Windows Autopilot registration overview

Applies to:

  • Windows 11
  • Windows 10
  • Windows Holographic, version 2004

Before a device is deployed using Windows Autopilot, the device must be registered with the Windows Autopilot deployment service.

Successful registration requires that two processes are complete:

  1. The device's unique hardware identity (known as a hardware hash) is captured and uploaded to the Autopilot service.
  2. The device is associated to an Azure tenant ID.

Ideally, the OEM, reseller, or distributor performs both of these processes from which the devices were purchased. An OEM or other device provider uses the registration authorization process to perform device registration on your behalf.

Registration can also be performed within your organization by collecting the hardware identity from new or existing devices and uploading it manually. If devices meet certain requirements, they can also be configured for automatic registration with Windows Autopilot. For more information about the ways in which devices can be registered with Windows Autopilot, see the following overview articles:

When you register an Autopilot device, it automatically creates a Microsoft Entra object. The Autopilot deployment process needs this object to identify the device before the user signs in. If you delete this object, the device can fail to enroll through Autopilot.

Note

Don't register to Autopilot the following types of devices:

These options are intended for users to join personally-owned devices to their organization's network.

Once a device is registered in Autopilot if a profile isn't assigned, it receives the default Autopilot profile. If you don't want a device to go through Autopilot, you must remove the Autopilot registration.

Terms

The following terms are used to refer to various steps in the registration process:

Term Definition
device registration Device registration happens when a device's hardware hash is associated with the Windows Autopilot service. This process can be automated for new enterprise devices manufactured by OEMs that are Windows Autopilot partners.
add devices Adding a device is the process of registering a device with the Windows Autopilot service (if it isn't already registered) and associating it to a tenant ID.
import devices Importing devices is the process of uploading a comma-separated-values (CSV) file that contains device information such as the model and serial number in order to manually add devices.
enroll devices Enrolling a device is the process of adding devices to Intune.

Device identification

To identify a device with Windows Autopilot, the device's unique hardware hash must be captured and uploaded to the service. As previously mentioned, this step is ideally done by the hardware vendor (OEM, reseller, or distributor) automatically associating the device with an organization. It's also possible to do identify a device with a harvesting process that collects the device's hardware hash from within a running Windows installation.

The hardware hash contains details about the device, such as:

  • manufacturer
  • model
  • device serial number
  • hard drive serial number
  • details about when the ID was generated
  • many other attributes that can be used to uniquely identify the device

The hardware hash changes each time it's generated because it includes details about when it was generated. When the Windows Autopilot deployment service attempts to match a device, it considers changes like that. It also considers large changes such as a new hard drive, and is still able to match successfully. But large changes to the hardware, such as a motherboard replacement, wouldn't match, so a new hash would need to be generated and uploaded.

For more information about device IDs, see the following articles:

Windows Autopilot devices

Devices that have been registered with the Windows Autopilot service are displayed in the Intune admin center under Devices > Enroll devices > Windows enrollment > Windows Autopilot Deployment Program > Devices:

Autopilot devices

Note

Devices that are listed in Intune under Devices > Windows > Windows devices aren't the same as Windows Autopilot devices Devices > Enroll devices > Windows enrollment > Windows Autopilot Deployment Program > Devices. Windows Autopilot devices are added to the list of Windows devices when both of the following are complete:

  • The Autopilot registration process is successful.
  • A licensed user has signed in on the device.

Deregister a device

Whenever a device permanently leaves an organization, whether it's for a repair or the end of the device life cycle, the device should always be deregistered from Autopilot.

Below we describe the steps an admin would go through to deregister a device from Intune and Autopilot.

Deregister from Intune

Before a device is deregistered from Autopilot, it first has to be deregistered from Intune. To deregister an Autopilot device from Intune:

  1. Sign in to the Microsoft Intune admin center.

  2. In the Home screen, select Devices in the left pane.

  3. In the Devices | Overview screen, under By platform, select Windows.

  4. Under Device name, find the device that needs to be deregistered and then select the device. If necessary, use the Search box.

  5. In the properties screen for the device, make a note of the serial number listed under Serial number.

  6. After making a note of the serial number of the device, select Delete in the toolbar at the top of the page.

  7. A warning dialog box appears to confirm the deletion of the device from Intune. Select Yes to confirm deleting the device.

