timjeens (Copper Contributor)
Apr 30, 2025
Moving from MDT/WDS to Autopilot – Real-World Lessons, Wins & Gotchas
Hi all,
We’ve been moving away from an ageing WDS + MDT setup and over to Windows Autopilot, and I thought I’d share a few key lessons and experiences from the journey, in case anyone else is working through the same transition (or is about to).
Why the change? MDT was becoming unreliable, drivers/apps would randomly fail to install, WDS is on the way out, and we needed a more remote-friendly approach. We also wanted to simplify things for our small IT team and shift from Hybrid Azure AD Join to Azure AD Join only.
We’re doing this as a phased rollout. I harvested existing device hashes using a script from a central server, and manually added machines that weren’t online at the time (most of which were just unused spares; we haven't introduced new hardware yet).
If you want a copy of this auto-harvest script, please see my next post. The script is useful as it'll just go off and import the hardware hashes into Intune, and can run against multiple computers at a time. (I will add the link to the post once made.)
Some of the biggest hurdles:
• 0x80070002 / 0x80070643 errors (typically due to incomplete registration or app deployment failures)
• Enrollment Status Page (ESP) hangs due to app targeting issues (user vs device) and BitLocker config conflicts
• Wi-Fi setup with RADIUS (NPS) was complex: Enterprise Certificates, and we're still using internal AD for authentication, so user accounts exist there and sync over to Azure.
• Legacy GPOs had to be rebuilt manually in Intune, lots of trial and error
• Some software (like SolidWorks) wouldn’t install silently via Intune, so I used NinjaOne to handle these, along with remediation scripts in Intune where needed
We also moved from WSUS to Windows Autopatch, which improved update reliability and even helped with driver delivery via Windows Update.
What’s gone well: Device provisioning is more consistent, updates are more reliable, build time per machine has dropped, and remote users get systems faster. It’s also reduced our reliance on legacy infrastructure.
What I’m still working on: Tightening up compliance and reporting, improving detection/remediation coverage, figuring out new errors that may occur, and automating as many manual processes as possible.
Ask me anything or share your own experience! I’m happy to help anyone dealing with similar issues or just curious about the move. Feel free to reply here or message me. Always happy to trade lessons learned, especially if you’re in the middle of an Autopilot project yourself.
Cheers,
Timothy Jeens
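As an added example (not the author's own harvesting script), the following PowerShell collects Autopilot hardware hashes from several domain-joined machines over WinRM and writes the CSV layout the Intune Autopilot import accepts, listing any unreachable or hash-less machines for the manual follow-up described above. The computer names, output path and group tag are constructed placeholders; it assumes WinRM is enabled on the targets and the caller is a local administrator on each.

```powershell
# Added example, not the author's script: harvest Autopilot hardware hashes remotely.
$computers = @('PC-001', 'PC-002', 'PC-SPARE-07')   # constructed sample names
$outFile   = 'C:\Temp\AutopilotHashes.csv'          # constructed output path
$groupTag  = 'Pilot-Wave1'                           # assumed tag for the pilot profile

$results = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
    # Serial number comes from the BIOS; the hash is exposed by the MDM bridge WMI provider.
    $serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
    $dev    = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' -ClassName 'MDM_DevDetail_Ext01' `
                  -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
    [pscustomobject]@{
        'Device Serial Number' = $serial
        'Windows Product ID'   = ''                    # optional column, left blank
        'Hardware Hash'        = $dev.DeviceHardwareData
        'Group Tag'            = $using:groupTag
    }
}

# A row with an empty hash is rejected at import, so keep it out of the CSV and report it.
$good = $results | Where-Object { -not [string]::IsNullOrWhiteSpace($_.'Hardware Hash') }
$bad  = $results | Where-Object {      [string]::IsNullOrWhiteSpace($_.'Hardware Hash') }

# Intune expects an unquoted header and values, so strip the quotes ConvertTo-Csv adds.
$good | Select-Object 'Device Serial Number', 'Windows Product ID', 'Hardware Hash', 'Group Tag' |
    ConvertTo-Csv -NoTypeInformation |
    ForEach-Object { $_ -replace '"', '' } |
    Out-File -FilePath $outFile -Encoding ascii

# Machines that never answered over WinRM are the ones to add by hand later.
$unreachable = $computers | Where-Object { $_ -notin $results.PSComputerName }

"Exported {0} hashes to {1}" -f @($good).Count, $outFile
if ($bad)         { "No hash returned by: "         + (($bad.PSComputerName) -join ', ') }
if ($unreachable) { "Unreachable (add manually): "  + ($unreachable -join ', ') }
```

The resulting file is uploaded under Devices > Windows > Windows enrollment > Devices in the Intune admin center; the import is limited to 500 rows per file, so split larger estates into batches.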
5 Replies
- timjeens (Copper Contributor)
Here is the link to the post I made for gathering and importing the Hardware Hashes automatically into Intune:
Automated import of Hardware Hashes into Intune | Microsoft Community Hub
Thanks,
Tim
- rbritton69 (Copper Contributor)
Thanks for sharing this. We are about to begin our pilot of Autopilot. We use Intune for iPhones/Tablets today. Haven't configured Intune for use with Windows Devices at all. Blank Canvas.
We are a hybrid org, mostly on prem: traditional MDT/WDS imaging, local domain joining, GPOs, login scripts, all the traditional bells and whistles. We do use O365 heavily and do a partial AD->Entra sync, mostly for user objects re: Exchange Online, Teams, et al. Most of our org resources are still legacy (on prem); think DCs, File & Print, NPS, et al. We use WSUS and Endpoint Central now, along with GPOs for device and configuration management. Our WPA2/3 is using NPS->DCs for RADIUS/AAA.
So it would seem we are in the place you were before your initiative to adopt Intune for Windows endpoint management.
We'll need to evaluate whether it makes sense to go pure cloud managed devices. I've done it before at another org. Pros/Cons.
Later this month, we'll begin to setup Intune for device enrollment and see what we see. Love to go pure cloud managed, but so much of our infrastructure is legacy still. It'll be a much larger project to plan out all layers of the infrastructure which would need to be touched to lean more cloud vs hybrid on prem.
Going to be interesting to figure out our way forward.
- timjeens (Copper Contributor)
Thanks for that; that sounds exactly where I was a while ago. Don’t worry about going full cloud. We are still hybrid, and it’s likely it will remain that way for a while; it has its benefits having both ways.
And moving RADIUS, I have found, is not possible, other than just having a Windows server in Azure with it on.
With the GPOs there is a handy import function where you can import your existing policies, and then it will tell you if you can migrate them or not, and tells you what can’t be.
I started with syncing all users over to entra, and migrated my local exchange users all over to exchange online. It was scary turning off the on site exchange, but it was running all online for a while before I did that and verified the on site was not in the path for email flows.
You can PM me if you want any advice, or reply here and I will reply, so others can see the journey.
Good luck.
- fjansson (Brass Contributor)
How long, approximately, is the deployment time now using Autopilot? How many apps do you have forced in your ESP? Are you using user-driven mode with or without pre-provisioning, and in that case are you yourself or an external party performing the pre-provisioning?
Kind regards,
Frida
- timjeens (Copper Contributor)
Gosh, the Autopilot bit itself depends on your internet speed, but it’s about 25-35 mins from boot up. It really depends on what policies you have and what software you are pushing from Intune, though. We also use NinjaOne to push out some software that isn’t compatible with Intune. About 15-20 apps, depending on the user's membership.
We still do a curated setup for our users, though; it takes a lot of the frustration away from them, and we know then that it’s set up correctly.
We’re still using old laptops, so no pre-provisioning yet.