📅 March 10, 2026 | ⏱️ 6 min read | ✍️ By Allester Padovani | 🏷️ Windows Autopilot, Windows

Device Preparation (Autopilot v2) in Microsoft Intune is a newer way to get Windows devices into your tenant and ready for users. Unlike classic Windows Autopilot, it does not require you to collect or upload hardware hashes: devices can be recognized and enrolled after the user signs in, which simplifies procurement and handoff. You create a security group for prepared devices, a device preparation policy that defines join type, deployment mode, and optional apps or scripts, and assign the policy to the users who will run the flow. This post explains what Device Preparation is, how it differs from traditional Autopilot, and how to set it up in Intune.

What Is Device Preparation (Autopilot v2)?

Device Preparation is a user-driven enrollment path that:

  • Does not use hardware hashes. You do not need to capture or upload device hashes before shipment. Devices are associated with your tenant when the user goes through the preparation flow and signs in.
  • Uses a policy-driven flow. You define deployment mode (e.g. user-driven), join type (e.g. Microsoft Entra joined), user account type (standard or administrator), and optional apps or scripts that run during preparation.
  • Puts enrolled devices into a group. Enrolled devices are added to a security group you specify, so you can assign apps, configs, and scripts to that group.

Because there is no pre-registration by hash, the device is not “known” to your tenant until the user starts the flow and signs in. The out-of-box experience (OOBE) can look like a normal consumer setup until the user chooses work or school sign-in and completes the preparation steps.

Considerations and Trade-offs

Device Preparation removes hash collection but has some trade-offs compared to classic Autopilot:

  • OOBE and tenant branding. The device does not show your tenant branding or “corporate device” experience until after the user signs in. Users could set up the device as personal if they do not follow the intended flow.
  • Device naming. There is no built-in device naming in the policy; you may need scripts or other mechanisms to apply a naming convention after enrollment.
  • Timing of setup. Users might reach the desktop before all apps or scripts have finished; consider communication and optional lock-down so setup completes before heavy use.

Evaluate whether the simpler onboarding (no hashes) outweighs these limitations for your scenarios. For strict control and guaranteed corporate OOBE, classic Autopilot with hash registration may still be preferable.
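One way to close the device naming gap is a script that runs after enrollment and derives the name from the BIOS serial number. This is an added example, not part of the original post; the prefix `CORP-` and the function name `Get-TargetName` are hypothetical, and it assumes the script runs elevated (for example as SYSTEM) on a Microsoft Entra joined device.

```powershell
# Added example (not from the original post): rename a prepared device to
# <prefix><serial>. The prefix is a hypothetical naming convention.
$ErrorActionPreference = 'Stop'
$prefix = 'CORP-'

function Get-TargetName {
    param(
        [Parameter(Mandatory)][string]$Prefix,
        [Parameter(Mandatory)][AllowEmptyString()][string]$Serial
    )
    # Keep only letters and digits; some firmware reports spaces or punctuation.
    $clean = ($Serial -replace '[^A-Za-z0-9]', '').ToUpperInvariant()
    if (-not $clean) {
        throw 'BIOS serial number is empty or unusable for naming.'
    }
    # Computer names are limited to 15 characters; keep the tail of the serial,
    # which is usually the part that differs between devices.
    $room = 15 - $Prefix.Length
    if ($room -lt 1) { throw 'Prefix leaves no room for the serial number.' }
    if ($clean.Length -gt $room) {
        $clean = $clean.Substring($clean.Length - $room)
    }
    return "$Prefix$clean"
}

$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
$target = Get-TargetName -Prefix $prefix -Serial $serial

if ($env:COMPUTERNAME -ieq $target) {
    Write-Output "Device name is already $target; nothing to do."
    exit 0
}

# The new name takes effect after the next restart.
Rename-Computer -NewName $target -Force
Write-Output "Renamed $env:COMPUTERNAME to $target; restart required."
```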

What You’ll Do

You will (1) create a security group that will hold devices that complete the preparation flow, and assign your apps, configs, and scripts to this group, and (2) create a device preparation policy in Intune that specifies deployment mode, join type, user account type, OOBE options, and optional apps/scripts, then assign the policy to the users who will run device preparation.

Step 1: Create a Security Group for Prepared Devices

When devices complete the preparation flow, they are added to a group you choose. Create a dedicated security group and assign your device policies, apps, and scripts to it so prepared devices receive the right configuration.

In the Microsoft Intune admin center (or Microsoft Entra admin center), go to Groups > New group.


Set Group type to Security, Group name to something like “Autopilot device preparation” (or your naming convention), and optionally a Description. Set Membership type to Assigned. For Owners, add the Intune Device Check-in app so the service can manage the group (search for the app by name, such as “Intune DeviceCheckIn Confidential client Application”, or by application ID if needed). Click Create.


Assign your device configuration profiles, apps, and scripts to this group so that devices that complete the preparation flow receive them.
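The same group can be created and checked from PowerShell. This is an added example using the Microsoft Graph PowerShell module, not part of the original post; the mail nickname and description are sample values, and the owner display name is the one quoted above, so the script stops if your tenant does not contain exactly one service principal with that name.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph module.
$ErrorActionPreference = 'Stop'
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Application.Read.All'

$groupName = 'Autopilot device preparation'
$ownerName = 'Intune DeviceCheckIn Confidential client Application'  # name as quoted in the post

# Resolve the service principal that must own the group; refuse to guess.
$sp = @(Get-MgServicePrincipal -Filter "displayName eq '$ownerName'")
if ($sp.Count -ne 1) {
    throw "Expected exactly one service principal named '$ownerName', found $($sp.Count)."
}

# Reuse the group if it already exists, otherwise create it.
$group = Get-MgGroup -Filter "displayName eq '$groupName'" | Select-Object -First 1
if (-not $group) {
    $group = New-MgGroup -DisplayName $groupName `
        -Description 'Devices enrolled through device preparation' `
        -MailEnabled:$false -MailNickname 'autopilot-device-prep' -SecurityEnabled
}

# The post calls for a security group with Assigned (not dynamic) membership.
if (-not $group.SecurityEnabled) {
    throw "Group '$groupName' is not a security group."
}
if ($group.GroupTypes -contains 'DynamicMembership') {
    throw "Group '$groupName' uses dynamic membership; Assigned is required."
}

# Add the service principal as owner if it is not one already.
$owners = @(Get-MgGroupOwner -GroupId $group.Id -All)
if ($owners.Id -notcontains $sp[0].Id) {
    New-MgGroupOwnerByRef -GroupId $group.Id -BodyParameter @{
        '@odata.id' = "https://graph.microsoft.com/v1.0/servicePrincipals/$($sp[0].Id)"
    }
}

# List every owner for review: owners can change membership, and membership
# decides which devices receive the apps, configs and scripts assigned here.
Get-MgGroupOwner -GroupId $group.Id -All | ForEach-Object {
    [pscustomobject]@{
        Id   = $_.Id
        Name = $_.AdditionalProperties['displayName']
        Type = $_.AdditionalProperties['@odata.type']
    }
}
```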

Step 2: Create and Configure the Device Preparation Policy

In the Intune admin center, go to Devices > Enrollment. On the Windows tab, open Device preparation policies. Click Create.


On the introduction page, click Next. On Basics, enter a Name (e.g. “Device preparation – User-driven”) and optionally a Description. Click Next.


On Device group, add the security group you created in step 1. Devices that complete this policy will be added to that group. Click Next.


On Configuration settings, set:

  • Deployment settings. Deployment mode: User-driven; Deployment type: Single user; Join type: Microsoft Entra joined; User account type: Standard User (or Administrator if you want local admin).
  • Out-of-box experience (OOBE). Minutes allowed before showing installation error: e.g. 60 (adjust as needed); Custom error message (optional); Allow users to skip setup after multiple attempts: Yes or No per policy; Show link to diagnostics: Yes or No.
  • Apps and Scripts. You can add up to 10 managed apps or PowerShell scripts to install or run during preparation. Assign those apps/scripts to the same security group you used in step 1 so they apply to prepared devices.

Click Next.


Set scope tags if your tenant uses them. On Assignment, choose which users can use this device preparation policy (e.g. a group or All users). These users will see the option to run device preparation when they set up a new device. Click Next, then Review + create, and Create.


User Experience

When a user receives a new Windows device and goes through OOBE, they can sign in with their work or school account. The device preparation flow then runs according to the policy: the device is joined to Microsoft Entra, added to the security group you specified, and receives the apps and scripts assigned to that group. The exact steps and timing depend on your policy (deployment mode, OOBE options, and app/script assignments). You can document the flow for your users or record a short walkthrough so they know what to expect.

Wrap-up

Device Preparation (Autopilot v2) in Microsoft Intune lets you enroll Windows devices without hardware hash registration. You create a security group for prepared devices, a device preparation policy that defines deployment mode, join type, user account type, OOBE behavior, and optional apps/scripts, and you assign the policy to the users who will run the flow. Devices that complete preparation are added to the group and receive whatever you assign to it. Consider the trade-offs (no hash collection, but less control over OOBE and naming), and use Device Preparation where simplified onboarding is a priority, or stick with classic Autopilot where you need strict, hash-based pre-registration and corporate OOBE.