Microsoft Intune Device Preparation sometimes referred to as Autopilot V2 is a modern approach to Windows device enrolment that simplifies setup by eliminating the need to pre-import hardware hashes. Unlike traditional Autopilot, which requires IT admins to register devices in advance using a hardware ID, Device Preparation allows users to enrol their own devices using group-based targeting and policy automation.

This user-driven model streamlines deployment, reduces administrative overhead, and supports faster onboarding especially in environments where flexibility and scalability are key. However, it currently lacks some of the advanced controls and hybrid join options available in classic Autopilot, making it ideal for specific use cases rather than a full replacement.

In this tutorial, you’ll learn how to configure Device Preparation in Intune, create the necessary user and device groups, apply enrolment restrictions, and ensure apps and policies are deployed correctly all with step-by-step guidance and best practices.

Setting Up Required Groups for Deployment

To begin, we need to create two groups in Microsoft Intune: a user group and a device group.

  • Open a web browser and navigate to Microsoft Intune.
  • Go to ‘Groups’ and select ‘New Group’.
  • Create a user group named ‘Autopilot Device Preparation – User’.
  • Set Membership type to ‘Assigned’ and add members
Microsoft 365 admin center screenshot showing the 'Autopilot Device Preparation - User' group with two direct members: Josh Brownhill and Josh Cullen, including their email addresses.
  • Create a device group with the ‘Autopilot Device Preparation – Device’.
  • Assign ‘Intune Provisioning Client’ as the owner
Screenshot of the Microsoft Azure portal showing the 'Autopilot Device Preparation - Device' group owners tab, listing one owner: IPP, an Intune Provisioning Client with a service principal email.

Creating a Device Preparation Policy

  • Go to ‘Devices’ > ‘Enrollment’ > ‘Device Preparation Policies’.
  • Click ‘Create’ and under basics name the policy (e.g., ‘Autopilot Device Preparation Policy’).
  • Assign the previously created device group.
Screenshot of the 'Create profile' page in Windows Autopilot device preparation policies, showing step 3: Device group. It includes instructions for selecting an Entra ID security group and lists one group: 'Autopilot Device Preparation with 1 device and 0 users.
  • Configure settings such as deployment mode, join type, and user account type.
Screenshot of the 'Deployment settings' section showing selected options: Deployment mode set to 'User-driven', Deployment type set to 'Single user', Join type set to 'Microsoft Entra joined', and User account type set to 'Standard User'.
  • Configure Out-of-box experience settings
Screenshot of the 'Out-of-box experience settings' showing a 30-minute timeout before installation error, a custom error message instructing users to contact support, 'Allow users to skip setup' set to No, and 'Show link to diagnostics' set to Yes.
  • Add apps like Company Portal and Microsoft 365 Apps.
  • Assign the policy to the user group.
Screenshot of an app deployment interface showing two allowed applications: 'Company Portal' and 'Microsoft 365 Apps for Windows 10 and above', both published by Microsoft. A 'Next' button is visible at the bottom.

Deploying Required Applications

Because Device Preparation policies don’t automatically install apps they only define the enrolment experience. Marking apps like Company Portal or Microsoft 365 as required ensures they’re pushed to the device during setup, so users have the tools they need immediately after sign-in.

  • Go to ‘Apps’ > ‘Windows’.
  • Select ‘Company Portal’ > ‘Properties’ > ‘Assignments’.
  • Add the device group to the assignments.
  • Repeat for Microsoft 365 Apps and any other apps.
Screenshot of the 'Edit Add Microsoft 365 Apps' page showing assignment settings for Windows 10 and later. The 'Required' section includes the group 'Autopilot Device Preparation - Device' with no group filter applied. Options to add groups, all users, or all devices are visible.

Configuring Device Platform Restrictions

This step ensures that only corporate-owned devices can be enrolled into Intune using Device Preparation.

Why it matters:
By default, Intune allows both personal and corporate devices to enrol. Without restrictions, users might accidentally enrol personal devices, leading to privacy concerns and unnecessary management overhead. Blocking personally owned devices ensures that only pre-approved, corporate-identified hardware can complete the enrolment process.

  • Go to ‘Devices’ > ‘Enrolment’ > ‘Device Platform Restrictions’.
  • Create a new restriction named ‘Windows Device Restriction’.
  • Set ‘Personally Owned Devices’ to ‘Blocked’.
  • Assign the restriction to all users.
Screenshot of the 'Create restriction' interface under the 'Platform settings' tab, showing MDM set to 'Allow', min/max range fields left empty, and personally owned devices set to 'Block'.

Managing Corporate Device Identifiers

This step ensures that Intune can recognize a device as corporate-owned during enrolment especially important when using Device Preparation, which doesn’t rely on hardware hash pre-registration like traditional Autopilot.

Why it matters:
Since Device Preparation is user-driven, Intune can’t automatically tell if a device is personal or corporate. If you’ve blocked personal device enrolment (as recommended), any unrecognized device will fail to enrol. By uploading a CSV with the device’s manufacturer, model, and serial number, you explicitly mark it as corporate, allowing enrolment to proceed.

Create the CSV file

First, gather the required device information:

  • Vendor
  • Model
  • Serial Number

To retrieve this info from a sample device, open Command Prompt and run:

wmic csproduct get vendor,name,identifyingnumber
  • Copy the output into a CSV file with the following format from the below example:
Microsoft Corporation,Virtual Machine,1234-5678
  • If you’ve purchased a batch of identical devices, you can reuse the same Vendor and Model (Name) values across all entries. In many cases, you may be able to collect the Serial Numbers (IdentifyingNumber) directly from an order confirmation, delivery note, or asset list—saving you from having to run the command on each individual device.

Upload the CSV to Intune

  • Go to Devices > Enrollment > Corporate Device Identifiers
  • Click Add and choose Upload CSV
  • From the drop down select Manufacturer, model and serial number (Windows only)
  • Select the file you created and upload it
Screenshot of the 'Add identifiers' page under 'Corporate device identifiers', showing the selected identifier type 'Manufacturer, model and serial number (Windows only)' and an option to import a file to define corporate-owned devices.

Out-of-Box Experience (OOBE) Configuration

  • Boot the test machine and go through the OOBE setup.
  • Sign in with a user from the group (e.g., j.cullen@thedeploymentguy.co.uk).
  • Observe the new progress bar and answer setup questions.
  • Skip Windows updates if needed.
Screenshot of a setup screen for work or school showing a progress message: 'Setting up for work or school – 1% completed, Installing management extension…' with an illustration of a laptop on the left.

Post-OOBE Login and Desktop Setup

  • Log in with the user account.
  • Verify that apps like Excel, Teams, Outlook, PowerPoint, Word, and Company Portal are installed.

Conclusion

This tutorial walked you through configuring Autopilot Device Preparation in Microsoft Intune—from setting up user and device groups to applying enrollment restrictions and deploying essential apps. By following these steps, you can streamline device onboarding and ensure a consistent, policy-driven experience for your users.

If you found this guide helpful, be sure to check out more tutorials on my YouTube channel:
🔗 https://www.youtube.com/@thedeploymentguy

Don’t forget to subscribe for regular tips, walkthroughs, and best practices on Microsoft Intune and modern device management!

Overview of Windows Autopilot device preparation | Microsoft Learn

Home