Reviewed and updated Mar 7, 2025.

Microsoft Intune | Intermediate

Understanding Autopilot v2: Enrollment Profiles, ESP, and Common Failure Modes

AdminSignal Editorial | 16 min read

What Changed in Autopilot v2

Windows Autopilot v2 (also known as Device Preparation) changes the enrollment architecture in ways that affect how you design profiles, handle the Enrollment Status Page, and diagnose failures. The legacy Autopilot flow remains available, but new deployments should target v2.

The key architectural differences:

  • Device Preparation policy replaces the Autopilot deployment profile for v2 flows
  • Provisioning package is delivered more efficiently — fewer API calls during OOBE
  • ESP replacement: The Enrollment Status Page still exists in v2, but the tracking mechanism differs from v1
  • In the preferred path, Autopilot device registration now goes through Entra ID direct registration rather than a hardware hash CSV upload

Prerequisites for v2

  • Windows 11 23H2 or later (24H2 recommended)
  • The device must be registered in Autopilot via one of:
    • Entra ID device registration (preferred)
    • Partner Center / OEM integration
    • PPKG/CSV (still supported but not the v2-native path)
  • Intune tenant on September 2024 service release or later

Enrollment Profile Design

In v2, the Device Preparation policy (under Devices > Windows > Enrollment > Device Preparation policies) controls the OOBE experience. Unlike v1, you do not assign this directly to a device group — it applies based on device registration attributes.

Key settings in the Device Preparation policy

User-driven vs Pre-provisioned: For most enterprise deployments, User-driven is appropriate. Pre-provisioned (Technician Flow) is for environments where devices must be partially configured before reaching end users.

Deployment mode:

  • Microsoft Entra joined: Cloud-only, no on-premises domain join
  • Microsoft Entra hybrid joined: Requires line of sight to a domain controller and the Hybrid Entra Join connector

Enrollment Status Page assignment: Assign your ESP profile to the same groups as your Device Preparation policy. If the ESP is not assigned, devices will proceed through provisioning without blocking on app install completion.

ESP Configuration for v2

The ESP still serves its core function in v2: blocking the desktop from being presented until a defined set of applications is installed and policies are applied.

What to block on

Only add apps to the ESP tracking list that are truly required before the user can work. Every app in the blocking list is a potential failure point. A practical blocking list might include:

  • Microsoft 365 Apps for Enterprise
  • Your endpoint security agent (CrowdStrike/Defender)
  • Any VPN client required to reach internal resources

Do not add optional apps, drivers, or configuration packages to the blocking list.

Timeout settings

The default ESP timeout is 60 minutes. For environments with large app payloads, increase this to 90–120 minutes. A device that times out will either continue past the ESP (if configured) or enter a failed state that requires re-enrollment.

Diagnosing ESP Failures

When the ESP hangs or fails, the first step is always to check the logs before re-imaging.

Event log locations

Applications and Services Logs\Microsoft\Windows\DeviceManagement-Enterprise-Diagnostics-Provider\Admin
Applications and Services Logs\Microsoft\Windows\ModernDeployment-Diagnostics-Provider\Autopilot
Applications and Services Logs\Microsoft\Windows\AAD\Operational
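
The three logs above can be read together rather than one at a time in Event Viewer. The script below is an added example, not part of the original article: it merges recent warnings and errors from those channels into a single timeline. The `-Hours` and `-OutCsv` parameters and the output path are assumptions made for the example.

```powershell
# Added example: run in an elevated PowerShell session on the affected device.
param(
    [int]$Hours = 4,                                # look-back window (assumed default)
    [string]$OutCsv = "$env:TEMP\esp-triage.csv"    # hypothetical output path
)

# Get-WinEvent channel names for the three Event Viewer paths listed above.
$channels = @(
    'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin',
    'Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot',
    'Microsoft-Windows-AAD/Operational'
)

$since  = (Get-Date).AddHours(-$Hours)
$events = foreach ($channel in $channels) {
    try {
        # Level 1 = Critical, 2 = Error, 3 = Warning
        Get-WinEvent -FilterHashtable @{
            LogName = $channel; Level = 1, 2, 3; StartTime = $since
        } -ErrorAction Stop
    }
    catch {
        # Raised when a channel is missing or has no matching events; keep going.
        Write-Warning "${channel}: $($_.Exception.Message)"
    }
}

if (-not $events) {
    Write-Host "No warnings or errors in the last $Hours hour(s)."
    return
}

# One chronological timeline across all three logs, first line of each message only.
$timeline = $events | Sort-Object TimeCreated | Select-Object TimeCreated,
    @{ Name = 'Channel'; Expression = { ($_.LogName -split '/')[-1] } },
    Id, LevelDisplayName,
    @{ Name = 'Message'; Expression = { ("$($_.Message)" -split "`r?`n")[0] } }

$timeline | Format-Table -AutoSize -Wrap | Out-Host
$timeline | Export-Csv -Path $OutCsv -NoTypeInformation

# Most frequent channel/event ID pairs, to show what keeps repeating.
$events | Group-Object LogName, Id | Sort-Object Count -Descending |
    Select-Object -First 5 Count, Name | Format-Table -AutoSize | Out-Host
```

The exported CSV can contain user principal names and tenant identifiers, so handle it like any other diagnostic export.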

MDM diagnostic log

Press Ctrl+Shift+J at the ESP screen to view the current provisioning status. This is the fastest way to see which step is hanging.

For a complete MDM diagnostic report, open Settings (Windows+I) and go to System > Troubleshoot > Other troubleshooters > MDM Agent, or run:

PowerShell
mdmdiagnosticstool.exe -area Autopilot -cab c:\temp\autopilot-diag.cab

Common failure points

Symptom | Likely cause | Fix
ESP stuck at 0% for >10 minutes | Device cannot reach Intune endpoints | Check proxy/firewall for required Intune URLs
App install hanging | Win32 app dependency conflict | Check Intune app install logs in C:\ProgramData\Microsoft\IntuneManagementExtension\Logs
"Identifying your device" loop | Device not registered in Autopilot | Verify registration via Entra portal
Domain join fails (hybrid) | No DC line of sight | Verify ODJC connector and subnet coverage
"Something went wrong" after user sign-in | Conditional Access blocking OOBE | Check CA policies for exclusions during provisioning

AdminSignal Editorial

Editorial Staff

Written and reviewed by the AdminSignal editorial team. All content is independently verified for technical accuracy against official Microsoft documentation.

AdminSignal content is produced independently.