Autopilot overview
Foundry supports three Autopilot provisioning modes. Choose one mode before building ISO or USB media.
Use this page to decide which mode matches the deployment workflow, then open the mode guide for the end-to-end steps.
Mode comparison
| Mode | Use when | Tenant sign-in in Foundry OSD | Certificate/PFX | Technician sign-in during deployment | Group tag selection |
|---|---|---|---|---|---|
| JSON profile injection | You already have offline Autopilot profile JSON files. | Optional, only when downloading profiles from the tenant | No | No | Not configured by Foundry |
| Zero-touch hardware hash upload | Devices should be uploaded automatically during deployment without technician sign-in on the target device. | Yes | Yes | No | Selected before media creation and reviewed in Foundry Deploy |
| Interactive hardware hash upload | Enterprise policy blocks the zero-touch app-registration certificate model, but a technician can authenticate during OOBE. | No | No | Yes | Selected in the OOBE assistant |
The generated media carries one Autopilot provisioning mode. Build separate media when different device groups require different Autopilot behavior.
Where each mode runs
| Surface | JSON profile injection | Zero-touch hardware hash upload | Interactive hardware hash upload |
|---|---|---|---|
| Foundry OSD | Imports or downloads profile JSON and selects the default profile. | Connects the tenant, prepares the media authentication app registration, creates certificates, selects the PFX, and sets the default group tag. | Selects the interactive mode only. No tenant connection, certificate, PFX, or group tag is configured in Foundry OSD. |
| Foundry Connect | Only validates networking for the normal deployment flow. | Validates that WinPE networking is ready before Foundry Deploy starts. | Validates networking for deployment. Internet access must also be available later when the assistant starts during OOBE. |
| Foundry Deploy | Stages AutopilotConfigurationFile.json into the applied Windows image. | Captures the hardware hash in WinPE, imports it with Microsoft Graph, waits for device visibility, and reconciles the group tag. | Stages the OOBE registration assistant into the applied Windows image. |
| Windows OOBE | Windows consumes the staged profile. | Windows continues after Foundry Deploy completes. | The Foundry assistant opens during OOBE, requests Microsoft device-code authentication, uploads the hash, and restarts the device. |
Quick recommendations
Use JSON profile injection for the simplest offline Autopilot path when profile JSON files are already available.
Use Zero-touch hardware hash upload when the tenant allows the administrator to create or manage the app registration, grant Microsoft Graph consent, and create the certificate used by generated media.
Use Interactive hardware hash upload when the tenant does not allow the zero-touch app-registration model, but a technician is allowed to sign in during OOBE with delegated Microsoft Graph permissions.
Required permissions
Zero-touch hardware hash upload uses application permissions through the tenant app registration and certificate staged into generated media.
Interactive hardware hash upload uses delegated device-code authentication during OOBE with DeviceManagementServiceConfig.ReadWrite.All. A tenant administrator must be able to grant consent for this delegated Microsoft Graph permission, and the signed-in account must be allowed to import Windows Autopilot devices.
Screenshot placeholders
Add a Foundry OSD screenshot showing the Autopilot mode selector with all three modes visible.
Add one final-result screenshot per mode after the mode guides have matching images.
Next steps
- Open JSON Profile Injection for offline profile staging.
- Open Zero-touch Hardware Hash Upload for certificate-based automatic upload.
- Open Interactive Hardware Hash Upload for OOBE technician sign-in.
- Open Troubleshooting for logs, common failures, and validation checks.