Windows Autopilot Device Preparation – Overcoming the Win32 App Deployment Challenge

Windows Autopilot is a set of technologies built to simplify the process of deploying, setting up, and configuring new devices. By using this technology, users can avoid going through the traditional imaging process and save countless productive hours.

However, Autopilot is not without its faults. One of the more common problems occurs when using Managed Installer policies with Win32 app deployment during the Autopilot device preparation phase. This issue can cause quite a headache, so this blog will help you better understand the problem and provide you with solutions for addressing it.

Windows Autopilot Explained

Windows Autopilot gives organizations a solution that eliminates the challenges that come with building, maintaining, and generally applying custom images. IT admins can use this service to set up new desktops to join pre-existing configuration groups and apply profiles to the desktops. This gives users access to fully functional desktops from their first login.

Importance of Managed Installer Policies

Managed Installer policies are useful for dictating which applications can be installed on your organization’s devices. Once enabled, Managed Installer uses a special rule collection in AppLocker to designate binaries that your organization trusts as an authorized source for application installation.

The problem IT admins will run into is that currently Windows Autopilot device preparation doesn’t guarantee the delivery of the Managed Installer policy before trying to install Win32 apps. Because of this, you may end up with deployment failures during the App Installation phase of Autopilot.

INVESTIGATING THE PROBLEM

A regular deployment scenario follows a series of steps that begins with the launch of the Autopilot Device Preparation process. Win32 apps are then scheduled for installation as part of the device preparation policy.

At this point, the Managed Installer policy won’t yet have been installed. Win32 app installations may then fail because the policy is set up to block apps from unverified sources.

WHAT TO EXPECT WITH WINDOWS AUTOPILOT

One of the things you can expect to see because of this issue is the Autopilot deployment process stopping at the app installation phase. You will also get error messages showing application deployment failures. Another thing to expect is that deployment reports will show failed Win32 app installations. Lastly, end-users may receive incomplete or improperly configured devices.

How Has Microsoft Addressed the Issue?

Microsoft is fully aware of the issue at hand and has offered some recommendations that provide a temporary solution. IT admins can start by removing Win32 apps from all Autopilot device preparation policies.

Also, devices should be left to complete Autopilot and reach the desktop. Furthermore, Win32 apps and Managed Installer policies need to be applied after the user gets to the desktop.

In October 2024, Microsoft announced service release 2410, which introduced changes that will see Win32 and Microsoft Store apps automatically skipped during device preparation, with the deployment instead continuing to the desktop. To implement these solutions, follow the steps below:

AUDIT YOUR EXISTING WINDOWS AUTOPILOT DEVICE PREPARATION POLICIES

For this process, organizations need to identify all device preparation policies configured in Intune. You’ll also need to verify any Win32 apps included in these policies. With all this done, make sure to document these apps as well as their purpose.

REMOVE WIN32 APPS FROM DEVICE PREPARATION POLICIES

Navigate to Microsoft Intune and edit your existing device preparation policies. Then, proceed to remove all Win32 apps from these policies. Once these tasks are complete, save and apply the updated policies.

MONITOR DEPLOYMENT STATUS

Use the updated policies to deploy your devices. You can track the progress of this process using the Autopilot Deployment Report. Check that devices reach the desktop without app installation failures.

DEPLOY WIN32 APPS POST-ENROLLMENT

Once a device has reached the desktop, you can reassign your Win32 apps to deploy. You’ll need to use the “Required” or “Available for enrolled devices” deployment settings in Intune. The success of app installation can be monitored using Intune’s reporting tools.

Alternative Options

In addition to the recommendations by Microsoft, there are other options that organizations can consider to address the above-mentioned issue. These include:

PRE-STAGE CRITICAL APPLICATIONS

One thing that organizations can consider doing is pre-staging key apps that are required to be on the device at deployment. This can be done using offline methods such as:

  • Injecting apps into the Windows image using tools like OSDCloud or Configuration Manager.
  • App deployment using PowerShell scripts post-Autopilot.

CONDITIONAL ACCESS AND APP PROTECTION POLICIES

If your organization is worried about security, then using Conditional Access policies will help block access to corporate resources until the necessary apps have been installed. An example of this would be enforcing Conditional Access policies to ensure that non-compliant devices are prevented from accessing the organization’s resources.

OPTIMIZE ENROLLMENT STATUS PAGE (ESP) CONFIGURATION

The Enrollment Status Page plays a key role in controlling app deployment during Windows Autopilot. This is done by dividing the deployment into several stages, thus allowing you to prioritize the apps you consider more important.

USER VS DEVICE ASSIGNMENTS

With device-based deployments, there is a greater likelihood of encountering problems with Managed Installer policies. Because of this, it’s worth considering changing your app deployment from device-based to user-based assignments.

PILOT AND TEST NEW CONFIGURATIONS

Before rolling out new deployment configurations to the entire organization, it’s always wise to test them on a small pilot group. Doing it this way gives you the opportunity to identify problems and address them early.

Monitoring and Troubleshooting

Autopilot Deployment Reports in Microsoft Intune provide organizations with key information about the deployment process. This allows them to evaluate skipped apps, failed deployments, and device readiness status.

Organizations should also use Intune Diagnostics and Event Viewer to analyze deployment logs. By evaluating these logs, IT admins can pinpoint specific app failures and then determine whether they’re related to the Managed Installer policy.
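
One way to check on a device whether the Managed Installer policy has arrived, which helps decide whether a failed Win32 install is related to it (an added example, not code from the original post or from Microsoft). It assumes the policy appears as a `ManagedInstaller` rule collection in the XML returned by `Get-AppLockerPolicy -Effective -Xml`; the function name `Get-ManagedInstallerStatus` and both sample policies are constructed for illustration.

```powershell
# Added example: does an AppLocker policy XML contain a Managed Installer
# rule collection, and which binaries does it designate?
function Get-ManagedInstallerStatus {
    param(
        # On a real device, pass the output of: Get-AppLockerPolicy -Effective -Xml
        [Parameter(Mandatory)][string]$PolicyXml
    )
    $doc = [xml]$PolicyXml
    $collection = $doc.AppLockerPolicy.RuleCollection |
        Where-Object { $_.Type -eq 'ManagedInstaller' } |
        Select-Object -First 1
    if (-not $collection) {
        # Policy not delivered yet: nothing is designated as a managed installer.
        return [pscustomobject]@{ Present = $false; EnforcementMode = $null; Binaries = @() }
    }
    # Collect the binary names named by publisher rules in the collection.
    $binaries = @($collection.SelectNodes('.//FilePublisherCondition') |
        ForEach-Object { $_.GetAttribute('BinaryName') })
    [pscustomobject]@{
        Present         = $true
        EnforcementMode = $collection.EnforcementMode
        Binaries        = $binaries
    }
}

# Constructed sample policies (hypothetical values, not from a real device).
$withPolicy = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="NotConfigured" />
  <RuleCollection Type="ManagedInstaller" EnforcementMode="Enabled">
    <FilePublisherRule Id="00000000-0000-0000-0000-000000000001" Name="Example installer" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=EXAMPLE PUBLISHER" ProductName="*" BinaryName="EXAMPLE-INSTALLER.EXE">
          <BinaryVersionRange LowVersion="1.0.0.0" HighVersion="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
'@
$withoutPolicy = '<AppLockerPolicy Version="1"><RuleCollection Type="Exe" EnforcementMode="NotConfigured" /></AppLockerPolicy>'

Get-ManagedInstallerStatus -PolicyXml $withPolicy
Get-ManagedInstallerStatus -PolicyXml $withoutPolicy
```

Running the function against the live effective policy at the time of a failed install, and again after the device has reached the desktop, shows whether the rule collection was missing when the app was attempted.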

If all else fails and your deployment issues remain unresolved, you’ll have the option of reaching out to Microsoft Support for any help you need. Alternatively, engaging with the Intune community on X may yield assistance from those who have dealt with the issues you may be confronting.

Wrap Up

Windows Autopilot offers organizations a powerful tool to help simplify the process of deploying and setting up devices. Processes are made simpler and faster, thus helping businesses operate more efficiently. And although there may be issues with Win32 app deployment during device preparation, there are ways to deal with them.

But, in addition to the workaround, we can look forward to Microsoft developing a more permanent solution to this challenge. Updates are sure to be forthcoming and we will be keeping an eye on what Autopilot will bring us next.
