Understand Windows Autopilot scenarios and benefits
Windows Autopilot supports several deployment scenarios that allow organizations to provision devices based on their operational requirements. These scenarios help IT teams deploy devices without traditional imaging processes while ensuring devices are automatically configured with organizational policies, applications, and security settings.
Common Windows Autopilot deployment scenarios include:
- User-driven deployment
- Self-deploying deployment
- Windows Autopilot for existing devices
- Pre-provisioned deployment
- Windows Autopilot Reset
Benefits of Windows Autopilot
Windows Autopilot helps organizations simplify and modernize device deployment. Instead of maintaining custom operating system images, administrators can configure devices using cloud-based management services such as Microsoft Intune.
Key benefits include:
- Reduced deployment complexity: Organizations no longer need to maintain or deploy custom operating system images. Devices use the factory-installed version of Windows and receive configuration settings during setup.
- Faster device provisioning: Devices can be shipped directly from the manufacturer or partner to end users. During the first startup experience, devices automatically enroll in management and receive required applications and policies.
- Improved user experience: Users only need to connect the device to the internet and sign in with their organizational account. The remaining configuration is automated.
- Consistent configuration and security: Policies and applications are automatically deployed, ensuring devices meet organizational standards.
Windows Autopilot deployment scenarios
User-driven mode
User-driven deployment allows new Windows devices to be configured directly by the end user during the Windows out-of-box experience (OOBE). After connecting the device to the internet and signing in with their organizational account, the device automatically joins Microsoft Entra ID and enrolls in device management.
To use user-driven Windows Autopilot with Microsoft Entra join, users must be allowed to join devices to Microsoft Entra ID. Devices must be registered with Windows Autopilot, and an Autopilot deployment profile must be assigned to the device, typically through a Microsoft Entra device group. In Intune-based deployments, automatic MDM enrollment should also be configured. For user-driven Windows Autopilot with Microsoft Entra hybrid join, the required profile must specify Microsoft Entra hybrid join, the device must have access to the internet and the on-premises domain environment, and the Intune Connector for Active Directory must be installed and configured.
For new device deployments, use Microsoft Entra join (cloud-native) as the preferred approach. Microsoft Entra hybrid join remains supported for scenarios that require on-premises Active Directory, but it isn’t the recommended path for new devices deployed with Windows Autopilot.
Important
For Microsoft Entra hybrid join deployments, Intune Connector for Active Directory versions older than 6.2501.2000.5 are deprecated and can no longer process enrollment requests. If the legacy connector is installed, uninstall it first before installing the updated connector (there is no in-place upgrade). Use the latest Intune Connector requirements guidance to confirm current version and server prerequisites.
Self-deploying mode
Windows Autopilot self-deploying mode enables a device to be deployed with little to no user interaction, providing a near zero-touch deployment experience. During deployment, the Enrollment Status Page (ESP) can display while the device is configured. When provisioning is complete, the device displays the sign-in screen for Microsoft Entra ID credentials. For kiosk or shared-device scenarios, self-deploying mode can be combined with management policies that configure a local account for automatic sign-in.
To use self-deploying mode, create an Autopilot deployment profile for self-deploying mode in Microsoft Intune and assign it to the target device or device group before deployment. Devices must support TPM 2.0 and TPM device attestation, and they must run a supported version of Windows for Windows Autopilot. Self-deploying mode is supported for Microsoft Entra join devices only. If the device uses Wi-Fi, some user interaction might still be required to select language, locale, keyboard, and connect to the wireless network.
Windows Autopilot device preparation
Windows Autopilot device preparation is an improved Autopilot experience that aims to be simple, fast, observable, and reliable. Unlike traditional Autopilot scenarios, device preparation uses Enrollment Time Grouping and typically doesn’t require device pre-registration (hardware hash import). During enrollment, the device is added to a predefined device group so that assigned apps, scripts, and policies can begin applying immediately.
Device preparation requirements include:
- Windows 11 only (Windows 11 24H2 or later, or Windows 11 23H2/22H2 with KB5035942 or later)
- Microsoft Entra join only (Microsoft Entra hybrid join isn’t supported)
To create a device preparation policy in Intune, go to Devices > By platform > Windows, then under Device onboarding select Enrollment, and under Windows Autopilot device preparation select Device preparation policies.
Use device preparation for Windows 11 cloud-native new device deployments (Microsoft Entra join). Use traditional Autopilot when you need Windows 10, hybrid join, pre-provisioning, or existing device scenarios.
Windows Autopilot for existing devices
Windows Autopilot can also be used to transition existing devices from traditional deployment methods to modern provisioning. In this scenario, administrators reimage an existing device and prepare it for Windows Autopilot so that it can be automatically configured during the next startup experience.
Organizations can use tools such as Microsoft Configuration Manager to deploy Windows and include an Autopilot configuration file that associates the device with an Autopilot deployment profile. When the device enters the Windows out-of-box experience (OOBE), the Autopilot deployment process begins and applies the organization's configuration settings.
This approach allows organizations to transition previously deployed devices to modern cloud-based management without requiring new hardware.
Windows Autopilot for pre-provisioned deployment
Windows Autopilot can provide a capability that enables partners or IT staff to pre-provision a Windows PC so that it's fully configured and business-ready. From the end user's perspective, the Windows Autopilot user-driven experience is unchanged, but getting the device to a fully provisioned state is faster. Instead of the entire provisioning process occurring when the user powers on the device, the provisioning process is split. Time-consuming portions such as device-targeted applications and policies are completed by IT. Final user settings and policies are applied when the user connects and powers on the device.
Pre-provisioned deployment requires a supported Windows Autopilot scenario, Intune, TPM 2.0, and TPM device attestation. Virtual machines aren't supported. Internet connectivity is required, and for Microsoft Entra hybrid join scenarios, connectivity to the on-premises domain environment is also required during the user phase.
Windows Autopilot Reset
In many environments, devices need to be reset after they've been in use for some time. For example, an organization might provide temporary employees with Windows devices that must be reset for each new user, or reset computers in training rooms after each class. Windows Autopilot Reset enables this without redeploying a Windows image. It removes personal files, apps, and settings, reapplies the device’s original settings, and preserves the device’s Microsoft Entra ID identity and Intune management enrollment.
Windows Autopilot Reset supports local and remote reset scenarios. It's commonly used to return an existing Microsoft Entra join device to a business-ready state for the next user. Windows Autopilot Reset doesn't support existing Microsoft Entra hybrid join devices.