I learned the hard way to configure Autopilot with the bare minimum needed for a device to be able to connect to our VPN in order to complete the hybrid AD join. I initially attempted to have Autopilot install the 11 applications every company-issued device requires. Autopilot deployment failed time and time again. I had to take a step back and re-assess the situation. Why did I need Autopilot? To join a new remote employee's device to our on-premises AD without having to be on-premises. We have several ways to automate remote deployment of applications, but they all require the device to be joined to our domain.
I asked myself what applications were necessary for a remote employee to connect to our VPN, completing the offline domain join used by Autopilot. Only 3 of the 11 were absolutely necessary: the Cisco AnyConnect VPN client, the Cisco Start Before Logon module, and our endpoint security software that must be installed before a device can access the VPN. I added our remote management application so the Help Desk could assist the user if necessary. I had to make Cisco AnyConnect a dependency for the SBL module so they would be installed in the right order, and voilà! Success.
When new devices are enrolled in Intune they are assigned to a New Device group using their serial number. The deployment profile is assigned to this group. Once the user logs in and the device completes the on-site AD domain join, it is removed from the New Device group and is added to a group that all domain-joined devices belong to. The remaining apps are assigned to this group, and within 20 minutes or so after the user logs in they can begin work. The amount of time Autopilot saves me going forward was worth the effort. I use it to deploy the devices of employees that work at the corporate office where I work as well. I sign in and let it do the rest.
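The two-group split described above (a group for freshly enrolled Autopilot devices that carries the deployment profile, and a group for devices that have finished the hybrid join that carries the remaining apps) can be expressed as Entra ID dynamic device groups instead of per-serial-number assignment. The following is an added example, not the poster's configuration: it assumes the Microsoft Graph PowerShell SDK is installed, the group names are made up, and the `Group.ReadWrite.All` scope is sufficient in your tenant. The membership rules themselves are documented Entra ID rule syntax: every Autopilot-registered device carries a `[ZTDId]` physical ID, and `deviceTrustType` becomes `ServerAd` once the on-premises domain join completes.

```powershell
# Added example (not the original post's configuration). Group names and the
# Graph scope are assumptions; the rule syntax is Entra ID dynamic-group syntax.
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# Matches every device imported into Windows Autopilot, regardless of serial
# number. Narrow it with a Group Tag ([OrderID]:<tag>) if only some devices
# should receive the deployment profile.
$autopilotRule = '(device.devicePhysicalIds -any (_ -contains "[ZTDId]"))'

# Matches devices whose hybrid Azure AD join has completed; this is the group
# the remaining applications are assigned to.
$hybridRule = '(device.deviceTrustType -eq "ServerAd") -and (device.deviceOSType -eq "Windows")'

$groups = @(
    @{ Name = 'Autopilot-NewDevices';   Rule = $autopilotRule },
    @{ Name = 'Autopilot-HybridJoined'; Rule = $hybridRule }
)

foreach ($g in $groups) {
    New-MgGroup -DisplayName $g.Name `
        -MailEnabled:$false `
        -MailNickname ($g.Name -replace '[^A-Za-z0-9]', '') `
        -SecurityEnabled `
        -GroupTypes @('DynamicMembership') `
        -MembershipRule $g.Rule `
        -MembershipRuleProcessingState 'On' | Out-Null
}
```

One difference from the flow in the post: a dynamic `[ZTDId]` rule does not drop a device from the new-device group after it joins the domain, so the deployment profile stays assigned to already-joined devices (harmless for Autopilot, since the profile only applies during enrollment). If the first group should empty out the way the poster's manual process does, extend its rule with an exclusion on the trust type, for example appending `-and (device.deviceTrustType -ne "ServerAd")`, and confirm in your tenant that the device object's trust type changes as expected after the join.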