Implementing Windows Autopilot – the future of device deployment

By Paul Winstanley, Microsoft System Center Configuration Manager Consultant, SCCM Solutions Ltd. He has 22 years experience in IT and is a community leader at Windows Management User Group (WMUG) and blogs at He was recently awarded MVP in Enterprise Mobility.

Microsoft has recently unveiled Autopilot, a new and emerging solution designed to allow you to setup and pre-configure devices for your environment, with little or no infrastructure in place.

The idea behind Autopilot is to remove some of the complexity of your current operating system deployment, reducing the task down to a set of simple settings and operations that can get your device ready to use, out of the box, quickly and efficiently.

Autopilot is a cloud-centric solution, your devices will need line of site to the Internet to pick up settings and configure correctly.

The Windows 10 Creators Update is required to get you started with Autopilot. Current configuration choices are limited but this is expected to grow with the Fall update due imminently.

If you are already aware of the Apple Device Enrollment Program (DEP), then Autopilot is similar. A unique hardware identifier can be pre-registered before the device is turned on, and when shipped to the user and connected to the Internet all the configuration, branding, software and compliancy can be pushed down to the device.

The following pre-requisites must be in place for Autopilot to work:

  • A device, pre-installed with Windows 10 Creators Update (1703 release) and with Internet access
  • Sufficient rights to the Azure portal
  • Intune account, or another MDM solution, to manage devices
  • Sufficient rights on the Windows Store for Business
  • An Azure AD premium P1 or P2 subscription

You can try Autopilot right now. The following details what you need to do to experience this first hand.

Gather data for Autopilot

You'll need to gather some information from your device. The idea with Autopilot is that your suppliers will be able to populate this information for you, but you can upload this information yourself.

You can either collect this information from within the OS and reset the machine, or you can invoke a CMD prompt from the OOBE phase, when the device powers on for the first time, to do this press Shift+F10.

Three bits of information are required and to collate this run the following commands (Note the last two commands are PowerShell commands and that you need administrator rights to execute):

wmic bios get serialnumber
Get-ItemPropertyValue "hklm:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DefaultProductKey\" "ProductId"
$wmi = Get-WMIObject -Namespace root/cimv2/mdm/dmmap -Class MDM_DevDetail_Ext01 -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
$wmi.DeviceHardwareData | Out-File "($env:COMPUTERNAME).txt"

The resultant information needs to be stored in a .csv file and the format needed is comma separated as follows:

Device Serial Number,Windows Product ID,Hardware Hash

You can repeat this process for all the devices you wish to Autopilot and add them to the same .csv file.

Configuring Autopilot in the Windows Store for Business

With data collected and ready to upload, go to the Windows Store for Business portal and log in. Then click Manage\Devices


2017-08-28 16_52_12-Microsoft Store for Business.jpg


Click the AutoPilot deployment drop down and choose Create New Profile


2017-08-28 16_55_19-Microsoft Store for Business.jpg


At present the following choices are available to the Windows 10 Creators Update:

  • Skipping Work or Home usage selection (Automatically enabled)
  • Skipping OEM registration, OneDrive and Cortana (Automatically enabled)
  • Skipping privacy settings
  • Preventing the account used to set-up the device from getting local administrator permissions

Enable Skip Privacy Settings and Disable local admin account creation on the device. Then click Create.


2017-08-28 16_57_11-Microsoft Store for Business.jpg


Next you need to import the device or devices from the csv file that was created. To do this, click the Add Devices link.


2017-08-28 17_01_53-Microsoft Store for Business.jpg


Select the csv file for import.


2017-08-28 17_02_56-Open.jpg


Enter a relevant name for the group of devices you are importing.


2017-08-28 17_03_45-Microsoft Store for Business.jpg


Notice that the devices are being imported and you have to wait for this process to complete.


2017-08-28 17_04_52-Microsoft Store for Business.jpg


With the device/s imported, the next step is to assign the Autopilot profile to the device. Select the device/s and click the Autopilot deployment drop down and choose your profile. Once again, you will be informed that the request is being processed.


2017-08-28 17_07_02-Microsoft Store for Business.jpg


Once the profile has applied, you will see it assigned against against the device.


2017-08-29 20_09_25-Microsoft Store for Business.jpg


You are now in a position to fire up your Windows 10 device and let Autopilot do its work.

Autopilot in action

Before you fire up your Windows 10 device, make sure that you are auto enrolling your devices in Intune, or other MDM solution. Microsoft has an excellent guide on how to do this here.

With your Windows 10 device Internet connected, you'll be prompted to choose the region and keyboard settings that you prefer. After this is done your device will inform you that things are happening




After a restart, you will be presented with your work login. It's as simple as that. 




With your MDM solution of choice in place, you can start to push down applications, compliancy and settings to the device or end user. For example, you can push the latest Office 365 release direct from Intune, and this will stream down in the background.

It's going to be interesting to see where Microsoft takes Autopilot with the next release, the Creators Update, and what impact this will have overtime on traditional on-prem Windows image deployment mechanisms.

Further viewing

Microsoft has published a couple of Autopilot videos that are worth taking a look at.

Comments (22)

  1. Bishop says:

    I am getting these errors while running those last two commands in the CMD:
    C:\Users\Administrator>Get-ItemPropertyValue “hklm:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DefaultProductKey\” “ProductId”
    ‘Get-ItemPropertyValue’ is not recognized as an internal or external command,
    operable program or batch file.

