Guide:
Windows Deployment After MDT
Why Intune and Autopilot don’t close the post-MDT deployment gap — and what actually does
Introduction to the Guide
In January 2026, Microsoft retired the Microsoft Deployment Toolkit without a migration guide and without an official replacement. For IT teams that relied on MDT as the foundation of their Windows deployment workflow, the message was clear: figure it out yourself.
The reason MDT was retired matters. Security researchers identified vulnerabilities that allow extraction of privileged Active Directory credentials directly from MDT deployment shares. Those vulnerabilities will not be patched. Every day MDT remains in a deployment workflow, the risk remains open.
At the same time, many IT teams have assumed that Intune and Autopilot fill the gap MDT left behind. They do not. This guide explains what MDT actually covered, why the post-MDT deployment gap is still real, what the options are for closing it, and how to choose the right path depending on where your organisation is starting from.
What You Will Learn
- Why organisations still running MDT are exposed to a documented, unpatched security risk
- What Intune and Autopilot can and cannot do at the deployment layer — and where their dependency on a working OS creates a gap
- The four device scenarios that require bare-metal capability in any modern IT environment
- How to evaluate your replacement options and what each involves in terms of infrastructure, maintenance, and cost
- What cloud-native provisioning looks like in practice — and why it eliminates the infrastructure model that made MDT a liability
About the Author
Rikke Borup
CMO, CapaSystems
Rikke is Chief Marketing Officer at CapaSystems, where she has led marketing and communications since 2009. With more than 17 years of experience in the IT sector, including cybersecurity, endpoint management software, and IT services, she brings long-standing, practical insight into the challenges facing modern enterprise IT environments.
Trained as a journalist, Rikke specialises in translating complex technical concepts into clear, easy-to-understand communications for IT decision-makers.
Have More Questions?
Cloud-based provisioning platforms are the most complete replacement. They handle bare-metal OS deployment, driver orchestration, and remote recovery without requiring on-premises infrastructure. Intune and Autopilot handle device management and configuration, but do not replace MDT’s deployment capabilities.
No. Intune requires a device to already be running Windows. It handles configuration, policy enforcement, application deployment, and patch management — but it cannot deploy Windows to a bare-metal device or recover a device that cannot boot.
No. Autopilot requires an existing, functioning OS. A device with a corrupted or missing OS cannot be enrolled through Autopilot without first being provisioned by a separate tool.
No. Provision Manager works as a standalone provisioning solution. For organisations running Intune, it provides the bare-metal OS foundation that Autopilot requires — creating a complete zero-touch experience from bare-metal boot to daily endpoint use.
The first deployment template can be configured in under one hour. There are no servers to install, no images to build, and no PXE infrastructure to configure.
Provision Manager provides the bare-metal OS foundation required for Microsoft Autopilot. Once a device is provisioned, it hands off cleanly to Autopilot and Intune for enrollment, configuration, and ongoing management.
Provision Manager automatically identifies hardware models and applies manufacturer-certified driver packs for Dell, HP, Lenovo, and Microsoft devices. A single, hardware-independent OS image works across all supported device models.