Autopilot Device Preparation: The Next Evolution in Windows Deployment
Device rollouts should be seamless, not stressful. Yet for many IT teams, traditional Autopilot (v1) still creates bottlenecks: hardware hash imports, ESP stalls, and poor visibility during deployment. Enter Autopilot Device Preparation (v2), Microsoft’s next-generation approach that simplifies provisioning, reduces overhead, and gives IT clearer visibility into what’s happening during setup.
In this blog, we’ll explore what Device Preparation is, how it differs from classic Autopilot, the business problems it solves, prerequisites and configuration, Conditional Access considerations, and the key limitations you need to plan for.
What is Autopilot Device Preparation?
Autopilot Device Preparation is a new deployment experience designed specifically for Windows 11 and Entra ID Join. It moves away from the complexity of v1 and focuses on speed, simplicity, and visibility.
Key features:
No hardware hash imports or device pre-registration needed.
Starts after the user signs in; provisioning begins immediately.
Simple setup with up to 10 apps and 10 PowerShell scripts.
Real-time status updates and built-in diagnostics.
Cleaner, easier setup with clearer messages for users.
It's like a lighter version of Autopilot for cloud-first setups.
Autopilot v1 (classic)
User-Driven: End user signs in, device and user ESPs run during OOBE.
Pre-Provisioned (White Glove): Technician pre-installs apps/policies to save user time.
Supports Hybrid Join, Self-Deploying, large app payloads, and blocking desktop access until compliance is met.
Device Preparation (Autopilot v2)
Runs after the user signs in, no device registration required.
Device-targeted installs only during OOBE (user policies apply later).
Limited to 10 apps + 10 scripts during OOBE.
No Hybrid Join, Pre-Provisioning, or Self-Deploying.
Stronger real-time reporting and diagnostics.
Rule of thumb: If you need Hybrid Join, heavy app payloads, or pre-provisioning, stick with v1. If you want fast, simple, Entra-joined Windows 11 deployments, v2 is the way forward.
Business Use Case
Device Preparation is designed for organisations that need:
Reduced admin overhead: no hardware hash imports or profile juggling.
Simpler deployment: fewer steps for IT and end users.
Faster onboarding: users get to the desktop quicker with only critical apps installed up front.
Better visibility: live reporting and diagnostics reduce troubleshooting time.
For remote workers, growing teams, and businesses moving to Windows 11 and Entra, Device Preparation removes friction at scale.
Prerequisites
Pre-Deployment Checklist for Device Preparation (Details / Requirements)
Operating System: Windows 11 22H2/23H2 (with KB5035942+) or 24H2+
Licensing: Microsoft 365 Business Premium, E3/E5, or equivalent with Intune + Entra
Network Access: Ensure core Autopilot, Entra, Intune, Windows Update, and diagnostics endpoints are reachable. Please see specific and up to date networking here:
Tenant Setup:
- Enable automatic Intune enrolment
- Allow Entra ID Join for users
- Create user group for policy assignment
- Create device group for app/script targeting (must have the Intune Provisioning Client as owner)
Corporate Identifiers (optional): If your enrolment restrictions block personal Windows devices, you’ll need to upload a Corporate Identifiers CSV (Manufacturer, Model, Serial Number) so Intune knows these devices are corporate-owned. If you allow BYOD, this step isn’t required.
Conditional Access Considerations
Device Preparation begins with a user sign-in. Conditional Access (CA) policies can make or break this step.
Don’t block enrolment: Exclude the cloud apps “Microsoft Intune Enrolment” and “Windows Azure Active Directory” from CA policies that require compliant devices. The device isn’t compliant yet at OOBE.
Use MFA wisely: MFA works during OOBE, but make sure the method is realistic (e.g. SMS or Temporary Access Pass for new users without the Authenticator app set up).
Compliance: Many organisations require compliant devices for corporate access. With Device Preparation, compliance must be enforced after enrolment, because requiring compliance any earlier blocks the enrolment itself. Best practice is to exclude the “Intune Enrolment” and “Azure AD” apps from compliance checks while enforcing compliance for production apps like Exchange, Teams, and SharePoint. This allows devices to enrol, become compliant, then access corporate data.
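The exclusions described above can be audited across a tenant. The PowerShell below is an added example, not code from the original post: Find-EnrolmentBlockingPolicy and New-SamplePolicy are hypothetical helpers, the two sample policies are constructed, and the app IDs are the well-known first-party IDs for the two enrolment apps, which you should confirm in your own tenant.

```powershell
# Added example. App IDs below are the well-known first-party IDs for the two
# enrolment apps; confirm them in your tenant with Get-MgServicePrincipal.
$EnrolmentApps = @{
    'd4ebce55-015a-49b5-a083-c84d1797ae8c' = 'Microsoft Intune Enrollment'
    '00000002-0000-0000-c000-000000000000' = 'Windows Azure Active Directory'
}

# Hypothetical helper: flags enforced policies that require a compliant device
# and still cover an enrolment app without excluding it.
function Find-EnrolmentBlockingPolicy {
    param([Parameter(ValueFromPipeline)] $Policy)
    process {
        if ($Policy.State -ne 'enabled') { return }
        if ($Policy.GrantControls.BuiltInControls -notcontains 'compliantDevice') { return }
        $apps = $Policy.Conditions.Applications
        foreach ($id in $EnrolmentApps.Keys) {
            $inScope  = ($apps.IncludeApplications -contains 'All') -or
                        ($apps.IncludeApplications -contains $id)
            $excluded = $apps.ExcludeApplications -contains $id
            if ($inScope -and -not $excluded) {
                [pscustomobject]@{ Policy = $Policy.DisplayName; MissingExclusion = $EnrolmentApps[$id] }
            }
        }
    }
}

# Constructed sample policies, shaped like Get-MgIdentityConditionalAccessPolicy output.
function New-SamplePolicy($Name, $Include, $Exclude) {
    [pscustomobject]@{
        DisplayName   = $Name
        State         = 'enabled'
        GrantControls = [pscustomobject]@{ BuiltInControls = @('compliantDevice') }
        Conditions    = [pscustomobject]@{ Applications = [pscustomobject]@{
            IncludeApplications = $Include; ExcludeApplications = $Exclude } }
    }
}
$sample = @(
    New-SamplePolicy 'Compliant device - all apps, no exclusions' @('All') @()
    New-SamplePolicy 'Compliant device - enrolment excluded' @('All') @($EnrolmentApps.Keys)
)
$sample | Find-EnrolmentBlockingPolicy | Format-Table -AutoSize

# Live tenant (Microsoft.Graph.Identity.SignIns module):
#   Connect-MgGraph -Scopes 'Policy.Read.All'
#   Get-MgIdentityConditionalAccessPolicy -All | Find-EnrolmentBlockingPolicy
```

Report-only and disabled policies are skipped because they do not block sign-in; review them separately before switching them to enforced.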
How to Configure Device Preparation
1. Create groups
User group – Assign the Device Preparation policy to this group (e.g. a licensed user group for Cloud PCs).
Device group – Assign apps and scripts to this group.
The device group can be dynamic when devices are deployed as BYOD.
If BYOD is disabled, the device will need to be added to the Corporate Identifiers list.
Optional: I recommend assigning policies that should apply to all devices, particularly security policies, to the device group. This ensures devices are secured as soon as possible after device setup.
2. Make Intune Provisioning Client an owner of the device group
In the Entra admin centre, go to Groups → select your device group.
Under Owners, click Add owners.
Search for Intune Provisioning Client (f1346770-5b25-470b-88bd-d5744ab7952c).
Add it as an owner.
Without this step, the group won’t be available when linking in the policy.
3. Assign apps and scripts to the device group
Add up to 10 critical apps (Win32, Store, M365, or LOB).
Add up to 10 PowerShell scripts (run in system context).
4. Create the Device Preparation policy
In Intune: Devices → Windows → Windows enrolment → Device Preparation policies → Create
Deployment settings: User-driven, Entra join, account type.
OOBE settings: Timeout, error message, diagnostics link, “continue anyway” option.
Apps/Scripts: Select from those assigned to the device group.
Assignments: Assign the policy to your user group.
5. Deploy
User signs in → Device Preparation runs → apps and scripts install → user lands on the desktop.
Cloud PC example:
Assign the policy to the licensed user group.
Use a dynamic device group that targets Cloud PC models for app/script delivery.
When building this dynamic group you can use the provisioning policy names to dynamically fetch all Cloud PCs built by those provisioning policies.
Limitations
Windows 11 only (not Windows 10).
Entra ID Join only (no Hybrid Join).
10 apps + 10 scripts max during OOBE.
No pre-provisioning or self-deploying.
Classic Autopilot takes priority – if a device is registered in v1, it will use v1 instead of v2.
Known gaps – custom compliance and Managed Installer not supported during OOBE.
Dynamic Grouping for off-the-shelf devices: You can't easily divide off-the-shelf devices into several dynamic groups per entity because they don’t have unique attributes before enrolment. So, if you block BYOD and need multiple policies, you'll probably have to manage separate Corporate Identifier lists for each entity and assign devices to the right groups.
Troubleshooting Tips
Device shows ESP instead of Device Prep → It’s still registered in Autopilot v1. Deregister it.
Device Prep doesn’t start → Check OS build/KB, user group membership, or missing Corporate Identifier (if BYOD is blocked).
Apps skipped → Confirm they’re assigned to the device group and scoped correctly.
Device group not selectable → Ensure Intune Provisioning Client is an owner.
Logs needed → Download diagnostics directly from the Device Preparation deployment report.
Final Thoughts
Autopilot Device Preparation isn’t a full replacement for classic Autopilot, but it’s a major step forward for modern, cloud-first deployments. If your environment is Windows 11 + Entra Join, and you value speed, simplicity, and real-time visibility, v2 is the smarter choice. For hybrid or complex scenarios, Autopilot v1 still has a role to play.
At Endpoint Craft, we specialise in building modern workplace solutions that aren’t just technically correct but operationally smooth. Whether you’re adopting Device Preparation for the first time or planning a hybrid deployment strategy, we can help you design a rollout that keeps users productive and IT in control.
Ready to simplify your deployments? Let’s craft the modern workplace together.