    C:\Users\Administrator>$wmi = Get-WMIObject -Namespace root/cimv2/mdm/dmmap -Class MDM_DevDetail_Ext01 -Filter “InstanceID=’Ext’ AND ParentID=’./DevDetail'”$wmi.DeviceHardwareData | Out-File “($env:COMPUTERNAME).txt”
    ‘$wmi’ is not recognized as an internal or external command,
    operable program or batch file.

    1. ManelR says:

      Those aren’t CMD commands but PowerShell ones 😉

      1. Bishop says:

        Does anyone know when Autopilot Reset will be available? I would love to be able to reset a device quickly after an employee hands it.
        Then to be able to quickly give it to another employee without having to re run the commands. Seeing as the hardware hash changes when I do an Azure Intune factory reset.

        1. Per Larsen says:

          It is working in windows 10 1709 – it already works in the insider build

          1. Bishop says:

            Where do I find the documentation on how to activate the Autopilot Reset? We have old computers we would like to reuse with new employees.

    2. directorcia says:

      Slight error in last script parameter line. There should be a new line at:

      $wmi.DeviceHardwareData | Out-File “($env:COMPUTERNAME).txt”

      Thus, should read:

      $wmi = Get-WMIObject -Namespace root/cimv2/mdm/dmmap -Class MDM_DevDetail_Ext01 -Filter “InstanceID=’Ext’ AND ParentID=’./DevDetail'”

      $wmi.DeviceHardwareData | Out-File “($env:COMPUTERNAME).txt”

  2. Paul Winstanley says:

    Bishop – run those two commands in PowerShell

  3. John Hunter says:

    I wonder if he means ‘line of sight’ or maybe he means ‘connected’ but he was running below the mandatory quota of made-up jargon that Microsoft seem to impose on all their documentation?

  4. Sampo says:

    I have played a little bit with Autopilot and I got everything working except bitlocker encryption
    When configuring autopilot profile I chose “Disable local admin account creation”. Then I have setup an Intune MDM policy that requires bitlocker encryption for the device. However when the device is enrolled and MDM policy is being applied, user is asked to verify that no other disk encryption software is installed, when clicking “yes” admin rights are required but those are not available as the device was setup without local admin rights. This leads to end user needing to call admin to enable bitlocker. Will this change in the future or how can I automate bitlocker encryption with the current windows 1703? Thanks

    1. I have the same issue, sampo. If anyone has an idea on how to solve that, it is very welcome.

      1. niall says:

        you can now disable that third party popup question when creating the Endpoint Protection BitLocker policy in Intune.

  5. Akeem says:


    I don’t get any info returned back to me when I do the last command.
    $wmi = Get-WMIObject -Namespace root/cimv2/mdm/dmmap -Class MDM_DevDetail_Ext01 -Filter “InstanceID=’Ext’ AND ParentID=’./DevDetail'”
    $wmi.DeviceHardwareData | Out-File “($env:COMPUTERNAME).txt”

    I get the file however nothing is returned. If I don’t return anything in the MDM_DevDetail_Ext01 is there another way to get the Hardware hash or do I have to figure something else out?

    1. Sagagx says:

      Same problem here, the last command is not returning any information. The file is well created but is empty.

      1. Sagagx says:

        Maybe because the version of Windows 10 is 1607 and not 1703 or later

  6. Noushin Kananian says:

    Many thanks for sharing your experience, skills and knowledge.

  7. BL says:

    A bit late to the show… but should the Get-WMIObject command really generate a 4002 character long string in the output file? Seems a bit longer than expected.

    Running 1703 on a two different Dell and one HP computer with same long output.

    The last 3000-ish characters contains only capital A’s.


  8. Berg says:

    I ran the script for getting the hash on a Dell Latitude 5580. Produced a very long string with “/ ” (forward slash) in it. Trying to import the complete CSV containing the serial number, product Id and Hardware hash didn’t succeed. Any thoughts?

  9. Anantha says:

    Hi, The auto enrollment URL talks about the enrolling with Intune-can someone provide details for Airwatch? can we make certain devices get enrolled in Airwatch and certain through Intune?

  10. Ram says:

    Hi Paul – I have a question about this “collect this information from within the OS and reset the machine” – How do, I reset the machine from which, I have collected hardware information?



  11. Ram says:

    Hi – Not sure why AutoPilot system is in workgroup mode.

    MDM is properly configured in Intune within Azure and all users can enroll. I even looked at the devices in Intune and, I can see AutoPilot system as Azure AD Joined and MDM is Microsoft Intune. Strange.


  12. Niles says:

    Please remove “Domain Join instead” and what does one do if the device is not connected to the internet? There should be a “phone home” function built in and why does it require the Product ID and hardware hash? you have any idea how difficult it will be to obtain this data from thousands of devices already in one environment!? It should only require the serial number and/or MAC address.

    These are to many loop holes in the AutoPilot process. So currently the only way to lock down devices involves that the device be sent directly to IT to be processed using the following method.

    1. Configure Azure AD and Intune to only allow DEM and package_* (created by bulk enrollment WICD) accounts.
    2. Configure bulk enrollment using a WICD provisioning package.
    3. Image devices with include PPKG file create by WICD in step 2.

    This is how we deal with this process today. Unfortunately this does not prevent rouge users from reformatting their device. AutoPilot would prevent this but unfortunately users can still either click on “Domain Join instead” or keep the device offline during the OOBE.

    Come in MSFT get you act together! Apples does this today so can you.

Skip to main content