Close Menu
    Intune

    Using Windows Autopilot device preparation with Windows 365 Frontline shared cloud PCs

    Peter KlapwijkBy Updated:4 Mins Read

    In this blog post, we take a look at the possibility of using Windows Autopilot device preparation together with Windows 365 Frontline shared mode.

    Windows Autopilot device preparation is used to set up and configure new devices, getting them ready for productive use. Windows Autopilot device preparation aims to simplify device deployment by delivering consistent configurations, enhancing the overall setup speed, and improving troubleshooting capabilities.

    Using Windows 365 cloud PCs in combination with device preparation makes sure the device is ready for the end-user when the user signs in for the first time to the Cloud PC. Device preparation prohibits the user from signing in to a recently provisioned Cloud PC before the required applications and platform scripts are applied to the device. This provides a better user experience, as the user has all required applications immediately available.

    Conceptual diagram of Autopilot Device Preparation Policy integrating into Windows 365 Provisioning Policies to provision and prepare Cloud PCs. Source.

    This is a welcome addition to setting up Windows 365 cloud PC, as using the original Windows Autopilot/ enrollment Status Page feature didn’t work (well) with cloud PC.

    So let’s see how we can set this all up to give our end-users a better user experience.

    Set up the Windows Autopilot device preparation policy

    We start by setting up the device preparation (DP) policy first, as we need to select the DP policy later in the Windows 365 Frontline shared provisioning policies.

    We first need to create a static (assigned) Entra ID device group to which the DP policy adds the provisioned cloud PCs. We need to assign the service principal Intune Provisioning Client as an owner to the group, to allow the service to add members to the group.

    In some tenants, this service principal is called Intune Autopilot ConfidentialClient.

    When the Entra group is created, we switch to the Intune admin center to set up the device preparation policy.

    Browse to Devices, Windows, Enrollment, and select Device preparation policies. Here, click on Create and select Automatic (Preview).

    Add a Name and Description (optional) to the policy.

    On the Device group tab, search for the previously created Entra ID device group and add it to the policy.

    On the Configuration settings tab, we add the applications and scripts that need to be tracked by the DP policy. These apps and scripts need to be applied to the cloud PC before the user is allowed to sign in to the cloud PC.

    Under the Apps section, click Add and start adding the applications.

    Note; make sure these applications are assigned as required to the previously created Entra group.

    Repeat this step for the scripts the DP policy should track.

    There is no need (and no option) to assign the device preparation policy to an Entra group.

    Set up the Windows 365 Frontline Cloud PC provisioning policy

    Now that the device preparation policy is set up, we can configure our Windows 365 Frontline Cloud PC provisioning policy.

    Browse to Device, Windows, Windows 365, Provisioning policies.

    Here, select Create policy.

    Enter a Name and Description (optional) for the provisioning policy.
    Select Frontline as the license type and select Shared as the Frontline type.

    Make your choice for Language & Region and Device name template.

    And most importantly, select the previously created Autopilot device preparation policy.

    On the Assignments tab, add an Entra ID group that holds your Frontline users and select the available Cloud PCs. Add an Assignment name and enter the number of cloud PCs for this assignment.

    Our provisioning policy is ready.

    The end-result

    By finishing the setup of the provisioning policy, our cloud PCs start provisioning.

    After some time the status of the cloud PC will change to Preparing.

    When we click on Preparing, we are redirected to the Windows Autopilot device preparation deployments report (this report can also be found under Devices, Monitor).

    Here we see the status of the deployment. We can track the installation status of the tracked applications.

    The applications are installed.

    And the script is executed.

    And when the user signs in to the Frontline cloud PC for the first time, we see the applications are installed.

    After testing device preparation and Frontline shared cloud PCs, I can say, this works very well! We finally have a way to ensure that, also on our cloud PCs, we have a good option to ensure the installation of applications is done before the user signs in for the first time. Let’s hope device preparation will also become available for the other cloud PC modes.

    One thing to be aware of is this bug in device preparation, in case you want to edit the device preparation policy.

    Thanks for reading!

    Share.

    Peter is a Security (Intune) MVP since 2020 and is working as Modern Workplace Engineer at Wortell in The Netherlands. He has more than 15 years of experience in IT, with a strong focus on Microsoft technologies like Microsoft Intune, Windows, and (low-code) automation.

    Related Posts

    Add A Comment
    Leave A Reply