During Microsoft Ignite 2025, Microsoft announced that Windows Autopilot Device Preparation for Windows 365 Enterprise and Frontline is now in Public Preview. In my blog post “Windows Autopilot Device Preparation: Faster, Simpler Provisioning”, I showed how to use and configure Windows Autopilot Device Preparation for your physical Windows 11 devices.
In this blog post, I will guide you through configuring Windows Autopilot Device Preparation for Windows 365 Enterprise. I’m not going into detail on what Windows Autopilot Device Preparation is; you can read that in my blog post here.
How to configure?
Microsoft Entra ID
The first thing we need is two Microsoft Entra ID groups: one user group and one assigned device group that is used for Enrollment Time Grouping. If you want to know more about Enrollment Time Grouping, please check my blog here.
Microsoft Entra ID – Device Group
First, we will create our Microsoft Entra ID security group for Enrollment Time Grouping. This is an assigned device group, and we will make the Intune Provisioning Client (Enterprise application) its owner.
INFORMATION: Chances are, this Enterprise Application has a different name in your tenant. It is important, then, that you make sure the one with AppID f1346770-5b25-470b-88bd-d5744ab7952c is the one you designate as the owner of the group.
Also, make sure you create an assigned group. Dynamic groups are NOT supported!
Go to Microsoft Entra admin center | Groups and choose New group. Create a group with the following settings and select Create.
- Group type: Security
- Group Name: CPC – DVC – Windows Autopilot Device Preparation
- Group Description: Enrollment Time Grouping – Windows Autopilot Device Preparation for Cloud PC
- Microsoft Entra roles can be assigned to the group: No
- Membership type: Assigned
- Owner: Intune Provisioning Client (f1346770-5b25-470b-88bd-d5744ab7952c)
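
The same device group can be created and checked with Microsoft Graph PowerShell. This is an added example, not part of the original post; it assumes the Microsoft.Graph module is installed, and the mail nickname is a constructed value. It also goes one step beyond the portal procedure by reporting any owners other than the Intune Provisioning Client.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Groups, Microsoft.Graph.Applications
# Added example: create (if missing) and verify the Enrollment Time Grouping device group.
$AppId     = 'f1346770-5b25-470b-88bd-d5744ab7952c'  # Intune Provisioning Client AppID (from the post)
$GroupName = 'CPC – DVC – Windows Autopilot Device Preparation'
$Nickname  = 'cpc-dvc-autopilot-dp'                  # assumption: constructed mail nickname

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Application.Read.All'

# Resolve the owner by AppID, not by display name: the name can differ per tenant.
$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal with AppID $AppId in this tenant." }

$props = 'id,displayName,groupTypes,securityEnabled,isAssignableToRole'
$found = @(Get-MgGroup -Filter "displayName eq '$GroupName'" -Property $props)
if ($found.Count -gt 1) { throw "More than one group is named '$GroupName'." }

if ($found.Count -eq 1) {
    $group = $found[0]
} else {
    # No -GroupTypes value means assigned membership; role assignment stays off by default.
    $group = New-MgGroup -DisplayName $GroupName -MailNickname $Nickname `
        -MailEnabled:$false -SecurityEnabled:$true `
        -Description 'Enrollment Time Grouping – Windows Autopilot Device Preparation for Cloud PC'
}

# Add the service principal as owner when it is not one already.
$owners = @(Get-MgGroupOwner -GroupId $group.Id -All)
if ($owners.Id -notcontains $sp.Id) {
    New-MgGroupOwnerByRef -GroupId $group.Id -BodyParameter @{
        '@odata.id' = "https://graph.microsoft.com/v1.0/servicePrincipals/$($sp.Id)"
    }
    $owners = @(Get-MgGroupOwner -GroupId $group.Id -All)
}

# Compare the group with the settings listed in the post.
$findings = @()
if ($group.GroupTypes -contains 'DynamicMembership') { $findings += 'Membership is dynamic (not supported).' }
if (-not $group.SecurityEnabled)    { $findings += 'Group is not security-enabled.' }
if ($group.IsAssignableToRole)      { $findings += 'Group is role-assignable; the post sets this to No.' }
if ($owners.Id -notcontains $sp.Id) { $findings += 'Intune Provisioning Client is not an owner.' }

# Any owner can change membership, so list owners other than the provisioning client for review.
$otherOwners = @($owners | Where-Object { $_.Id -ne $sp.Id }).Id

[pscustomobject]@{ GroupId = $group.Id; Findings = $findings; OtherOwnerIds = $otherOwners }
```

An empty Findings list means the group matches the settings above; review any IDs in OtherOwnerIds, because every owner can add devices to the group.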

Microsoft Entra ID – User group
Next, we need to create a Microsoft Entra ID group for our Windows 365 Enterprise licensed user. Go to the Microsoft Entra admin center | Entra ID | Groups, and choose New group.
Create a group with the following details:
- Group type: Security
- Group name: WIN – USR – Windows 365 Enterprise Users
- Group description: This group contains users with an active Windows 365 Enterprise license
- Microsoft Entra roles can be assigned to the group: No
- Membership type: Assigned
Make sure you add our licensed user as a member to this new group, and choose Create. Our group is now ready to use.

Windows Autopilot Device Preparation Policy
Next up is our Windows Autopilot Device Preparation policy. Go to the Microsoft Intune admin center | Devices | Windows | Enrollment | Windows Autopilot Device Preparation and choose Device preparation policies.

Choose Create, and we are going to create an Automatic (preview) policy.

Like any well-trained administrator, we first read the Introduction and then select Next.

In the Basics screen, set the following, and choose Next.
- Name: CPC – Windows Autopilot Device Preparation
- Description: This profile will enable Windows Autopilot Device Preparation for Cloud PCs

In the Device group screen, make sure to select our “Enrollment Time Grouping” device group. Don’t use a regular assigned group; it will fail. After selecting your group, choose Next.

If you are familiar with Windows Autopilot Device Preparation for physical Windows 11 devices, you’ll notice that the deployment settings and OOBE experience part is missing here. In the Configuration settings screen, we only see the Apps and Scripts section. Choose your desired apps and scripts, and choose Next.

After you choose your desired apps and scripts, choose Next.
INFORMATION: Make sure that our Enrollment Time Grouping device group is assigned to all applications and scripts we want to deploy during enrollment.
You can skip Scope Tags for now, and in the Review + create blade, review your settings and choose Save.

Your Windows Autopilot Device Preparation Policy for Windows 365 is now ready.

Microsoft Intune
Provisioning Policy
Next up, let’s create our Provisioning policy for our Cloud PC. Go to the Microsoft Intune admin center | Devices | Device onboarding | Windows 365 and choose the Provisioning policies blade and choose Create policy.

In the Create a provisioning policy screen, choose the following and then choose Next.
- Name: CPC – WIN365 – Provisioning Windows 365 Enterprise with Device Preparation
- Description: This policy controls the automated provisioning of Windows 365 Enterprise Cloud PCs with Windows Autopilot Device Preparation
- Experience: Access a full Cloud PC desktop
- License type: Enterprise (if you have a Frontline license, make sure you choose Frontline)
- Join type: Microsoft Entra join
- Network: Microsoft Hosted network
- Geography: Europe
- Region groups/regions: All region groups and regions selected (this only applies to regions based on your choice of geography)
- Use Microsoft Entra single sign-on: Check.

At the Image blade, we can choose between a Gallery Image and a Custom image. In this procedure, we choose a Gallery image. Now choose Selected. Let’s go for the Windows 11 Enterprise 25H2 and choose Select.

After selecting the image type, choose Next.

In the Configuration blade, choose the following:
- Language & Region: English (United States)
- Apply device name template: Check
- Enter a name template: CPC-%RAND:5%
- Autopilot Device preparation policy: choose the one we’ve created in the previous part
- Minutes allowed before device preparation fails: 60
- Prevent users from connection to Cloud PC upon installation failure or timeout: Check
We will skip the Windows Autopatch option for now. Choose Next and skip Scope Tags.

In the Assignments blade, we are going to assign our provisioning policy to our created user group. Assign the user group and choose Next.

Review the settings and choose Create.

The provisioning policy is set and ready to go.

If we go back to the All Cloud PCs blade, you’ll see that the provisioning status has changed to “Provisioning”. Now we have to wait until our Cloud PC is provisioned. Be aware that this can take a while.

Once our Cloud PC is provisioned, we are ready to connect.

End-user Experience
As already shown in my previous blog post, we need to use the Windows App to connect to our Cloud PC.


Monitoring
Go to the Microsoft Intune admin center | Devices | Monitor and then choose Windows Autopilot device preparation deployment status.

If you open the Status screen, you’ll notice that our newly provisioned Cloud PC has a Deployment status of Success. This means that our Cloud PC is deployed with a Windows Autopilot Device Preparation policy.

Conclusion
The integration of Windows Autopilot Device Preparation with Windows 365 Enterprise represents a significant advancement in delivering scalable, predictable, and cloud‑native provisioning for modern organizations. By linking Device Preparation policies directly to Cloud PCs, IT teams can ensure that essential Intune applications, scripts, and configurations are applied during the Windows 365 provisioning process, resulting in a more consistent and reliable onboarding experience for end users.

