Autopilot Is Not a Separate Licence — It Is a Deployment Technology
Windows Autopilot is not an independently purchased product. It is a deployment and provisioning technology built into Windows 10/11 and the Intune management plane — there is no "Autopilot licence" SKU in a Microsoft EA. The licence requirement for Autopilot is the underlying Intune subscription that enables device enrolment and management, combined with the Azure AD / Entra ID capability required for the specific Autopilot join scenario. Understanding the Autopilot licensing question requires mapping your deployment scenario to the underlying licence components that enable it.
The reason Autopilot appears as a licensing question in EA reviews is that organisations often purchase additional Intune Plan 2 or Intune Suite add-ons under the assumption that Autopilot requires a higher tier than Plan 1 — it does not. Standard Windows Autopilot deployment scenarios (user-driven Entra ID join, self-deploying mode, pre-provisioning/White Glove) all operate on Intune Plan 1, which is included in M365 E3/E5. The only scenario that adds a licence requirement beyond Plan 1 is Hybrid Azure AD Join with Autopilot, which requires the Intune Connector for Active Directory and specific infrastructure prerequisites, but still uses only Intune Plan 1.
Autopilot Deployment Modes — Licence Requirements by Scenario
User-Driven Mode with Entra ID Join (Cloud-Only) — Intune Plan 1 Only
The most common modern Autopilot deployment: a new device shipped directly to a user (or picked up from IT) boots, connects to the internet, and self-provisions with the user's M365 identity — installing apps, applying policies, and joining Azure AD / Entra ID without IT imaging. This scenario requires Intune Plan 1 (included in M365 E3/E5), an Entra ID P1 subscription (included in M365 E3/E5 for the user), and the device hardware hash registered in the Autopilot deployment service. No Plan 2, no Suite, no additional Intune SKU. If your EA carries Plan 2 add-ons for an organisation that runs only cloud-joined Autopilot, those add-ons are redundant.
Self-Deploying Mode (Kiosk / Shared Device) — Intune Plan 1 Only
Self-deploying mode provisions devices without user interaction — the device boots, self-enrols, receives policies and apps, and is ready for any user or shared kiosk scenario. This mode uses device certificates rather than user credentials for the MDM enrolment. Licence requirement: Intune Plan 1 (and an Entra ID P1 licence assigned to the device's primary user account or the device object for user-less shared scenarios). Self-deploying mode is Plan 1 — no higher tier is required.
Pre-Provisioning / White Glove — Intune Plan 1 Only
Pre-provisioning (formerly "White Glove") allows a reseller or IT department to partially provision a device before it reaches the end user — installing apps and policies targeting the device — and then the user completes their portion of provisioning when they first log in. This two-phase provisioning model is Plan 1 only. It requires the device to be Entra ID joined (not domain joined) during the technician phase, and Intune Plan 1 handles the full provisioning workflow. Pre-provisioning is often positioned by Microsoft's field team as a "premium deployment" that justifies Suite add-ons — it does not.
Hybrid Azure AD Join — Intune Plan 1 with On-Premises Prerequisites
Hybrid Entra ID Join (Hybrid Azure AD Join) Autopilot is the deployment mode where Windows devices are joined to both on-premises Active Directory and Azure AD / Entra ID simultaneously. This scenario requires the Intune Connector for Active Directory installed on an on-premises server with line-of-sight to a domain controller. The licence requirement remains Intune Plan 1. The additional complexity comes from the infrastructure side (Intune Connector installation, Entra ID Hybrid Join configuration, on-premises AD connectivity for domain join during OOBE), not from a licence tier requirement. Hybrid Autopilot is Plan 1 — not Plan 2.
| Autopilot Deployment Mode | Intune Licence Required | Entra ID Requirement | M365 E3/E5 Covers It? |
|---|---|---|---|
| User-Driven, Entra ID Join | Intune Plan 1 | Entra ID P1 | Yes — E3/E5 includes both |
| Self-Deploying Mode | Intune Plan 1 | Entra ID P1 | Yes — E3/E5 includes both |
| Pre-Provisioning (White Glove) | Intune Plan 1 | Entra ID P1 | Yes — E3/E5 includes both |
| Hybrid Azure AD Join | Intune Plan 1 + Connector | Entra ID P1 + on-prem AD | Yes — Plan 1 sufficient; infrastructure setup required |
| No scenario requires Plan 2 or Suite | Plan 2 / Suite not required for Autopilot | — | Plan 2/Suite for Autopilot = overspend |
The Licences Autopilot Deployments Actually Need
Windows 10/11 Pro or Enterprise — Verify OEM vs EA Coverage
Autopilot provisions Windows 10/11 — but the Windows licence itself is separate from the Intune management licence. Most enterprise devices purchased through volume resellers include Windows 10/11 Pro OEM or Windows 10/11 Enterprise OEM. Windows 10/11 Enterprise E3/A3 is included in Microsoft 365 E3/E5 (via the Windows E3/E5 component of the M365 bundle). For an organisation on M365 E3 deploying Autopilot to company-owned devices, the Windows Enterprise licence is included — no additional Windows E3 standalone purchase is needed. Validate your device deployment against the Windows licence component of your M365 bundle before purchasing standalone Windows E3 licences for Autopilot devices.
