This is the second post in the “Autopilot Device Preparation” series.
In this post we will go through the configuration, from the admin perspective, needed to prepare for “ADP”.
We will go through the 3 steps needed to be ready to provision a device using “ADP”.
In the next posts, we will go through the device provisioning flow, when the user powers on the device.
For the first article, please check this post:
Autopilot Device Preparation – Overview
Autopilot Device Preparation – Preparation
What needs to be prepared before starting to create the ADP policy?
- Enrollment Time Group “Device Group”
- User group
- Assign Apps and policies to the Enrollment time group.
Device group and user group: which one do I use with the Autopilot Device Preparation profile?
Let us talk about this concept, as it causes some confusion.
- The ADP profile is assigned to a user group … why?
- As we explained in the first blog about “ADP,” no device registration is needed, so once the user logs in with their credentials, the profile will be delivered if the user has an “ADP” profile assigned.
- During the creation of the profile, it asks for a Device group … what is this?
- This is called “Enrollment Time Grouping.” It is a static device group to which all apps, policies and scripts will be assigned.
- During the enrollment, the device will be added to this group automatically, then all apps, policies and scripts assigned to it will be deployed to the device during provisioning.
- Direct assignment of devices to the device group allows the applications, scripts, and policies assigned to the device group to deploy quicker and more efficiently versus when using a dynamic device group.
Step 1: Create the Enrollment Time Group “Device Group”
- Create a static device security group with the Intune Provisioning Client configured as the group owner.
- In some tenants, the service principal might have the name of Intune Autopilot Confidential Client instead of Intune Provisioning Client. As long as the AppID of the service principal is f1346770-5b25-470b-88bd-d5744ab7952c, it’s the correct service principal.
- If the Intune Provisioning Client or Intune Autopilot Confidential Client service principal with AppId of f1346770-5b25-470b-88bd-d5744ab7952c isn’t available either in the list of objects or when searching, see Adding the Intune Provisioning Client service principal.
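The ownership requirement in Step 1 can be checked after the group is created. The following is an added example, not code from the original post or from Microsoft: the function name `Test-EnrollmentTimeGroup` is hypothetical, the sample objects are constructed, and the inputs are assumed to be shaped like the Microsoft Graph v1.0 JSON for a group and its owners. It matches the owner on AppID rather than display name, because the name differs between tenants.

```powershell
$ExpectedAppId = 'f1346770-5b25-470b-88bd-d5744ab7952c'   # AppID given in Step 1

function Test-EnrollmentTimeGroup {
    param(
        [Parameter(Mandatory)] [hashtable] $Group,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [hashtable[]] $Owners
    )
    $findings = @()
    # The Enrollment Time Group must be a security group.
    if (-not $Group.securityEnabled) {
        $findings += 'Group is not security-enabled.'
    }
    # It must be static: dynamic groups carry "DynamicMembership" in groupTypes.
    if ($Group.groupTypes -contains 'DynamicMembership') {
        $findings += 'Group uses dynamic membership; a static group is required.'
    }
    # An owner counts only if it is a service principal with the expected AppID.
    $match = $Owners | Where-Object {
        $_.'@odata.type' -eq '#microsoft.graph.servicePrincipal' -and
        $_.appId -eq $ExpectedAppId
    }
    if (-not $match) {
        $findings += "No owner is the service principal with AppID $ExpectedAppId."
    }
    # A familiar display name on a different AppID is not the correct principal.
    foreach ($o in $Owners) {
        if ($o.displayName -match '^Intune (Provisioning|Autopilot Confidential) Client$' -and
            $o.appId -ne $ExpectedAppId) {
            $findings += "Owner '$($o.displayName)' has unexpected AppID $($o.appId)."
        }
    }
    return ,$findings
}

# Constructed sample 1: static security group, owner shown under its alternate name.
$goodGroup  = @{ displayName = 'ADP-Devices'; securityEnabled = $true; groupTypes = @() }
$goodOwners = @(@{ '@odata.type' = '#microsoft.graph.servicePrincipal'
                   displayName   = 'Intune Autopilot Confidential Client'
                   appId         = $ExpectedAppId })
# Constructed sample 2: dynamic group whose owner has the right name but a placeholder AppID.
$badGroup  = @{ displayName = 'ADP-Dynamic'; securityEnabled = $true
                groupTypes  = @('DynamicMembership') }
$badOwners = @(@{ '@odata.type' = '#microsoft.graph.servicePrincipal'
                  displayName   = 'Intune Provisioning Client'
                  appId         = '00000000-0000-0000-0000-000000000000' })

"Good group findings: $((Test-EnrollmentTimeGroup $goodGroup $goodOwners).Count)"
Test-EnrollmentTimeGroup $badGroup $badOwners | ForEach-Object { "Bad group: $_" }
```

Against a live tenant, the same hashtables can be obtained with `Invoke-MgGraphRequest` from the `/v1.0/groups/{id}` and `/v1.0/groups/{id}/owners` endpoints, assuming the Microsoft Graph PowerShell module is installed and connected.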
Step 2: Create the user group.
- Create a user group; this is the one that will be assigned to the Autopilot Device Preparation profile.
- Add users as members of this group.
Step 3: Autopilot Device Preparation – Configuration
Now, let us start to create the policy.
Go to Devices –> Enrollment –> Device preparation policies.
In the Introduction tab, click Create and then Next.
Enter a name for the Windows ADP policy.
Add the Device group we created “Enrollment Time Grouping.”
Configuration settings
As we mentioned, with ADP there is no ESP, so in the configuration settings we will see a combination of profile settings and old ESP settings.
- Deployment settings:
The only change we can make is the “User account type”: either standard user or administrator.
Out-of-box experience settings
- Apps & Scripts
Here we can add up to 10 apps “LOB, Win32, and Winget.”
And up to ten scripts.
Scope tags:
Add scope tags if needed.
Assignments: Add the user group we created so that it is assigned to the profile.
In the next post of the “Autopilot Device Preparation” series, we will talk about what happens when the user powers on the device: what the experience is, what the flow is, and how to troubleshoot.
Stay tuned!