Announcing new Windows Autopilot onboarding experience for government and commercial customers
Published Jun 05 2024 12:00 PM

By: Maggie Dakeva – Sr. Product Manager & Juanita Baptiste – Sr. Product Manager | Microsoft Intune

 

Organizations are increasingly adopting a hybrid workplace and Windows Autopilot provides flexibility to deliver devices to users anywhere with internet connectivity. With more and more adoption of Windows Autopilot, Microsoft Intune is enhancing this solution to support a greater variety of scenarios and use cases.

 

Today, Intune is releasing a new Autopilot profile experience, Windows Autopilot device preparation, which enables IT admins to deploy configurations efficiently and consistently and removes the complexity of troubleshooting for both commercial and government (Government Community Cloud (GCC) High, and U.S. Department of Defense (DoD)) organizations and agencies.

 

What is Windows Autopilot device preparation and why was it created?

While the existing Windows Autopilot experience supports multiple scenarios and device types, we’re extending this value across additional cloud instances and improving consistency and troubleshooting capabilities based on customer feedback. We’re introducing Autopilot device preparation in a way that won’t interrupt current deployments or experience and provides a more consistent and efficient experience.

 

Among the benefits of Autopilot device preparation are:

  1. Availability in government clouds (GCC High and DoD) which will allow government customers to deploy at scale using Autopilot.
  2. Providing more consistency in user experience during deployments by locking in IT admins' intentions for onboarding.
  3. Creating more error resiliency in the experience to allow users to recover without needing to call a help desk.
  4. Sharing more insight into the Autopilot process with new reporting details.

 

A single Autopilot device preparation profile to configure deployment and OOBE settings

The Autopilot device preparation admin experience simplifies admin configuration by having a single profile to provision all policies in one location, including deployment settings and out-of-box (OOBE) settings. It also improves the consistency of the experience for users and gets them to the desktop faster by allowing you to select which apps (line-of-business (LOB), Win32, or Store apps) and PowerShell scripts must be delivered during OOBE.

 

A new Windows Autopilot device preparation section is available under Enrollment > Windows. Admins will configure a single Device preparation policy to configure deployment and user experience.

 

Grouping at enrollment time

An improved grouping experience places devices in a group at the time of enrollment. Simply assign all configurations to a device security group and include the group as part of the device preparation profile. The configuration will be saved and then delivered on the device as soon as the user authenticates during OOBE.

 

When creating the Device preparation profile, admins will also include a device security group. During provisioning, the device will be added to this group and receive the configuration applied to the group.

 

New user experience in OOBE

A simplified OOBE view shows the progress of the deployment as a percentage so that users know how far along in the process they are. When the device preparation configuration has been delivered to the device, the user will be informed that critical setup is complete, and they can continue to the desktop.

 

New Out-of-box-experience (OOBE) experience shows progress of the deployment in percentages.

 

The Autopilot device preparation deployment report

The new Autopilot device preparation deployment report captures the status of each deployment in near real-time and provides detailed information to help with troubleshooting. Here are some highlights of what to expect:

 

  • Easily track which devices went through Autopilot
  • Track status and deployment phase in near-real-time
  • Expand more details for each deployment:
    • Device details
    • Profile name and version
    • Deployment status details
    • Apps applied with status
    • Scripts applied with status

 

New Autopilot device preparation deployment report shows details such as apps and scripts status for configurations selected in the device preparation profile.

 

Coming soon: Corporate identifiers for Windows

While we don’t have a tenant association feature ready in this initial release, we understand the importance of only allowing known devices to enroll in your tenant. Soon we'll expand corporate device identifiers to include the Windows platform. Autopilot device preparation will support the new corporate identifier enrollment feature. This added functionality will allow you to pre-upload device identifiers and ensure only trusted devices go through Autopilot device preparation. Stay tuned for an update to this blog and our What’s new in Intune for the release!

 

Note: Until the new corporate identifiers feature is supported for Autopilot device preparation, if the personal device restriction is enabled and personal devices aren't allowed, enrollment always fails. Since enrollment always fails, Windows Autopilot device preparation doesn't work when the personal device restriction is enabled.

