
Dr_Snooze
Brass Contributor
Jun 21, 2022

Truly Remote Wiping and Setup

I'm looking for a way to wipe and re-configure my Win10/11 endpoints without losing remote access afterward. My endpoints are all AAD-joined and Intune (MEM)-managed with remote access through ConnectWise Control. Yet for all that, I'm unable to complete a device wipe and reconfigure remotely. When I wipe, I choose the "keep enrollment state and associated user acct" option, but the device is incommunicado until someone does something on the box itself. This "someone" is usually me and "something" usually involves driving an hour into the office to do the something. I feel like truly remote mgmt should be possible, but I can't seem to get there. I've tried deploying the agent through Intune, deploying a PS script through Intune, etc., but Intune won't work until someone actually logs into the refreshed device for the first time. Advice? 

PS: We are a cloud-only shop. There is no server in the office. 

  • Moe_Kinani
    Bronze Contributor
    Hi,

    A few questions:

    So when you go there, do you see the device waiting for a user to sign in?

    Do you have Enrollment Status Page enabled? This might be the problem, Enrollment Status Page restricts users from accessing the desktop until all their apps and settings are installed.

    Moe


    • Dr_Snooze
      Brass Contributor

      Thanks Moe.


      So the Enrollment Status Page looks like this and yes, it's set up to allow the user to bypass it and go to the desktop. 


      My frustration is the loss of remote access during the process. If I do a format and clean install, the computer will start at the Out-Of-Box-Experience, then proceed to the Enrollment Status Page after the user first signs in. So remote access is lost until someone either sits down at the machine and installs my remote agent, or sits down at the machine and logs in to get the Intune deployments going. Either way, someone needs to sit down at the machine. 


      If I initiate a device wipe from Intune, the computer will start with a default Windows sign in screen, and again, proceed to the desktop after the user first signs in. And again, my remote access is lost until someone sits down at the machine to re-install my remote access agent, or sits down at the machine to log in and get the Intune deployments started. Again, someone has to sit down at the machine either way, which is the step I'm trying to eliminate. 


      Surely there is a way around this?

  • Dr_Snooze
    Brass Contributor
    I'm also using a Win32 app packaged with the Intune App Wrapper. It's a simple installer. One double-click and it does the rest. No login is required for the app. All my apps are deployed to device groups, not user groups.

    I set up a VM for testing this yesterday because it's starting to sound like I'm the only one having this problem. I'll watch my VM carefully today to make sure I'm not imagining things. In my experience, no Intune magic happens, no apps get installed, no policies get applied, until someone sits down at the machine and performs that first Windows login following a device wipe. After that, Intune kicks in and everything is good. Is that not how it works for everyone else? I'll confirm on my VM today and report back.

    Thanks
  • Dr_Snooze
    Brass Contributor
    I've confirmed the issue. I sent a Wipe request from Intune to my VM yesterday morning. The VM wiped and came to rest at the Windows login screen with the old username prefilled. I let it sit like that overnight and this morning there was still no remote access. After I logged the VM in today, however, Intune immediately began deploying policies, doing app installs and even processing the 2 reboot requests I had sent to the VM yesterday afternoon. My remote agent was also installed and my access returned within 10 minutes. I'm not sure why my setup acts this way, unless it's because I'm not using AutoPilot, but I doubt it.

    What's the way around this? I run a data entry department where productivity is all important. Having my users wait around while Intune configures the device is not ideal. Asking someone to stop what he is doing and go fiddle with a machine for me is also not ideal, and I'd rather avoid the hour's drive into the office (or the user's house for that matter).
    • NielsScheffers
      Iron Contributor

      I think we all were (incorrectly) assuming you were using Autopilot. At least I was :smile:.


      The ESP will only start through OOBE with AAD-join or during the Autopilot process (see Set up the Enrollment Status Page in the admin center - Microsoft Intune | Microsoft Docs). That probably explains why you need to sign in before anything happens. With Autopilot, the device configuration is applied before the first sign-in.

      • Dr_Snooze
        Brass Contributor
        That's an exceedingly important distinction. You'd think that would be spelled out more clearly in the documentation. We're coming up on a hardware upgrade cycle here, so I'll look into transitioning my devices over at that time. Thank you for your help!
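
As NielsScheffers notes above, the device configuration is applied before the first sign-in only when the device goes through Autopilot, and an existing AAD-joined device only gets an Autopilot profile once its hardware hash has been registered with Intune. The script below is an added example, not code from the thread or from Microsoft; it reads the hardware hash through the MDM bridge WMI namespace (the same source the community Get-WindowsAutopilotInfo script uses) and writes the CSV that the Intune admin center imports under Devices > Enrollment > Windows Autopilot devices. It assumes an elevated PowerShell session on the device itself, and the output path is a placeholder.

```powershell
# Added example (not from the thread): collect the local device's Autopilot
# hardware hash and write it in the CSV layout the admin center import expects.
# Assumptions: elevated session on Windows 10/11; $OutputFile is a placeholder.
#Requires -RunAsAdministrator

param(
    [string]$OutputFile = "$env:TEMP\AutopilotHWID-$env:COMPUTERNAME.csv"
)

# The MDM bridge namespace exposes the DevDetail CSP; DeviceHardwareData holds
# the base64-encoded hardware hash that Autopilot registration needs.
$devDetail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' `
    -ClassName 'MDM_DevDetail_Ext01' `
    -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"

if (-not $devDetail -or [string]::IsNullOrEmpty($devDetail.DeviceHardwareData)) {
    throw "Could not read the hardware hash; run this from an elevated session on the device itself."
}

# Serial number is the second identifier the import matches devices on.
$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber

# Column names must match the admin center import format exactly.
$row = [pscustomobject]@{
    'Device Serial Number' = $serial
    'Windows Product ID'   = ''
    'Hardware Hash'        = $devDetail.DeviceHardwareData
}

$row | Export-Csv -Path $OutputFile -NoTypeInformation -Encoding ASCII
Write-Host "Wrote Autopilot registration CSV for serial $serial to $OutputFile"
```

Because the whole point is to avoid touching the box, this is the kind of script to push once through Intune (as a PowerShell script or a Win32 app) while the device is still reachable, collect the CSVs from a shared location, and import them before sending the wipe; the hash must be registered and a deployment profile assigned before the device reaches OOBE again, otherwise it lands on the same plain sign-in screen described in the thread.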