Deregister from Autopilot using Intune

Once the device has been deregistered from Intune, it can then be deregistered from Autopilot. To deregister a device from Autopilot:

  1. Make sure the device has been deregistered from Intune as described in the Deregister from Intune section.

  2. Sign in to the Microsoft Intune admin center.

  3. In the Home screen, select Devices in the left pane.

  4. In the Devices | Overview screen, under By platform, select Windows.

  5. In the Windows | Windows enrollment screen, select Windows enrollment

  6. Under Windows Autopilot Deployment Program, select Devices.

  7. In the Windows Autopilot devices screen that opens, under Serial number, find the device that needs to be deregistered by its serial number as determined in the Deregister from Intune section. If necessary, use the Search by serial number box.

  8. Select the device by selecting the checkbox next to the device.

  9. Select the extended menu icon () on the far right end of the line containing the device. A menu appears with the option Unassign user.

    • If the Unassign user option is available and not greyed out, then select it. A warning dialog box appears confirming to unassign the user from the device. Select OK to confirm unassigning the device from the user.
    • If the Unassign user option isn't available and greyed out, then move on to the next step.
  10. With the device still selected, select Delete in the toolbar at the top of the page.

  11. A warning dialog box appears to confirm the deletion of the device from Autopilot. Select Yes to confirm deleting the device.

  12. The deregistration process may take some time. The process can be accelerated by selecting the Sync button in the toolbar at the top of the page.

  13. Every few minutes select Refresh in the toolbar at the top of the page until the device is no longer present.

Important

  • For Microsoft Entra join devices, no additional steps are necessary to remove the device from Intune and Autopilot. Unneeded steps include manually deleting the device from Microsoft Entra ID. Manually deleting the device from Microsoft Entra ID may cause unexpected problems, issues, and behavior. If needed, the device will be automatically removed from Microsoft Entra ID after these steps are followed.

  • For Microsoft Entra hybrid join devices, delete the computer object from the on-premises Active Directory Domain Services (AD DS) environment. Deleting the computer object from the on-premises AD DS ensures that the computer object isn't resynced back to Microsoft Entra ID. After the computer object is deleted from the on-premises AD DS environment, no additional steps are necessary to remove the device from Intune and Autopilot. Unneeded steps include manually deleting the device from Microsoft Entra ID. Manually deleting the device from Microsoft Entra ID may cause unexpected problems, issues, and behavior. If needed, the device will be automatically removed from Microsoft Entra ID after these steps are followed.

The above steps deregister the device from Autopilot, unenroll the device from Intune, and disjoin the device from Microsoft Entra ID. It may appear that only deregistering the device from Autopilot is needed. However, there are barriers in Intune that require all the above steps to avoid problems with lost or unrecoverable devices. To prevent the possibility of orphaned devices in the Autopilot database, Intune, or Microsoft Entra ID, it's best to complete all the steps. If a device gets into an unrecoverable state, you can contact the appropriate Microsoft support alias for assistance.

Deregister from Autopilot using Microsoft 365 admin center

The device can be deregistered from Autopilot in Microsoft 365 admin center if using Microsoft 365 admin center instead of Intune. To deregister an Autopilot device from the Microsoft 365 admin center:

  1. Sign into to the Microsoft 365 admin center
  2. Navigate to Devices > Autopilot.
  3. Select the device to be deregistered and then select Delete device.

Deregister from Autopilot in Microsoft Partner Center (MPC)

To deregister an Autopilot device from the Microsoft Partner Center (MPC), a CSP would:

  1. Log into the Microsoft Partner Center (MPC).

  2. Navigate to Customer > Devices.

  3. Select the device to be deregistered and then select Delete device.

    Screenshot of delete device

Partners deregistering a device from Autopilot in Microsoft Partner Center (MPC) only deregisters the device from Autopilot. It doesn't perform any of the following actions:

  • Unenroll the device from the MDM (Intune)
  • Disjoin the device from Microsoft Entra ID

For the reasons listed above, the OEM or CSP should work with the customer IT administrators to have the device fully removed by following the steps in the Deregister a device section.

An OEM or CSP that has integrated the OEM Direct APIs can also deregister a device with the AutopilotDeviceRegistration API. Make sure the TenantID and TenantDomain fields are left blank.

Note

If an admin registered a device via another portal other than the Microsoft Partner Center (MPC) such as Intune or Microsoft 365 admin center, the device doesn't show up in Microsoft Partner Center (MPC). For a partner to register a device in the Microsoft Partner Center (MPC), the devices first needs to be deregistered using the steps outlined in the Deregister a device section.

Register devices manually