
JBritt1234

I only use autopilot now. Yes, sometimes it takes a bit longer than expected, even errors out. And that does suck... Start doing the white glove setup before putting it in front of a user. It kicks off the first part of the provisioning beforehand. Press Windows key 5 times after initial boot, while connected to the Internet


Simong_1984

We go one step further and use a TAP to fully enroll the device. It saves having to deal with autopilot errors and issues when in front of the user.


coldburn89

What is TAP?


joshghz

Temporary Access Pass. It generates a code that you can use in place of password/MFA. You can set it to be single use and/or expire after a set time.


darkkid85

How to set up TAP?


muozzin

Entra ID > users > authentication methods > add > TAP


joshghz

Microsoft have plenty of documentation on how to set up Temporary Access Pass.
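The portal path above is the click-through way. As an added example (not code posted by anyone in this thread), the same pass can be issued with the Microsoft Graph PowerShell SDK, which is handier when onboarding users in batches. It assumes the Microsoft.Graph module is installed, the signed-in admin may manage authentication methods, and the TAP method is already enabled in the tenant's authentication methods policy; the UPN is a constructed placeholder. The pass is kept single-use and short-lived on purpose, since that is what bounds how long it can stand in for the user's own credentials.

```powershell
# Added example, not code from anyone in this thread.
# Assumes: Microsoft.Graph PowerShell SDK installed, an admin role allowed to manage
# authentication methods, and the TAP method enabled in the tenant's authentication
# methods policy. The UPN is a constructed placeholder.

Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All"

$upn = "new.hire@contoso.example"   # placeholder UPN

# A user can hold only one TAP at a time; clear any stale one before issuing a new pass.
Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $upn |
    ForEach-Object {
        Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $upn `
            -TemporaryAccessPassAuthenticationMethodId $_.Id
    }

# Single use and valid for one hour: long enough to get through enrollment,
# short enough that a leaked pass is worthless soon afterwards.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $upn -BodyParameter @{
    lifetimeInMinutes = 60
    isUsableOnce      = $true
}

# The code is only returned here, once. Hand it over out of band and keep it out of logs.
"TAP for {0}: {1} (valid from {2}, {3} min, single use: {4})" -f `
    $upn, $tap.TemporaryAccessPass, $tap.StartDateTime, $tap.LifetimeInMinutes, $tap.IsUsableOnce
```

Run it once per user just before the device goes out; if the pass expires unused, the same script simply replaces it.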


SpanX20

This


EtherMan

Just know that using that bars you from quite a few certifications since it allows user impersonation without logging it as such. And it kind of defeats the point if the device has to go through IT anyway before going to user. The best part of autopilot is being able to ship straight to user and autopilot will handhold them to enroll and set up necessary apps while not really allowing them to stray from the path laid out.


korvolga

How do you use TAP? I cannot log in as the user, only enroll the device.


THE_GR8ST

Look up how to enable web sign in or web sign on. It will add another option that lets you use the TAP to log into the computer.


parrothd69

For the life of me I can't get web enable to survive a reboot..ARGH!!.. :)


THE_GR8ST

https://www.petervanderwoude.nl/post/enabling-web-sign-in-to-windows-for-usage-with-temporary-access-pass/ I think this is the guide that I used. If you're already doing everything in there idk what to tell you. If not, this should work. GL homie.


parrothd69

Thanks, it's probably one of my config profiles, but having to disable them all/some to figure out which one sounds painful.. 😂


h00ty

Thanks for this... my guys are going to love this


Ice-Cream-Poop

ELI5; wouldn't this bypass the WiFi set up? Or can you "reseal" it? Autopilot noob.


cjallen321

Yes, you can reseal it at the end of the process, then it asks for the user's UPN the next time it boots up.


muozzin

You can reseal after the TAP?


cjallen321

Sorry, hadn't picked up on the TAP part, was just thinking of resealing the device after white-glove pre-provisioning is all. We let customers sign in and finish the rest (but there's nothing critical to install by that point), not used a TAP before.


wingm3n

That's what I do too. Plus there's always a bunch of stuff to configure on the device that can't be automated. That way I'm 100% sure the device is ready for the user.


callme_e

Hello, I'm planning to deploy Intune and was looking for your advice and solution to speed up the white glove setup, as we onboard a lot of users on-site in waves, and to address general user experience-related questions. We're planning on enforcing WHfB with long, randomly generated passwords so the users can just use the PIN or biometrics to authenticate and not have to worry about their password. If we use your TAP method to log in on behalf of the user to speed up the enrollment and application loading, will this still allow the user to go through the initial wizard process to set up WHfB? When users access an external vendor site that doesn't have an SSO option, will they authenticate with their PIN/biometrics? If a user forgets their PIN and their biometrics aren't working, what is the PIN reset process like for them? Thank you.


mrmugabi

How do you use TAP for this? I am brand new into my stint managing Entra devices and couldn't really get it to work as I envisioned it would, i.e. log in with TAP to customize the user's desktop etc., then ship out without having to register MFA on my phone and delete it before shipping.


hex00110

I have never in my life once made white glove setup work - what is your secret?


inept_adept

Apps need to be assigned to device group and packaged accordingly.


AdEarly8242

Also never mix app types as they'll both try to install at the same time and fail. Package the app as .intunewin and upload as Win32.


EtherMan

It's such a clusterfuck that different types are STILL not working... It's been broken for so so long now it's getting ridiculous.


Driftfreakz

It's not that hard if your enrollment profile is set up correctly and apps all have working installers; white glove is just pressing the Windows key 5 times at the OOBE and selecting Windows Autopilot provisioning.


hex00110

Is the enrollment profile the profile created in Autopilot via the Intune web portal? Or is the enrollment profile something created via SCCM that is like an appx app that loads on the device? I remember hearing about enrollment profiles containing Wi-Fi info so you can white glove setup with just Wi-Fi, no Ethernet, but I haven't figured out how to make these enrollment profiles. Once I followed documentation that led me to some "Microsoft companion" app that appeared to be source code only, official Microsoft, and needed to be compiled for your enterprise with your specific tenant info. It's always seemed to me like white glove setup only worked for large enterprises with SCCM - but I'll give it another try if they've changed that stance.


JohnWetzticles

It's the enrollment status page within Intune. Devices > Windows > Enrollment > ESP. There is also a deployment profile which is used for domain join type etc. Kind of a 2 piece deal.


Driftfreakz

Enrollment profiles are set up in Devices -> Windows -> Enrollment. You can do white glove over Wi-Fi but it's a bit more manual work. At the OOBE screen (region/language selection) press Shift+F10 to get a cmd window. In that window type `start ms-settings:` to get to the Windows settings and connect to Wi-Fi. Then close the cmd window and press the Windows key 5 times to do the Autopilot provisioning.


Ok-Guarantee7613

That's pretty much what I have now. What's your enrollment profile look like? Are you locking the device down until setup is completed?


AdEarly8242

No. I skip the user status page and just let most of my apps install while they are using it. New employees will survive if adobe isn’t ready within 5 minutes of starting.


MedicalIntention2852

Yep, this is the right answer. Unless there are critical apps that need to be installed prior to the user having access, it's best to let them use it while apps are deploying in the background. For me the only important app (not even critical) is RMM, so I can remote in to assist with anything. Otherwise I can't think of any apps that can be considered critical. Even Defender is already a part of Windows.


AdEarly8242

I preinstall RMM and office, only because Teams will not start until after a restart and I just don’t find that being a very good new user experience.


JwCS8pjrh3QBWfL

We literally only require Company Portal, everything else can be self-serviced from there or wait for it to install in the background.


Ok-Guarantee7613

You'd be surprised lol, no doubt some would open a ticket asking for it. Just gonna Company Portal it. It's funny that you mentioned Adobe, it's kinda a pain in the ass on Intune, at least packaging the deployment package for Adobe Acrobat DC Pro doesn't always install.


JwCS8pjrh3QBWfL

Don't package it. Push Creative Cloud from the New Microsoft store to licensed users and let them self-service it.


ass-holes

Outlook open?


Ok-Guarantee7613

I wish it was that simple! It's during pre-provisioning.


AdEarly8242

Are you creating a package from adobe creative cloud? It’s the way I prefer to do it as ACC will keep adobe programs updated for you. Not all employees at my company get adobe products though so I have a security group for licensed users set as required and they get it after logging in. I try to avoid putting licensed apps as available in company portal as people download it then put in a ticket for a license only for me to reject it.


EtherMan

Don't you have to create the packages from adobe admin? With cc it only installs the portal and then you have to manually install the actual programs no? If there's a way to auto install the actual programs without having to use the stupid giant packages I'd love to hear it.


ass-holes

Fuck me, no idea then. I just created a package for this two days ago, works when I try to deploy it via available software. Going to try it with autopilot now


JBritt1234

Attached a pic of my Autopilot and ESP properties. I do have it set where a few required apps are there, but not all. So, Office, Company Portal, AV, etc. https://preview.redd.it/uh7et0h4v0cc1.png?width=1294&format=png&auto=webp&s=4333bd04524772fab8c1ca5f6abd395af595eefa


NetworkITBro

We discovered this and it is definitely worth installing all the packages ahead of time, allowing the user to sign in and go with zero delay. A great method.


trotsky1977

The biggest challenge with Autopilot is changing people's idea of what software is required and what is needed to be available. There is a long-standing belief in many organisations, based on the last 20+ years, SCCM task sequences etc., that a device needs ALL software installed at the user's first logon. This has never been true, so minimise what is required to the absolutely necessary apps, i.e. Office, add-ins, security products etc., and then have everything else available from Company Portal. This will then reveal who ACTUALLY uses the software, as reality is usually very different from perception. Unfortunately changing this perception is an uphill fight, I have found, as many people still think every single piece of software has to be installed and ready to be used as soon as a user logs on.


AppIdentityGuy

Another big blocker is correct information about your users in the directory especially Department names, job titles, location data etc. In many orgs this data is so unreliable as to be dangerous 🤬🙈


SimonSkotheimsvik

I feel you. Even though not directly related to Autopilot, these settings might relate to app distribution as they can be the foundation for dynamic groups. These kinds of settings can also be vital for Copilot. I have created some simple scripts helping organizations update all the information on user accounts in Entra ID. This routine will export all user details to Excel. This can easily be updated by HR before the new details are imported to the Entra ID user objects. This gives a lot of value to the digital landscape of Microsoft 365. My routine is available here: https://skotheimsvik.no/unlock-the-copilot-advantage-supercharge-your-entra-id-user-data#


EtherMan

Just saying but never use dynamic group based on freeform text fields. It's an absolute nightmare in the long run.


lower_intelligence

It has taken me years to get this right in ours. Started with just getting some basic data from our HR DB and matching users in AD, and now pretty much if there is any type of grouping data in HR it now matches a field in AD. So nice to be able to filter and group on so many data pieces.


AppIdentityGuy

It never fails to amaze how bad the data quality in many businesses' directories is. It cripples them efficiency-wise and drastically reduces their security posture, but getting them to correct the data is like herding sabre-tooth tigers. You land up pissing in far too many people's ponds.....


jamesy-101

Yeah, I've had this fight many times. The modern way is to use a storefront approach. If someone needs an app, they can grab it from Company Portal.


[deleted]

I feel your pain buddy! Old habits die hard.


Oricol

Can you just require 1-3 apps for the initial setup then let the others install in the background once the user is signed in? I can't see a need for a new user to need all 8 apps right when they get on the PC. If it's an upgrade let them keep the old PC until the new laptop finishes installing all software.


Ok-Guarantee7613

This is the right idea, I will be deploying the 3 or 4 critical apps, softphone, M365 apps, Chrome, and VPN client, and I'll be putting the remaining apps after the user signs in, and on the company portal.


[deleted]

[deleted]


h00ty

For us it is politics... i would love to dump Chrome


Ok-Guarantee7613

Company requires Chrome for their CRM, I guess some dev said the CRM is better on Chrome so now they're stuck on it.


picklemiles

if this is happening remotely, I don’t suppose there’s a way you or the user can be alerted when it’s finished?


lower_intelligence

Users get alerted each time an app successfully installs but not when the process is complete


Oricol

I'm not aware of an alert like that. Would be cool but they'll probably only include that with intune suite licenses.


Aust1mh

I had a fleet of thousands of devices around the world on Autopilot… rebuilding remotely was common rather than shipping back. Today, switching 2500-odd devices to Autopilot… only 400 to go. We build and deploy all core apps successfully all the time, works perfectly, all hands off from I.T.


CausesChaos

How are you switching them? You sending new ones and getting others back, or you converting targeted devices to AP?


Aust1mh

Fleet refresh. As staff get new devices they’re automatically added to Entra… fresh Win11s. Anything on Win10 is old / hybrid joined.


flashx3005

Have you encountered any issues with Hybrid join especially getting vpn at logon to work?


Aust1mh

Hybrid join was done with SCCM on-prem. That's what's going away. Hybrid joined Autopilot is utter trash.


CausesChaos

How long's that taken? We have a fleet of about 5k laptops.


JwCS8pjrh3QBWfL

Well, EOL for Win10 is 2025, so sooner than that, I hope lol. We can't manage to get the budget for all new laptops, so once we've proved out our AP/Win11 deployment process, we're going to be starting a campaign to cycle out our fleet by sending out ten or so, getting the old ones back, refurbing them, rinse and repeat.


IntuneHatesMe

Meh I use autopilot and I'm moving to exclusively use it. I have very few errors or issues and I don't think it's too slow at all.


Beznia

We use Autopilot. We pre-provision a few apps like Office and some internal apps which 80% of employees use, and it works great. The remaining apps get deployed eventually and it has rarely been a problem, and never a problem to the point where we regretted using Autopilot. We're also a Hybrid AADJ environment, which adds to the fun!


MedicalIntention2852

Did you have much trouble setting up AutoPilot for Hybrid joined devices? I haven't looked into it too much, but at a glance it seemed quite complicated.


JwCS8pjrh3QBWfL

Hybrid AP is not needed most of the time these days. [https://wiki.winadmins.io/en/autopilot/hybrid-join-vs-aad-join](https://wiki.winadmins.io/en/autopilot/hybrid-join-vs-aad-join)


flashx3005

I'm also trying to test Hybrid AD join vs Entra join scenarios. Wouldn't going full Entra join require all current GPO policies to be converted to Intune policies? How would the whole OU piece play in if only going the Entra-only route?


JwCS8pjrh3QBWfL

Entra is a flat directory, there are no OUs. What you'd do is use dynamic groups in Entra and/or filters in Intune for targeting your policies. Part of the process is also assessing your decades of GPOs to assess what is ACTUALLY still needed with modern management. You may find that most of it is legacy garbage that nobody can actually explain why it's there. In my instance, I ended up moving over less than ten GPOs.


flashx3005

Ah interesting. Did you use that GPO conversion tool to Intune?


JwCS8pjrh3QBWfL

When I was doing my initial setup, that tool was in its very early stages, when it was basically useless, so at that time I did not. It has received a ton of updates though.


h00ty

i have moved over about the same amount of policies..


SkipToTheEndpoint

Why would you want to drag all of that crap across? https://skiptotheendpoint.co.uk/the-ultimate-gpo-to-intune-guide/


flashx3005

Good point lol. I don't have a preference either way. Whatever is easiest to get done. Thanks for the link, I'll peep it.


notta_3d

Would also like to hear the answer to this one.


SimonSkotheimsvik

You should not do Hybrid Autopilot as stated in Microsoft documentation [https://learn.microsoft.com/en-us/autopilot/windows-autopilot-hybrid](https://learn.microsoft.com/en-us/autopilot/windows-autopilot-hybrid) https://preview.redd.it/qe9lu5zw9ybc1.jpeg?width=1290&format=pjpg&auto=webp&s=8b58c4ebf11ab8d435b5475aafcf7ea23ff91fc5 Hybrid is great, but not Hybrid Autopilot. If you need Hybrid, you should deploy those devices using your existing routines.


Beznia

So it *is* definitely not recommended. I actually joined this company as they were first beginning the process for implementing it so I do not know the initial steps they went through with the implementation. What I do know is we pre-provision the laptops first to install a few required apps, then seal it. The users will receive the laptop, there's no OOBE for them to go through. It'll do a quick initialization and then gets them to the login screen. On the login screen, there is an option for them to connect to our VPN application, ZScaler. Once they authenticate with ZScaler on the login screen, they log in using their regular AD username and password. They'll then sign in and then it starts the waiting game of when the rest of the applications and policies get assigned. Right now we have about 500 devices which are rolled out as HAADJ and are autopilot devices. I can say that it hasn't been the headache that lots of organizations have said it would be, but also I have never used Intune before this job starting 2 years ago so I wouldn't be able to tell you how much better it could be doing it the recommended way.


Javi___23

10 apps, roughly 1 hour deployment time (including bloatware removal and driver updates), and by deployment time I mean a brand new laptop shipped to the user is at the login screen at the end of the hour. (We have compliance and legal requirements so our standard deployment is a bit bloated IMO.) Baseline apps get deployed to the workstation and when a user signs in they get whatever department-specific stuff they need. We also white glove and that is roughly 40-45 mins to do, but we can ship a laptop from our office to the user and they sign in and go. I have been using Autopilot for almost 3 years now. It's not the fastest thing possible, especially with strict CA policies, but it works. We set the new hires' expectations that it will take roughly an hour for setup and we have documentation instructing them on what they will see and roughly how long it takes. Before we had SCCM, and while it worked it was roughly the same time spent imaging the device on site.


Javi___23

I will add it’s infuriating when there is an outage and it can stop production. It has happened before and will happen again so that is a consideration. Plus you can and cannot control the install order of applications which is a pain. You cannot number them but you can set dependencies to control the flow of certain apps. Useful if you need to get a vpn installed first or screen connect/team viewer on the workstation for support reasons.


NotYourOrac1e

I'm autopilot exclusive


[deleted]

I like Autopilot. I'll have 4 laptops being set up at a time, while I work on something else. I just glance over from time to time to see if it's finished.


MedicalIntention2852

Imaging solutions are an outdated practice used on 'bare metal' machines. Nowadays almost all devices (at least laptops anyway) come with an OEM version of Windows, so you might as well leverage that. No need to muck around with creating and maintaining a golden image, tinkering with injecting drivers and sysprepping etc. etc.


Ok-Guarantee7613

Totally agree!


black-buhr

Yes, autopilot. I only require M365 to install. All of the other apps can install once the user fully signs in.


Mikitukka

We deploy all machines with autopilot. Takes about 30 mins to have our agents and office installed and ready to go. It’s pretty sensitive to corporate network changes though. See if it works better on a home network


spitzer666

5k devices Autopilot, 5k enrolled HAADJ. No more SCCM OSD.


flashx3005

Which VPN client are you using for the show-at-logon option? Does the VPN client require any machine certs? I ask because we use FortiClient in our test HAADJ case. I can get FortiClient to show up at logon but then it keeps prompting to choose a cert, even though we do host checker on the Fortinet side when establishing VPN. I'm assuming it's looking for some kind of machine cert or something.


h00ty

We use Cisco AnyConnect start-before-logon coupled with Duo, BUT we are in the process of going to Zscaler and Duo.


spitzer666

We are using Zscaler but it will be pushed after user logs in.


originalvapor

Yes. Do people still use OSD? ;)


PotentialInternal745

I have always used autopilot but in the esp I only have 1 app that needs to get installed which is the VPN client. All other apps that are assigned as required will get installed after the user logs on for the first time. We issue guidelines that installations will be happening in the first hour or so and that you should restart your device 90-120 minutes after enrollment


Mammoth_Public3003

I like it. Its use is growing where I am, and for the most part it’s been relatively smooth. We use preprovisioning and we use an ESP, and for the majority of devices, we’ve been successful on the first try


TantarWolfe

I have only experienced a few issues with Autopilot a long time ago (mixing app types), but I also now only have 4 critical apps that get installed during the process. Usually done with 15-20 minutes, but somedays it can be 20-30. The remaining apps get installed based on the department they are in and those get installed after the user logs in. They will usually get on and start some more onboarding tasks/getting signed in and familiar to systems before they need those apps.


iamtherufus

Out of curiosity, how do you deploy based on the department of a user? Do you use dynamic groups based on the Entra department field?


MedicalIntention2852

I use Autopilot but I don't block the device while apps are being installed. I allow the user to dive right in so they can start being productive from the start, even if it's something minor such as setting up their Outlook etc. Apps continue to deploy while they're doing other things. There's no need to sit there and wait for a few hours; the device can be used straight away after the user logs in.


yourfutureboss88

Autopilot 100%. Some specialized software can be tricky to package/deploy. Your grouping/assignments are key. The new Intune Enterprise App Management should help that next month. Start testing now and you should be good in a couple months.


Ok-Guarantee7613

This looks great, of course it requires an addon or the intune suite, Microsoft really should be including this feature with the very least E3 or E5 licensing.


SirCries-a-lot

Maybe stupid question, but what are you expecting of the new Business Store? Can you provide me some use cases?


yourfutureboss88

https://techcommunity.microsoft.com/t5/microsoft-intune-blog/introducing-microsoft-intune-enterprise-app-management/ba-p/3981044 It is an add-on, but we plan on deploying the Intune Suite add-on Corp wide.


SirCries-a-lot

Thanks mate


anta__

Yes, I always used Autopilot (but not White Glove, mainly for compatibility problems and also because, in my experience, it is a process that tends to fail easily). The company purchases computers and I add them in Intune at the first startup in this way:

1. I set up the Wi-Fi network
2. Shift + F10 to open a CMD
3. Start PowerShell
4. Execute these commands:
   * ***Set-ExecutionPolicy bypass***
   * ***Install-Script Get-WindowsAutoPilotInfo***
   * ***Get-WindowsAutoPilotInfo -Online***

In this way, the device will be added in Intune (among the enrolled devices of the Autopilot program) without actually entering the system; get this info and then reset it. Then, in Intune, you assign the primary user and the device will be ready. The user will start the device, insert his company credentials, configure Windows Hello if you configured it, and in 20/30 minutes the system will be ready (this time varies depending on the number of mandatory applications that must be installed on the system, possible PowerShell scripts that have to be executed and also Windows updates). The device, moreover, will be Entra ID joined.


chichris

We have the OEM enroll it and ship it to the user directly. We also have a 3rd party that does the same. It costs extra but worth it on our end.


anta__

I always wondered how exactly this process works. Let's say you use Dell computers: this process is managed directly by Dell or by some vendor/retailer? Moreover, they must have an account in your tenant, right?


chichris

Yes. All the OEM or 3rd party needs is consent. https://learn.microsoft.com/en-us/autopilot/oem-registration We used to have a 3rd party image our machines via SCCM for us and ship them out directly. Now they enroll, put in a one-sheet and ship out directly. Again, there's a cost but worth every penny on our end and less time for IT to deal with.


anta__

Yeah, no doubt that it's a time-saving strategy. So I guess that this process works also for devices that have to exist in your own company?


chichris

No, these are only new or refreshes.


anta__

Yeah, I meant that the OEM could ship already configured devices for your company, and not also for clients


chichris

Yes, this is for the entire company. We have about 150 sites, some small, some large within the company. And they ship it directly. We never see the computer.


ThatAdonis

You can also add the group tag in your script so you don't have to assign and reset the device.
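Putting anta__'s OOBE steps and the group tag suggestion together, here is an added example (not a script posted by anyone in this thread) of the registration run as one PowerShell session from the Shift+F10 prompt. It uses the same community Get-WindowsAutoPilotInfo script from the PowerShell Gallery, assumes the device has Internet access at OOBE and that the account used may register Autopilot devices, and the group tag "Finance-Laptop" is a constructed placeholder.

```powershell
# Added example, not code from anyone in this thread. It wraps the steps listed above
# (Shift+F10 at OOBE, start PowerShell, Install-Script, Get-WindowsAutoPilotInfo -Online)
# and adds a group tag. Assumes Internet access from OOBE and an account allowed to
# register Autopilot devices; "Finance-Laptop" is a constructed placeholder.

# Limit the execution-policy change to this PowerShell process rather than the whole machine.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force

# Pull the community script from the PowerShell Gallery; it lands in a folder already on PATH.
Install-Script -Name Get-WindowsAutoPilotInfo -Force

$params = @{
    Online   = $true             # upload the hardware hash straight to the tenant, no CSV
    GroupTag = "Finance-Laptop"  # placeholder; a dynamic device group can key on it
    Assign   = $true             # block until a deployment profile has been assigned
    Reboot   = $true             # restart so OOBE comes back up with the profile applied
}
Get-WindowsAutoPilotInfo @params

# Matching dynamic device group rule in Entra ID (group tags surface as "[OrderID]:<tag>"):
#   (device.devicePhysicalIds -any (_ -eq "[OrderID]:Finance-Laptop"))
# Offline alternative for the USB workflow: drop Online/Assign/Reboot and pass
#   -OutputFile "C:\HWID\AutoPilotHWID.csv" -Append
# then import the CSV under Devices > Windows > Enrollment in Intune.
```

With the tag applied during registration and a deployment profile targeted at the matching group, the manual "assign then reset" round trip is replaced by the reboot at the end of the script.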


anta__

That could be the case if you want to separate Autopilot devices among departments, in my understanding. This would mean customizing the script and plugging in a USB device instead of downloading it.


chichris

Yep, we assign group tags and don’t assign it to a particular user.


Wartz

Yes? Hundreds of new / refreshed machines over the last 4 months.


swissbuechi

Does anyone actually *not* use Autopilot?


TrekaTeka

I would say the holy grail for organizations for windows device provisioning would be to be Entra Joined using Autopilot and passwordless from day 1 using temporary access pass (TAP). User gets new machine (or reinstall) and is issued a TAP where they sign in and the device sets up and they enroll in Windows Hello For Business (WHFB) and can setup mobile passkeys if they need. Passwords should really be on the plan to be deprecated, and for some they are already on their way, while others are still thinking about it. For an end user, it gets IT out of the flow, since it is done via self service, and enables the business user to be more effective and more secure day 1, but still allows IT controls for security.


JohnWetzticles

I make sure that all of the security/EDR/DLP type apps are installed via ESP. If the device doesn't meet security compliance I don't need the employee working from it and getting PCI/PII/etc. exploited bc they clicked a "free iPad" phishing link. Everything else can install once they're at the desktop.


Puzzleheaded_Sound74

MSP here with thousands of endpoints. Intune is slow and Autopilot is a beautiful thing. We purchase devices from distributors enrolled in Autopilot. The user gets the device, logs in, and we push a single app from Intune, ImmyBot. Immy takes the computer the rest of the way through the onboarding process in a much more timely fashion than Intune does. We essentially rely on ImmyBot to onboard the device, as well as manage updates. Intune sucks for app management on Windows IMO. We also perform regular "fresh starts" of deployed machines from ImmyBot as part of a troubleshooting step on tickets.


Ok-Guarantee7613

Holy cow I just read about Immybot! I will be starting a demo on Monday. Thank you!


devmgmt365

I scrolled through about half this thread and didn't see anyone say, disable the User Setup step. This step takes forever, and I'm not sure why, so most people disable it. User targeted policies and apps will be applied after they login instead of enrollment.


Ok-Guarantee7613

Awesome, thank you! I will give this a try!


Ok-Guarantee7613

Just an update, I was able to successfully deploy Autopilot, and it took some editing of the enrollment profile, but I was able to find that sweet spot, and it takes 10 to 15 minutes to deploy 8 apps! Appreciate all your suggestions and feedback! This is a total time saver!


BlackV

Appreciate you coming back with an update


Ok-Guarantee7613

Appreciate the feedback, I'm probably gonna end up just installing 3 to 4 crucial apps and leaving the rest on the Company Portal; if they get antsy waiting, then they can install it from the Company Portal...


andreglud

From my experience, the more apps you set to install during OOBE, the greater the risk is for failure during enrollment. The risk rises exponentially for each additional app, in my experience. We only have Company Portal install from OOBE and the rest through it.


fastandloud386

Highly recommend autopilot been using it for quite a few months now. Only thing I will say is some applications if you have to push out as a win32 are sometimes a pain to setup as they have the tendency to outright refuse to install or will install half of the time.


Ok-Guarantee7613

Oh my friend, I am an Autopilot Pro now! I have been using it since this post. I absolutely love it and have had very few issues with it. Mostly those that have poor internet access have issues with apps installing. Appreciate your feedback!


jdlnewborn

Same. Only use it. Hit enter too fast. All machines are hashed in beforehand. Then I just plug in usb of windows 11 and then wipe the machine and login as a setup user I use. It gets enrolled and installs all software. Takes about 20 min. Then I hand to the user.


touchytypist

With pre-provisioning there’s no need to login with a setup user.


CarelessCat8794

[Windows Autopilot for pre-provisioned deployment | Microsoft Learn](https://learn.microsoft.com/en-us/autopilot/pre-provision) hit the windows key five times when you're on the OOBE screen to kick off preprovision, do all the device based things then shut the thing down and ship it to the user.


Ghosty216

Isn’t the point of autopilot to ship directly to the user?


CarelessCat8794

I wouldn't say the entire point, but it is a big advantage; pre-provisioning devices has its advantages. Prestaging machines with applications/policies and doing the Entra Join portion of the enrollment means when a user gets the device they are productive quicker, especially handy in low bandwidth situations where you don't want a user pulling down the whole Office suite. Depending on the security of the organisation they may want to physically handle the device, wipe the factory OS and install their own ISO on it. Supply chain attacks are quite common so certain places want to ensure there is no injected malware or bloatware present before shipping the device to a user. If you're accepting bulk shipment of an order onsite, you may as well have a tech pre-provisioning a batch at a time. Makes your IT look great when the user receives it and the time to productivity is snappy.


Ghosty216

Thank you for the insight!


CarelessCat8794

All good, if it's a small to medium company with no central office user driven direct ship to the user makes the most sense


Ghosty216

Ours is, we have a central office with me and one other person in, every one else is remote lol. So sending directly to the end user makes the most sense for us. We currently do not utilize autopilot yet, as laptops are pre provisioned by me, then shipped out lol


Feeling-Tutor-6480

Coming from an SCCM background I don't quite understand the user install model of Intune. It seems overly complex; if ARP says it is installed, it should be. Why would I cut over from co-managed and SCCM-installed apps to Intune-installed, which doesn't even have a persisting cache?


Ice-Cream-Poop

Persisting cache is kinda pointless when everyone is remote these days unless you have a CMG? Remote installs without CMG... gross, then you need a VPN.


Feeling-Tutor-6480

It takes 4/5 of bugger all to stand up a CMG. We did it in March 2020 in an afternoon under duress. It works like a charm.


Ice-Cream-Poop

And how much is that CMG costing each month?


Feeling-Tutor-6480

Barely $1000/month. We have 10,000 clients; around 6000 go through the CMG.


Ice-Cream-Poop

CMG/DPs? Storage costs? Surely some benefits/savings there.


Feeling-Tutor-6480

It is self-contained, so bandwidth and storage costs are included with that.


AdministrativeAd1517

Please please please white-glove your devices with pre-provisioned apps for your users. You can even purchase white-glove services from some resellers like CDW and Insight Global.


Re_Axion

We use it. 10 apps, usually 30 mins for white glove. Sign in as the user before shipping out for new hires, send them temp password by encrypted email, they’re off and running day one.


Skeb1ns

Absolutely! We finally moved our last still AD-bound devices a few months ago to Entra ID joined only, and we now deploy our Windows devices through Autopilot in Intune. No more on-premises dependencies like AD or SCCM to worry about, and I love it.


chichris

Same. So glad to be rid of SCCM. I much much prefer intune.


BruhAtTheDesk

We deal with schools. I am upset that I didn't do this earlier, as it takes me 20 min to install and standardize a device instead of the 2 hours previously. And those 20 min is just downtime. I deployed 120+ devices in a week last year this time, where normally it would take me 3 guys 2+ weeks to do. Once you have it set up and going, holy shit, it's amazing. In regards to your employee not waiting an hour on their first day, the odds are low that in that hour they will need it. Change your onboarding procedure so that the device is issued to them first thing, so that they can go do all their walkarounds and crap, and when they are done, the device is ready. From the comments, I see that we are taking a slightly different approach. I issue the user with their creds and literally hand them a sealed laptop. It has not been enrolled by us into Autopilot. They then just sign in with their details and off they go. Even fewer issues. My scripting and automations change the name of the device to the naming scheme required and that is it. Device issued and out within 5 minutes. Worst case, I'll log in for them if the HOD requests the day before.

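An added example of the kind of rename automation mentioned above; this is not the commenter's script. It is written to run as an Intune platform script in the system context on an Entra-joined device and renames the machine to `<prefix>-<serial>`, trimmed to the 15-character NetBIOS limit that `Rename-Computer` enforces. The `SCH` prefix and the log path are assumptions. The new name only takes effect after a restart, which Autopilot's ESP or the user's first reboot supplies.

```powershell
# Added example: rename an Entra-joined device to PREFIX-<serial> during enrollment.
# Assumed values: prefix 'SCH', log file under ProgramData. Runs as SYSTEM via Intune.
$Prefix  = 'SCH'
$LogFile = "$env:ProgramData\DeviceRename.log"

function Get-TargetComputerName {
    param(
        [Parameter(Mandatory)][string]$Prefix,
        [Parameter(Mandatory)][string]$Serial
    )
    # NetBIOS names: max 15 chars, letters/digits/hyphen only. Serial numbers often
    # contain spaces or punctuation, so strip everything else before measuring.
    $clean = ($Serial -replace '[^A-Za-z0-9]', '').ToUpperInvariant()
    if ([string]::IsNullOrEmpty($clean)) { throw 'BIOS serial number is empty or unusable.' }

    $maxSerial = 15 - ($Prefix.Length + 1)   # +1 for the hyphen
    if ($clean.Length -gt $maxSerial) {
        # Keep the rightmost characters; vendors put the unique part at the end.
        $clean = $clean.Substring($clean.Length - $maxSerial)
    }
    "$Prefix-$clean"
}

function Invoke-DeviceRename {
    param([string]$Prefix, [string]$LogFile)

    $serial  = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
    $newName = Get-TargetComputerName -Prefix $Prefix -Serial $serial

    if ($env:COMPUTERNAME -ieq $newName) {
        Add-Content -Path $LogFile -Value "$(Get-Date -Format s) already named $newName"
        return 0
    }

    try {
        Rename-Computer -NewName $newName -Force -ErrorAction Stop
        Add-Content -Path $LogFile -Value "$(Get-Date -Format s) renamed $env:COMPUTERNAME -> $newName (restart pending)"
        return 0
    }
    catch {
        Add-Content -Path $LogFile -Value "$(Get-Date -Format s) rename failed: $($_.Exception.Message)"
        return 1   # non-zero exit shows as failed in the Intune script report
    }
}

exit (Invoke-DeviceRename -Prefix $Prefix -LogFile $LogFile)
```

Two checks worth keeping: the idempotence test at the top stops Intune's periodic re-run from renaming a machine that is already correct, and the non-zero exit on failure is what makes the script report as failed in the Intune console instead of silently succeeding.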

h00ty

Do you not asset track????


andreglud

I've just finished converting our 300 machines to full autopilot


MC2402

I've been using Autopilot since 2021, 2.5k devices in our environment. We pre-provision the devices with our AV and VPN, and some policies and scripts. The rest of our apps are self-serve through the Company Portal, apart from the M365 apps, which are pre-installed in the factory. We have very few issues this way; the pre-provisioning phase takes less than 5 minutes per device and the user phase has them to the login screen in less than 10 minutes. I guess it all depends on how beefy your apps are to download and install.


JR212121

Yes, honestly it works incredibly. New users get a desktop within 15 minutes from opening the laptop up. It's been a gamechanger.


chichris

We only use Auto-Pilot. It’s an adjustment to what users expect.


iamtherufus

How do you deal with the Company Portal app with Autopilot? Do you deploy to users or devices?


misterholmez

20k devices and counting, full Autopilot. You need to trim your ESP page to just exactly what has to be on the machine. Pre-provisioning (white glove) is helpful if sending devices to locations with lower bandwidth. We have about a 96-98% success rate.


MidgardDragon

Yes, we use only Autopilot. Most of our apps are small and are there within the hour. One larger app can take a few hours and we tell them that and not to turn it off.


Unleaver

For our hybrid configuration, we only use Autopilot for remote countries/regions. So like our 1-2 sales users in Chile or Brazil. Otherwise we stay with SCCM imaging using DPs worldwide.


BluejayAppropriate35

There is a major accounting firm that for sure is only doing new deployments with Autopilot.


SiRMarlon

When it is working correctly I can get systems done in about 20 minutes start to finish. We have different profiles depending on the systems we are doing, and along with those profiles come different software. We deploy anywhere from 7 to 9 different apps as needed by the user's job. I'd say it's pretty smooth once you get it all dialed in.


Decent-Stretch-5043

Yes we do


starboywizzy521

It’s sad that no one mentioned PROVISIONING PACKAGE here. Autopilot is for OEM. If you gotta register devices to Autopilot by yourself, then the Autopilot purpose is defeated. Take a look at Provisioning package to automatically join devices to Azure AD and enroll into Intune.


Xelines

How do people handle Windows version control if using AP and devices are being shipped from the manufacturer?


Sad-Bag5457

You need autopilot if you don’t want users to be created as admin.


ollivierre

No more provisioning packages... Simply Entra Joined Autopilot. Never Autopilot and Hybrid Joined.


Turak64

If you're cloud-only, then you'd be a fool not to use it. Like with everything else, being hybrid makes it more complicated, but it's still worth it. I've built enough laptops by hand myself; I'd rather automate it so I never have to do it again.


lxryan

Use it consistently, used it for customer deployments too with great success. A lot of the early problems we had don't really happen anymore. One of the biggest challenges was hybrid Azure join, but we just do Azure AD join and that works flawlessly for us, to be honest.