In this post we will configure Windows Autopilot device preparation. Its unofficial name is Autopilot v2, and that name is becoming popular because it helps distinguish the new way of provisioning devices (device preparation, Autopilot v2) from the Autopilot deployment profile.
What is Windows Autopilot device preparation
This is a new way of provisioning devices which requires minimal configuration. Microsoft has simplified the whole Windows Autopilot process with a new feature made available under the name Windows Autopilot device preparation. The option can be found on the Enrollment page of the Microsoft Intune admin center, where you create Device preparation policies.
Provisioning a device becomes very simple with this new option, which is supported on Windows 11 only.
Following are the benefits of using Windows Autopilot device preparation policies:
- Onboarding experience becomes very easy with minimal configuration required.
- This process doesn’t require organizations to upload hardware hash.
- You can deploy mix and match of Line-of-business (LOB) apps and Win32 apps at the same time.
- Near real-time reporting experience makes administrators life easy to monitor the Autopilot provisioning process.
- You can deploy scripts as well as part of device preparation policies.
Limitations of Windows Autopilot device preparation policies
There are a few limitations with this new approach (aka Autopilot v2) as compared to Autopilot deployment profiles (aka Autopilot v1). Following is the list:
- Autopilot v2 doesn’t support the Microsoft Entra hybrid join scenario; it only supports Microsoft Entra join of devices.
- It is supported only for the Windows 11 operating system.
- You can deploy a maximum of 10 apps and 10 scripts by using device preparation policies.
- A few features are missing, such as renaming the device. This might not be a limitation in future as Microsoft is investing in this feature a lot. You might see more new features coming to Autopilot device preparation policies.
How Device preparation policies are different from Windows Autopilot deployment profiles
The traditional way of Windows Autopilot (till date) consists of 3 phases:
- Device preparation
- Device setup
- Account setup
These 3 phases are divided into the device ESP and the user ESP. Account setup is known as the user ESP. To go through the ESP phases, the device’s hardware hash needs to be uploaded to the Intune portal. This registers the device as an Autopilot device. Then you have to create a deployment profile targeting the devices using the group tag feature. If a device doesn’t have any deployment profile targeted, it won’t receive the Autopilot profile.
With Autopilot v2, the approach is changing. There is no longer a need to upload the hardware hash. We are not even going to create any deployment profile. There is no need to configure the Enrollment Status Page, as the ESP is not used in this case. Autopilot v2 / device preparation requires you to target the policies to the users, who will then go through the OOBE phase while the device installs the applications and scripts along with the policies we have defined for device preparation.
What happens during Windows Autopilot device preparation
Autopilot device preparation requires 2 groups to be created:
- Device Preparation – Device group: This will be an empty group to which the device gets added automatically when Autopilot device preparation policies are offered to it. You need to set the appropriate owner for this group, which we will cover soon. We need to target the apps to this group so that they can be deployed during Autopilot device preparation provisioning.
- Device Preparation – User group: This group is used to add the users. Device preparation policies will be targeted to this group. Any user who is part of this group will go through the device preparation process, which shows a circular ring for installation and progress.
Following is the process which will happen:
- User switches on the device and connects to the internet (Wi-Fi/LAN).
- User enters their credentials and the device receives the device preparation policy.
- Device joins Microsoft Entra ID and gets enrolled.
- Intune management extension is installed.
- Device gets all the applications and scripts targeted to it (up to 10 apps and 10 scripts).
- A completion notification is presented to the user and the desktop is shown to them.
Pre-requisites for Windows Autopilot device preparation
1. You need to have Windows 11 version 22H2 or 23H2 with the KB5035942 cumulative update installed. This patch was released on 26 March 2024 and is already part of the Windows installation media available from April 2024. The following Windows 11 editions are supported:
- Windows 11 Pro
- Windows 11 Pro Education
- Windows 11 Pro for Workstations
- Windows 11 Enterprise
- Windows 11 Education
2. You need to have an appropriate Intune license, which can be EMS E3 or E5, or a Microsoft 365 Business Premium subscription, along with a Microsoft Entra ID P1 or P2 subscription. For the complete list check Windows Autopilot device preparation requirements | Microsoft Learn.
3. Users should have appropriate permissions to join Microsoft Entra. This can be verified by logging onto the Microsoft Entra admin center, navigating to Devices | Device settings and making sure Users may join devices to Microsoft Entra is set to Selected or All.

4. Users should have rights to enroll the device into Intune. This can be verified by logging onto the Microsoft Intune admin center and navigating to Devices | Enrollment | Automatic Enrollment. Make sure MDM user scope is set to All or Some. If set to Some, the user should be part of that specific group.

Steps to enable Windows Autopilot device preparation
- We need to create 2 groups, one as the device group and the other as the user group.
- Device group: Log in to the Intune admin center or Microsoft Entra admin center and create the device group with the name “Windows Autopilot device preparation – Device” with the membership type Assigned. No need to add any device. Click on Owners and add the service principal with the name Intune Provisioning Client. The AppID of the service principal has to be f1346770-5b25-470b-88bd-d5744ab7952c. If you can’t find Intune Provisioning Client, then look for Intune Autopilot ConfidentialClient. The key is to verify the correct AppID starting with f1346770, not the display name.

If you are not able to see any AppID starting with f1346770, create the service principal by running the following commands (the AzureAD module has since been deprecated by Microsoft in favour of the Microsoft Graph PowerShell SDK, but the commands still illustrate the step):
Install-Module AzureAD              # install the AzureAD PowerShell module
Connect-AzureAD                     # sign in with an account that can create service principals
New-AzureADServicePrincipal -AppId f1346770-5b25-470b-88bd-d5744ab7952c   # register the Intune Provisioning Client in your tenant
This will register the service principal for you.
- User group: Create another group with the name “Windows Autopilot device preparation – User”. Add the test users to this group. The members of this group will receive
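The same two-group setup (device group owned by the Intune Provisioning Client, plus the user group) done with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original post. It assumes the Microsoft.Graph module is installed and that the signed-in account can create groups and service principals; the group mail nicknames and the test user UPN are placeholders.

```powershell
# Added example (not from the original post): create the two Autopilot device
# preparation groups with the Graph SDK and make the Intune Provisioning Client
# service principal the owner of the device group, checking the AppId explicitly.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Application.ReadWrite.All", "User.Read.All"

# AppId of the Intune Provisioning Client (value quoted in the post)
$intuneProvisioningAppId = "f1346770-5b25-470b-88bd-d5744ab7952c"

# Look the service principal up by AppId, not by display name: the name may show
# as "Intune Provisioning Client" or "Intune Autopilot ConfidentialClient".
$sp = Get-MgServicePrincipal -Filter "appId eq '$intuneProvisioningAppId'"
if (-not $sp) {
    # Not present in this tenant yet: register it (Graph equivalent of New-AzureADServicePrincipal)
    $sp = New-MgServicePrincipal -AppId $intuneProvisioningAppId
}
if ($sp.AppId -ne $intuneProvisioningAppId) {
    throw "Service principal AppId mismatch: $($sp.AppId)"
}

# Device group: assigned membership, left empty; devices are added at enrollment time.
$deviceGroup = New-MgGroup -DisplayName "Windows Autopilot device preparation - Device" `
    -MailEnabled:$false -MailNickname "autopilotdevprepdevice" -SecurityEnabled:$true

# Set the service principal as owner (Graph takes a directoryObject reference).
New-MgGroupOwnerByRef -GroupId $deviceGroup.Id -BodyParameter @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($sp.Id)"
}

# User group: the device preparation policy will be assigned to this group.
$userGroup = New-MgGroup -DisplayName "Windows Autopilot device preparation - User" `
    -MailEnabled:$false -MailNickname "autopilotdevprepuser" -SecurityEnabled:$true

# Add a test user (placeholder UPN) to the user group.
$testUser = Get-MgUser -UserId "testuser@contoso.example"
New-MgGroupMember -GroupId $userGroup.Id -DirectoryObjectId $testUser.Id

# Verify the owner before creating the policy; the policy wizard rejects a device
# group that is not owned by this service principal.
Get-MgGroupOwner -GroupId $deviceGroup.Id |
    Where-Object { $_.Id -eq $sp.Id } |
    ForEach-Object { "Device group owner OK: $($_.Id)" }
```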

- Deploy applications to the Device Prep group: Assign the applications to the device group Windows Autopilot device preparation – Device. Although the group will not contain any device, the device gets added to the group during the Autopilot device preparation process. Hence, all the applications targeted to this group will get deployed during Autopilot device preparation. Adding the device to the group in this way is known as enrollment time grouping; it makes the process fast because it doesn’t rely on a dynamic group membership update, and the device is added automatically so that it receives the targeted applications during the device preparation phase.

- Create the device preparation policy: Follow these steps:
- Navigate to Devices | Enrollment. Under Windows Autopilot device preparation, click on Device preparation policies.
- Under Introduction page, Click Next.
- Under Basics page, provide the name as Autopilot device prep1 and click Next.

- Under the Device group page, add the device group we created previously, i.e. Windows Autopilot device preparation – Device.

- Under the Configuration settings page, you will see multiple options. Set them as follows:
Deployment settings
Deployment mode: Single user
Deployment type: User driven
Join type: Azure AD joined
User account type: Standard user (this is a toggle switch; clicking it changes it to Administrator). We don’t want the user to be an administrator, hence the Standard user option is recommended.
Out-of-box experience settings
Minutes allowed before showing installation error: 30 minutes (set it according to your needs)
Custom error message: Contact your organization’s support person for help.
Allow users to skip setup after multiple attempts: Yes
Show link to diagnostics: Yes

Apps: Add the applications you want to deploy during the device preparation phase. I have added 7-Zip, Chrome browser, Microsoft 365 apps and Notepad++. Make sure these apps are already targeted to the device group created previously. You also need to make sure the app install context is set to Device; if it is set to User, installation of that specific app will be skipped. You can target up to 10 apps.

Scripts: Similarly, you can target up to 10 scripts.
- Under the Scope tags page, click Next.
- Under the Assignments page, target it to the group Windows Autopilot device preparation – User and click Next.

Verify the settings under Review + create page and click Save to create the device preparation policy.


Note: If you get the following error, “There was a problem with the device security group for Windows Autopilot device prep1. Check the group meets the requirements”, then you have either not selected the correct device group, or the device group doesn’t have the correct service principal set as its owner.
Windows Autopilot device preparation process
Let’s initiate the process now: switch on the Windows 11 device, which will take it to the OOBE phase.
- You will be presented with the country choice; select the country and click Yes.

- Select the keyboard layout and click Yes.

- Skip the additional second keyboard layout page.
- You will be prompted to enter the credentials. The first page will show the Microsoft icon / logo, as the device has not yet connected to your tenant.

- Once you enter the username and click Next, it will show your organization’s logo and custom text. This is the indication that you are connecting to the correct tenant. Provide the password and complete the MFA prompt.

- Once you see the circular ring with a percentage and the text “Setting up for work or school”, you can confirm that device preparation has kicked in. None of the device preparation, device setup or account setup ESPs are shown, as was the case with the Autopilot deployment profile. It will start with the Intune management extension installation.

- It will further progress with installing the required apps and policies for your organization. In fact, it is going to install only the apps and scripts that are targeted to the device group. As we have targeted 3-4 apps, it might take some time to complete.

Conclusion
Windows Autopilot device preparation is a new feature introduced by Microsoft and a good initiative to make provisioning easier. It does come with a few challenges which need to be handled carefully. For example, users can perform Autopilot device preparation on their personal PCs. To prevent this, we must configure the device platform restriction to block enrollment of personally owned devices into Windows MDM. However, at this moment, if you have set the block for personally owned devices, the device preparation profile fails. This is being investigated by Microsoft. We are in just the initial phase / release of device preparation policies; there is more to come in future with more reliable settings and features.
Microsoft will also provision Windows corporate identifiers, which require the make, model and serial number to be uploaded to Intune. It seems Microsoft made the feature available, but recently it has been removed. I am eagerly waiting for the feature to be made available again to test it further.