Windows Autopilot lets you provision devices straight out of the box. No imaging. No manual OS setup. No need for a device to touch IT hands before it reaches the end user. A device boots, the user signs in, and Intune handles the rest — applying policies, installing apps, and joining the device to your tenant automatically.
Before any of that works, you need an enrollment profile. This tells the Autopilot service what to do when the device checks in during OOBE. There are currently two ways to configure this in Intune: the classic Autopilot Profile (V1) and the newer Device Preparation policy (V2). This guide covers both.
How Autopilot Works
When a Windows device boots for the first time (or after a reset), it reaches out to the Microsoft Autopilot service using the device’s hardware hash — a unique fingerprint generated from the serial number, hardware IDs, and other identifiers. The service matches it to your tenant and returns the deployment profile. The device then contacts Intune, begins MDM enrollment, and starts pulling down policies and apps — all before the user reaches the desktop.
V2 (Device Preparation) changes this flow. Instead of relying on a hardware hash, the user’s authentication event during OOBE triggers enrollment. The device is immediately added to a pre-defined security group, which already has apps and policies assigned to it. No pre-registration needed.
Part 1: Autopilot Profile (V1)
When to Use V1
V1 is the more established and feature-rich option. It’s the right choice when you need:
- Hybrid Entra join (on-premise domain join via Autopilot)
- Self-deploying mode for kiosks or shared devices with no user affinity
- White Glove / pre-provisioning for IT to pre-stage apps before the device reaches the user
- Custom device naming templates
- Windows 10 device support
- More than 25 apps deployed during OOBE
Configuring the Profile
Navigate to Devices → Enrollment → Windows → Deployment Profiles → Create Profile → Windows PC.
Basics
Give the profile a clear name and description. Enable Convert all targeted devices to Autopilot. This registers any device in the targeted group with the Autopilot service and ensures that future device resets automatically re-enter the Autopilot OOBE — even for devices that weren’t originally enrolled via hash upload. There’s no downside to enabling this.
Out-of-Box Experience (OOBE) Settings
This is the core of the profile. Here’s what each setting means and what to choose:
- Deployment mode — Set to
User-drivenfor standard provisioning where a user signs in during setup. UseSelf-deployingonly for kiosk or shared devices that require no user interaction or affinity - Join type — Set to
Microsoft Entra joined(cloud-only). Hybrid join is technically possible but introduces dependency on line-of-sight to a domain controller during OOBE. Avoid it for new tenants - User account type — Always set to
Standard. Never provision local admin rights through Autopilot. Use Windows LAPS, Endpoint Privilege Management, or Entra ID roles for elevation when needed - Allow pre-provisioned deployments (White Glove) — When enabled, an IT admin can press the Windows key five times during OOBE to pre-install all device-targeted apps and policies before the device reaches the user. The user then only completes the user-phase steps. Useful for heavy deployments or low-bandwidth offices — but devices that sit pre-provisioned for too long may arrive with stale apps
- Language — Sets the OOBE locale. This is how you differentiate profiles for international rollouts. Combined with group tags and dynamic Entra groups, you can automatically route
en-GB,fr-FR, orde-DEdevices to the right profile - Device naming template —
%SERIAL%is the most common choice. You can also use%RAND:x%for a random numeric suffix. Device names carry less operational weight in modern management than they did historically, but consistent naming still helps with log correlation and support
Assignment
Assign the profile to your Autopilot Devices group. This is typically a dynamic Entra group scoped by group tag — so as soon as a device is registered with a specific group tag, it’s automatically picked up by the right profile.
Click Review + Create to save.
Part 2: Device Preparation (V2)
Device Preparation reached general availability in June 2024. It removes the hardware hash requirement entirely and merges the classic Autopilot profile and the Enrollment Status Page (ESP) into a single policy. It’s faster, simpler, and better suited for cloud-native environments.
How Enrollment Time Grouping Works
The key mechanism behind V2 is Enrollment Time Grouping (ETG). When the user authenticates during OOBE, the Intune Provisioning Client automatically adds the device to a pre-defined static security group in real time — before policies and apps begin deploying.
Because apps and policies are already assigned to this group, Intune doesn’t need to wait for dynamic group membership evaluation. Dynamic groups can take several minutes to process. ETG is instant.
Pre-Requisite: Create the ETG Group
Before creating the policy, you need a dedicated static security group in Entra ID with the Intune Provisioning Client set as its owner. This owner relationship is what gives Intune permission to add devices to the group automatically during OOBE.
