Windows Autopilot and Surface devices

Windows Autopilot is a cloud-based deployment technology in Windows 10 and Windows 11. You can use Windows Autopilot to remotely deploy and configure devices in a zero-touch process right out of the box.

Traditionally, IT pros spend a lot of time building and customizing images that will later be deployed to devices that already come with a perfectly good OS already installed on them. Windows Autopilot introduces a new zero-touch deployment approach using a collection of technologies to set up and configure Windows devices. This enables an IT department to configure/customize images with little to no infrastructure to manage and a process that is easy and simple. From the user’s perspective, it only takes a few simple steps to get Surface to a productive state. In fact, the only interaction required from the end user is to connect to a network and to verify their credentials. Everything after that is fully automated.

Windows Autopilot allows you to:

  • Automatically join devices to Microsoft Entra ID.
  • Auto-enroll devices into MDM services, such as Microsoft Intune (requires a Microsoft Entra ID P1 or P2 subscription).
  • Restrict the Administrator account creation. Autopilot is the only way to have the first person who logs into Windows enter as a standard user.
  • Create and auto-assign devices to configuration groups based on device profiles.
  • Customize OOBE (Out of Box Experience) content and branding to meet organizational requirements.
  • Enable full device configuration with Intune.
  • Reset or restart devices remotely.

How it works

Windows Autopilot-registered devices are identified over the Internet at first startup through a unique device signature that's called a hardware hash. They're automatically enrolled and configured by using modern management solutions such as Microsoft Entra ID and mobile device management.

You can register Surface devices at the time of purchase from a Surface partner that's enabled for Windows Autopilot. These partners can ship new devices directly to your users. The devices will be automatically enrolled and configured when they are first turned on. This process eliminates reimaging during deployment, which lets you implement new, agile methods of device management and distribution.

Modern management

Autopilot is the recommended deployment option for Surface devices, including Surface Pro 9, Surface Pro 9 with 5G, Surface Studio 2+, Surface Pro 8, Surface Laptop Studio (all generations), Surface Laptop Go (all generations), Surface Go 4, Surface Go 3, Surface Pro 7+, Surface Laptop 5, Surface Laptop 4, and Surface Pro X.

It's best to enroll your Surface devices with the help of a Microsoft Cloud Solution Provider. This step allows you to manage UEFI firmware settings on Surface directly from Intune. It eliminates the need to physically touch devices for certificate management. See Intune management of Surface UEFI settings for details.

Windows version considerations

Broad deployment of Surface devices through Windows Autopilot, including enrollment by Surface partners at the time of purchase, requires Windows 10 Version 1709 (Fall Creators Update) or later.

These Windows versions support a 4,000-byte (4k) hash value that uniquely identifies devices for Windows Autopilot, which is necessary for deployments at scale.

Exchange experience on Surface devices in need of repair or replacement

Microsoft automatically checks every Surface for Autopilot enrollment and will deregister the device from the customer's tenant. Microsoft ensures the replacement device is enrolled into Windows Autopilot once a replacement is shipped back to the customer. This service is available on all device exchange service orders directly with Microsoft.

Note

When customers use a Partner to return devices, the Partner is responsible for managing the exchange process including deregistering and enrolling devices into Windows Autopilot.

Microsoft Support registration

Customers and Microsoft Cloud Solution Providers (CSPs) have the option of registering Surface devices by submitting requests to Microsoft Support. To learn more, see Surface Registration Support for Windows Autopilot.

Surface partners enabled for Windows Autopilot

Select Surface partners can enroll Surface devices in Windows Autopilot for you at the time of purchase. They can also ship enrolled devices directly to your users. The devices can be configured entirely through a zero-touch process by using Windows Autopilot, Microsoft Entra ID, and mobile device management.

Surface partners that are enabled for Windows Autopilot include:

US partners Global partners US distributors
CDW ALSO Synnex
Connection ATEA Techdata
Insight Bechtle Ingram
SHI Cancom
LDI Connect Computacenter
F1
Protected Trust

Learn more

For more information about Windows Autopilot, see: