
Rudy Ooms wrote a nice blog post on blocking pre-provisioning of devices with an outdated OS version using the default device restriction: "Windows Autopilot: Bypassing the Platform Enrollment Restriction".

But what if you cannot change that policy because other services still need to enroll Windows 10 22H2 devices? In our case there is another team managing Teams Rooms Systems in the same tenant.

My colleague Lukasz Herod built a solution based on a separate ESP, an application and a device filter after we had a brainstorming session on this a few weeks ago. As of this week we implemented it in production. This is what we have built.

The Device filter

We started by creating a device filter to filter on Windows 10 (all versions) and Windows 11 21H1 like below:

Rule syntax: (device.osVersion -startsWith "10.0.1") or (device.osVersion -startsWith "10.0.22000")

The Application

Next we created an application using the PowerShell App Deployment Toolkit (PSADK). The code part itsel...
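
The device filter rule from the section above can be previewed offline before it is assigned. This is an added example, not code from the original post: the helper names and the sample version strings are assumptions, and `-startsWith` is modelled as a plain string-prefix test.

```powershell
# Added example: preview which OS versions the post's filter rule selects.
# Handles only the syntax used on this page: -startsWith clauses joined by "or".
$rule = '(device.osVersion -startsWith "10.0.1") or (device.osVersion -startsWith "10.0.22000")'

function Get-FilterPrefix {          # hypothetical helper name
    param([Parameter(Mandatory)][string]$Rule)
    $clause = '^\(\s*device\.osVersion\s+-startsWith\s+"([^"]+)"\s*\)$'
    foreach ($part in ($Rule.Trim() -split '\s+or\s+')) {
        if ($part -match $clause) { $Matches[1] }      # emit the quoted prefix
        else { throw "Unsupported clause: $part" }     # fail closed on anything else
    }
}

function Test-OsVersionFilter {      # hypothetical helper name
    param([string]$OsVersion, [string[]]$Prefix)
    # Assumption: -startsWith is modelled as an ordinal string-prefix test.
    foreach ($p in $Prefix) {
        if ($OsVersion.StartsWith($p, [System.StringComparison]::Ordinal)) { return $true }
    }
    return $false
}

# Constructed samples: build numbers are public release builds,
# the revision (last field) is made up.
$samples = @(
    [pscustomobject]@{ Release = 'Windows 10 build 10240'; OsVersion = '10.0.10240.1000' }
    [pscustomobject]@{ Release = 'Windows 10 build 17763'; OsVersion = '10.0.17763.1000' }
    [pscustomobject]@{ Release = 'Windows 10 build 19045'; OsVersion = '10.0.19045.1000' }
    [pscustomobject]@{ Release = 'Windows 11 build 22000'; OsVersion = '10.0.22000.1000' }
    [pscustomobject]@{ Release = 'Windows 11 build 22621'; OsVersion = '10.0.22621.1000' }
    [pscustomobject]@{ Release = 'Windows 11 build 26100'; OsVersion = '10.0.26100.1000' }
)

$prefixes = @(Get-FilterPrefix -Rule $rule)

# One row per sample, with a boolean showing whether the filter would include it.
$samples | ForEach-Object {
    [pscustomobject]@{
        Release   = $_.Release
        OsVersion = $_.OsVersion
        InFilter  = Test-OsVersionFilter -OsVersion $_.OsVersion -Prefix $prefixes
    }
} | Format-Table -AutoSize
```

Every Windows 10 build (10240 through 19045) and Windows 11 build 22000 land inside the filter, while builds 22621 and 26100 stay outside it, because the `10.0.1` prefix only covers build numbers that begin with 1.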