How to documentation for AutoPilot

Question

My organization has a customer base of 600 end users. We are deploying Windows 11 with use of an MDT Server. This solution is fine for users who are local to our Headquarters. But for users around the country, I need to understand how to configure autopilot to enable me push Windows 11 and related applications for these users.

Answer 1

Hi sir. Likambi, Bismarck

Thank you for contacting Microsoft Q&A community!

Here’s a comprehensive guide to configuring Windows Autopilot for deploying Windows 11 and related applications to remote users across the country:

1. Overview of Windows Autopilot

Windows Autopilot is a cloud-based deployment technology for Windows 10 and Windows 11. It enables zero-touch deployment and configuration of devices, allowing IT departments to remotely set up and configure devices with minimal end-user interaction. The only required user actions are connecting to a network and verifying credentials; everything else is automated.

2. Deployment Paths

For organizations with remote users, Windows Autopilot (modern provisioning) is recommended. It allows you to set up and configure devices remotely. You can also use the Surface Autopilot Cookbook for Cloud Solution Providers if you’re working with CSPs, or the Microsoft Surface Deployment Accelerator for image-based deployments when needed.

3. Prerequisites

• Devices must be registered as Windows Autopilot devices.
• Devices can be registered at purchase through a Surface partner or manually via the Surface Support Portal.
• Devices must have network connectivity (wired or wireless) to download the Autopilot profile and begin provisioning.
• 4. Configuration Steps

Step 1: Set Up Windows Automatic Intune Enrollment

• Configure automatic enrollment in Intune to manage devices and push applications and policies.

Step 2: Allow Users to Join Devices to Microsoft Entra ID

• Enable users to join devices to Microsoft Entra ID (formerly Azure AD).

Step 3: Register Devices as Windows Autopilot Devices

• Register devices either at purchase or manually.
• Devices are identified by a hardware hash.

Step 4: Create Device Groups

• Create device groups in Intune or Microsoft Entra ID for targeted deployment.

Step 5: Configure and Assign Windows Autopilot Enrollment Status Page (ESP)

• Set up ESP to monitor provisioning progress and ensure all required applications and policies are installed before the device is available to the user.

Step 6: Create and Assign Windows Autopilot Profile

• Configure Autopilot profiles to customize OOBE (Out of Box Experience), restrict admin account creation, and auto assign devices to configuration groups.

Step 7: Assign Devices to Users (Optional)

• Assign devices to specific users for personalized provisioning.

 

5. Deployment Process

Technician Flow (Pre-Provisioned Deployment)

• IT, OEM, or reseller powers on the device, connects to the network, and initiates the Autopilot process.
• Device may reboot to apply critical updates.
• OOBE begins, prompting for country/region and keyboard layout if no network connectivity.
• Once network is established, the device downloads the Autopilot profile and completes technician provisioning.

User Flow

• Device is delivered to the end user.
• User powers on the device, connects to the network, and completes OOBE.
• Device downloads the Autopilot profile, applies updates, and begins the Autopilot process.
• User signs in with Microsoft Entra credentials.
• Enrollment Status Page (ESP) tracks device preparation, setup, and account setup.
• Once ESP completes, the desktop appears and the device is ready for use.

6. Application and Policy Deployment

• Assign applications and policies to device groups and user groups in Intune.
• Ensure at least one policy and one application are assigned to both devices and users for proper testing and deployment.

7. Additional Resources

• Surface Autopilot Cookbook for Cloud Solution Providers: Step-by-step guidance for CSPs.
• Windows deployment process posters: Visual guides for deployment workflows.

For more details, refer to the documentation links and resources provided in the relevant documents. Here’s a comprehensive guide to configuring Windows Autopilot for deploying Windows 11 and related applications to remote users across the country:

1. https://learn.microsoft.com/en-us/surface/windows-autopilot-and-surface-devices
2. https://learn.microsoft.com/en-us/autopilot/tutorial/pre-provisioning/azure-ad-join-user-flow
3. https://learn.microsoft.com/en-us/autopilot/tutorial/user-driven/azure-ad-join-deploy-device
4. https://learn.microsoft.com/en-us/autopilot/tutorial/pre-provisioning/azure-ad-join-technician-flow
5. https://learn.microsoft.com/en-us/autopilot/deployment-process

If you believe this information adds some value, please accept the answer so that your experience with the issue would help contribute to the whole community.

T&R!

Kate.

Answer 2

I will have to perform these suggestions to make sure they work before I can definitively say it resolved my issue.

Answer 3

To support remote Windows 11 deployments with Windows Autopilot instead of MDT, configure the environment and devices as follows.

