Windows Autopilot: Zero-Touch Device Provisioning for Small Business in Berlin
Every new PC that arrives at a Berlin office used to mean an imaging session: boot from USB, apply a Windows image, install drivers, join the domain, install apps, configure user settings — two to four hours per device, minimum. Windows Autopilot eliminates that process entirely. The device ships directly from the reseller to the end user’s desk. The user powers it on, signs in with their corporate credentials, and Autopilot handles the rest: Azure AD join or Hybrid Azure AD join, Intune enrolment, policy application, app installation, and desktop configuration. The IT administrator never physically touches the machine. For a small business in Berlin with staff in multiple locations or remote workers, Autopilot is the operational difference between scalable device management and a perpetual hands-on imaging backlog.
How Autopilot Works: The Provisioning Flow
Autopilot is not a separate imaging tool — it is a set of configuration profiles stored in Intune that transform the Windows Out-of-Box Experience (OOBE). When a pre-registered device connects to the internet during OOBE, it checks in with the Autopilot deployment service, downloads the matching profile, skips unnecessary OOBE screens, and initiates Intune enrolment automatically. The user sees a minimal, branded sign-in screen. After authenticating, Intune pushes all assigned apps and policies in the background.
Autopilot Deployment Modes
| Mode | Use Case | User Interaction | Join Type |
|---|---|---|---|
| User-Driven (Azure AD Join) | Cloud-only organisations, remote workers | User signs in with Entra ID credentials during OOBE | Entra ID (Azure AD) Join |
| User-Driven (Hybrid Azure AD Join) | Hybrid AD environments with on-premises domain | User signs in; device joins on-premises AD + Entra ID | Hybrid Azure AD Join (requires Intune Connector for AD) |
| Self-Deploying | Shared kiosk devices, conference room machines | No user interaction — device provisions fully automatically | Entra ID Join only |
| Pre-Provisioning (White Glove) | IT does a first-pass app install before device reaches user | IT completes device-context provisioning; user completes user-context on first login | Entra ID or Hybrid |
Prerequisites and Licensing
Autopilot requires Microsoft Intune for device management (included in Microsoft 365 Business Premium). The devices must be pre-registered in the Autopilot service with their hardware hash — either by the OEM/reseller at purchase (the recommended path for new devices) or manually via the Get-WindowsAutoPilotInfo PowerShell script for existing hardware. Azure AD Premium P1 is required for Hybrid Azure AD Join (included in Microsoft 365 Business Premium). For Hybrid Join, the Intune Connector for Active Directory must be installed on a domain-joined Windows Server in the on-premises network.
Deploying Autopilot: Configuration Steps
- Register devices: Coordinate with your reseller to register device hardware hashes in your Intune tenant at purchase. For existing devices, run `Install-Script Get-WindowsAutoPilotInfo` then `Get-WindowsAutoPilotInfo -Online` to upload hashes directly to Intune.
- Create an Autopilot Deployment Profile: In Intune (intune.microsoft.com) → Devices → Enrollment → Windows Autopilot deployment profiles. Set join type, deployment mode, and OOBE settings (skip privacy settings, skip EULA, hide account setup page for user-driven). Add a company branding name so users see a familiar login screen.
- Create a Deployment Profile Assignment: Assign the profile to a device group (dynamic group based on `device.devicePhysicalIds` containing the Autopilot order ID or purchase order, or a static group of pre-registered devices).
- Configure Enrolment Status Page (ESP): The ESP blocks the desktop until critical apps finish installing. Configure it to block access until Intune apps and policies are applied — prevents users from logging in before security baselines are in place.
- Assign apps and configuration profiles: Ensure the Intune app groups and compliance/configuration policies are assigned to the same device or user groups. Autopilot does not install apps itself — Intune does; Autopilot just triggers the enrolment that kicks off Intune deployment.
- Test with a pilot device: Before rolling out fleet-wide, go through the full OOBE flow on one device. Validate that the ESP completes, all required apps are installed, and Compliance Policy shows Compliant in Intune within 30 minutes of setup.
- For Hybrid Join only — install the Intune Connector: On a Windows Server that can reach your on-premises AD DCs and has outbound internet access to Intune, install the Intune Connector for Active Directory from Intune → Devices → Enrollment → Windows → Intune Connector for Active Directory. This connector creates the AD computer object during Autopilot provisioning.
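A pre-import check for the registration and group-assignment steps above, as an added example that is not part of the original article: it reviews a hardware-hash CSV (the layout `Get-WindowsAutopilotInfo -OutputFile` writes, as an alternative to `-Online`) for duplicate serials, malformed hashes and missing group tags, then builds the dynamic-group rule for one order ID. The function names, serial numbers, hashes and the `BERLIN-PILOT` tag are constructed for illustration.

```powershell
# Added example. Sample rows are constructed; hashes are placeholder base64,
# not real device hashes. Function names are hypothetical.
$sampleCsv = @'
Device Serial Number,Windows Product ID,Hardware Hash,Group Tag
PF-CONSTRUCTED-01,,Q09OU1RSVUNURUQtSEFTSC0wMQ==,BERLIN-PILOT
PF-CONSTRUCTED-02,,Q09OU1RSVUNURUQtSEFTSC0wMg==,BERLIN-PILOT
PF-CONSTRUCTED-02,,Q09OU1RSVUNURUQtSEFTSC0wMg==,BERLIN-PILOT
PF-CONSTRUCTED-03,,not base64!,BERLIN-PILOT
PF-CONSTRUCTED-04,,Q09OU1RSVUNURUQtSEFTSC0wNA==,
'@

function Test-AutopilotImportCsv {
    param([Parameter(Mandatory)][string]$CsvText)
    $rows = @($CsvText | ConvertFrom-Csv)
    if ($rows.Count -eq 0) { throw 'CSV contains no device rows' }
    $columns = $rows[0].PSObject.Properties.Name
    $missing = @('Device Serial Number', 'Hardware Hash' | Where-Object { $_ -notin $columns })
    if ($missing.Count) { throw "Missing column(s): $($missing -join ', ')" }

    $seen = @{}
    foreach ($row in $rows) {
        $serial = $row.'Device Serial Number'
        $hash   = $row.'Hardware Hash'
        $issues = @()
        # A serial listed twice usually means a copy/paste error in the import file.
        if ($seen.ContainsKey($serial)) { $issues += 'duplicate serial' }
        $seen[$serial] = $true
        # The hardware hash is a base64 blob; reject empty or undecodable values.
        try {
            if ([string]::IsNullOrWhiteSpace($hash)) { throw 'empty' }
            [void][Convert]::FromBase64String($hash)
        } catch { $issues += 'hash missing or not valid base64' }
        # Without a tag the device will not match an order-ID based dynamic group.
        if ([string]::IsNullOrWhiteSpace($row.'Group Tag')) { $issues += 'no group tag' }
        [pscustomobject]@{
            Serial = $serial; GroupTag = $row.'Group Tag'
            Ok = ($issues.Count -eq 0); Issues = $issues -join '; '
        }
    }
}

function Get-AutopilotGroupRule {
    param([Parameter(Mandatory)][string]$GroupTag)
    # Intune's Group Tag appears in devicePhysicalIds as "[OrderID]:<tag>".
    '(device.devicePhysicalIds -any (_ -eq "[OrderID]:{0}"))' -f $GroupTag
}

Test-AutopilotImportCsv -CsvText $sampleCsv | Format-Table -AutoSize
Get-AutopilotGroupRule -GroupTag 'BERLIN-PILOT'
```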
Autopilot Reset: Reprovisioning Without Reinstalling
When a device needs to be reassigned to a new user or reprovisioned after a security incident, Autopilot Reset wipes the device back to a policy-compliant state without requiring a full Windows reinstall. In Intune, trigger a remote Autopilot Reset — the device reboots into a clean OOBE state, still registered to your tenant, ready for the next user to sign in and reprovision. For small businesses that cycle devices between employees or repurpose hardware, this eliminates the imaging overhead entirely.
Operational Benefits for Berlin Small Businesses
The labour cost of traditional imaging is often invisible until it is quantified: 3 hours per device, 10 new hires per year, equals 30 hours of IT time per year just on initial provisioning — before accounting for reprovisioning, OS reinstalls, and hardware replacements. Autopilot reclaims that time. More importantly, it enforces consistent security baselines from first boot: every device that provisions through Autopilot is compliant with Intune policy before the user reaches the desktop. There is no window between imaging and policy application where the device is unmanaged.
For Berlin businesses scaling headcount or managing remote workers across multiple locations, Autopilot combined with Intune MAM and Conditional Access creates a complete modern device lifecycle: zero-touch provisioning, continuous compliance enforcement, and secure app access — regardless of where the device is located. IT Experts Berlin configures and manages Autopilot deployments as part of Microsoft 365 Business Premium implementations. Request a free IT assessment to review your current device provisioning and management posture.
