Admins now can use Windows Autopilot device preparation to provision Windows 365 Frontline shared devices as best practice

Admins can use Windows Autopilot device preparation to provision Windows 365 Frontline shared devices, with a few important clarifications.

What this means in practice

• Windows Autopilot device preparation (WADP) is the lightweight Autopilot method (cloud-native, faster than traditional Autopilot).
• It works well for Windows 365 Frontline shared mode, where multiple users sign in to the same physical device and get Cloud PCs dynamically.

How it fits together

Physical device

Provisioned using Autopilot device preparation

Azure AD join

Intune enrollment

Minimal ESP, faster readiness

User sign-in

Frontline users sign in to the same device

Each user gets access to their Windows 365 Frontline Cloud PC (shared license model)

Key requirements/considerations

• Device must be:
  • Entra joined
  • Intune-managed
• Supported with:
  • Windows 11 (recommended)
  • Modern authentication (no Hybrid AAD Join)
• You configure:
  • Shared device settings in Intune
  • Windows 365 Frontline policies separately
• No domain join, no VPN dependency → ideal for frontline scenarios

Why this is useful (especially for Frontline)

• Faster provisioning for kiosks / shared desks
• Lower operational overhead than classic Autopilot
• Aligns perfectly with Frontline shared access and shift-based workers

Common pitfalls to avoid

• Trying to use Hybrid Autopilot (not supported with device preparation)
• Expecting per-user device customization (this is device-first, user-light)
• Mixing traditional Autopilot ESP-heavy profiles

What’s next?

For organizations adopting Windows 365 Frontline shared mode, the success of the solution depends less on Cloud PC sizing and more on how the physical access devices are provisioned.
Microsoft’s Windows Autopilot device preparation (WADP) represents the recommended and modern approach for onboarding shared frontline devices — replacing traditional, ESP-heavy Autopilot flows that were designed for single-user knowledge workers.

This document also outlines why Autopilot device preparation is the best practice and how it should be implemented for Windows 365 Frontline scenarios.

Design Principle: Device-First, Session-Light, Cloud-Centric

Windows 365 Frontline is fundamentally different from dedicated Cloud PCs:

Best practice: Treat the physical device as a secure access terminal, not a personalized workstation.

Why Autopilot Device Preparation is the Right Choice

1️⃣ Faster Time-to-Productivity

Traditional Autopilot:

• ESP
• App dependency chains
• User-context installs
• Frequent enrollment delays

Autopilot Device Preparation:

• Cloud-native
• Minimal ESP
• Device-only configuration
• Login-ready within minutes

Frontline impact:
✔ Devices can be deployed or re-imaged between shifts
✔ No IT presence required onsite

2️⃣ Designed for Shared Device Scenarios

Autopilot device preparation aligns naturally with:

• Azure AD–joined devices
• Intune-driven shared device policies
• Stateless user experiences

This matches Frontline shared mode, where:

• Users rotate
• Sessions must cleanly reset
• No user data should remain on the endpoint

3️⃣ Reduced Operational Complexity

From an IT operations standpoint:

This directly reduces L1/L2 support load — a key customer KPI.

Conclusion

Windows Autopilot device preparation is not just supported — it is the recommended best practice for Windows 365 Frontline shared devices.

It reflects a broader architectural shift:

Endpoints are becoming disposable, identity is cloud-based, and the workspace lives in Windows 365.

Organizations that design with this mindset achieve simpler operations, happier frontline workers, and more secure environments.