Forum Discussion

shockotechcom
Iron Contributor
Jul 28, 2023
Solved

Windows Autopilot and Configuration Management Client Installation Methods

I'm using Windows Autopilot to build my machines with AzureAD hybrid join. Currently as part of the ESP we deploy the configuration manager client and our VPN software (both Win32 apps) to them so we can get them co-managed ASAP.  We also do this in ESP as blocking apps to control the device availability to users until they are completed. Our implementation partner advised us to install the Configuration Manager client in this manner to speed up co-management.

Autopilot works (albeit slow at ~60 mins).

I am confused though on whether or not adding the configuration manager client into the autopilot build in this manner is supported? Reading this (https://learn.microsoft.com/en-us/mem/configmgr/comanage/how-to-prepare-win10) it states:

You can't deploy the Configuration Manager client while provisioning a new computer in Windows Autopilot user-driven mode for hybrid Azure AD join. This limitation is due to the identity change of the device during the hybrid Azure AD-join process. Deploy the Configuration Manager client after the Autopilot process. For alternative options to install the client, see https://learn.microsoft.com/en-us/mem/configmgr/core/clients/deploy/plan/client-installation-methods.

So reading this it seems what we are doing is invalid. So question 1:

  1. Is it incorrect/unsupported to install the configuration manager client as a Win32 app during autopilot (ESP or otherwise)?


Furthermore I read here (https://learn.microsoft.com/en-us/mem/configmgr/comanage/how-to-prepare-win10) that it appears there is no longer a need to deploy the configuration manager client as an app at all, but it can simply be configured via Home -> Device -> Enroll Devices -> Windows Enrollment > Co-management Authority

You no longer need to create and assign an Intune app to install the Configuration Manager client. The Intune enrollment policy automatically installs the Configuration Manager client as a first-party app. The device gets the client content from the Configuration Manager cloud management gateway (CMG), so you don't need to provide and manage the client content in Intune.

Is this method only valid post autopilot?

10 Replies

  •
    SeizeThaNight
    Brass Contributor

    Literally no answers/explanation/insight to the original questions laid out. Gone are those days I guess lol. 

  • Please refer to this if it helps:

    Co-management settings: Windows Autopilot with co-management | Microsoft Community Hub 

    Another hidden value

    If your organization has complex applications, you can also add a property in the above command line "PROVISIONTS." When the device gets to the "Device Setup" phase of the ESP (Enrollment Status Page), the task sequence called from on-premises will run and be tracked as one application. For the sake of clarity, if your task sequence installs 10 applications, the ESP will still track the task sequence as one app, because it is watching the task sequence, not each item in the task sequence.

    Still want to use the supported MSI line-of-business (LOB) deployment if you choose to install the Configuration Manager agent using MSI LOB deployment? Here's what to keep in mind.

    If you choose configuration A shown above, the expectation should be:

    • Intune is the authority.
    • All workloads are managed by Intune.
    • Authority value will be 1.

    If you choose configuration B shown above, the expectation should be:

    • Configuration Manager will be the management authority.
    • Workload management will come from Configuration Manager.
    • Make the Configuration Manager agent installation "required" as part of the ESP profile.

    Remember, the key defaults to the value of 1. Your authority is still going to be Microsoft Intune, and you will not experience the previous flip-flop issue. If you want the authority to be Configuration Manager, so you can choose which individual workloads come from Configuration Manager or Microsoft Intune, make sure the "Advanced" slider is set to "No." That will make the value become 2 and configuration manager sliders come into effect at that point.

  •
    rahuljindal
    Bronze Contributor
    Is your AP provisioning dependent on anything getting installed from ConfigMgr under Co-management? If not, then you can install the ConfigMgr agent right at the end by assigning it to a user-based group. Alternatively, since the device is being Hybrid joined, you can push the agent either using a GPO startup script or automatic push through ConfigMgr (will depend on your current configuration, of course).
    •
      SweJorgenMVP
      MVP
      I do the same as the suggestion above in the few times we use AutoPilot for Hybrid Join; one of the reasons is your question here. We add the CM client using a startup script as we don't want to make the Autopilot time longer.
      Moved all required apps to Intune, added them as blocking apps in ESP.
      Regards,
      Jörgen
      •
        fjansson
        Brass Contributor
        As a GPO startup script? Have you tried deploying it through Intune somehow? I'm about to try adding it as a script in Intune that creates a scheduled task that triggers at logon. Would be nice having the deployment in Intune if possible 🙂
    •
      shockotechcom
      Iron Contributor

      Since we are Hybrid joined I did the following:

      - Create a custom Win32 app in Intune and deliver it as a blocking app in the ESP phase of Autopilot
      - This app creates a scheduled task that runs on next reboot and installs the MECM agent on next boot, then disables itself

      Works great!
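
      The staging script below is an added example of the pattern described in this post, not the original poster's code. It is meant to run as the install command of an Intune Win32 app (which executes as SYSTEM in the ESP device phase): it copies ccmsetup.exe out of the package, writes an installer script, registers a startup scheduled task running as SYSTEM, and drops a marker file for the app's detection rule. The installer script disables its own task only after the CcmExec service exists, so a failed install is logged and retried at the next boot instead of silently disappearing. The staging folder, task name, site code `P01` and management point `cm01.corp.example.com` are hypothetical values; ccmsetup.exe is assumed to be packaged alongside this script in the .intunewin file.

```powershell
<#
  Added example (not the original poster's script). Stages a deferred
  ConfigMgr client install: an Intune Win32 app runs this as SYSTEM during
  ESP; the real install happens in a scheduled task at the next startup.
  Assumed/hypothetical: staging folder, task name, site code, MP name,
  and that ccmsetup.exe ships in the same .intunewin package as this file.
#>
$StageDir      = 'C:\ProgramData\CMClientBootstrap'       # assumption
$TaskName      = 'Install-CMClient-AfterAutopilot'        # assumption
$SiteCode      = 'P01'                                    # hypothetical site code
$MP            = 'cm01.corp.example.com'                  # hypothetical management point
$Marker        = Join-Path $StageDir 'staged.txt'         # Win32 detection rule: this file exists
$InstallerPath = Join-Path $StageDir 'Install-CMClient.ps1'

$src = Join-Path $PSScriptRoot 'ccmsetup.exe'
if (-not (Test-Path $src)) { Write-Error 'ccmsetup.exe is missing from the package'; exit 1 }
New-Item -Path $StageDir -ItemType Directory -Force | Out-Null
Copy-Item -Path $src -Destination $StageDir -Force

# Script the scheduled task runs at startup. Single-quoted here-string:
# only the __TOKENS__ are substituted; everything else is written literally.
$installer = @'
$dir = 'C:\ProgramData\CMClientBootstrap'
$log = Join-Path $dir 'bootstrap.log'
function Write-Log ($msg) { "$(Get-Date -Format s) $msg" | Out-File -FilePath $log -Append }

if (-not (Get-Service -Name CcmExec -ErrorAction SilentlyContinue)) {
    Write-Log 'Starting ccmsetup.exe'
    $ccmArgs = @('/mp:__MP__', 'SMSSITECODE=__SITECODE__')
    $p = Start-Process -FilePath (Join-Path $dir 'ccmsetup.exe') -ArgumentList $ccmArgs -PassThru -Wait
    Write-Log "ccmsetup.exe returned $($p.ExitCode)"
    # ccmsetup hands the real work to the ccmsetup service; wait for it (max 60 min)
    $deadline = (Get-Date).AddMinutes(60)
    while ((Get-Process -Name ccmsetup -ErrorAction SilentlyContinue) -and ((Get-Date) -lt $deadline)) {
        Start-Sleep -Seconds 30
    }
}

if (Get-Service -Name CcmExec -ErrorAction SilentlyContinue) {
    Write-Log 'CcmExec present; disabling bootstrap task'
    Disable-ScheduledTask -TaskName '__TASK__' | Out-Null
} else {
    Write-Log 'CcmExec not found; task stays enabled to retry at next boot. See C:\Windows\ccmsetup\Logs\ccmsetup.log'
}
'@
$installer = $installer.Replace('__MP__', $MP).Replace('__SITECODE__', $SiteCode).Replace('__TASK__', $TaskName)
Set-Content -Path $InstallerPath -Value $installer -Encoding UTF8

# Register the task: SYSTEM, highest privileges, at startup after a short delay
# so networking (and the VPN client deployed in ESP) is up before ccmsetup runs.
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
           -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$InstallerPath`""
$trigger = New-ScheduledTaskTrigger -AtStartup
$trigger.Delay = 'PT3M'
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
             -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Hours 2)
Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Marker for the Win32 app detection rule, so ESP treats the app as installed.
Set-Content -Path $Marker -Value (Get-Date -Format o)
exit 0
```

      Package it with an install command of `powershell.exe -NoProfile -ExecutionPolicy Bypass -File .\Stage-CMClient.ps1` and a detection rule of "file exists" on the marker path. Two practitioner caveats: the ccmsetup properties above are for a client that can reach an on-premises MP after the reboot (behind the VPN deployed in ESP); internet-only clients going through a CMG need different ccmsetup properties. And because the task runs a script from the staging folder as SYSTEM, tighten that folder's ACL so non-administrators cannot drop or replace files there. This deferral only moves the install past the Autopilot reboot; it does not change the Microsoft guidance quoted in the question that the client is not supported during the hybrid join itself.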

      •
        fjansson
        Brass Contributor

        Would you mind sharing your code for this? 😁I tried the same route but through scripts in Intune instead. Your solution sounds more stable.

      •
        corndawg007
        Copper Contributor

        I used shockotechcom's solution:
        - Create a custom Win32 app in Intune and deliver it as a blocking app in the ESP phase of Autopilot
        - This app creates a scheduled task that runs on next reboot and installs the MECM agent on next boot, then disables itself.

        It works. But, knowing Config Manager, if for some reason it fails, you have to make sure that you review logs and verify that the client gets installed. I had a couple of issues where it failed to install from the task scheduler and I had to run a manual install then. Seems like your environment has to be perfect: firewall rules, DNS, all the prereqs, etc.
