Windows Autopilot: Moving to v2 (Device Preparation)
For years, IT administrators have relied on Windows Autopilot to transform “off-the-shelf” hardware into fully managed corporate machines. However, the landscape has shifted. Microsoft has introduced a re-architected version, commonly referred to as Autopilot v2 (officially known as Windows Autopilot Device Preparation), to address long-standing pain points regarding speed, reliability, and the hassle of hardware hashes.
The Timeline: A Tale of Two Versions
Understanding where we are requires looking at where we started. Microsoft has maintained a steady cadence of innovation in the deployment space:
- Windows Autopilot (v1): Generally Available (GA) in late 2017. It revolutionized the “imaging” process by replacing it with “provisioning.”
- Windows Autopilot Device Preparation (v2): Generally Available (GA) in May 2024. This version was built from the ground up to utilize modern cloud-native enrollment flows.
Comparison: v1 vs. v2
While both aim to get a user to a productive desktop, the underlying plumbing is very different.
| Feature | Classic Autopilot (v1) | Device Preparation (v2) |
| --- | --- | --- |
| Registration | Requires Hardware Hash (CSV/OEM) | None (or Corporate Identifiers) |
| Identity Support | Entra ID or Hybrid Join | Entra ID Join only |
| OS Requirement | Windows 10 & 11 | Windows 11 only (22H2+) |
| Reporting | Basic status in Intune console | Near real-time deployment tracking |
| Deployment Logic | Device-based targeting | User-based targeting |
| App Limit | No hard limit (often slow) | Optimized for up to 25 “essential” apps |
What is the Corporate Identifier List?
One of the biggest hurdles in v1 was the “Hardware Hash”—a 4,000-character string unique to the motherboard. v2 eliminates the mandatory requirement for this hash.
To ensure security and block personal devices (BYOD) from enrolling, IT admins now use the Corporate Identifier List. Instead of a complex hash, you identify corporate hardware using three simple strings often found on the shipping manifest or the device box:
- Manufacturer (e.g., Dell Inc.)
- Model (e.g., Latitude 7440)
- Serial Number (e.g., ABC1234)
When a user signs in, Intune checks these three pieces of data. If they match your list, the device is flagged as “Corporate” and allowed to proceed with the v2 workflow.
There is a way to import a CSV file into this section of the portal:
- Open the Microsoft Intune admin center.
- Navigate to Devices > Enrollment.
- Select Corporate device identifiers.
- Click Add > Upload CSV file.
- Browse for your file and click Add.
SAMPLE CSV FILE:
Dell Inc.,Latitude 7440,ABC1234
Microsoft,Surface Laptop 6,0123456789
Lenovo,ThinkPad T14,XYZ5678
- No Headers: Do not include a row for “Manufacturer” or “Model” at the top.
- Three Columns: Each line must contain exactly three values in this order: Manufacturer, Model, and Serial Number.
- Plain Text: Save the file as a standard .csv (Comma Separated Values) file.
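A pre-upload check for the three rules above, as an added example that is not part of the original post. The function name `Test-CorporateIdentifierCsv` and the sample lines are constructed for illustration, and the duplicate check is an extra hygiene step that assumes serial numbers compare case-insensitively.

```powershell
# Added example: validate corporate identifier lines before uploading them.
function Test-CorporateIdentifierCsv {
    param(
        [string[]]$Lines   # raw lines, e.g. from Get-Content .\identifiers.csv
    )

    $problems = [System.Collections.Generic.List[string]]::new()
    $seen = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    $lineNo = 0

    foreach ($line in $Lines) {
        $lineNo++
        if ([string]::IsNullOrWhiteSpace($line)) {
            $problems.Add("Line ${lineNo}: blank line")
            continue
        }
        # Rule: exactly three values (Manufacturer, Model, Serial Number).
        $fields = @($line.Split(',') | ForEach-Object { $_.Trim() })
        if ($fields.Count -ne 3) {
            $problems.Add("Line ${lineNo}: expected 3 values, found $($fields.Count)")
            continue
        }
        if (@($fields | Where-Object { $_ -eq '' }).Count -gt 0) {
            $problems.Add("Line ${lineNo}: one of the three values is empty")
        }
        # Rule: no header row.
        if ($lineNo -eq 1 -and $fields[0] -match '^manufacturer$') {
            $problems.Add("Line 1: looks like a header row; remove it")
        }
        # Hygiene (assumption, not a rule from the post): flag repeated entries.
        if (-not $seen.Add($fields -join '|')) {
            $problems.Add("Line ${lineNo}: duplicate of an earlier entry")
        }
    }
    return $problems
}

# Constructed sample input: a header row, a two-value row, and a duplicate.
$sample = @(
    'Manufacturer,Model,Serial Number'
    'Dell Inc.,Latitude 7440,ABC1234'
    'Lenovo,ThinkPad T14'
    'Dell Inc.,Latitude 7440,abc1234'
)
Test-CorporateIdentifierCsv -Lines $sample
```

An empty result means the lines passed all checks; each returned string names the line to fix before upload.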
Can They Coexist?
The short answer is yes. You do not need to switch your entire organization to v2 overnight. Many enterprises are currently running both versions simultaneously.
The Priority Hierarchy
When a user signs into a new Windows 11 device, Intune looks for instructions in a specific order to decide which “lane” to put the device in:
| Priority | Scenario | Outcome |
| --- | --- | --- |
| 1 | Hardware Hash is registered in the v1 service | Classic Autopilot (v1) wins |
| 2 | No Hash found + User is assigned a v2 Policy | Device Preparation (v2) wins |
| 3 | No Hash + No v2 Policy | Standard MDM Enrollment |
Important Note: If you want a device to use the new v2 experience, you must ensure its hardware hash has been deleted from (or was never uploaded to) the classic Autopilot registration list.
Script to Delete Windows Autopilot v1 Device Entries
To delete Windows Autopilot (v1) entries from your tenant, you can use the Microsoft Graph Intune PowerShell module. This script targets the hardware hashes registered in the classic Autopilot service to “clear the lane” for Autopilot v2.
SAMPLE PowerShell Script: Remove Autopilot v1 Device Entries
```powershell
# SAMPLE SCRIPT USE AT YOUR OWN RISK - MODIFY AS NEEDED!
# 1. Install and Import the necessary module
if (-not (Get-Module -ListAvailable Microsoft.Graph.DeviceManagement.Enrollment)) {
    Install-Module Microsoft.Graph.DeviceManagement.Enrollment -Scope CurrentUser -Force
}
Import-Module Microsoft.Graph.DeviceManagement.Enrollment
Connect-MgGraph -Scopes "DeviceManagementServiceConfig.ReadWrite.All"

# 2. Get all registered Autopilot devices (-All follows paging so no entries are missed)
$autopilotDevices = Get-MgDeviceManagementWindowsAutopilotDeviceIdentity -All

if ($autopilotDevices) {
    foreach ($device in $autopilotDevices) {
        Write-Host "Deleting Device: $($device.SerialNumber) - ID: $($device.Id)" -ForegroundColor Cyan
        # 3. Remove the device entry
        Remove-MgDeviceManagementWindowsAutopilotDeviceIdentity -WindowsAutopilotDeviceIdentityId $device.Id
    }
    Write-Host "Cleanup complete." -ForegroundColor Green
} else {
    Write-Host "No Autopilot v1 entries found." -ForegroundColor Yellow
}
```
Important Considerations
- Permissions: You must have Intune Administrator or Global Administrator rights to execute these changes.
- The “v1 Win” Rule: Remember that if a hardware hash exists in the v1 service, it will always take priority over a v2 (Device Preparation) policy. Running this script is a common step when migrating a pilot group from v1 to v2.
- Sync Time: After running the script, it may take a few minutes for the Intune portal to reflect that the devices are gone.
- Targeted Deletion: If you only want to delete specific devices rather than wiping the whole list, you can filter the $autopilotDevices variable by SerialNumber or GroupTag.
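One way to do the targeted deletion described in the last point, as an added example that is not the author's script. It assumes Connect-MgGraph has already been run as in the script above; the serial numbers, the group tag `V2-Pilot` and the output file name are constructed placeholders.

```powershell
# Added example: remove only the v1 entries for a named pilot set.
$pilotSerials = @('ABC1234', 'XYZ5678')   # constructed: devices moving to v2
$pilotTag     = 'V2-Pilot'                # hypothetical tag; set to $null to ignore tags

$all = Get-MgDeviceManagementWindowsAutopilotDeviceIdentity -All

# Keep entries whose serial is on the pilot list and, if a tag is set, whose tag matches.
$targets = @($all | Where-Object {
    $pilotSerials -contains $_.SerialNumber -and
    (-not $pilotTag -or $_.GroupTag -eq $pilotTag)
})

# Report requested serials that have no matching v1 entry.
$missing = $pilotSerials | Where-Object { $targets.SerialNumber -notcontains $_ }
if ($missing) {
    Write-Warning "No matching v1 entry for: $($missing -join ', ')"
}

# Keep a record of what is about to be removed.
if ($targets.Count -gt 0) {
    $targets |
        Select-Object Id, SerialNumber, GroupTag, Manufacturer, Model |
        Export-Csv -Path .\autopilot-v1-removed.csv -NoTypeInformation
}

foreach ($device in $targets) {
    Write-Host "Target: $($device.SerialNumber) - ID: $($device.Id)"
    # -WhatIf only reports what would be deleted; drop it to perform the deletion.
    Remove-MgDeviceManagementWindowsAutopilotDeviceIdentity `
        -WindowsAutopilotDeviceIdentityId $device.Id -WhatIf
}
```

Run it once with -WhatIf in place and compare the listed targets against the pilot list before removing the switch.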
Why this is necessary for v2
Autopilot v2 (General Availability May 2024) is designed to be “hash-less”. If you are moving toward using Corporate Identifiers (Manufacturer, Model, and Serial Number), the presence of the old v1 hardware hash will “hijack” the enrollment process and prevent the newer v2 logic from triggering.
Verdict: Which should you use?
If you are a cloud-first organization moving exclusively to Windows 11 and Entra ID Join, Autopilot v2 is the superior choice due to its speed and the removal of hardware hash management.
However, if you still require Hybrid Join, Self-Deploying Mode (for kiosks), or Pre-provisioning (White Glove), you must continue to use v1 for those specific use cases for now.

