Deploying Windows devices at scale has always been a challenge for IT teams, especially in hybrid and remote work environments. Microsoft’s new Windows Autopilot Device Preparation is designed to make that process easier, more reliable, and more transparent.
In this blog post, we’ll cover what Autopilot Device Preparation is, how it works, when to use it over traditional Autopilot, and best practices for successful deployment.
What Is Windows Autopilot Device Preparation?
Windows Autopilot Device Preparation is Microsoft’s next-generation provisioning solution for Windows 11 devices. Its main goals are:
- Simplification – deployment configuration and Out-of-Box Experience (OOBE) settings are merged into a single provisioning policy.
- Reliability – improved consistency across device rollouts.
- Visibility – near real-time reporting on scripts, apps, and deployment status.
- Flexibility – enrollment-time grouping eliminates delays caused by group evaluations.
Autopilot vs. Autopilot Device Preparation: When to Use Which?
Choosing between traditional Windows Autopilot and Autopilot Device Preparation depends on your organization’s needs:
Use Case | Traditional Autopilot | Device Preparation |
---|---|---|
Hybrid Azure AD join | ✔ Supported | ✘ Limited |
Pre-provisioning / self-deploying flows | ✔ Supported | ✘ Not supported |
DFCI, device rename pre-enrollment | ✔ Supported | ✘ Not supported |
Cloud-native Microsoft Entra join | Partial | ✔ Best suited |
Avoid device registration overhead | ✘ No | ✔ Yes |
Better real-time visibility | Limited | ✔ Yes |
Best suited for Autopilot Device Preparation:
- Cloud-native setups with Windows 11
- Organizations wanting to simplify device deployment
- Environments where device registration adds overhead
- Sovereign cloud scenarios with restrictions on Autopilot registration
How the Device Preparation Deployment Flow Works
Here’s the step-by-step journey of provisioning with Autopilot Device Preparation:
- Intune setup – Create a security group in Microsoft Entra and assign an Autopilot Device Preparation policy.
- Device readiness – Devices must run Windows 11 and not already be Autopilot-registered.
- OOBE sign-in – User signs in with Microsoft Entra credentials.
- Enrollment – Device joins Microsoft Entra and enrolls in Intune.
- Optional Windows Backup – User may restore settings from a previous device.
- Preparation phase – Intune Management Extension and bootstrapper install, device sync begins.
- Enrollment-time grouping – Device is added to the right security group for targeting.
- Policy, app, and script install – Only critical items defined in the policy are installed here.
- App deployment continues – Win32 and Microsoft Store apps install in the background.
- Reboot if required – System may restart.
- Completion of preparation – Device setup finishes; users complete OOBE tasks like Windows Hello.
- Desktop phase – Non-critical policies and apps install after user reaches the desktop.
Best Practices for IT Teams
To maximize success with Autopilot Device Preparation:
- Use dedicated device security groups in Microsoft Entra, owned by the Intune Provisioning Client service principal.
- Target only critical apps/scripts for OOBE; keep the rest for after setup.
- Target apps to devices (system context) for smoother installations.
- Review timeout settings and adjust them for larger apps or slower networks.
- Monitor reports in Intune for near real-time status of apps and scripts.
Common Deployment Issues
Even with improvements, you may encounter issues:
- Enrollment failures → often due to devices already registered with Autopilot or unsupported restrictions.
- Unsupported OS versions → ensure Windows 11 is used with a clean, supported image.
- App/script failures → check detection rules and test outside Autopilot before deploying.
- Timeouts → increase default timeout values for larger apps.
Migrating from Autopilot to Device Preparation
If you’re moving from traditional Autopilot:
- Create/confirm a Microsoft Entra security group.
- Build a new device preparation profile in Intune.
- Deregister existing devices from Autopilot.
- Reset devices to start fresh with the new flow.
Note: Advanced scenarios like pre-provisioning, self-deploying, or DFCI are not yet supported in device preparation.
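The migration steps above depend on knowing which devices are still Autopilot-registered, which is also the most common cause of the enrollment failures listed earlier. The following read-only check is an added example, not part of the original post. It assumes the Microsoft.Graph.Authentication PowerShell module, an account permitted to read Autopilot device identities, and constructed placeholder serial numbers.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example (not from the original post): read-only pre-flight check that
# lists which devices are still Autopilot-registered before migration.

# Constructed placeholder serial numbers; replace with your own inventory.
$Serials = @('PLACEHOLDER-SN-001', 'PLACEHOLDER-SN-002')

# Read-only scope for Autopilot device identities.
Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All'

function Get-AutopilotRegistration {
    param([Parameter(Mandatory)][string]$SerialNumber)

    # The serial lands inside an OData string literal: double single quotes,
    # then URL-encode so spaces or symbols cannot alter the query.
    $literal = [uri]::EscapeDataString($SerialNumber.Replace("'", "''"))
    $uri = 'https://graph.microsoft.com/v1.0/deviceManagement/' +
           "windowsAutopilotDeviceIdentities?`$filter=contains(serialNumber,'$literal')"

    $hits = @()
    while ($uri) {
        $page  = Invoke-MgGraphRequest -Method GET -Uri $uri
        $hits += $page.value
        $uri   = $page.'@odata.nextLink'   # $null on the last page
    }
    # contains() is a substring match, so keep exact serial matches only.
    $hits | Where-Object { $_.serialNumber -eq $SerialNumber }
}

$report = foreach ($sn in $Serials) {
    $reg  = @(Get-AutopilotRegistration -SerialNumber $sn)
    $next = 'Ready for Device Preparation'
    if ($reg.Count -gt 0) { $next = 'Deregister, then reset' }

    [pscustomobject]@{
        SerialNumber        = $sn
        AutopilotRegistered = $reg.Count -gt 0
        AutopilotDeviceId   = ($reg | ForEach-Object { $_.id }) -join ','
        NextStep            = $next
    }
}
$report | Format-Table -AutoSize
```

The script only reads from Microsoft Graph, so it can be run with a read-only role before anyone is granted the rights needed to deregister devices.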
Conclusion
Windows Autopilot Device Preparation is a streamlined, modern approach to provisioning. It reduces complexity, avoids registration overhead, and provides better visibility into deployments—making it especially valuable for cloud-native organizations using Windows 11.
If your IT team wants faster, simpler, and more reliable device onboarding, it may be time to evaluate whether Autopilot Device Preparation is the right fit for your environment.