Entra ID P1 — Included in M365 E3/E5
Autopilot enrolment, Entra ID join, and device compliance for Conditional Access all require Entra ID P1. Entra ID P1 is included in M365 E3 and E5. Entra ID P2 is included in M365 E5. If your Autopilot user population has M365 E3/E5, the Entra ID P1 requirement is covered. If you have standalone Office 365 licences (E1/E3) without the M365 bundle, Entra ID P1 needs to be purchased as a standalone or through an EMS bundle — but this is an Office 365 scenario, not an M365 E3/E5 scenario. Most large enterprise EA deployments have transitioned to M365 E3/E5 — confirm your base SKU before assuming Entra P1 gaps.
Endpoint Privilege Management (EPM) for Standard User Autopilot — Intune Suite, But Only If EPM Is Active
One scenario where Intune Suite licensing is legitimately connected to Autopilot is Endpoint Privilege Management deployment. EPM allows standard users (non-admin) to elevate specific applications with controlled, audited elevation requests rather than requiring local admin rights. If your Autopilot deployment is part of a broader standard-user enforcement programme (removing local admin from Autopilot-enrolled devices and using EPM for elevation), Intune Suite provides the EPM capability. The licence requirement is for EPM specifically — not for Autopilot. EPM should be scoped to the affected device population, not the full Autopilot fleet. For a 5,000-device Autopilot deployment where EPM is deployed to 800 regulated workstations, Suite licensing is correct for 800 devices — not 5,000.
Autopilot in EA Negotiations — Three Commercial Positions
1. Challenge Any Plan 2 or Suite Proposal for Autopilot
If Microsoft's account team or a Microsoft partner proposes Intune Plan 2 or Intune Suite as part of a "Windows Autopilot deployment package" in your EA, push back immediately. Request the specific technical justification for why Plan 2 or Suite is required — which specific Autopilot feature requires the add-on capabilities. The answer is none. No Autopilot deployment mode requires Plan 2 or Suite. If EPM is being proposed as part of the package, treat it as a separate line item with its own deployment scope validation, not as part of Autopilot licensing.
2. Validate Windows Enterprise Licence Inclusion Before Any Standalone Purchase
Windows Autopilot deployments require Windows Enterprise. If your organisation has M365 E3 or E5 assigned to Autopilot users, the Windows Enterprise E3 component is included. Request a line-by-line licence confirmation from Microsoft before any new Windows E3 standalone lines appear in your EA for Autopilot device pools. This is a common incremental charge that appears in EA proposals when an account team either does not check the M365 inclusions or assumes the Windows component is not covering the Autopilot fleet. For a 3,000-device Autopilot deployment where all users have M365 E3, the Windows E3 standalone add-on is a $108,000/year redundant spend (at ~$3/device/month).
3. Negotiate Autopilot for Government and Education Environments Separately
For public sector organisations on Government Community Cloud (GCC) or GCC High, Autopilot is supported but with specific identity and MDM infrastructure requirements that can affect licensing. Entra ID for Government tenants, Intune for Government, and Windows Autopilot for GCC/GCC High each have distinct licence SKU variants. The commercial inclusions (Plan 1 in M365 GCC E3) are the same in principle but require verification against the specific GCC product terms. Our Microsoft EA Government GCC guide covers the GCC licence mapping in detail.
1. Confirm Autopilot mode — identify which Autopilot deployment modes are in use (user-driven, self-deploying, pre-provisioning, hybrid); all require Plan 1 only.
2. Audit Plan 2 / Suite on Autopilot devices — export Intune licence assignments for Autopilot-enrolled devices; any Plan 2 or Suite licence on an Autopilot device requires a specific justification (MAM Tunnel or EPM deployment) beyond the Autopilot deployment itself.
3. Validate Windows Enterprise coverage — confirm whether M365 E3/E5 users' Windows Enterprise licence covers the Autopilot device fleet; remove any standalone Windows E3 lines duplicating the M365 bundle inclusion.
Autopilot Licensing in the Full EA Context
Windows Autopilot is one component of the broader Microsoft Intune and Windows deployment stack in an EA. Its licence requirements are covered by Plan 1 (included in M365 E3/E5) across all deployment modes, making it a cost-neutral capability relative to the base EA. The commercial risk is in the adjacent licences that get attached to Autopilot deployments: Plan 2 add-ons without MAM Tunnel deployment, Suite add-ons without EPM deployment, and Windows E3 standalone licences duplicating M365 bundle inclusions. Our Intune complete guide covers the full Intune licence architecture, and the Intune Suite add-ons guide provides the detailed EPM, Remote Help, and LAPS deployment analysis relevant to devices managed through Autopilot. For the Windows licensing side — Windows Server, Windows 10/11 Enterprise, and Software Assurance — our Windows Server licensing guide and Software Assurance guide provide the complete commercial framework.