By: Maggie Dakeva - Product Manager | Microsoft Intune
Provisioning devices at scale used to be complex and time-consuming, especially with today’s remote and hybrid work models. Windows Autopilot and Windows Autopilot device preparation simplify and secure the process, helping IT teams deliver ready-to-go devices with minimal touch. Understanding the differences between the two helps organizations choose the right approach for device lifecycle and deployment strategy.
Understanding Windows Autopilot device preparation
Windows Autopilot device preparation is a next-generation provisioning solution designed to simplify IT setup, improve reliability during device provisioning and provide better reporting and troubleshooting capabilities. While Windows Autopilot has long empowered organizations to automate device setup, Windows Autopilot device preparation introduces significant improvements in consistency, real-time visibility, and flexibility for device management.
Key benefits of Windows Autopilot device preparation
- Simpler setup: Configure a single device provisioning policy that includes both Windows deployment configuration and out-of-box experience (OOBE) settings.
- Consistent and reliable provisioning experience: Windows Autopilot device preparation removes most of the complexity and unpredictability from device deployments, ensuring better workload coordination.
- Enrollment time grouping: Allows granular targeting of unregistered devices, reduces the complexity of dynamic group management and latency, and avoids conflicts due to group membership calculations during provisioning.
- Near real-time reporting: IT admins can review detailed status of each configured app and script in addition to overall status, speeding up issue resolution and unblocking user productivity.
Windows Autopilot vs Windows Autopilot device preparation
Many customers wonder when they should use Windows Autopilot and when to use Windows Autopilot device preparation. The key difference is in their supported provisioning modes and requirements:
- Windows Autopilot: Best suited for organizations needing advanced customization, multiple device type support, and hybrid join scenarios. Requires device registration and delivers configurations both during device and user phases.
- Windows Autopilot device preparation: Designed for rapid, Microsoft Entra joined deployments without the need for Windows Autopilot registration. Focuses on device-based targeting during OOBE and can deliver both apps and scripts, with enhanced troubleshooting and reporting capabilities.
For a detailed comparison, review Compare Windows Autopilot solutions.
Use Windows Autopilot device preparation if:
- You haven’t deployed Windows Autopilot before or are looking to simplify your deployment process.
- Your organization will use a user-driven flow where each user will set up their device.
- Your organization is transitioning to cloud-native (Microsoft Entra joined) devices or Windows 11.
- Your organization is deploying Windows 365 Frontline devices.
- You want to avoid managing Windows Autopilot registration and the complexities it brings during the device lifecycle and repairs.
- Your organization needs to deploy devices in sovereign clouds (GCCH, 21Vianet in China).
- You’d like better visibility into the provisioning experience with a more detailed report.
Use Windows Autopilot if:
- Your organization requires pre-provisioning (device is prepared by technician) or self-deploying (shared device) flow.
- Your organization requires Windows Autopilot registration or the features it provides, such as hiding OOBE pages and renaming devices before enrollment, and device firmware configuration interface (DFCI).
Device setup flow step-by-step
Understanding the device preparation flow is key to leveraging this method effectively. Here’s an overview of the typical device journey:
Overview of all steps of device preparation, described in detail below.
- Intune setup: Create a new device security group and a device preparation policy in Intune that includes the group. Devices are automatically added to that security group during provisioning and receive the configuration assigned to it.
- Physical device setup: Windows Autopilot device preparation requires Windows 11 devices which are not registered for Windows Autopilot and supports only Microsoft Entra joined (cloud-native) deployments. You should always start with a clean image, pre-loaded with drivers.
- OOBE flow: User authenticates with their Microsoft Entra credentials.
- Enrollment: Device automatically Microsoft Entra-joins and enrolls in Intune.
- Windows backup (optional): If Windows Backup for organizations is configured for this user, they will see a page with options to restore user settings from a previous device.
- Device preparation setup: Next, the Intune Management Extension is installed, then the bootstrapper agent which controls the provisioning process, and the device syncs with the mobile device management service (Intune).
- Enrollment time grouping: After the device joins Microsoft Entra and enrolls in Intune, Windows Autopilot looks up the configuration assigned to the security group set for enrollment time grouping.
- Policy installation: Intune policies, line-of-business (LOB) apps, and Microsoft 365 apps are delivered to the device. If any LOB or Microsoft 365 apps are selected in the device preparation policy, Windows Autopilot will ensure they deliver successfully before continuing to the next step.
- Script installation: PowerShell scripts selected in the device preparation policy are delivered. If successful, provisioning continues to the next step. Remediation and custom compliance scripts are not yet available.
- App installation: Win32, Microsoft Store, and Enterprise App Catalog apps selected in the device preparation policy are installed. If successful, provisioning continues. Apps must also be targeted to the device security group configured during Intune setup (the first step).
- Reboot: If needed, a coalesced reboot will be triggered prior to moving to the desktop.
- Device preparation completes: The device completes the Windows Autopilot device preparation setup, and the user is informed that "Required setup is complete." After the device preparation setup is completed, the user may receive a cumulative Windows update at the end of OOBE and then set up Windows Hello for Business.
- Desktop: The user proceeds to the desktop where additional Intune configuration which was not selected in the device preparation policy may be applied.
Best practices for Windows Autopilot device preparation
To maximize the benefits of Windows Autopilot device preparation, organizations should follow these best practices:
- Define clear security groups: Create a dedicated device security group in Microsoft Entra and assign the Intune Provisioning Client service principal as the group owner. This step is critical for profile assignment and app delivery.
- Use policies strategically: Windows Autopilot device preparation policies control the configuration of devices during OOBE. Carefully curate the list of critical apps and scripts, leaving additional configuration to deploy at the desktop. This will ensure an optimal user experience during OOBE.
- Use device-based apps: Assign apps to the device security group and configure them to install in the system context for successful deployment during OOBE.
- Manage timeout values: Review and adjust timeout settings in the device prep policy to ensure deployments don’t fail due to time constraints.
- Start troubleshooting by reviewing the report: Use the Windows Autopilot device preparation deployment report in Intune’s “Monitor” section for near real-time insights into deployment progress and to quickly spot any issues.
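The security group practice above can be scripted with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original post or from Microsoft. The group name and mail nickname are assumptions, and the AppId is the value Microsoft's documentation lists for the Intune Provisioning Client service principal, so confirm it against the current documentation before use.

```powershell
#Requires -Modules Microsoft.Graph.Groups, Microsoft.Graph.Applications
# Added example: create the device group and make the Intune Provisioning
# Client service principal its owner, then list owners for review.

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Application.Read.All'

$groupName         = 'Autopilot-DevicePrep-Devices'          # assumed name
$mailNickname      = 'autopilot-deviceprep-devices'          # assumed value
$provisioningAppId = 'f1346770-5b25-470b-88bd-d5744ab7952c'  # per Microsoft docs; verify

# Look up the service principal by AppId rather than display name,
# because the display name can differ between tenants.
$sp = Get-MgServicePrincipal -Filter "appId eq '$provisioningAppId'"
if (-not $sp) {
    throw "Service principal with AppId $provisioningAppId not found in this tenant."
}

# Reuse the group if it already exists; otherwise create an assigned
# (non-dynamic) security group.
$group = Get-MgGroup -Filter "displayName eq '$groupName'" | Select-Object -First 1
if (-not $group) {
    $group = New-MgGroup -DisplayName $groupName `
        -Description 'Devices provisioned by Windows Autopilot device preparation' `
        -MailEnabled:$false -MailNickname $mailNickname -SecurityEnabled
}

# Add the service principal as owner only if it is not one already.
$owners = Get-MgGroupOwner -GroupId $group.Id -All
if ($owners.Id -notcontains $sp.Id) {
    New-MgGroupOwnerByRef -GroupId $group.Id -BodyParameter @{
        '@odata.id' = "https://graph.microsoft.com/v1.0/servicePrincipals/$($sp.Id)"
    }
}

# Owners can change membership, and membership decides which devices get
# the provisioning configuration, so review the final owner list.
Get-MgGroupOwner -GroupId $group.Id -All |
    Select-Object Id, @{ n = 'Type'; e = { $_.AdditionalProperties['@odata.type'] } }
```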
Common issues and troubleshooting tips
Even with the best planning, device preparation may encounter roadblocks. Here are some of the most frequently reported issues and strategies for addressing them:
Device enrollment failures
- Blocked by enrollment restrictions: If corporate identifiers aren’t uploaded, devices may fail to enroll. Ensure these identifiers are added as required.
- Unsupported OS Version: Devices with incompatible OS versions will not appear in the device preparation deployment report and won’t display the device preparation page in OOBE. They may get the Enrollment status page, if configured for All users and all devices, or proceed straight to the Privacy settings page.
- Previously registered devices: If a device is already registered for Windows Autopilot, it can’t go through device preparation. Confirm that the registration is removed before deploying with Windows Autopilot device preparation.
Application and script deployment issues
- App detection rules: Always review Win32 app detection rules and the Apps report in Intune. Inaccurate detection logic can cause apps to fail deployment. This is one of the most common issues causing deployment failures.
- Network constraints: Proxy settings, VPN clients, and Wi-Fi profile configurations may cause network instability if applied during the provisioning process. In addition, Delivery Optimization failures (often caused by network issues) can impede downloading app content. Review network setup and ensure reliable connectivity during the provisioning process.
- Script execution testing: Execute PowerShell scripts outside of Autopilot to ensure they work independently before inclusion in device preparation policies.
- Managed installer issues: If Managed Installer policy is enabled for your tenant, Win32 and Microsoft Store apps are skipped. This will be addressed in a future release. Monitor announcements in "What's new in Windows Autopilot device preparation" on Microsoft Learn.
- Targeting and context: Make sure apps are set to install in the system context and targeted to the device security group specified in the device preparation policy.
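For the detection rule and system context points above, a custom Win32 detection script might look like the following. This is an added example, not code from the original post. The app name "Contoso Agent" and the minimum version are hypothetical. Intune treats the app as detected only when the script exits with code 0 and writes to standard output.

```powershell
# Added example: custom detection script for a Win32 app in Intune.
# 'Contoso Agent' and the version below are hypothetical placeholders.
$displayName = 'Contoso Agent'
$minVersion  = [version]'2.4.0'

# During OOBE the script runs as SYSTEM, so check machine-wide locations
# only. HKCU and per-user profile paths are not the signed-in user's here.
# Both registry views are checked so a 32-bit installer is still found.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$entry = Get-ItemProperty -Path $uninstallRoots -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -eq $displayName } |
    Select-Object -First 1

# No output plus a non-zero exit code means "not detected".
if (-not $entry) { exit 1 }

# A missing or malformed version string is treated as not detected
# instead of letting the script throw.
$installed = $null
if (-not [version]::TryParse($entry.DisplayVersion, [ref]$installed)) { exit 1 }

# Compare with -ge, not -eq, so an app that has updated itself is still
# detected and provisioning does not fail on a newer build.
if ($installed -ge $minVersion) {
    Write-Output "Detected $displayName $installed"
    exit 0
}

exit 1
```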
Deployment timeout: If a device preparation deployment fails due to timeout, compare the timeout value in the device preparation policy with the actual deployment time reported and adjust as needed.
Conclusion
Windows Autopilot device preparation marks a significant evolution in Windows device provisioning, offering IT admins a predictable, flexible, and transparent deployment framework. By following the best practices outlined above and leveraging the robust troubleshooting features built in, organizations can minimize deployment headaches and ensure users can provision their devices and become productive as quickly as possible.
FAQ
Are corporate identifiers the new registration?
Corporate identifiers aren’t a replacement for Windows Autopilot registration. They’re needed for organizations that block personal devices and to ensure only trusted devices can be enrolled in your tenant.
How do I move from Windows Autopilot to Autopilot device preparation?
You’d need to follow these steps:
- Create an assigned device security group and make sure all configurations are assigned to it.
- Create a new device preparation profile and assign it to your users.
- Deregister all devices from Windows Autopilot.
- Reset all devices.
Note that some advanced scenarios aren’t yet available for Windows Autopilot device preparation but may be available in the future.
Resources
For more details, including updates and a full list of known policies or issues, review the Microsoft documentation below:
- Overview of Windows Autopilot device preparation
- Overview for Windows Autopilot device preparation user-driven Microsoft Entra join in Intune
- Compare Windows Autopilot device preparation and Windows Autopilot
As always, if you have any questions let us know in the comments or reach out to us on X @IntuneSuppTeam or @MSIntune!