Windows Autopilot device preparation aims to simplify device provisioning, enhance the overall setup speed, and improve troubleshooting capabilities. It is also known as Windows Autopilot v2. Windows Autopilot device preparation doesn't require importing the device hash; it simply uses the device serial number to identify a device as a corporate device.
When using Windows Autopilot device preparation, the device should not be registered with the Windows Autopilot service. If the device is already registered with the Windows Autopilot service, you need to deregister it. Otherwise, the Windows Autopilot policy will take precedence.
- Requirements
- Set up Windows automatic Intune enrollment
- Allow users to join devices to Microsoft Entra ID
- Create a Device Group for Windows Autopilot Device Preparation
- Create a User Group
- Assign applications and PowerShell scripts to the device group
- Create a Windows Autopilot device preparation policy
- Add Windows device to the corporate device identifier
- Reset Device to Factory Setting
- End User Experience
Requirements
- Windows 11, version 23H2 with KB5035942 or later.
- Windows 11, version 22H2 with KB5035942 or later.
- Microsoft Entra ID – only Microsoft Entra join is supported.
- Device shouldn’t be registered or added as a Windows Autopilot device – if the device is registered or added as Windows Autopilot device, the Windows Autopilot profile takes precedence over the Windows Autopilot device preparation policy.
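The two requirements that most often block a deployment, the OS build and an existing Windows Autopilot registration, can be checked before the device is reset. The script below is an added example, not part of the original article. It assumes the Microsoft Graph PowerShell SDK is installed on the admin workstation, that KB5035942 corresponds to OS builds 22621.3374 and 22631.3374, and that newer Windows 11 releases already include it. The function names and the sample serial number are hypothetical.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.DeviceManagement.Enrollment
# Added example (not from the original article). Function names are hypothetical.

function Test-ApdpOsBuild {
    # Run on the device itself. KB5035942 is cumulative, so compare the build
    # revision (UBR) instead of looking for the KB with Get-HotFix, which stops
    # listing it once a later cumulative update is installed.
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR
    if ($build -in 22621, 22631) { $ok = $ubr -ge 3374 }   # 22H2 / 23H2 with KB5035942 or later
    elseif ($build -gt 22631)    { $ok = $true }           # assumption: newer releases include it
    else                         { $ok = $false }
    [pscustomobject]@{
        SerialNumber     = (Get-CimInstance Win32_BIOS).SerialNumber
        OsBuild          = "$build.$ubr"
        MeetsRequirement = $ok
    }
}

function Get-ApdpAutopilotRegistration {
    # Run on an admin workstation after Connect-MgGraph. Reports whether each
    # serial number is still registered with the Windows Autopilot service, in
    # which case the Autopilot profile wins over the device preparation policy.
    param([Parameter(Mandatory)][string[]]$SerialNumber)
    foreach ($sn in $SerialNumber) {
        $safe  = $sn.Replace("'", "''")                    # escape quotes for the OData filter
        $match = Get-MgDeviceManagementWindowsAutopilotDeviceIdentity `
                     -Filter "contains(serialNumber,'$safe')" -All |
                 Where-Object SerialNumber -eq $sn         # keep exact matches only
        [pscustomobject]@{
            SerialNumber            = $sn
            RegisteredWithAutopilot = [bool]$match
            AutopilotDeviceId       = $match.Id -join ','
        }
    }
}

# Usage (the serial number is a constructed sample):
# Test-ApdpOsBuild
# Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All'
# Get-ApdpAutopilotRegistration -SerialNumber 'CONSTRUCTED-SN-0001'
```

Any serial reported with RegisteredWithAutopilot set to True needs to be deregistered before it is added as a corporate identifier.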
Set up Windows automatic Intune enrollment
Automatic enrollment lets the user automatically enroll their Windows devices in Microsoft Intune. When the device joins Microsoft Entra ID, it automatically enrolls in Microsoft Intune.
Follow the steps below to configure automatic MDM enrollment from Entra ID.
- Sign in to the Azure portal, and select Microsoft Entra ID > Mobility (MDM and MAM) > Microsoft Intune.
- Configure MDM user scope. If you select Some, you need to choose an Azure AD Group.
Note: MDM user scope must be set to an Azure AD group that contains user objects.
Allow users to join devices to Microsoft Entra ID
The user should be able to join a device to Microsoft Entra ID. You can enable this setting from the Azure portal > Entra ID > Devices > Device settings.
Create a Device Group for Windows Autopilot Device Preparation
Windows Autopilot device preparation uses a device group as part of the Windows Autopilot device preparation policy. The devices are automatically added to this group during Windows Autopilot device preparation deployment. The Intune Provisioning Client service principal with AppId f1346770-5b25-470b-88bd-d5744ab7952c needs to be configured as the owner of this device group.
Follow the steps below to create a device group and configure the Intune Provisioning Client as the owner of the group.
- Sign in to the Microsoft Intune admin center and navigate to Groups.
- In the Groups | All Groups page, click on New Group and provide the following details.
  - Group type: Security
  - Group Name: Windows Autopilot Device Preparation – Device Group
  - Group description: Enter an appropriate description for the group
  - Microsoft Entra roles can be assigned to the group: No
  - Membership type: Assigned
  - Owners: Click on the No Owners Selected link.
- In the Add owners screen that opens:
  - Search for Intune Provisioning Client / Intune Autopilot ConfidentialClient with AppId of f1346770-5b25-470b-88bd-d5744ab7952c and select it from the results.
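The owner of this group controls which devices receive the assigned apps and scripts, so it is worth confirming the owner by AppId instead of by display name. The script below is an added example, not part of the original article, that performs the same steps with the Microsoft Graph PowerShell SDK and then lists every owner for review. The mail nickname and the description text are assumed values.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Groups, Microsoft.Graph.Applications
# Added example (not from the original article).
$AppId     = 'f1346770-5b25-470b-88bd-d5744ab7952c'   # AppId quoted in this article
$GroupName = 'Windows Autopilot Device Preparation – Device Group'
$MailNick  = 'apdp-device-group'                       # assumed value; Graph requires one

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Application.Read.All'

# Resolve the owner by AppId; the display name differs between tenants
# (Intune Provisioning Client / Intune Autopilot ConfidentialClient).
$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal with AppId $AppId exists in this tenant." }

# Reuse the group if it already exists so the script can be re-run safely.
$group = Get-MgGroup -Filter "displayName eq '$GroupName'" | Select-Object -First 1
if (-not $group) {
    # No GroupTypes or membership rule is set, so membership type is Assigned.
    $group = New-MgGroup -DisplayName $GroupName `
        -Description 'Devices enrolled through Windows Autopilot device preparation' `
        -MailEnabled:$false -MailNickname $MailNick -SecurityEnabled:$true
}

# Add the service principal as owner only if it is not one already.
$owners = @(Get-MgGroupOwner -GroupId $group.Id -All)
if ($owners.Id -notcontains $sp.Id) {
    New-MgGroupOwnerByRef -GroupId $group.Id -BodyParameter @{
        '@odata.id' = "https://graph.microsoft.com/v1.0/servicePrincipals/$($sp.Id)"
    }
    $owners = @(Get-MgGroupOwner -GroupId $group.Id -All)
}

# List every owner. Anything with IsExpected = False can also change the
# membership of this group and should be reviewed.
$owners | ForEach-Object {
    [pscustomobject]@{
        OwnerId     = $_.Id
        Type        = $_.AdditionalProperties['@odata.type']
        DisplayName = $_.AdditionalProperties['displayName']
        IsExpected  = ($_.Id -eq $sp.Id)
    }
}
```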
Create a User Group
Windows Autopilot device preparation uses a user group as part of the Windows Autopilot device preparation policy. The members of this group receive the Windows Autopilot device preparation deployment. The user group specified in the Windows Autopilot device preparation policy needs to be a security group but can be either an assigned or dynamic group.
Follow the steps below to create a user group for Windows Autopilot Device Preparation.
- Sign in to the Microsoft Intune admin center and navigate to Groups.
- In the Groups | All Groups page, click on New Group and provide the following details.
  - Group type: Security
  - Group Name: Windows Autopilot Device Preparation – User Group
  - Group description: User group to receive Windows Autopilot device preparation policy.
  - Microsoft Entra roles can be assigned to the group: No
  - Membership type: Assigned
- Select Create to create the group.
Assign applications and PowerShell scripts to the device group
You can install applications and run PowerShell scripts during device preparation. You need to assign all of those applications and scripts to the device group as a required assignment.
Create a Windows Autopilot device preparation policy
The Windows Autopilot device preparation policy specifies the settings that will be used to configure the device during Autopilot. Follow the steps below to create a Windows Autopilot device preparation policy.
On the Intune admin center, navigate to Devices > Device onboarding > Enrollment and select Device preparation policy under Windows Autopilot device preparation.
On the Device Preparation Policies page, select + Create
On the Create profile > Introduction page, click Next
On the Basics page, enter a suitable policy name and description. Click on Next to go to the Device group page.
On the Device group page, add the Device preparation – device group that you created earlier. Click on Next to move to the Configuration Settings page.
Configure the following settings under Configuration settings > Deployment settings.
- Deployment mode: User-driven
- Deployment type: Single user
- Join Type: Microsoft Entra Join
- User account type: Standard or Administrator
Configure the following settings under Out of Box experience settings.
- Minutes allowed before showing installation error: Default is 60 minutes. You can adjust the value as per your requirements.
- Custom error message: Error message that the user will see when device provisioning fails
- Allow users to skip setup after multiple attempts: Yes/No
- Show link to diagnostics: Yes/No
You can assign up to 10 managed apps to install during device provisioning. Add the required apps to the policy under Configuration settings > Apps section.
Scroll down to go to the Scripts section. You can assign up to 10 PowerShell scripts to run during the deployment. Add the required PowerShell scripts to the policy under Configuration settings > Scripts section.
On the Assignment page, assign the policy to the Windows Autopilot device preparation user group. All the users who are members of this group will receive the Windows Autopilot device preparation policy.
On the Review + create page, review the policy and click on Create to complete the policy creation process.
You can check the Windows Autopilot device preparation policy details under Devices > Enrollment > Device preparation policies.
Add Windows device to the corporate device identifier
Windows Autopilot device preparation doesn't require the device hash. However, you need to add the device serial number for the device to be identified as a corporate device.
Follow the steps below to add the device serial number as a corporate identifier.
- On the Intune admin console, navigate to Devices > Enrollment > Corporate Identifier and select Add identifiers.
- On the Select identifier type, select Serial number
- Under Enter identifiers, enter the Serial number and details and click on Add.
You can now see that the device serial number is listed under the Corporate device identifiers list.
Reset Device to Factory Setting
The device should be reset to factory settings before it can enroll in Intune using Autopilot device preparation. Please follow the article below to reset a Windows 11 device to factory settings.
How to Reset Windows 11 PC to Factory Settings
End User Experience
Once a Windows 11 device is reset to factory settings, the first screen that the user sees asks them to select a country or region. Select the correct country and then click on Next.
On the Is this the right keyboard layout or input method screen, select the keyboard layout as per your preference and click on Next.
On the Want to add a second keyboard layout screen, select Add if you want to add an additional keyboard layout. Otherwise, select Next to go to the next screen.
On the Please review the License Agreement screen, review the license agreement, and click on Accept.
On the Let’s set things up for your Work or school screen, enter your organization account.
You will now see the Setting up for work or school screen. The setup may take time depending on the number of applications and policies applied to the device.
Once the setup is completed, you will see the Required setup is complete screen. Click on Next to move to the next screen.
On the Choose privacy settings for your device page, turn on the settings as per your requirements and click on Next.
On the Use Windows Hello with your account page, click on Ok.
On the Set up a PIN page, enter the PIN that you want to set up for the device. You can set up a numeric or alphanumeric PIN.
The Windows Autopilot Device Preparation is now completed. Click on Ok.