1. Prepare the cloud environment
2. Configure Microsoft Entra automatic enrollment so devices can enroll into Intune during Autopilot:
   • Follow the steps in Set up Windows automatic Intune enrollment / Enable Windows automatic enrollment to enable MDM enrollment for some or all users.
   • This is required for Autopilot scenarios that use Intune as the MDM.
3. Ensure the first user who signs in has permission to join devices to Microsoft Entra ID:
   • Configure Microsoft Entra join permissions as described in Allow users to join devices to Microsoft Entra ID.
4. (Optional but recommended) Configure:
   • Windows Subscription Activation to automatically step up from Windows Pro to Enterprise.
   • Microsoft Entra custom branding so users see the organization’s logo and sign-in text during Autopilot.
5. Decide Autopilot scenario and join type

For 600 distributed users, the typical pattern is:

• Use Windows Autopilot user-driven mode with:
  • Microsoft Entra join (cloud-native devices), or
  • Microsoft Entra hybrid join if on-premises AD is still required.

User-driven mode flow for the end user:

1. Unbox device, plug in, turn on.
2. Select language/locale/keyboard.
3. Connect to wired or wireless internet.
4. Enter organizational email and password.

The device then automatically:

1. Joins the organization (Entra ID or hybrid).
2. Enrolls into Intune (or other MDM).
3. Applies configuration, apps, and policies defined by IT.
4. Register devices with Autopilot

Autopilot requires devices to be registered before deployment:

1. Collect device IDs (hardware hash) from OEM, CSP, or by exporting from existing devices.
2. Register devices as Windows Autopilot devices using one of the supported methods:
   • Use the Autopilot registration process described in Register devices as Windows Autopilot devices or Manually register devices with Windows Autopilot.
3. Create device groups in Intune
4. In Intune, create device groups for Autopilot devices (for example, by Autopilot group tag, region, or department).
5. These groups will be used to assign:
   • Windows Autopilot deployment profiles.
   • Enrollment Status Page (ESP) profiles.
   • Required apps and configuration profiles.
6. Create and assign Autopilot deployment profiles
7. Create Windows Autopilot deployment profiles in Intune:
   • Choose User-driven mode.
   • Choose Microsoft Entra join or Microsoft Entra hybrid join depending on your identity strategy.
   • Configure OOBE options (suppress privacy settings, skip local account, etc.) as needed.
8. Assign the profiles to the Autopilot device groups.

Profile configuration and assignment details are described in Configure Windows Autopilot profiles and Assignment of Windows Autopilot deployment profiles to devices.

6. Configure Enrollment Status Page (ESP) and apps

For a good remote experience:

1. Configure an Enrollment Status Page in Intune and assign it to the same device groups:
   • Enable Show app and profile configuration progress so users see progress while required apps and policies install.
2. Assign required applications (including line-of-business apps) to Autopilot device groups so they install during ESP.
3. Consider Autopilot for existing devices (if reusing hardware)

If some users already have Windows devices that need to be converted to Autopilot-managed:

1. Use Windows Autopilot deployment for existing devices with Configuration Manager and Intune:
   • Requires a supported Configuration Manager current branch.
   • Requires Intune licenses and Microsoft Entra ID P1/P2.
   • Import a supported Windows 10/11 OS image into Configuration Manager.
2. Use the JSON-based Autopilot for existing devices workflow for user-driven Microsoft Entra or hybrid join profiles.
3. Surface devices (if applicable)

For Surface hardware, Autopilot is fully supported and can be integrated into the deployment plan:

• Use Windows Autopilot (modern provisioning) for zero-touch setup.
• Optionally use the Surface Autopilot Cookbook for Cloud Solution Providers if working with a CSP.

9. New Autopilot device preparation (Windows 11 only)

For newer Windows 11 builds, Windows Autopilot device preparation can simplify deployment further:

• Requires Windows 11 22H2/23H2/24H2 with the specified KB.
• Only supports Microsoft Entra join.
• Device must not already be registered as a Windows Autopilot device (Autopilot profile takes precedence over device preparation policy).

This provides improved troubleshooting and near real-time deployment status for remote deployments.

---

References:

• Windows Autopilot requirements
• Windows Autopilot and Surface devices
• Windows Autopilot FAQ
• Overview of Windows Autopilot device preparation
• How to enroll with Windows Autopilot
• Windows Autopilot user-driven mode
• Windows Autopilot deployment for existing devices
• Step by step tutorial for Windows Autopilot deployment for existing devices in Intune and Configuration Manager