Windows Autopilot Integration (Technical Overview)
Overview
Windows Autopilot is a Microsoft technology that allows devices to automatically enrol into an Organisation’s management environment during the Out-of-Box Experience (OOBE).
When used with OneDeploy, devices can be rebuilt or freshly deployed and then handed directly to the user. During the first boot after deployment, Windows connects to Microsoft services and determines whether the device is registered for Autopilot. If it is, the user is guided through a controlled sign-in experience and the device is automatically configured according to the Organisation’s policies.
This integration allows organisations to combine:
- Bare-metal operating system deployment using OneDeploy
- Cloud-based device configuration using Microsoft Intune and Autopilot
The result is a streamlined workflow where devices can be rebuilt, issued, or replaced quickly while still following modern management practices.
Why Autopilot Integration Is Needed
For Autopilot to work correctly, Microsoft must already know about the device before the OOBE process begins.
Specifically, Microsoft Entra (Azure AD) must have:
- The device hardware ID
- An Autopilot device record
- A deployment profile assigned to the device
Without these elements in place, Windows will proceed with the standard consumer setup process instead of the Organisation’s managed experience.
Because of this requirement, OneDeploy must perform several steps during deployment to prepare the device for Autopilot enrolment.
How the OneDeploy Autopilot Workflow Works
The OneDeploy Autopilot integration automates the preparation process so that the device is recognised by Microsoft before the user reaches OOBE.
The process typically follows this sequence.
1. Device Is Deployed with OneDeploy
A device is rebuilt or newly installed using a OneDeploy Deployment Source.
This process installs Windows and prepares the device according to the selected build configuration.
2. Hardware ID Is Collected
During deployment, OneDeploy gathers the Windows Autopilot hardware hash from the device.
This hardware ID uniquely identifies the device to Microsoft’s Autopilot service.
3. Device Is Imported into Microsoft Entra
OneDeploy communicates with the Organisation’s Microsoft Entra tenant using Microsoft APIs.
Using these APIs, OneDeploy:
- Creates an Autopilot device record
- Uploads the hardware ID
- Applies any configured Group Tag
This ensures Microsoft knows about the device before OOBE begins.
4. Device Is Assigned to a Dynamic Device Group
Microsoft’s recommended approach is to use Dynamic Device Groups in Entra.
A dynamic group automatically includes devices that match a specific rule. For Autopilot devices, the rule typically evaluates the Group Tag associated with the device.
For example, a group might include devices that have a specific tag such as:
When a device with this tag is imported, the dynamic group automatically includes it.
5. Autopilot Deployment Profile Is Applied
Autopilot deployment profiles are normally assigned to device groups, not individual devices.
When the device is added to the dynamic group:
- The device enters the group.
- The group has an Autopilot profile assigned.
- Microsoft applies that profile to the device.
This profile controls how the Windows setup experience behaves.
For example, the profile may:
- Require user sign-in with organisational credentials
- Automatically join the device to Entra ID
- Enrol the device into Intune
- Configure the setup screens shown to the user
6. Device Boots into OOBE
After deployment completes, the device restarts and enters the Windows Out-of-Box Experience (OOBE).
At this point Windows contacts Microsoft’s Autopilot service.
If the device is registered and assigned a profile:
- Windows detects the Organisation
- The sign-in screen is branded for the Organisation
- The user signs in with their corporate credentials
7. Device Automatically Enrols into Management
Once the user signs in:
- The device joins Microsoft Entra
- The device enrols in Microsoft Intune
- Configuration policies and applications are applied
This allows the device to be fully managed immediately after first login.
Group Tags and Device Targeting
Group Tags allow organisations to differentiate devices during Autopilot registration.
For example, tags may be used to represent:
- Departments
- Device roles
- Geographic regions
- Different configuration profiles
Example tags might include:
- OD-FINANCE
- OD-RETAIL
- OD-KIOSK
Dynamic device groups can use these tags to automatically assign the correct Autopilot deployment profile.
This allows the same deployment process to prepare devices for different environments without requiring multiple deployment workflows.
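The tag-based targeting described above, as an added example (not OneDeploy's code): it builds the exact-match dynamic membership rule for a Group Tag and checks sample devices against it locally. It relies on Entra exposing the Group Tag as an `[OrderID]:<tag>` entry in `devicePhysicalIds`; the tag character policy, function names and device data are assumptions made for illustration.

```python
import re

# Assumed naming policy for tags (hypothetical): letters, digits, "_" and "-".
TAG_PATTERN = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")


def membership_rule(group_tag: str) -> str:
    """Build an exact-match dynamic membership rule for one Group Tag."""
    if not TAG_PATTERN.fullmatch(group_tag):
        # Reject quotes, spaces and brackets so a tag can never alter the rule.
        raise ValueError(f"unsafe group tag: {group_tag!r}")
    return f'(device.devicePhysicalIds -any (_ -eq "[OrderID]:{group_tag}"))'


def rule_matches(device_physical_ids, group_tag: str) -> bool:
    """Local stand-in for the rule: -any over the list, -eq per entry.

    String comparison in dynamic membership rules is case-insensitive.
    """
    wanted = f"[OrderID]:{group_tag}".casefold()
    return any(pid.casefold() == wanted for pid in device_physical_ids)


def groups_for(device_physical_ids, tags):
    """Return every tag whose dynamic group would include this device."""
    return [t for t in tags if rule_matches(device_physical_ids, t)]


if __name__ == "__main__":
    tags = ["OD-FINANCE", "OD-RETAIL", "OD-KIOSK"]
    # Constructed device records; the ZTDId values are placeholders.
    devices = {
        "kiosk-01": ["[ZTDId]:constructed-0001", "[OrderID]:OD-KIOSK"],
        "lab-07": ["[ZTDId]:constructed-0002", "[OrderID]:OD-KIOSK-LAB"],
        "untagged": ["[ZTDId]:constructed-0003"],
    }
    for tag in tags:
        print(membership_rule(tag))
    for name, ids in devices.items():
        print(name, "->", groups_for(ids, tags) or "no profile group")
```

Using `-eq` rather than a prefix or substring operator keeps a device tagged `OD-KIOSK-LAB` out of the `OD-KIOSK` group, so it cannot pick up that group's profile by accident.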
Microsoft API Integration
OneDeploy communicates with Microsoft Entra and Autopilot services using the Microsoft Graph API.
To enable this integration, an App Registration must be created in the Organisation’s Entra tenant.
This app registration provides the credentials OneDeploy needs to perform Autopilot operations.
Typical information required includes:
- Tenant ID
- App (Client) ID
- Client Secret
The app registration must also have the appropriate API permissions to manage Autopilot devices.
Required API Permissions
At minimum, the integration requires permission to manage Autopilot devices.
Recommended permissions include:
DeviceManagementServiceConfig.ReadWrite.All
Required to create and manage Autopilot device records.
Device.Read.All (Recommended)
Allows OneDeploy to read device information.
This permission can also be used to monitor whether the device has been successfully added to the required dynamic group.
Group.ReadWrite.All (Optional)
Allows OneDeploy to make changes to group membership if advanced automation is required.
This permission provides broader control and should be granted only if required by the Organisation’s policies.
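An added example (not OneDeploy's code) for reviewing the app registration against the permissions listed above: it reads the `roles` claim of an app-only access token, where Entra lists the granted application permissions, and reports anything missing or beyond that list. The token is constructed sample data, `Directory.ReadWrite.All` stands in for an over-grant, and the function names are hypothetical.

```python
import base64
import json

# Application permissions named on this page for the OneDeploy app registration.
REQUIRED = {"DeviceManagementServiceConfig.ReadWrite.All"}
RECOMMENDED = {"Device.Read.All"}
OPTIONAL = {"Group.ReadWrite.All"}


def token_roles(access_token: str) -> set:
    """Return the 'roles' claim of a JWT without verifying its signature.

    Inspection only: an unverified decode must never drive an access decision.
    """
    payload_b64 = access_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    return set(claims.get("roles", []))


def audit_roles(roles: set, allow_group_write: bool = False) -> dict:
    """Compare granted roles with the page's list; Group write is opt-in."""
    allowed = REQUIRED | RECOMMENDED | (OPTIONAL if allow_group_write else set())
    return {
        "missing": sorted(REQUIRED - roles),
        "excess": sorted(roles - allowed),
    }


def constructed_token(roles) -> str:
    """Build an unsigned sample token (constructed data, not a credential)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"roles": roles}), "sig"])


if __name__ == "__main__":
    sample = constructed_token([
        "DeviceManagementServiceConfig.ReadWrite.All",
        "Device.Read.All",
        "Group.ReadWrite.All",
        "Directory.ReadWrite.All",  # constructed over-grant
    ])
    print(audit_roles(token_roles(sample)))
    print(audit_roles(token_roles(sample), allow_group_write=True))
```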
Internet Connectivity Requirements
The current implementation requires internet connectivity during the deployment process.
This is necessary because OneDeploy must communicate with Microsoft APIs to:
- Upload the hardware ID
- Register the device with Autopilot
- Monitor device group assignment (optional)
Future improvements may introduce support for more offline-friendly workflows, but the current process depends on cloud connectivity during deployment.
Benefits of Using Autopilot with OneDeploy
Combining OneDeploy with Autopilot provides several advantages.
Modern Device Provisioning
Devices can be deployed using OneDeploy and then immediately transition into modern management using Intune and Entra ID.
Simplified User Experience
Users only need to sign in during OOBE. The device automatically configures itself afterwards.
Faster Device Replacement
Failed or replaced devices can be rebuilt and issued quickly without manual configuration.
Consistent Configuration
Autopilot ensures every device receives the correct policies, applications, and security configuration.
Flexible Device Targeting
Group Tags and Dynamic Groups allow organisations to apply different configurations to different types of devices.
Important Notes
- The device must be registered with Autopilot before OOBE begins or the managed setup experience will not appear.
- Autopilot profiles should be assigned to groups, not directly to devices.
- Dynamic groups are the recommended method for assigning devices to Autopilot profiles.
- The deployment process currently requires internet access so OneDeploy can communicate with Microsoft APIs.
Common Questions
Can OneDeploy replace Autopilot?
No. OneDeploy and Autopilot serve different purposes.
OneDeploy performs the operating system deployment, while Autopilot manages the first-boot enrolment and configuration process.
Do devices need to be purchased through an OEM for Autopilot?
No. Devices deployed with OneDeploy can still be registered with Autopilot by collecting and uploading the hardware ID during deployment. This works with existing hardware, not just brand-new devices from the OEM.
What happens if the device is not registered with Autopilot?
Windows will start the normal consumer setup process and the device will not automatically join the Organisation.
Why use Dynamic Device Groups?
Dynamic groups automatically assign devices to the correct Autopilot profile based on attributes such as the Group Tag.
This avoids manual assignment of devices.
Does Autopilot work without internet access?
No. Autopilot requires communication with Microsoft services during OOBE.
Additionally, the current OneDeploy integration requires internet connectivity during deployment to register the device.
Related Articles
- Configuring Autopilot Integration in OneDeploy
- Creating an Entra App Registration for OneDeploy
- Creating Dynamic Device Groups for Autopilot
- Understanding Autopilot Deployment Profiles
- Using Group Tags with Windows Autopilot