Last year at Microsoft Ignite 2017, we announced Windows Autopilot. This solution provides a way for organizations to ship fresh, untouched Windows 10 devices directly to the end user and define the provisioning flow the user goes through to get a secure, productive Windows 10 device. First, the OEM registers purchased devices with the Windows Autopilot service, so you can assign the necessary Windows Autopilot profile. This profile defines the Out of Box Experience (OOBE) for that device. 

It is also possible to register your existing Windows 10 devices with the Windows Autopilot service so that if a device ever needs to be reset, or re-provisioned to a new user, the device will go through the same experience as new devices. For more information, see Adding devices to Windows Autopilot and the rest of our Windows Autopilot documentation.

In the year since we announced Windows Autopilot, we have received feedback from many customers who have Windows 7 estates running on modern hardware and want to re-provision those devices with Windows 10 using the Windows Autopilot experience. Unfortunately, the hardware hash necessary to pre-register an existing device with Windows Autopilot did not exist on Windows 10 prior to Windows 10, version 1703. This led to many people developing creative and often manual solutions to first reimage a device, then collect the hash to register the device with Windows Autopilot.

To address this, at Microsoft Ignite 2018, we announced Windows Autopilot for existing devices and other capabilities. Windows Autopilot for existing devices allows you to reimage and provision a Windows 7 device for Windows Autopilot user-driven mode using a single System Center Configuration Manager (current branch) task sequence.

You can test this scenario now using Configuration Manager 1806 or later and Windows 10 Insider Preview Build 17758 or later.

In this post, I will take you through the steps to:

  1. Retrieve a Windows Autopilot profile from Microsoft Intune.
  2. Convert the profile to the correct configuration file format.
  3. Configure a Windows Autopilot for existing devices task sequence in Configuration Manager.

Create the Windows Autopilot for existing devices JSON file

  1. On an Internet-connected Windows PC or Server open an administrative PowerShell command window.
  2. Enter the following commands to install the necessary modules:

    Install-Module AzureAD
    Install-Module WindowsAutopilotIntune

  3. Accept any prompts to complete the module installations.
  4. Now log into Intune with administrator credentials using the following command:

  5. The next command will retrieve all the Windows Autopilot profiles associated with your Intune tenant.

  6. As these profiles are not usable for the Windows Autopilot for existing devices scenario, we must convert the profiles into the necessary JSON format using the following commands:

    Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON

  7. As you can see, each profile is enclosed in braces {}. The configuration file can only contain one profile, so select the required profile, including the opening and closing brace, as shown below.

  8. Now copy the highlighted profile and paste into a Notepad window.

  9. Save this file as AutopilotConfigurationFile.json using ANSI encoding to a location suitable as a Configuration Manager package source. (Unicode and UTF-8 files will not work.)


NOTE: Multiple JSON profile files can be used, but each must be named AutopilotConfigurationFile.json when applied to Windows for OOBE to follow the Windows Autopilot experience.
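
A pre-flight check for the file produced by the steps above, as an added PowerShell example that is not part of the original post. The function name Test-AutopilotConfigurationFile and the sample content are constructed here; the key names are the ones quoted in the comment thread further down this page.

```powershell
# Added example, not from the original post. Checks a candidate
# AutopilotConfigurationFile.json before it goes into the package source.
function Test-AutopilotConfigurationFile {
    param([Parameter(Mandatory)][string]$Path)

    $problems = New-Object 'System.Collections.Generic.List[string]'
    $bytes = [System.IO.File]::ReadAllBytes((Resolve-Path -LiteralPath $Path).ProviderPath)

    # Encoding: a UTF-8 or UTF-16 byte order mark, or NUL bytes (UTF-16
    # without a BOM), means the file was not saved as ANSI.
    $hex = ($bytes | Select-Object -First 3 | ForEach-Object { $_.ToString('X2') }) -join ''
    if ($hex -eq 'EFBBBF')              { $problems.Add('UTF-8 byte order mark present') }
    elseif ($hex -match '^(FFFE|FEFF)') { $problems.Add('UTF-16 byte order mark present') }
    elseif ($bytes -contains [byte]0)   { $problems.Add('NUL bytes present (UTF-16 without BOM?)') }
    if ($problems.Count) { return $problems }   # do not parse mis-encoded text

    # Structure: exactly one JSON object (one profile), not an array and not
    # several profiles pasted one after another.
    $text = [System.Text.Encoding]::ASCII.GetString($bytes)
    try   { $config = $text | ConvertFrom-Json -ErrorAction Stop }
    catch { $problems.Add("Not valid JSON: $($_.Exception.Message)"); return $problems }
    if ($text -notmatch '^\s*\{' -or @($config).Count -ne 1) {
        $problems.Add('File must contain exactly one profile object'); return $problems
    }

    # Content: CloudAssignedAadServerData is itself a JSON string. A profile
    # whose CloudAssignedTenantDomain was lost does not apply during OOBE.
    if ([string]::IsNullOrWhiteSpace($config.CloudAssignedAadServerData)) {
        $problems.Add('CloudAssignedAadServerData is missing')
    } else {
        try   { $aad = $config.CloudAssignedAadServerData | ConvertFrom-Json -ErrorAction Stop }
        catch { $problems.Add('CloudAssignedAadServerData is not valid JSON'); return $problems }
        if (-not $aad.ZeroTouchConfig.CloudAssignedTenantDomain) {
            $problems.Add('ZeroTouchConfig.CloudAssignedTenantDomain is missing or empty')
        }
    }
    return $problems
}

# Constructed sample: a profile whose CloudAssignedAadServerData lost its tenant domain.
$sample = @'
{ "CloudAssignedAadServerData": "{\"ZeroTouchConfig\":{\"CloudAssignedTenantUpn\":\"\",\"ForcedEnrollment\":1}}" }
'@
$file = Join-Path ([System.IO.Path]::GetTempPath()) 'AutopilotConfigurationFile.json'
[System.IO.File]::WriteAllText($file, $sample, [System.Text.Encoding]::ASCII)
Test-AutopilotConfigurationFile -Path $file
```

The function returns one line per problem found and nothing when the file passes, so it can gate the copy into the package source folder.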

Create a package containing the Windows Autopilot for existing devices JSON file

  1. Navigate to \Software Library\Overview\Application Management\Packages in the Configuration Manager console.
  2. Click Create Package.
  3. On the Create Package and Program Wizard enter the following details:
    • Package
      • Name: Windows Autopilot for existing devices Config
      • This package contains source files: YES
      • Click Browse.
      • Specify a UNC path containing the Windows Autopilot for existing devices JSON file and click OK.

  4. Click Next.
  5. On the Create Package and Program Wizard enter the following details:
    • Program Type: Do not create a program

  6. Click Next.
  7. On the Summary page, click Next.
  8. Finish the wizard by clicking Close.

Create a Windows Autopilot for existing devices Task Sequence

  1. Staying within the Configuration Manager admin console navigate to \Software Library\Overview\Operating Systems\Task Sequences.
  2. Click Create Task Sequence.
  3. Select Install an existing image package and click Next.

  4. On the Create Task Sequence Wizard enter the following details:
    • Task Sequence Information
      • Task sequence name: Windows Autopilot for existing devices
      • Boot Image: Boot image (x64)
        (or any other Windows 10, version 1809 boot image)

  5. Click Next.
  6. On the Install Windows page enter the following configuration:
    • Image Package: Windows 10 1809
    • Image Index: Enterprise, Education or Professional
    • Partition and format the target computer before installing the operating system: YES
    • Configure task sequence for use with Bitlocker: OPTIONAL
    • Product Key: OPTIONAL
    • Randomly generate the local administrator password and disable the account on all support platforms (recommended): OPTIONAL
    • Enable the account and specify the local administrator password: OPTIONAL

  7. On the Configure Network ensure that Join a workgroup is selected.

    Note: The Windows Autopilot for existing devices task sequence will run the Prepare Windows for capture action, which calls the System Preparation Tool (sysprep), and which will fail if the target machine is joined to a domain. Do not specify a domain!

  8. Click Next.
  9. Click Next again for Install Configuration Manager.
  10. Deselect all State Migration options.


    Note: The Windows Autopilot for existing devices task sequence will result in an Azure Active Directory Domain Joined device. Data backup should leverage OneDrive for Business known folder move to ensure the user’s data is backed up before the Windows 10 upgrade.

  11. The configuration on the Include Updates page shown below is optional. Alternatively, you can leverage Offline Image Servicing in Configuration Manager to ensure the image is up to date with the latest Windows 10 quality update.

  12. Similarly, you can specify applications to install as part of the task sequence, as shown below. However, to provide a consistent experience for users receiving new hardware and those refreshing their existing PC using Windows Autopilot for existing devices, it is recommended to mirror the signature image approach and have all applications and configuration applied from Intune or Configuration Manager co-management.

  13. Review the Summary and click Next.

  14. Review the Completion to ensure there are no issues and click Close.


Customize the Windows Autopilot for existing devices task sequence

  1. Right click on Windows Autopilot for existing devices in \Software Library\Overview\Operating Systems\Task Sequences and click Edit.
  2. In the Task Sequence Editor select Apply Windows Settings.

  3. Click Add -> New Group.

  4. Select the new group called New Group.
  5. Rename this new group to Windows Autopilot for existing devices Config.

  6. Click Add -> General -> Run Command Line.


    Note: Ensure that the Run Command Line step is nested under the Windows Autopilot for existing devices Config group and is placed after the Remove Windows Autopilot Directory step.

  7. Select the Run Command Line step.
  8. Change the Name to Apply Windows Autopilot configuration file.
  9. Paste the following command line into Command line:

    cmd.exe /c xcopy AutopilotConfigurationFile.json %OSDTargetSystemDrive%\windows\provisioning\Autopilot\ /c

    Note: Ensure that AutopilotConfigurationFile.json is the name of the JSON file present in the Windows Autopilot for existing devices Config package created earlier.
  10. Select Package and click Browse.
  11. Select the Windows Autopilot for existing devices Config package created earlier and click OK.

  12. Select the Setup Windows and Configuration Manager step.
  13. Click Add -> New Group.
  14. Select the new group called New Group.
  15. Change Name to Prepare Device for Autopilot.
  16. Use the Move Down button to place the Prepare Device for Autopilot group as the very last step in the task sequence.

  17. Click Add -> Images -> Prepare ConfigMgr Client for Capture.

    Note: Ensure that the Prepare ConfigMgr Client for Capture step is nested under the Prepare Device for Autopilot group.

  18. Click Add -> Images -> Prepare Windows for Capture and apply the following:
    • Automatically build mass storage driver list: NO
    • Do not reset activation flag: NO
    • Shutdown the computer after running this action: OPTIONAL


Note: Some customers wish to have the Windows Autopilot for existing devices task sequence refresh the PC and take the user through Windows Autopilot User-driven mode in one distinct sequence. In this scenario, the PC will reboot once imaged and re-sealed and immediately begin the OOBE.

Other customers may wish to collect hardware and refresh before delivering to a new user. In this case, you may select the Shutdown the computer after running this action option to prevent OOBE from beginning immediately after the task sequence completes.

The task sequence is now ready to deploy to your Windows 7 machines, remembering to distribute the content!

We’ll continue to blog about the latest Windows Autopilot capabilities and our documentation will soon be updated to reflect the new scenarios enabled with the release of Windows 10, version 1809.

New Contributor

Hello Rob,

After running the task sequence and booting through OOBE, the system is AzureAD registered with status "Managed By MDM/ConfigMgr Agent".
Is it possible to change the TS to uninstall the ConfigMgr Agent, because our environment needs to be MDM only managed?

Thanks for the reply,


Occasional Contributor

Peter Kopper,


I asked a similar question on StackOverflow


Co-Management seems to happen anytime the SCCM Client gets installed (task "Setup Windows and ConfigMgr").  I found this was the case, even if the SCCM client was uninstalled prior to performing the OOBE reset. The secret is to stop your task sequence before the SCCM Client is needed.



Peter / Nathan,


The prepare client for capture step actually removes the SCCM client prior to the sysprep stage running.


There is a slight bug with the logic that makes a machine report co-managed to Intune via MDM even if SCCM isn't installed. This is fixed in the recent hotfix rollup for 1806.


But even without this fix you should see that the client isn't actually co-managed because SCCM was removed.


Another option is to follow Mike Niehaus' new blog which has steps on how to provision Autopilot for existing devices much faster - assuming you don't install software or configure the device. https://blogs.technet.microsoft.com/mniehaus/2018/10/25/speeding-up-windows-autopilot-for-existing-d...




New Contributor

Thanks Rob for your Answer.

I found the link you have posted and it works very fine.



Frequent Visitor

I receive error:


oobeidps something went wrong?

Is the user being specified via SCCM primary user association? The error occurs before having the possibility to enter the user account (for Azure AD Premium license verification and so on).







Regular Visitor

Using Configuration Manager 1806 Hotfix Rollup (KB4462978), I was able to follow steps 1 - 18 and the task sequence completed successfully.
During OOBE I was prompted for Windows 10 License Agreement and Sign in with Microsoft work or school and not Welcome to My Company! as the manually added devices do. Oddly, if I place my work credentials in the Sign in With Microsoft, it does proceed and Azure AD Join the device and Intune does see the ownership as Corporate. Sadly I do not get any assignments as I do when I manually.

Manual process is:
-Manually running the PoSh to obtain the exported csv
-Importing the csv to MS Store for Business and assign the AutoPilot Profile


I was hoping this process can be automated. Am I missing a step in this automation or any log files I can review?


Felix, It sounds as though the JSON file is missing/malformed/invalid in some way. I suggest you repeat those steps to create the file, ensuring it only contains one profile, is correctly encoded and is the only file in the package.


If you think everything checks out, you can use the event viewer to look for Autopilot events. See here for troubleshooting guides.


If all else fails, I'd suggest raising a case





Regular Visitor

Thanks for the quick response.

After reviewing your json file in this blog and comparing mine it seems the Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON

"CloudAssignedAadServerData":  "{\"ZeroTouchConfig\":{\"CloudAssignedTenantUpn\":\"\",\"ForcedEnrollment\":1,\"CloudAssignedTenant


All I did was modify the line to:

"CloudAssignedAadServerData":  "{\"ZeroTouchConfig\":{\"CloudAssignedTenantUpn\":\"\",\"ForcedEnrollment\":1,\"CloudAssignedTenantDomain\":\"MyCompany.com\"


A backspace was needed due to user error. SMH...  Ran it on a few machines and all work as expected.  Awesome!!!


Thanks again


Occasional Contributor

@Rob York Will this method still assign a 'ZTDId' to the device in Azure AD? I have several policies and apps assigned to an 'AutoPilot Devices' group using a dynamic membership rule based on whether the ZTDId exists.

Occasional Contributor

@Ryan Morash I found an article which talked about how devices enrolled using this method are tagged with an enrollmentProfileName set to "OfflineAutopilotprofile-<ZtdCorrelationId found in the JSON>". Making for an advanced (and ugly) dynamic query like this:


(device.devicePhysicalIds -any _ -eq "[OrderID]:LabPC") -or (device.enrollmentProfileName -eq "OfflineAutopilotprofile-55513afc-7589-454d-8b56-847059775816")


For some reason, this mysteriously worked for me on my first try. However, every attempt since has failed to be added to the expected group and I am not sure that if it were to be added to the correct group, that it would happen soon enough to be assigned the correct Enrollment Profile.


I suspect that during my initial experimentation, I had accidentally made the expected Enrollment Profile function as the default. I know that the article is partially true, as my first device is listed in a dynamic group having the following query:

(device.enrollmentProfileName -eq "OfflineAutopilotprofile-55513afc-7589-454d-8b56-847059775816")


Now, I am trying to figure out how to "see" the device.enrollmentProfileName value on a device. It doesn't seem to come back when using Get-AzureADDevice in the AzureAD module, nor Get-AutoPilotImportedDevice in the WindowsAutopilotIntune module. Sure wish there was a detailed device view/export in the web GUI.