Windows Autopilot Device Preparation aka Autopilot v2 Step by Step Guide

Windows Autopilot device preparation aims to simplify device provisioning, speed up the overall setup, and improve troubleshooting capabilities. It is also known as Windows Autopilot v2. Windows Autopilot device preparation doesn’t require importing the device hash; it uses the device serial number to identify a device as a corporate device.

When using Windows Autopilot device preparation, the device should not be registered with the Windows Autopilot service. If the device is already registered with the Windows Autopilot service, you need to deregister it. Otherwise, the Windows Autopilot policy will take precedence.

Requirements

  • Windows 11, version 23H2 with KB5035942 or later.
  • Windows 11, version 22H2 with KB5035942 or later.
  • Microsoft Entra ID – only Microsoft Entra join is supported.
  • Device shouldn’t be registered or added as a Windows Autopilot device – if the device is registered or added as Windows Autopilot device, the Windows Autopilot profile takes precedence over the Windows Autopilot device preparation policy.

Set up Windows automatic Intune enrollment

Automatic enrollment lets the user automatically enroll their Windows devices in Microsoft Intune. When the device joins Microsoft Entra ID, it automatically enrolls in Microsoft Intune.

Follow the steps below to configure automatic MDM enrollment in Entra ID.

  • Sign in to the Azure portal and select Microsoft Entra ID > Mobility (MDM and MAM) > Microsoft Intune.
  • Configure the MDM user scope. If you select Some, you need to choose an Azure AD group.

Intune - MDM Scope

Note: MDM user scope must be set to an Azure AD group that contains user objects.

Allow users to join devices to Microsoft Entra ID

The user should be able to join a device to Microsoft Entra ID. You can enable this setting from Azure portal > Entra ID > Devices > Device settings.

Microsoft Entra join and registration settings

Create a Device Group for Windows Autopilot Device Preparation

Windows Autopilot device preparation uses a device group as part of the Windows Autopilot device preparation policy. The devices are automatically added to this group during Windows Autopilot device preparation deployment. The Intune Provisioning Client service principal with AppId f1346770-5b25-470b-88bd-d5744ab7952c needs to be configured as owner of this device group.

Follow the steps below to create a device group and configure the Intune Provisioning Client as the owner of the group.

  • Sign in to the Microsoft Intune admin center and navigate to Groups.
  • In the Groups | All Groups page, click on New Group and provide the following details.
    • Group type: Security
    • Group Name: Windows Autopilot Device Preparation – Device Group
    • Group description: Enter an appropriate description for the group
    • Microsoft Entra roles can be assigned to the group: No
    • Membership type: Assigned
    • Owners: Click on the No Owners Selected link.
    • In the Add owners screen that opens, search for Intune Provisioning Client / Intune Autopilot ConfidentialClient with the AppId f1346770-5b25-470b-88bd-d5744ab7952c and select it from the results.
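
To confirm the group was created as described above, the following added example (not part of the original guide) audits it with the Microsoft Graph PowerShell SDK. It assumes the SDK is installed and that the group uses the name from this guide; the owner is matched by AppId rather than display name, and any other owners are listed because group owners can change membership.

```powershell
# Added example, not from the original guide. Requires the Microsoft.Graph
# PowerShell SDK and an account that can read groups and service principals.
$AppId     = 'f1346770-5b25-470b-88bd-d5744ab7952c'  # AppId given in this guide
$GroupName = 'Windows Autopilot Device Preparation – Device Group'  # name used in this guide

Connect-MgGraph -Scopes 'Group.Read.All', 'Application.Read.All'

# Resolve the owner by AppId: the display name differs between tenants
# (Intune Provisioning Client / Intune Autopilot ConfidentialClient).
$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal with AppId $AppId in this tenant." }

$escaped = $GroupName.Replace("'", "''")   # OData string literals double single quotes
$groups  = @(Get-MgGroup -Filter "displayName eq '$escaped'")
if ($groups.Count -ne 1) {
    throw "Expected exactly one group named '$GroupName', found $($groups.Count)."
}
$group = $groups[0]

$owners = @(Get-MgGroupOwner -GroupId $group.Id -All)

# Each boolean mirrors one setting from the steps above
$report = [pscustomobject]@{
    GroupId               = $group.Id
    IsSecurityGroup       = ($group.SecurityEnabled -eq $true) -and ($group.MailEnabled -ne $true)
    IsAssignedMembership  = $group.GroupTypes -notcontains 'DynamicMembership'
    NotRoleAssignable     = $group.IsAssignableToRole -ne $true
    ProvisioningSpIsOwner = $owners.Id -contains $sp.Id
    OtherOwnerIds         = @($owners.Id | Where-Object { $_ -ne $sp.Id })
}
$report | Format-List

# Report every check that came back false
$failed = $report.PSObject.Properties |
    Where-Object { $_.Value -is [bool] -and -not $_.Value } |
    ForEach-Object Name
if ($failed) { Write-Warning "Group does not match the guide: $($failed -join ', ')" }
```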

Windows Autopilot Device Preparation Device Group

Create a User Group

Windows Autopilot device preparation uses a user group as part of the Windows Autopilot device preparation policy. The members of this group receive the Windows Autopilot device preparation deployment. The user group specified in the Windows Autopilot device preparation policy needs to be a security group but can be either an assigned or dynamic group.

Follow the steps below to create a user group for Windows Autopilot Device Preparation.

  • Sign in to the Microsoft Intune admin center and navigate to Groups.
  • In the Groups | All Groups page, click on New Group and provide the following details.
    • Group type: Security
    • Group Name: Windows Autopilot Device Preparation – User Group
    • Group description: User group to receive Windows Autopilot device preparation policy.
    • Microsoft Entra roles can be assigned to the group: No
    • Membership type: Assigned
    • Select Create to create the group.

Windows autopilot device preparation user group

Assign applications and PowerShell scripts to the device group

You can install applications and run PowerShell scripts during device preparation. Assign all of those applications and scripts to the device group as a required assignment.

Autopilot device preparation - required assignment

Create a Windows Autopilot device preparation policy

The Windows Autopilot device preparation policy specifies the settings that will be used to configure the device during Autopilot. Follow the steps below to create a Windows Autopilot device preparation policy.

On the Intune admin center, navigate to Devices > Device onboarding > Enrollment and select Device preparation policy under Windows Autopilot device preparation.

Create Windows Autopilot Device Preparation Policy

On the Device Preparation Policies page, select + Create

Device preparation policies

On the Create profile > Introduction page, click Next

Device Preparation policies Create Profile

On the Basics page, enter a suitable policy name and description. Click on Next to go to the Device group page.

On the Device group page, add the Device preparation – device group that you created earlier. Click on Next to move to the Configuration Settings page.

Configure the following settings under Configuration settings > Deployment settings.

  • Deployment mode: User-driven
  • Deployment type: Single user
  • Join Type: Microsoft Entra Join
  • User account type: Standard or Administrator

Configure the following settings under Out of Box experience settings.

  • Minutes allowed before showing installation error: Default is 60 minutes. You can adjust the value as per your requirements.
  • Custom error message: Error message that the user will see when device provisioning fails
  • Allow users to skip setup after multiple attempts: Yes/No
  • Show link to diagnostics: Yes/No

You can assign up to 10 managed apps to install during device provisioning. Add the required apps to the policy under Configuration settings > Apps section.

Scroll down to go to the Scripts section. You can assign up to 10 PowerShell scripts to run during the deployment. Add the required PowerShell scripts to the policy under Configuration settings > Scripts section.

On the Assignment page, assign the policy to the Windows Autopilot device preparation user group. All the users who are members of this group will receive the Windows Autopilot device preparation policy.

On the Review + create page, review the policy and click on Create to complete the policy creation process.

You can check the Windows Autopilot device preparation policy details under Devices > Enrollment > Device preparation policies.



Add Windows device to the corporate device identifier

Windows Autopilot device preparation doesn’t require a device hash. However, you need to add the device serial number for the device to be identified as a corporate device.

Follow the steps below to add the device serial number as a corporate identifier.

  • On the Intune admin console, navigate to Devices > Enrollment > Corporate Identifier and select Add identifiers
  • On the Select identifier type, select Serial number
  • Under Enter identifiers, enter the Serial number and details and click on Add.

Intune corporate identifier

You can now see that the device serial number is listed under the Corporate device identifiers list.
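
Because an existing Windows Autopilot registration takes precedence over the device preparation policy, it is worth checking each serial number before adding it as a corporate identifier. The script below is an added example, not part of the original guide; it assumes the Microsoft Graph PowerShell SDK is installed and takes the serial numbers as a parameter.

```powershell
# Added example, not from the original guide. Requires the Microsoft.Graph
# PowerShell SDK (Microsoft.Graph.DeviceManagement.Enrollment module).
param(
    [Parameter(Mandatory)]
    [string[]] $SerialNumber   # serial numbers you plan to add as corporate identifiers
)

Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All'

$results = foreach ($sn in $SerialNumber) {
    $sn      = $sn.Trim()
    $escaped = $sn.Replace("'", "''")   # OData string literals double single quotes

    # contains() narrows the query server-side; the exact match is enforced locally
    $hits = @(
        Get-MgDeviceManagementWindowsAutopilotDeviceIdentity `
            -Filter "contains(serialNumber,'$escaped')" -All |
        Where-Object { $_.SerialNumber -eq $sn }
    )

    [pscustomobject]@{
        SerialNumber          = $sn
        RegisteredInAutopilot = $hits.Count -gt 0
        AutopilotDeviceId     = ($hits.Id -join ';')
        GroupTag              = ($hits.GroupTag -join ';')
    }
}

$results | Format-Table -AutoSize

# Devices listed here must be deregistered from Windows Autopilot first,
# otherwise the Autopilot profile wins over the device preparation policy.
$blocked = @($results | Where-Object RegisteredInAutopilot)
if ($blocked.Count -gt 0) {
    Write-Warning "Still registered in Windows Autopilot: $($blocked.SerialNumber -join ', ')"
}
```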

Intune corporate identifier


Reset Device to Factory Setting

The device should be reset to factory settings to enroll in Intune using Autopilot device preparation. Follow the article below to reset a Windows 11 device to factory settings.

How to Reset Windows 11 PC to Factory Settings


End User Experience

Once a Windows 11 device is reset to factory settings, the first screen that the user sees asks them to select a country or region. Select the correct country and then click on Next.

Is this the right country or region Windows OOBE

On the Is this the right keyboard layout or input method screen, select the keyboard layout as per your preference and click on Next.

Windows OOBE Is this the right keyboard layout or input method

On the Want to add a second keyboard layout screen, select Add if you want to add an additional keyboard layout. Otherwise, select Next to go to the next screen.

Windows 11 OOBE Want to add a second keyboard layout

OOBE Checking for updates

On the Please review the License Agreement screen, review the license agreement, and click on Accept.

OOBE Please review the license agreement

On the Let’s set things up for your Work or school screen, enter your organization account.

OOBE Let's set things up for your work or school

You will now see the Setting up for work or school screen. The setup may take time depending on the number of applications and policies applied to the device.

Windows 11 Setting up for work or school

Once the setup is completed, you will see the Required setup is complete screen. Click on Next to move to the next screen.

Windows 11 setup Required setup is complete

On the Choose privacy settings for your device page, turn on the settings as per your requirements and click on Next.

Windows 11 setup Choose privacy settings for your device

On the Use Windows Hello with your account page, click on Ok.

Use Windows Hello with your account

On the Set up a PIN page, enter the PIN that you want to set up for the device. You can set up a numeric or alphanumeric PIN.

Windows 11 Setup Set up a PIN

The Windows Autopilot Device Preparation is now completed. Click on Ok.

Windows Autopilot Device Preparation