- Go to Groups → New Group
- Set Group type to
Securityand Membership type toAssigned - Name it clearly — e.g.,
Autopilot-DevicePrep-Devices - Click No owners selected, search for
Intune Provisioning Client(app ID:f1346770-5b25-470b-88bd-d5744ab7952c), and add it as owner - Click Create and note the group ID — you’ll need it when configuring the policyImportant: If the Intune Provisioning Client doesn’t appear in your search, it hasn’t been provisioned in your tenant yet. You’ll need to create the service principal manually before proceeding.
Also make sure your apps and PowerShell scripts are already assigned to this device group with a required deployment before you create the policy — otherwise the policy creation may error when you try to reference apps or scripts that aren’t scoped to it.
Configuring the Policy
Navigate to Devices → Enrollment → Device Preparation Policies → Create → User Driven.
Basics
Add a name and description, then click Next through the introduction screen.
Device Group
Search for and select the ETG device group you created. This is the group devices will be added to at enrollment time. Click Next.
Settings
- User account type — Set to
Standard user. Same reason as V1 — standard rights by default, elevate via policy when needed - Join type —
Microsoft Entra joinedonly. Hybrid join is not an option in V2 - Timeout — 120 minutes is a safe ceiling. More importantly, enable Allow users to skip after multiple failures. This ensures a stuck deployment lands the user at the desktop in a recoverable state rather than looping endlessly in OOBE
Apps and Scripts
You can add up to 25 apps and 10 PowerShell scripts to deploy during OOBE. A few important rules:
- Apps must be assigned to the ETG device group with a required deployment — not available
- Scripts must also be assigned to the ETG device group
- Keep the list lean. Only include what the user genuinely needs before they can start working — endpoint protection, security baselines, critical LOB apps. Every additional item extends provisioning time
Assignment
Unlike V1, the policy itself is assigned to a user group, not a device group. The device-side targeting is handled entirely by ETG. Select your Intune Users group and click Next → Save.
V1 vs. V2: Which Should You Use?
| V1 (Autopilot Profile) | V2 (Device Preparation) |
|---|
| V1 (Autopilot Profile) | V2 (Device Preparation) | |
|---|---|---|
| Hardware hash required | Yes | No |
| Hybrid Entra join | Yes | No |
| Self-deploy / kiosk mode | Yes | No |
| White Glove pre-provisioning | Yes | No |
| Device naming template | Yes | Not supported |
| App limit during OOBE | No hard limit | 25 |
| Script limit during OOBE | No hard limit | 10 |
| OOBE + ESP | Separate policies | Single merged policy |
| Windows 10 support | Yes | Windows 11 only |
| Average provisioning time | ~25–35 mins | ~10–20 mins |
| Real-time deployment status | Limited | Per app and script |
Use V1 for hybrid join environments, kiosk devices, White Glove deployments, Windows 10, or when you need more than 25 OOBE apps.
Use V2 for new cloud-native, Windows 11 tenants where speed and simplicity matter and you don’t need hardware pre-registration.
Both can coexist in the same tenant. Use group tags to route devices to the correct profile automatically — a clean way to support multiple deployment scenarios without manual intervention.
Windows Autopilot Enrollment Profiles — Key Points
How Autopilot Works
- Devices use a hardware hash to identify themselves to the Autopilot service on first boot
- The service matches the device to your tenant and returns the correct deployment profile
- Intune then handles MDM enrollment, policy deployment, and app installation — all before the user hits the desktop
Autopilot Profile (V1)
- The mature, feature-rich option — best for complex or mixed environments
- Supports hybrid Entra join, self-deploying kiosk mode, White Glove pre-provisioning, and Windows 10
- Always set User Account Type to Standard — never provision admin rights through Autopilot
- Use
%SERIAL%for device naming — consistent, unique, and requires no manual input - White Glove (Win key × 5 during OOBE) lets IT pre-stage apps before device reaches the user — but stale apps are a risk if devices sit too long after pre-provisioning
- Use group tags + dynamic Entra groups to route devices to the right profile automatically
Device Preparation (V2)
- No hardware hash required — user authentication during OOBE triggers enrollment
- Autopilot Profile and ESP are merged into a single policy
- Requires a static security group with Intune Provisioning Client as owner — this is mandatory, not optional
- Enrollment Time Grouping (ETG) adds the device to the security group instantly at sign-in — faster than waiting for dynamic group evaluation
- Apps (up to 25) and scripts (up to 10) must be pre-assigned to the ETG group with required deployment before policy creation
- Policy is assigned to a user group — not a device group
- Windows 11 only — no Windows 10 support
V1 vs V2 — When to Use Each
- Use V1 for hybrid join, kiosks, White Glove, Windows 10, or more than 25 OOBE apps
- Use V2 for new cloud-native Windows 11 tenants — faster (~10–20 mins vs ~25–35 mins), simpler, no pre-registration
- Both can run side by side in the same tenant using group tags for routing
