to complete.
Self-Deploying Mode
Self-deploying mode requires no user interaction at all. The device powers on, connects to the network, and automatically provisions itself without anyone signing in. This is ideal for shared devices, kiosks, digital signage, or conference room equipment — anywhere a device needs to be set up without a named user present. Self-deploying mode requires a TPM 2.0 chip for device attestation, since there is no user credential to verify identity. The device authenticates itself to Entra ID using the TPM, then enrols into Intune and pulls down its configuration.
Pre-Provisioning (White Glove)
Pre-provisioning, formerly known as White Glove, is a hybrid approach that splits the Autopilot process into two phases. In the first phase, a technician (or the reseller) boots the device, presses a key combination during OOBE to enter the pre-provisioning flow, and lets the device download and apply all device-targeted policies and apps. The device is then resealed and shipped to the end user. When the user powers it on, the second phase runs — applying user-targeted policies and apps, which is much faster because the heavy lifting was already done.
Pre-provisioning is valuable for Australian resellers because it lets you add a tangible service to hardware sales. You receive the devices at your warehouse, run the technician phase (which can be done in bulk on a staging network), then ship to the customer. The end user gets a device that is ready in minutes rather than thirty or more. It also ensures that large application installs — such as the full Microsoft 365 Apps suite or line-of-business software — happen on a fast warehouse network rather than over the user's potentially slower home or branch office connection.
Intune Integration and Policy Flow
Autopilot is tightly integrated with Microsoft Intune, which serves as the management plane for enrolled devices. Once a device completes Autopilot enrolment, Intune pushes down configuration profiles (Wi-Fi, VPN, email, certificates), compliance policies (BitLocker encryption, password complexity, OS version requirements), and applications (Win32 apps, Microsoft Store apps, Microsoft 365 Apps). The Enrollment Status Page (ESP) can be configured to block user access until critical apps and policies have been applied, ensuring the device is compliant before the user starts working.
For resellers managing multiple tenants, Intune's grouping and targeting capabilities are essential. You can create dynamic device groups based on the Autopilot group tag — a label assigned during hardware hash registration — so that devices automatically receive the correct profile for their department, location, or role. This means a single Autopilot configuration can handle diverse requirements across an organisation without creating dozens of separate profiles. Combined with Intune's role-based access control, you can delegate day-to-day management to the customer's IT team while retaining oversight as a managed service provider.
OEM Readiness and Distributor Support
The major Windows OEMs — Dell, HP, Lenovo, Microsoft Surface, and Dynabook — all support Autopilot registration as part of their order process. When you place an order through an Australian distributor, you can request that the hardware hashes be uploaded directly to your customer's tenant (or your partner tenant if you manage on their behalf). This eliminates the need to physically handle the devices for hash extraction. Some OEMs also offer factory-level customisation — pre-installing specific apps, applying BIOS settings, or attaching asset tags — which pairs well with Autopilot to deliver a fully ready device without any reseller touch.
Autopilot Deployment Modes Compared
| Feature | User-Driven | Self-Deploying | Pre-Provisioned |
|---|---|---|---|
| User interaction required | Yes — user signs in | None | Technician + user sign-in |
| TPM 2.0 required | Recommended | Mandatory | Recommended |
| Best suited for | Knowledge workers | Kiosks / shared devices | Executive / VIP users |
| Typical setup time for user | 15-40 minutes | Automatic | 5-10 minutes |
| Hybrid Entra ID join | Supported | Not supported | Supported |
Autopilot Reset: Repurposing Devices
Autopilot Reset allows an IT administrator to wipe a device and return it to a business-ready state without re-imaging. There are two flavours: local reset, triggered from the device's lock screen, and remote reset, initiated from the Intune portal. Both options remove user data, apps, and settings while preserving the device's Entra ID join, Intune enrolment, and Wi-Fi profiles. This makes it straightforward to reassign a laptop from one employee to another — the next user simply signs in and receives their personal apps and policies without going through the full OOBE again.
For education and shared-device scenarios, Autopilot Reset is particularly valuable. A school can reset a fleet of laptops at the end of each term, and a hospital can wipe and reassign a shared workstation between shifts. The remote reset capability is also useful for lost or stolen devices — the admin can trigger a wipe from the Intune console, and if the device comes back online it will reset itself. Combined with BitLocker encryption, this provides a solid data protection story for compliance-conscious customers.
Pros
- Eliminates manual imaging — devices configure themselves from the cloud
- Enables drop-ship fulfilment directly from distributor to end user
- Creates recurring managed service revenue around endpoint management
- Consistent, repeatable deployments reduce support calls
- Pre-provisioning adds a billable value-add service
Cons
- Requires Microsoft 365 Business Premium, E3, or E5 licensing
- Hybrid Entra ID join adds complexity with on-premises domain controllers
- Large app installs during OOBE can be slow on poor internet connections
- Hardware hash registration process can be confusing for first-timers
- Limited troubleshooting visibility when deployments fail silently
Licensing and Prerequisites
Autopilot is included with Microsoft 365 Business Premium, Microsoft 365 E3/E5, and Microsoft 365 F1/F3 licences. It requires Entra ID P1 (included in Business Premium and above) and Intune enrolment. The device must be running Windows 10 version 1809 or later, or any version of Windows 11. A TPM 2.0 chip is mandatory for self-deploying mode and strongly recommended for all scenarios. Internet connectivity during OOBE is essential — the device must reach Microsoft's Autopilot service endpoints, Entra ID, and Intune. Ensure that your customer's firewall or proxy allows outbound HTTPS traffic to the required Microsoft URLs.
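The connectivity requirement can be checked from the staging or customer network before any device is shipped. This is an added example, not part of the original guide: the function name `Test-HttpsEndpoint` is hypothetical and the host list is a small sample chosen for illustration, so take the full list from Microsoft's documentation.

```powershell
# Added example: outbound HTTPS preflight for the network a device will use during OOBE.
# Assumption: sample hosts only; this is not the complete set of required Microsoft URLs.
$endpoints = @(
    'ztd.dds.microsoft.com',            # Autopilot deployment service
    'cs.dds.microsoft.com',             # Autopilot deployment service
    'login.microsoftonline.com',        # Entra ID sign-in
    'enrollment.manage.microsoft.com'   # Intune enrolment
)

function Test-HttpsEndpoint {
    param([Parameter(Mandatory)][string]$HostName, [int]$TimeoutMs = 5000)
    $out = [pscustomobject]@{ Host = $HostName; Tcp443 = $false; Tls = $false; Issuer = $null; Error = $null }
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        if (-not $client.ConnectAsync($HostName, 443).Wait($TimeoutMs)) { throw 'TCP connect timed out' }
        $out.Tcp443 = $true
        # Accept any certificate: the goal is to read the issuer, not to trust the channel.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $accept)
        try {
            $ssl.AuthenticateAsClient($HostName)
            $out.Tls = $true
            $out.Issuer = $ssl.RemoteCertificate.Issuer
        } finally { $ssl.Dispose() }
    } catch { $out.Error = $_.Exception.GetBaseException().Message }
    finally { $client.Dispose() }
    $out
}

$endpoints | ForEach-Object { Test-HttpsEndpoint -HostName $_ } | Format-Table -AutoSize
```

A row with `Tcp443` false points at a firewall or DNS block, while an `Issuer` naming the organisation's own proxy CA shows that the HTTPS session is being intercepted on the way out.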