Windows Autopilot: What's new

Device rename occurs during technician phase for pre-provisioning

Starting in 2303, a new functional change forces the device rename to occur during the technician phase for pre-provisioning for Azure AD join devices. After the technician selects the provision button, we'll immediately perform the device rename and reboot the device, then transition to the device ESP. During the user flow, the device rename is then skipped, keeping resources that depend on the device name (such as SCEP certs) intact. To apply this change, for Windows 10, install quality update KB5023773 or newer. The Windows 11 update is pending and will be posted as soon as it is available.

Install required apps during pre-provisioning

A new toggle is available in the Enrollment Status Page (ESP) profile that allows you to select whether you want to attempt to install required applications during the pre-provisioning (white glove) technician phase. We understand that installing as many applications as possible during pre-provisioning is desired to reduce the end user setup time. To help with this, we've implemented an option to attempt the installation of all the required apps assigned to a device during the technician phase. If an app fails to install, ESP continues unless the app is one of those specified in the ESP profile. To enable this function, edit your Enrollment Status Page profile by selecting Yes on the new setting entitled Only fail selected apps in technician phase. This setting only appears if you have blocking apps selected. For more information, see Update to Windows Autopilot pre-provisioning process for app installs.

New Microsoft Store apps now supported with the Enrollment Status Page

The Enrollment Status Page (ESP) now supports the new Microsoft Store applications during Windows Autopilot. This update enables better support for the new Microsoft Store experience and should be rolling out to all tenants starting with Intune 2303. For related information, see Set up the Enrollment Status Page.

Win32 App Supersedence ESP improvements

Starting in January 2023, we're rolling out Win32 app supersedence GA, which introduces enhancements to ESP behavior around app tracking and app processing. Specifically, admins may notice a change in app counts. For more information, see Win32 app supersedence improvements and Add Win32 app supersedence.

Support for Temporary Access Pass

Starting with 2301, Windows Autopilot supports the use of Temporary Access Pass for Azure AD joined user-driven, pre-provisioning and self-deploying mode for shared devices. A Temporary Access Pass is a time-limited passcode that can be configured for multi or single use to allow users to onboard other authentication methods. These authentication methods include passwordless methods such as Microsoft Authenticator, FIDO2 or Windows Hello for Business.

For more information on supported scenarios, see Temporary Access Pass.

Autopilot automatic device diagnostics collection

Starting with Intune 2209, Intune automatically captures diagnostics when devices experience a failure during the Autopilot process on Windows 10 version 1909 or later and with Windows 11. When logs are finished processing on a failed device, they're automatically captured and uploaded to Intune. Diagnostics may include user identifiable information such as user or device name. If the logs aren't available in Intune, check if the device is powered on and has access to the internet. Diagnostics are available for 28 days before they're removed.

For more information, see Collect diagnostics from a Windows device.

Updates to Autopilot device targeting infrastructure

With Intune 2208, we're updating the Autopilot infrastructure to ensure that the profiles and applications assigned are consistently ready when the devices are deployed. This change reduces the amount of data that needs to be synchronized per Autopilot device and leverages device lifecycle change events to reduce the amount of time that it takes to recover from device resets for Azure AD and Hybrid Azure AD joined devices. No action is needed to enable this change; it's rolling out to all clients starting August 2022.

Update Intune Connector for Active Directory for Hybrid Azure AD joined devices

Starting in September 2022, the Intune Connector for Active Directory (ODJ connector) requires .NET Framework version 4.7.2 or later. If you're not already using .NET 4.7.2 or later, the Intune Connector may not work for Autopilot hybrid Azure AD deployments, resulting in failures. When you install a new Intune Connector, don't use the connector installation package that was previously downloaded. Before you install a new connector, update the .NET Framework to version 4.7.2 or later. Download a new version from the Intune Connector for Active Directory section of the Microsoft Intune admin center. If you're not using the latest version, it may continue to work, but the auto-upgrade feature to provide updates to the Intune Connector doesn't work.
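
A pre-install check for the .NET Framework requirement above, as an added PowerShell example that is not part of the original page or of Microsoft's tooling. The function name Test-ConnectorDotNetPrereq is hypothetical; it reads the standard .NET Framework Release registry value, where 461808 is the lowest value that indicates version 4.7.2, and assumes PowerShell remoting is enabled for any remote server names you pass.

```powershell
# Added example: confirm .NET Framework 4.7.2 or later on each server that will
# host the Intune Connector before running a freshly downloaded installer.
# Test-ConnectorDotNetPrereq is a hypothetical helper name.
function Test-ConnectorDotNetPrereq {
    [CmdletBinding()]
    param(
        # Servers to check; defaults to the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        # Lowest Release value that corresponds to .NET Framework 4.7.2.
        [int]$MinimumRelease = 461808
    )

    # Returns the Release DWORD, or $null when no .NET Framework 4.5+ is installed.
    $probe = {
        $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
        (Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue).Release
    }

    foreach ($name in $ComputerName) {
        $release = $null
        $problem = $null
        try {
            if ($name -eq $env:COMPUTERNAME) {
                $release = & $probe
            } else {
                $release = Invoke-Command -ComputerName $name -ScriptBlock $probe -ErrorAction Stop
            }
        } catch {
            # Unreachable host or remoting failure: report it instead of guessing.
            $problem = $_.Exception.Message
        }

        [pscustomobject]@{
            ComputerName     = $name
            Release          = $release
            MeetsRequirement = ($null -ne $release -and [int]$release -ge $MinimumRelease)
            Error            = $problem
        }
    }
}

# Check the local server; pass -ComputerName with your own connector hosts to check several.
Test-ConnectorDotNetPrereq | Format-Table -AutoSize
```

A server that reports MeetsRequirement as False needs the .NET Framework update before the new connector package is installed.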

Enroll to co-management from Windows Autopilot

With the Intune 2205 release, you can configure device enrollment in Intune to enable co-management, which happens during the Autopilot process. This behavior directs the workload authority in an orchestrated manner between Configuration Manager and Intune.

If the device is targeted with an Autopilot enrollment status page (ESP) policy, the device waits for Configuration Manager. The Configuration Manager client installs, registers with the site, and applies the production co-management policy. Then the Autopilot ESP continues.

For more information, see How to enroll to co-management with Autopilot.

Improvements to the enrollment status page

With the Intune 2202 release, the enrollment status page has improved functionality. The application picker for selecting blocking apps has the following improvements:

  • Includes a search box for easier selection of apps.
  • Fixes an issue where it couldn't differentiate between store apps in online or offline mode.
  • Adds a new column for Version to see which version of the application is selected.

[Screenshot: The enrollment status page application picker.]

One-time self-deployment and pre-provisioning

We made a change to the Windows Autopilot self-deployment mode and pre-provisioning mode experience, adding in a step to delete the device record as part of the device reuse process. This change impacts all Windows Autopilot deployments where the Autopilot profile is set to self-deployment or pre-provisioning mode. This change only affects a device when it's reused or reset, and it attempts to redeploy.

For more information, see Updates to the Windows Autopilot sign-in and deployment experience.

Update to the Windows Autopilot sign-in experience

Users must enter their credentials at initial sign-in during enrollment. We no longer allow pre-population of the Azure Active Directory (Azure AD) user principal name (UPN).

For more information, see Updates to the Windows Autopilot sign-in and deployment experience.

MFA changes to Windows Autopilot enrollment flow

To improve the baseline security for Azure Active Directory (Azure AD), we changed Azure AD behavior for multi-factor authentication (MFA) during device registration. Previously, if a user completed MFA as part of their device registration, the MFA claim was carried over to the user state after registration was complete.

Now the MFA claim isn't preserved after registration. Users are prompted to redo MFA for any apps that require MFA by policy.

For more information, see Windows Autopilot MFA changes to enrollment flow.

Windows Autopilot diagnostics page

When you deploy Windows 11 with Autopilot, you can enable users to view detailed troubleshooting information about the Autopilot provisioning process. A new Windows Autopilot diagnostics page is available, which provides a user-friendly view to troubleshoot Windows Autopilot failures.

The following example shows details for Deployment info, which includes Network Connectivity, Autopilot Settings, and Enrollment Status. You can also Export logs for detailed troubleshooting analysis.

[Screenshot: Windows Autopilot diagnostics page expanded to show details.]

To enable the diagnostics page, go to the ESP profile. Make sure Show app and profile configuration progress is set to Yes, and then select Yes next to Turn on log collection and diagnostics page for end users.

The diagnostics page is currently supported for commercial OOBE and Autopilot user-driven mode. It's currently available on Windows 11. Windows 10 users can still collect and export diagnostic logs when this setting is enabled in Intune.

Next steps

What's new in Microsoft Intune

What's new in Windows client