3.1 Autopilot vs. Provisioning Packages
Key Takeaways
- Windows Autopilot is the better fit when devices can be registered with the Autopilot service and assigned an Intune deployment profile before first use.
- Provisioning packages are local `.ppkg` files created with Windows Configuration Designer and are useful for bulk enrollment when devices are not pre-registered for Autopilot.
- Autopilot profile assignment is device-centered, while most post-enrollment apps and settings can still be targeted to user groups, device groups, or both.
- Windows bulk enrollment with a provisioning package is userless; the Microsoft Entra users who later sign in are standard users and receive assigned Intune policies and required apps.
- A provisioning package can create a fragile state if domain join, scripts, certificates, or network assumptions are wrong, so it should be tested on disposable pilot devices first.
Choosing the deployment path
The Manage and maintain devices domain begins with a practical choice: should Windows be deployed through Windows Autopilot or through a provisioning package? Both can get a corporate-owned Windows device into Microsoft Entra ID and Intune, but they solve different operational problems.
Autopilot is a cloud deployment workflow. A device is registered with the Windows Autopilot deployment service, associated with the tenant, placed in a Microsoft Entra device group, and assigned an Autopilot profile. The profile controls the Out-of-box experience (OOBE), join type, deployment mode, naming behavior, and enrollment flow.
A provisioning package is a local .ppkg file, usually created with Windows Configuration Designer (WCD). It can be applied from removable media or a network location during or after initial setup. In Intune bulk enrollment scenarios, the package joins new corporate-owned Windows devices to Microsoft Entra ID and enrolls them into Intune.
| Decision point | Windows Autopilot | Provisioning package |
|---|---|---|
| Primary control plane | Autopilot service and Intune profile | Local .ppkg created with WCD |
| Device preparation | Device registered by OEM, reseller, partner, automatic registration, or admin upload | Package copied or made available locally |
| Best for | New corporate PCs, remote delivery, standardized OOBE, profile-driven deployment | Labs, kiosks, schools, bulk staging, devices not pre-registered for Autopilot |
| Assignment model | Autopilot profile targets device groups; ESP can target device or user depending on scenario | Bulk enrollment is userless; post-enrollment policy can target user or device groups |
| User state | Usually one primary user in user-driven or pre-provisioned flows | No primary user during enrollment; users sign in later |
| Risk area | Missing registration, profile conflict, hybrid join connectivity, ESP blockers | Expired bulk token, enrollment restriction, network dependency, risky scripts |
What Autopilot gives you
Autopilot avoids traditional imaging. The device uses the Windows installation that already came from the OEM and then receives identity, enrollment, app, and policy configuration from cloud services. This is why Autopilot is the exam answer when a company wants to ship devices directly to remote employees without IT touching each device.
Autopilot also makes device assignment explicit. You normally assign a deployment profile to a Microsoft Entra device group, often a dynamic group that contains registered Autopilot devices. Required apps, compliance policies, configuration profiles, and security policies may be assigned separately to user groups or device groups.
What provisioning packages give you
A provisioning package is more local and more immediate. WCD can include a device name pattern, Wi-Fi settings, certificates, local settings, an edition upgrade key, apps, and a bulk enrollment token. Applying the package can restart the device, join it to Microsoft Entra ID, and enroll it into Intune.
For Intune bulk enrollment, remember these details:
- The account used to request the bulk token must be allowed by the MDM user scope.
- The bulk token validity period is limited and should be protected like a credential.
- Bulk enrollment is userless, so only the default enrollment restriction applies during enrollment.
- Microsoft Entra users who later sign in are standard users unless another policy grants privileges.
- Apps installed through a package are not the same as apps deployed and managed by Intune.
Exam scenario cues
Pick Autopilot when the question mentions new devices purchased from an OEM, remote workers, a customized OOBE, pre-assigned deployment profiles, pre-provisioning by IT, or a need to reset a device to a business-ready state.
Pick provisioning packages when the question mentions WCD, .ppkg, USB staging, classrooms, kiosks, shared devices, no prior Autopilot registration, or bulk enrollment where a technician applies a package to many corporate-owned devices.
The safest exam habit is to identify the object being assigned. Autopilot deployment profiles are assigned to device groups. Provisioning packages are applied to devices directly. After the device is enrolled, Intune policies can be assigned to users or devices, and assignment filters can narrow the effective target.
A company buys Windows 11 laptops from an OEM that can register the hardware hashes before shipment. The laptops should ship directly to remote employees and present a guided corporate OOBE. Which deployment method is the best fit?
A school must enroll hundreds of shared Windows devices that are not registered in the Autopilot service. A technician can touch each device briefly and apply a local package. Which tool should be used to create the deployment artifact?
A Windows bulk enrollment provisioning package is applied successfully. Which statement about the users who later sign in is correct?