Intune Stuff | The Community place for Microsoft Intune, Intune Suite, Autopilot, macOS Management, Copilot for Security.

How to configure Autopilot Device Preparation (APv2) – With a twist….

by | Jun 19, 2024 | APv2, Autopilot, Device Management, Featured Post, Intune, Manuals, MDM, Microsoft, Most Popular, Top Stories | 6 comments

Hi all,

This is my first post as an MVP, and I was not planning to do a post on how to configure Autopilot Device Preparation (APv2) because there are a lot of very good posts already available. However, during the configuration of Autopilot Device Preparation I ran into something I did not expect. I decided to share this with the community.


This triggered me to write a blog post on this anyway: if I ran into this, maybe some of you are facing the same issue.

So let’s get through the basics first and put everything in place that we need to do Autopilot Device Preparation. The twist will show up sooner than you think (and sooner than I thought). But rest assured, it works!

 

What is Autopilot Device Preparation (APv2)

Windows Autopilot device preparation is used to set up and configure new devices, getting them ready for productive use. Windows Autopilot device preparation aims to simplify device deployment by delivering consistent configurations, enhancing the overall setup speed, and improving troubleshooting capabilities.


This article explores the capabilities of the Windows Autopilot device preparation, its benefits for administrators, and the user experience it offers including:


    • Reducing the time IT spends on deploying devices.
    • Reducing the infrastructure required to maintain the devices.
    • Maximizing ease of use for all types of end users.


  • Improved troubleshooting.
  • Near real-time deployment status and monitoring.

…..Sort of 😉

 

Requirements

    • Windows 11, version 23H2 with KB5035942 or later.
    • Windows 11, version 22H2 with KB5035942 or later.
    • Microsoft Entra ID – only Microsoft Entra join is supported; hybrid join is NOT supported
    • Device shouldn’t be registered or added as a Windows Autopilot device – if the device is registered or added as Windows Autopilot device, the Windows Autopilot profile takes precedence over the Windows Autopilot device preparation policy. If a device needs to be removed as a Windows Autopilot device


The Windows version is really important; this is where the twist starts, take a guess….. I wanted to try out the new experience on a VM, so I went to the Microsoft Download site to download a new ISO file of Windows 11.

 

Setting up Autopilot Device Preparation

In these steps I will guide you through setting up everything you need to get started.

 


Check the device platform restrictions

In the good old Autopilot v1 days we blocked enrollment of personally owned Windows devices for some customers. This needs to change, because as of now hardware hashes are no longer used to identify corporate devices. Changing this setting opens the tenant up to personal devices, which we don’t actually want. This can be fixed by using corporate identifiers, but more on that later in a new post, so stay tuned for more information.

You can always subscribe to my blog, by doing this you will ride shotgun for future posts!!

Open the Intune portal – Devices – Enrollment – Device platform restrictions


 

Click Windows restrictions and All users


Click Properties and check that Personally owned is set to Allow for Windows (MDM)

 

 

Create the device group

One of the new features of the Autopilot Device Preparation deployment profile is its ability to automatically place a PC into a device group during provisioning. This device group is considered ‘special’ because it must comply with the following criteria:


  • Must be a security group
  • Membership type must be Assigned
  • The owner must be the service principal Intune Provisioning Client with AppId f1346770-5b25-470b-88bd-d5744ab7952c

In some tenants the service principal might be named Intune Autopilot ConfidentialClient instead of Intune Provisioning Client. As long as the AppId of the service principal is f1346770-5b25-470b-88bd-d5744ab7952c, it is the correct service principal.

If the Intune Provisioning Client/Intune Autopilot ConfidentialClient service principal with AppId f1346770-5b25-470b-88bd-d5744ab7952c isn’t available, either in the list of objects or when searching, see Adding the Intune Provisioning Client service principal: https://learn.microsoft.com/en-us/autopilot/device-preparation/tutorial/user-driven/entra-join-device-group#adding-the-intune-provisioning-client-service-principle

 

Check for the service principal presence in your Entra ID tenant

Go to your Entra ID tenant – Enterprise applications – remove the filter Application type == Enterprise Applications – paste the AppId f1346770-5b25-470b-88bd-d5744ab7952c into the “Application ID starts with” filter and click Apply

As you can see, I have the Intune Autopilot ConfidentialClient in my tenant


 

Add the Service principal (optional, if you have it in your tenant you can skip this)

If the service principal is not available in your tenant for some reason, follow these steps to add it.

On a device where Microsoft Intune or Microsoft Entra ID is normally administered, open Windows PowerShell as administrator and enter the following:

Install-Module AzureAD

If prompted to do so, agree to install NuGet and the azuread module from PSGallery.

Once the AzureAD module is installed, connect to Microsoft Entra ID by entering the following command:

Connect-AzureAD

If not already authenticated to Microsoft Entra ID, the Sign in to your account window appears. Enter the credentials of a Microsoft Entra ID administrator that has permissions to add service principals.


Once authenticated to Microsoft Entra ID, add the Intune Provisioning Client service principal by entering the following command:

New-AzureADServicePrincipal -AppId f1346770-5b25-470b-88bd-d5744ab7952c

 

Create the group

Go to Intune – Groups – All groups – New group.

Name the group, e.g. sg-intune-autopilotV2-Devices, and fill in a description if you want


Click Add owner; on the Add owners page, search for Intune, select Intune Autopilot ConfidentialClient, click Select, and then create the group

IMPORTANT: Ensure that the service principal ID for the owner is f1346770-5b25-470b-88bd-d5744ab7952c. It may also appear with the display name “Intune Provisioning Client,” but the AppId is the critical identifier, not the name.

Make sure you assign this group to ALL policies, apps, scripts, … you want to have on your device during your Autopilot device preparation.
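The service principal check, the optional service principal creation and the device group creation above are all portal or AzureAD-module steps. As an added example (not code from the original post), here is the same tenant preparation done with the Microsoft Graph PowerShell SDK (the Microsoft.Graph module, which is assumed to be installed), ending with the verification a practitioner wants: the group is a security group, membership is Assigned, and the owner is resolved by AppId rather than by display name, since the post points out that the name varies between tenants. The AppId and the group name are the ones from the post; the description, mail nickname and scopes are assumptions made here.

```powershell
# Added example, not from the original post: prepare the APv2 tenant objects with the
# Microsoft Graph PowerShell SDK instead of the (deprecated) AzureAD module.
# Assumptions: Microsoft.Graph module installed; the signed-in admin can consent to the scopes.
$IntuneProvisioningClientAppId = 'f1346770-5b25-470b-88bd-d5744ab7952c'   # AppId from the post
$DeviceGroupName               = 'sg-intune-autopilotV2-Devices'          # group name from the post

# Application.ReadWrite.All is needed to create the service principal, Group.ReadWrite.All for the group.
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'Group.ReadWrite.All' -NoWelcome

# 1. Look the service principal up by AppId, never by display name (the name differs per tenant).
$sp = Get-MgServicePrincipal -Filter "appId eq '$IntuneProvisioningClientAppId'"
if (-not $sp) {
    Write-Host "Service principal missing, creating it from AppId $IntuneProvisioningClientAppId"
    $sp = New-MgServicePrincipal -AppId $IntuneProvisioningClientAppId
}
Write-Host "Using service principal '$($sp.DisplayName)' (ObjectId $($sp.Id))"

# 2. Create the assigned security group if it does not exist yet (no mail, no dynamic rule).
$group = Get-MgGroup -Filter "displayName eq '$DeviceGroupName'"
if (-not $group) {
    $group = New-MgGroup -DisplayName $DeviceGroupName `
                         -Description 'Autopilot Device Preparation device group (assigned)' `
                         -MailEnabled:$false `
                         -MailNickname ($DeviceGroupName -replace '[^a-zA-Z0-9]', '') `
                         -SecurityEnabled:$true
}

# 3. Add the service principal as owner of the group (idempotent).
$existingOwners = Get-MgGroupOwner -GroupId $group.Id
if ($existingOwners.Id -notcontains $sp.Id) {
    New-MgGroupOwnerByRef -GroupId $group.Id -BodyParameter @{
        '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($sp.Id)"
    }
}

# 4. Verify the three criteria from the post: security group, Assigned membership, owner AppId.
$group = Get-MgGroup -GroupId $group.Id -Property 'id,displayName,securityEnabled,groupTypes'
$ownerAppIds = Get-MgGroupOwner -GroupId $group.Id | ForEach-Object {
    # Owners can also be users; those return nothing here and are simply not counted.
    (Get-MgServicePrincipal -ServicePrincipalId $_.Id -ErrorAction SilentlyContinue).AppId
}

$checks = [ordered]@{
    'Security group'              = ($group.SecurityEnabled -eq $true)
    'Assigned membership'         = ($group.GroupTypes -notcontains 'DynamicMembership')
    'Owned by provisioning AppId' = ($ownerAppIds -contains $IntuneProvisioningClientAppId)
}
$checks.GetEnumerator() | ForEach-Object {
    '{0,-30} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```

The verification step at the end is the part worth keeping in your runbook: the portal lets you pick an owner by display name, and a look-alike name would pass a visual check, but only the owner’s AppId tells you the provisioning client can actually add devices to the group.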

 

Create a user group (optional – you can use an existing user group if you want)

Go to Intune – Groups – All groups – New group.


Name your group, e.g. sg-intune-autopilotV2-Users; this can be an assigned or dynamic group. Click Create

 

 

Setup the Autopilot Device Preparation policy


Our tenant is now ready for the good stuff, and we can proceed to configure the policy itself. Go to Intune – Devices – Enrollment and select Device preparation policies

Click create and click next on the intro

Fill in a name and/or description for your policy and click next

Now add the device group we have created in the previous step and click next

 


The Configuration Settings of the Device Preparation Group

Now we are going to add all the details regarding the deployment itself, let’s dive in shall we.

Deployment settings
  • Deployment Mode – Single user
  • Deployment Type – User-driven
  • Join Type – Azure AD joined (why not Entra ID, this is a new feature, right? ;-))
  • User account type – Standard or Administrator (I selected Administrator for my demo)

 

Out-of-box experience settings
  • Minutes allowed before showing installation error – I have set this to 60 minutes; if you have a lot of apps to install (max 10) you can set a higher number
  • Custom error message – feel free to put in what you want
  • Allow users to skip setup after multiple attempts – Yes
  • Show link to diagnostics – Yes


 

Apps

Select up to 10 managed apps you want to reference with this deployment. These apps should be assigned to the device security group you selected earlier. You can check the installation status for these apps in the device details for devices in this deployment.

Click Add to add the apps. Now, the pane that opens to add the apps is really small in my opinion; this could have been better. I use update rings for my apps, so I have multiple apps with the same name in front and the update ring number at the back, and I cannot distinguish them in this small pane; on my screen I also cannot expand the apps column. I hope this is better for you. Annoying, to say the least. But OK, select the apps you want to include in your deployment and click Save.

 


Scripts

Select up to 10 PowerShell scripts to install during this deployment. These scripts should already be assigned to the device group selected earlier. You can check the installation status for these scripts in the device details for devices in this deployment. Select the scripts you want to include in your deployment and click Save.

 

Scope Tags

Enter the scope tags if you want

Assignments

These settings for Autopilot device preparation are designed to be user targeted. In this section, you will select the user group/groups that will receive the device preparation policy.

In the search box, enter the name of the user group you’d like to use

Select your group when it’s displayed and click Next; on the Review and create page, click Save

Now your policy is in place and we can start with enrolling our device, here comes the twist 😉


 

The Twist

So I downloaded the ISO file in the first steps and used it to set up a new VM in Hyper-V. So far so good. Let’s see the process in action. Notice that after about 10 seconds the installation says “Checking for updates – Making sure you have the latest”, and at 2:20 we are presented with the location question. No Autopilot here. Something must be wrong. OK, shit happens, so I went over all config settings, compared them with the Microsoft documentation, and compared them with other blogs and guides I found on the net. Tried everything multiple times, same story, no Autopilot.

 

I kept searching for what could possibly have gone wrong and suddenly I got an aha moment. What about my version of Windows???? In the Microsoft documentation it says the following for the software requirements for Windows 11:

  • Windows 11, version 23H2 with KB5035942 or later – Windows installation media dated April 2024 or later has KB5035942 included.
  • Windows 11, version 22H2 with KB5035942 or later – Windows installation media dated April 2024 or later has KB5035942 included.

I clicked on the link for the KB, and there you can see the build number of your Windows 11 version:

Remember, I downloaded a brand new Windows 11 ISO from the official channel, and during setup Windows installed the latest updates. Now back to the VM. I pressed Shift + F10 to open a command prompt, typed winver, and guess what: I was below the minimum version!

But updates were being installed during setup, just not the ones I need for Autopilot device preparation??? Also, on the Microsoft site there is an important box saying this:
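Rather than eyeballing winver at the Shift + F10 prompt, a script can compare the installed build against the KB5035942 minimum. This is an added example, not code from the original post. It assumes the OS builds published in the KB5035942 release notes (22621.3374 for 22H2 and 22631.3374 for 23H2); those numbers are not on this page, so confirm them against the KB link in the documentation before relying on them. Builds newer than 23H2 are treated as meeting the requirement, which matches the author’s experience with the 24H2 insider media later in the post.

```powershell
# Added example, not from the original post: does this device meet the APv2 minimum build?
# Assumption: minimum revisions come from the KB5035942 release notes (22621.3374 / 22631.3374);
# verify them against the KB article, they are not stated on the page.
# Usage during OOBE: Shift + F10, then "powershell", then paste this script.

function Get-WindowsBuildInfo {
    # CurrentBuild is the build family (22621 = 22H2, 22631 = 23H2, 26100 = 24H2);
    # UBR is the revision that each cumulative update raises. Together they form winver's number.
    $key = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        DisplayVersion = $key.DisplayVersion
        Build          = [int]$key.CurrentBuild
        Ubr            = [int]$key.UBR
    }
}

function Test-ApV2MinimumBuild {
    param([int]$Build, [int]$Ubr)
    # Minimum UBR per supported build family (assumed from the KB5035942 release notes).
    $minimumUbr = @{ 22621 = 3374; 22631 = 3374 }
    if ($Build -gt 22631) { return $true }                       # 24H2 and later: newer than the fix
    if (-not $minimumUbr.ContainsKey($Build)) { return $false }  # older than 22H2: not supported at all
    return $Ubr -ge $minimumUbr[$Build]
}

$info = Get-WindowsBuildInfo
$ok   = Test-ApV2MinimumBuild -Build $info.Build -Ubr $info.Ubr
'{0} build {1}.{2}: {3}' -f $info.DisplayVersion, $info.Build, $info.Ubr,
    $(if ($ok) { 'meets the APv2 minimum (KB5035942 or later)' }
      else     { 'BELOW the APv2 minimum, use media that already contains KB5035942' })
```

Comparing the build revision is more reliable than looking for the KB itself with Get-HotFix: once a later cumulative update is installed, KB5035942 is superseded and no longer appears as its own entry, while the revision number only ever goes up.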

All good, you think, but not everybody has access to the Volume Licensing Service Center, and furthermore it doesn’t exist anymore, because if you click the link you get this:

I could not try downloading an image from there because I don’t have a VLSC license. So back to the start, you think. Well, not completely: I had signed up for the Windows Insider preview program, so I went to the Windows Insider site, signed in and downloaded a copy of Windows 11 24H2, spun up a new VM with this ISO, and the behaviour is as follows:

 

Now everything is running as it should, so my config was perfectly fine; it was just the Windows version that was the culprit. After about 10 minutes I was presented with this screen.


And when I clicked Next I got the location question and all the other stuff.

After answering all the questions I was presented with my login screen, and after confirming MFA and choosing a PIN I could log in as normal.

All of my apps are installed and also the new company portal app experience. This made me a happy camper.

Now, just for your information and as a last check, go to Intune – Groups – the device group you created, and you will see your device there:

In the Devices section the device is listed and reported as compliant

 

Conclusion


So to conclude: the setup for Autopilot Device Preparation isn’t that hard; however, make sure you have an updated Windows 11 version that supports the new way. In my opinion it is working very well, apart from the small app selection panes, but overall the experience is quite good. I would like to see more info while the device is installing, by which I mean more detail on what is happening. But for a new Microsoft release this is pretty good; I’ve seen worse 😉

Good luck configuring!

See you soon for more….

6 Comments

  1. John-Mark

    This is great!

    Not sure if you’ve had this issue, but I’ve run into a problem where the setup “fails” during installing apps. I only have 4 apps being deployed during testing: Chrome, Firefox, Adobe Reader and the Office suite. For some odd reason, the first time I got this set up it installed everything perfectly, but after testing it again I added 1 additional app, it kept failing, so I removed that app but the app install is still failing. If I click “skip setup” it still installs the apps and doesn’t allow me into the system before they are all installed.

    Any idea what could be causing that issue?

    Reply
    • joery.vandenbosch@arxus.eu

      Hi, I’ve seen apps failing multiple times unfortunately, this can have multiple causes. I did not yet experience failing apps (yet) on APv2, so no need to click skip setup at this point in time for me.

      Reply
      • John-Mark

        I just realized it wasn’t apps. I was looking at the “monitoring” tab in Intune, it seems the devices are failing at “Device provisioning failed”

        Any idea what could cause something like that?

        Reply
  2. Mike

    Device preparation is not kicking in for my users. I am using 24H2 (26100.2033), the users have a valid Business Premium with Intune license, but the whole setup part is skipped after login and I go straight to Windows.

    I have setup all groups according to your tutorial.

    Reply
  3. Sebastien

    Hi there
    Nice article
    I’ve been trying for a few days to make that work, but I still don’t get the Device Preparation to start. It goes straight to a classic logon.
    The computer is Entra joined, but no Intune device, and furthermore: no device in the Autopilot device group.

    I triple checked the groups, the assignments and all that. I’m not even trying yet to install apps in Autopilot (besides Company Portal).

    The Device preparation is completely ignored 🙁

    I used an insider from August 2025, W11 27924, iso file freshly downloaded

    I don’t know where to look now; most of the articles I found are talking about errors in app setup or other things that happen after the device preparation has popped in

    Any idea?

    Reply
