The Definitive Guide to Windows Autopilot Zero-Touch Provisioning

Welcome to the technical blueprint for achieving “Zero-Touch” deployment using Windows Autopilot and Hexnode UEM. This guide covers how to transition a Windows device from a shrink-wrapped box to a fully managed corporate asset without your IT department ever needing to physically touch the hardware.

Unlike traditional imaging methods (like PXE or USB drives), Windows Autopilot does not re-install the operating system. Instead, it relies on a Hardware Hash (a unique digital fingerprint) to register the device in the cloud.

The Device Lifecycle: From Factory to Employee

When an employee first powers on their new device and connects to Wi-Fi, the hardware identifies itself to the Windows Autopilot Deployment Service. The service then recognizes the device and redirects it to Hexnode UEM for automatic configuration. Here is the step-by-step technical handshake:

  1. Upload Hardware Hashes: Your OEM or Hardware Vendor uploads the device Hardware Hashes (PKID) to the Microsoft Intune Admin center.
  2. Sync Device IDs: Hexnode UEM syncs these Device IDs via the Microsoft Graph API.
  3. Assign Profiles: IT assigns a “Deployment Profile” (e.g., User-Driven or Self-Deploying) to the devices from the Microsoft Intune Admin center.
  4. Power On: The end-user receives the sealed box, powers on the device, and connects to Wi-Fi.
  5. Identification: The device asks Microsoft, “Who am I?” by sending its Hardware Hash.
  6. Redirection: Microsoft responds, “You belong to [Your Enterprise]. Redirecting to Hexnode.”
  7. Enrollment: The device requests enrollment into Hexnode via Entra ID Authentication.
  8. Provisioning: Hexnode pushes all required apps, security policies, and certificates to the device.
  9. Ready: The user is greeted with a ready-to-use desktop.

Choosing an Autopilot Deployment Profile

The behavior of the device during the Out-of-Box Experience (OOBE) is governed by the profile you assign in Hexnode.

| Feature              | User-Driven Mode (Standard)                  | Self-Deploying Mode (Kiosk)                     |
|----------------------|----------------------------------------------|-------------------------------------------------|
| Primary Use          | Individual employee laptops.                 | Shared devices, digital signage, kiosks.        |
| Auth Trigger         | User must enter their Entra ID credentials.  | Automatic (no user login required).             |
| Hardware Requirement | TPM 2.0 (recommended).                       | TPM 2.0 (mandatory for attestation).            |
| User Experience      | Custom welcome screen with company branding. | Skips all OOBE screens directly to the desktop. |

The Enrollment Status Page (ESP)

To ensure a device is secure before the user can access the desktop, Hexnode enforces the Enrollment Status Page (ESP). This acts as a holding pattern governed by three logical steps:

  • SENSE (Device Preparation): The device downloads its assigned Autopilot Deployment profile configured in the Intune Admin Center and joins Entra ID.
  • THINK (Account Setup): Hexnode checks the configuration for “Blocking Apps”: critical security software (such as your antivirus or VPN client) that must be present before the user is allowed to work.
  • ACT (Enforcement): The device remains locked on the ESP screen until all “Blocking Apps” and mandatory profiles are successfully installed.

Pre-Provisioning (“White Glove” Service)

If you have remote employees with slow home internet connections, downloading heavy applications during the OOBE can result in a poor first-day experience. To solve this, IT can utilize Pre-Provisioning.

  • The Action: An IT technician unboxes the laptop in the office, boots it to the first OOBE screen, and taps the Windows Key 5 times.
  • The Result: This triggers the device to download all heavy apps, policies, and updates using the corporate network.
  • The Handoff: Once finished, IT “reseals” the device and ships it to the user. When the user receives it, they only need to perform a quick 2-minute final sign-in.

Troubleshooting Common Error Codes

If a deployment fails, reference this diagnostic dictionary to quickly identify and resolve the issue:

| Error Code | Meaning                                                                                      | Resolution Path                                                                   |
|------------|----------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------|
| 0x800705b4 | TPM Timeout: hardware attestation failed during Self-Deploying mode.                         | Verify that TPM 2.0 is enabled and cleared in the device BIOS.                    |
| 0x80180014 | MDM Enrollment Disabled: the user is not authorized to enroll devices.                       | Check your Entra ID “Mobility (MDM and MAM)” user scope settings.                 |
| 0x801c03ea | Hardware Hash Missing: the device was turned on before the hash was synced to your tenant.   | Ensure your vendor uploaded the PKID to the tenant and manually sync Hexnode.     |
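The two hardware-side failures in the table (TPM attestation and a missing hardware hash) can both be checked on the device before it ships. The following script is an added example, not code from the original guide or from Hexnode: run in an elevated PowerShell session on the device, it reports whether the TPM meets the Self-Deploying requirement and writes the hardware hash in the CSV layout the Intune import expects. `$OutputFile`, `Test-AutopilotTpm` and `Export-AutopilotHash` are names chosen here for illustration.

```powershell
# Added pre-flight check (not part of the original guide): TPM 2.0 state and
# local hardware-hash capture. Run elevated on the device itself.
param([string]$OutputFile = "$env:TEMP\AutopilotHWID.csv")   # placeholder path

function Test-AutopilotTpm {
    # Get-Tpm ships with the built-in TrustedPlatformModule module
    $tpm  = Get-Tpm
    # Win32_Tpm.SpecVersion is a comma-separated string such as "2.0, 0, 1.38"
    $spec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                             -ClassName Win32_Tpm).SpecVersion
    $major = if ($spec) { ($spec -split ',')[0].Trim() } else { 'none' }

    [pscustomobject]@{
        TpmPresent   = $tpm.TpmPresent
        TpmReady     = $tpm.TpmReady
        SpecVersion  = $major
        # Self-Deploying mode attestation needs a present, ready TPM 2.0
        SelfDeployOk = ($tpm.TpmPresent -and $tpm.TpmReady -and $major -eq '2.0')
    }
}

function Export-AutopilotHash {
    param([string]$Path)
    # Same WMI source Microsoft's Get-WindowsAutopilotInfo script reads
    $dev = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' `
                           -ClassName MDM_DevDetail_Ext01 `
                           -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
    if (-not $dev.DeviceHardwareData) {
        throw 'Hardware hash not available: run this elevated on the device.'
    }
    $serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber

    # Column names must match the Intune import template; product ID may stay blank.
    # Quotes are stripped because the import expects unquoted fields.
    [pscustomobject]@{
        'Device Serial Number' = $serial
        'Windows Product ID'   = ''
        'Hardware Hash'        = $dev.DeviceHardwareData
    } | ConvertTo-Csv -NoTypeInformation |
        ForEach-Object { $_ -replace '"', '' } |
        Out-File -FilePath $Path -Encoding ascii
    return $Path
}

$result = Test-AutopilotTpm
$result | Format-List
if (-not $result.SelfDeployOk) {
    Write-Warning 'TPM 2.0 not present/ready: expect 0x800705b4 in Self-Deploying mode. Check BIOS.'
}
Write-Host "Hardware hash written to $(Export-AutopilotHash -Path $OutputFile)"
```

Upload the resulting CSV through the Intune Admin center's Autopilot device import, then sync Hexnode as the 0x801c03ea row describes.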