Windows Autopilot user-driven mode

Windows Autopilot user-driven mode lets you configure new Windows devices to automatically transform them from their factory state to a ready-to-use state. This process doesn't require that IT personnel touch the device.

The process is simple. Devices can be shipped or distributed to the end user directly with the following instructions:

  1. Unbox the device, plug it in, and turn it on.
  2. If it uses multiple languages, choose a language, locale, and keyboard.
  3. Connect it to a wireless or wired network with internet access. If using wireless, first connect to the wi-fi network.
  4. Specify your e-mail address and password for your organization account.

The rest of the process is automated. The device does the following steps:

  1. Join the organization.
  2. Enroll in Microsoft Intune or another MDM service.
  3. Get configured as defined by the organization.

You can suppress any other prompts during the out-of-box experience (OOBE). For more information on the available options, see Configuring Autopilot profiles.


If you use Active Directory Federation Services (ADFS), there's a known issue that can enable the end user to sign in with a different account than the one assigned to that device.

Windows Autopilot user-driven mode supports Microsoft Entra join and Microsoft Entra hybrid joined devices. For more information about these two join options, see the following articles:

The steps of the user-driven process are as follows:

  1. After the device connects to a network, the device downloads a Windows Autopilot profile. The profile defines the settings used for the device. For example, define the prompts suppressed during OOBE.

  2. Windows checks for critical OOBE updates. If updates are available, they're automatically installed. If necessary, the device restarts.

  3. The user is prompted for Microsoft Entra credentials. This customized user experience shows the Microsoft Entra tenant name, logo, and sign-in text.

  4. The device joins Microsoft Entra ID or Active Directory, depending on the Windows Autopilot profile settings.

  5. The device enrolls to Intune or another configured MDM service. Depending on your organizational needs, this enrollment occurs either:

    • During the Microsoft Entra join process, using MDM auto-enrollment.

    • Before the Active Directory-join process.

  6. If configured, it displays the enrollment status page (ESP).

  7. After the device configuration tasks complete, the user is signed into Windows using the credentials they previously provided. If the device restarts during the device ESP process, the user must reenter their credentials. These details don't persist after restart.

  8. After sign-in, the enrollment status page displays for user-targeted configuration tasks.

If any issues are found during this process, see Windows Autopilot troubleshooting.

For more information on the available join options, see the following sections:

  • Microsoft Entra join is available if devices don't need to join an on-premises Active Directory domain.
  • Microsoft Entra hybrid join is available for devices that need to join both Microsoft Entra ID and your on-premises Active Directory domain.

User-driven mode for Microsoft Entra join

To complete a user-driven deployment using Windows Autopilot, follow these preparation steps:

  1. Make sure that the users performing user-driven mode deployments can join devices to Microsoft Entra ID. For more information, see Configure device settings in the Microsoft Entra documentation.

  2. Create an Autopilot profile for user-driven mode with the desired settings.

    • In Intune, this mode is explicitly chosen when you create the profile.

    • In Microsoft Store for Business and Partner Center, user-driven mode is the default.

  3. If you use Intune, create a device group in Microsoft Entra ID, and assign the Autopilot profile to that group.

For each device that is deployed using user-driven deployment, these extra steps are needed:

  • Add the device to Windows Autopilot. You can do this step in two ways:

  • Assign an Autopilot profile to the device:

    • If you use Intune and Microsoft Entra dynamic device groups, this assignment can be done automatically.

    • If you use Intune and Microsoft Entra static device groups, manually add the device to the device group.

    • If you use other methods, like Microsoft Store for Business or Partner Center, manually assign an Autopilot profile to the device.


If the intended end-state of the device is co-management, you can configure device enrollment in Intune to enable co-management, which happens during the Autopilot process. This behavior directs the workload authority in an orchestrated manner between Configuration Manager and Intune. For more information, see How to enroll with Autopilot.

User-driven mode for Microsoft Entra hybrid join


Microsoft recommends deploying new devices as cloud-native using Microsoft Entra join. Deploying new devices as Microsoft Entra hybrid join devices isn't recommended, including through Autopilot. For more information, see Microsoft Entra joined vs. Microsoft Entra hybrid joined in cloud-native endpoints: Which option is right for your organization.

Windows Autopilot requires that devices be Microsoft Entra joined. If you have an on-premises Active Directory environment, you can join devices to your on-premises domain. To join the devices, configure Autopilot devices to be hybrid-joined to Microsoft Entra ID.


As Microsoft talks with customers that are using Microsoft Intune and Microsoft Configuration Manager to deploy, manage, and secure their client devices, we often get questions regarding co-managing devices and Microsoft Entra hybrid joined devices. Many customers confuse these two topics. Co-management is a management option, while Microsoft Entra ID is an identity option. For more information, see Understanding hybrid Microsoft Entra and co-management scenarios. This blog post aims to clarify Microsoft Entra hybrid join and co-management, how they work together, but aren't the same thing.

You can't deploy the Configuration Manager client while provisioning a new computer in Windows Autopilot user-driven mode for Microsoft Entra hybrid join. This limitation is due to the identity change of the device during the Microsoft Entra join process. Deploy the Configuration Manager client after the Autopilot process. See Client installation methods in Configuration Manager for alternative options for installing the client.

Requirements for user-driven mode with hybrid Microsoft Entra ID

  • Create a Windows Autopilot profile for user-driven mode.

    In the Autopilot profile, under Join to Microsoft Entra ID as, select Microsoft Entra hybrid joined.

  • If you use Intune, you need a device group in Microsoft Entra ID. Assign the Windows Autopilot profile to the group.

  • If you use Intune, create and assign a Domain Join profile. A Domain Join configuration profile includes on-premises Active Directory domain information.

  • The device needs to access the internet. For more information, see the networking requirements.

  • Install the Intune Connector for Active Directory.


    The Intune Connector joins the device to the on-premises domain. Users don't need permissions to join devices to the on-premises domain. This behavior assumes that you configure the connector for this action on the user's behalf. For more information, see Increase the computer account limit in the Organizational Unit.

  • If you use a proxy, enable and configure the WPAD Proxy settings option.

In addition to these core requirements for user-driven Microsoft Entra hybrid join, the following extra requirements apply to on-premises devices:

  • The device has a currently supported version of Windows.

  • The device is connected to the internal network and has access to an Active Directory domain controller.

    • It needs to resolve the DNS records for the domain and the domain controllers.

    • It needs to communicate with the domain controller to authenticate the user.

User-driven mode for Microsoft Entra hybrid join with VPN support

Devices joined to Active Directory require connectivity to an Active Directory domain controller for many activities. These activities include validating the user's credentials when they sign-in, and applying group policy settings. The Autopilot user-driven process for Microsoft Entra hybrid joined devices validates that the device can contact a domain controller by pinging that domain controller.

With the addition of VPN support for this scenario, you can configure the Microsoft Entra hybrid join process to skip the connectivity check. This change doesn't eliminate the need for communicating with a domain controller. Instead, to allow connection to the organization's network, Intune delivers the needed VPN configuration before the user attempts to sign in to Windows.

Requirements for user-driven mode with hybrid Microsoft Entra ID and VPN

In addition to the core requirements for user-driven mode with Microsoft Entra hybrid join, the following extra requirements apply to a remote scenario with VPN support:

  • A currently supported supported version of Windows.

  • In the Microsoft Entra hybrid join profile for Autopilot, enable the following option: Skip domain connectivity check.

  • A VPN configuration with one of the following options:

    • Can be deployed with Intune, and lets the user manually establish a VPN connection from the Windows sign-in screen.

    • Automatically establishes a VPN connection as needed.

The specific VPN configuration required depends on the VPN software and authentication being used. For third-party VPN solutions, this configuration typically involves deploying a Win32 app via Intune Management Extensions. This app would include the VPN client software and any specific connection information. For example, VPN endpoint host names. For configuration details specific to that provider, see your VPN provider's documentation.


The VPN requirements aren't specific to Autopilot. For example, if a VPN configuration is implemented to enable remote password resets, that same configuration can be used with Windows Autopilot. This configuration would allow a user to sign in to Windows with a new password when not on the organization's network. Once the user signs in and their credentials are cached, subsequent sign-in attempts don't need connectivity since Windows uses the cached credentials.

If the VPN software requires certificate authentication, use Intune to also deploy the required device certificate. This deployment can be done using the Intune certificate enrollment capabilities, targeting the certificate profiles to the device.

Some configurations aren't supported because they aren't applied until the user signs into Windows:

  • User certificates
  • Non-Microsoft UWP VPN plug-ins from the Windows Store


Before you attempt a Microsoft Entra hybrid join using VPN, it's important to confirm that a user-driven mode for Microsoft Entra hybrid join process works on your internal network. This test simplifies troubleshooting by making sure the core process works before adding the VPN configuration.

Next, confirm that you can use Intune to deploy the VPN configuration and its requirements. Test these components with an existing device that's already Microsoft Entra hybrid joined. For example, some VPN clients create a per-machine VPN connection as part of the installation process. Validate the configuration using the following steps:

  1. Verify that at least one per-machine VPN connection is created.

    Get-VpnConnection -AllUserConnection
  2. Attempt to manually start the VPN connection.

    RASDIAL.EXE "ConnectionName"
  3. Sign out of Windows. Verify that you can see the "VPN connection" icon on the Windows sign-in page.

  4. Move the device off the internal network and try to establish the connection using the icon on the Windows sign-in page. Sign into an account that doesn't have cached credentials.

For VPN configurations that automatically connect, the validation steps might be different.


You can use an always-on VPN for this scenario. For more information, see Deploy always-on VPN.

Next steps