 

New enrollment restriction to add corporate identifiers for Windows devices through a CSV upload.

 

Frequently Asked Questions

How is this new Autopilot profile different from the current Autopilot profile?

The new Autopilot profile is a re-architecture of the current Autopilot profile, so while the experience for OEMs, IT admins, and users may look the same, the underlying architecture is very different. The updated architecture in the new Autopilot profiles gives the admin new capabilities that improve the deployment experience.

  • New orchestration agent allows the experience to fail fast and provide more error details.
  • Targeting is more precise and avoids dynamic changes when dynamic grouping is used.
  • Reporting infrastructure provides more details on the deployment experience.

Who does the new Autopilot profile benefit?

The new profile will benefit government customers who can now use Windows Autopilot device preparation to streamline their deployments at scale. It’ll also benefit new customers onboarding Windows Autopilot by reducing the complexity of setting up the deployment.

 

Is the new profile available in all sovereign clouds?

The new profile is available for Government Community Cloud (GCC) High and U.S. Department of Defense (DoD). It’s expected to be available for Intune operated by 21Vianet in China later this year.

 

What about the other Autopilot scenarios like pre-provisioning and self-deploying mode?

These functionalities will be supported in the future but aren’t part of the initial release.

 

Why is there a limit on the number of apps I can select to be delivered during OOBE?

We limited the number of applications that can be applied during OOBE to increase stability and achieve a higher success rate. Looking at our telemetry, almost 90% of all Autopilot deployments are deployed with 10 or fewer apps. This limit is intended to improve the overall user experience so that users can become more productive quickly. We understand that there are outliers and companies that want to target more during setup, but for the user-driven approach, we want to leverage the desktop experience for non-essential applications.

 

What is the order of installation for the device preparation profile?

The process is described in detail in: Overview for Windows Autopilot device preparation user-driven Microsoft Entra join in Intune.

 

Can we now mix app types such as LOB and Win32 apps with the device preparation profile?

While we always recommend Win32 apps, in current Autopilot deployments, mixing apps may result in errors. With the device preparation profile, we’ve streamlined the providers so different app types should not impact each other.

 

What is the guidance on user- vs device-based targeting?

Only device-based configurations will be delivered during OOBE. Assign security policy to devices, and ensure all selected apps in the device preparation profile are set to install in system context and are targeted to the device security group specified in the profile.

 

How will users know when the setup is complete?

Many users aren’t sure when the provisioning process is complete. To help mitigate confusion and calls to the help desk, we’re adding a completion page in OOBE. Admins can configure the page to require a user to manually select to continue or set the page to auto-continue. This message will let the user know that OOBE setup is complete but there may be additional installations happening that they can monitor in the Intune Company Portal.

 

Can the new profile be used by other MDMs?

Windows Autopilot device preparation will support 3rd party MDMs. In this initial release, configuration is only possible via Intune.

 

Will this be available on Windows 10 devices?

Currently, device preparation profiles are only available on:

  • Windows 11, version 23H2 with KB5035942 or later.
  • Windows 11, version 22H2 with KB5035942 or later.

 

How can I move my existing devices to the new device preparation profile?

If you’d like to have an existing device join your tenant through the device preparation profile, the device would first need to be de-registered from Autopilot, then retargeted to a security group within your device preparation profile.

 

Do I need to migrate my existing profiles from Autopilot to Autopilot device preparation?

There’s no need to migrate from existing Autopilot to the new Autopilot profile. We expect both environments to exist in parallel for a while as we work to improve the experience and add more functionality.

 

Does this mean we are no longer investing in Autopilot?

Not at all! We’re continuing to work on Autopilot in parallel with developing Autopilot device preparation. The first release of Autopilot device preparation won’t have all the scenarios of Autopilot, specifically pre-provisioning and self-deploying modes, so we’ll continue to invest in those areas. Additionally, where possible, we plan to add any high value features from Autopilot device preparation to Autopilot to improve the experience for all customers.

 

If you have any questions, leave a comment below or reach out to us on X @IntuneSuppTeam. Stay tuned to What’s new in Intune and What’s new in Autopilot as we continue developing this new deployment experience.

Last update: Jun 06 2024 03:10 PM