AMA: Enrolling modern devices with Windows Autopilot
Thursday, Jul 21, 2022, 08:00 AM PDT

Event details
Interested in the simplified Autopilot device enrollment flows? Do you have questions about pre-provisioned devices? Curious about advanced app and policy configuration during Windows Autopilot enrollment? Using Windows Autopilot today and want to catch up on the latest changes?
Join us for a special Ask Microsoft Anything (AMA) live stream on Windows Autopilot.
This is a great opportunity to learn from Microsoft experts. Add this event to your calendar, RSVP to receive notifications, then join us here for the live stream on the Tech Community on Thursday, July 21st.
Submit your questions anytime during the hour or post them early in the Comments below.
Heather_Poulsen
Updated Dec 27, 2024
- ESJeffL (Brass Contributor)
I know it is good to spread the wealth, and every OEM has a way to remove bloatware (at a cost), but why is it that MS does not provide a clean OS for the Enterprise version? We are not buying Pro; you would think Enterprise would be a cleaner OS.
- MikkelLundKnudsen (Iron Contributor)
Actually, Dell does. We buy our Windows 11 SKU with an included Self-Healing Image Recovery: https://www.dell.com/support/manuals/en-us/self-healing-image-recovery/shir_saosr_ug/introduction?guid=guid-ea57f10e-92c9-46c5-9b92-728a5e87f6bc&lang=en-us. It should be available for you; contact your nearest Dell vendor :)
- Chad Simmons (Iron Contributor)
I agree 1,000,000%
- IanMusgrave (Copper Contributor)
Do you see a possibility of adding a feature for manually changing the enrolled user? For example, we have many shared devices that have been joined/enrolled with whatever user happened to be on that device at the time of enrollment. Right now our best option is to Autopilot and re-enroll using the DEM account. It would be very helpful to be able to make that change in the console.
- treestryder (Steel Contributor)
This is already an option. See the "Change primary user" or, more appropriate for a shared device, "Remove primary user" buttons on the device's Properties blade.
Also, if Configuration Manager is in the mix, you will see strange results for the "Primary owner", based on how it determines/guesses who the primary owner might be.
Is there a reason you are not using a self-deploying enrollment profile for shared devices?
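The portal buttons treestryder mentions can be driven from Microsoft Graph as well, which matters once you have hundreds of shared devices to clean up. The script below is an added example, not code from the AMA or from Microsoft; it clears the primary user from every Intune-managed Windows device that is a member of a named Azure AD group. It assumes the Microsoft.Graph PowerShell SDK, an account granted DeviceManagementManagedDevices.ReadWrite.All and GroupMember.Read.All, and that the beta `managedDevices/{id}/users/$ref` relationship behaves like the "Remove primary user" button (that endpoint is in the beta namespace and is an assumption here). The group name is a placeholder.

```powershell
# Added example (not from the AMA): bulk "Remove primary user" for shared devices.
# Assumptions: Microsoft.Graph SDK installed; DeviceManagementManagedDevices.ReadWrite.All
# and GroupMember.Read.All consented; beta users/$ref relationship on managedDevices.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.ReadWrite.All', 'GroupMember.Read.All'

$sharedGroupName = 'Shared Devices'   # placeholder group name
$group = Get-MgGroup -Filter "displayName eq '$sharedGroupName'"
if (-not $group) { throw "Group '$sharedGroupName' not found" }

# Group members are Azure AD device objects; their 'deviceId' maps to the
# azureADDeviceId property on the Intune managedDevice.
$members = Get-MgGroupMember -GroupId $group.Id -All
$aadDeviceIds = $members |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.device' } |
    ForEach-Object { $_.AdditionalProperties['deviceId'] }

foreach ($aadDeviceId in $aadDeviceIds) {
    $lookup = "https://graph.microsoft.com/beta/deviceManagement/managedDevices?`$filter=azureADDeviceId eq '$aadDeviceId'"
    $managed = (Invoke-MgGraphRequest -Method GET -Uri $lookup).value

    foreach ($md in $managed) {
        $base = "https://graph.microsoft.com/beta/deviceManagement/managedDevices/$($md.id)"
        # Read the current primary user first so the change is logged with a name.
        $current = (Invoke-MgGraphRequest -Method GET -Uri "$base/users").value
        if (-not $current) {
            Write-Output "$($md.deviceName): no primary user set, skipping"
            continue
        }
        # DELETE on the users/$ref relationship clears the primary user (assumed beta behaviour).
        Invoke-MgGraphRequest -Method DELETE -Uri "$base/users/`$ref"
        Write-Output "$($md.deviceName): removed primary user $($current[0].userPrincipalName)"
    }
}
```

Run it against a small pilot group first and keep the output as an audit trail; the primary-user change affects which user the Company Portal treats as the device owner and which user-targeted apps and policies resolve for the device.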
- Max_Stein (Microsoft)
Thanks for the feedback, Ian! Definitely add this over on our Feedback Portal via aka.ms/IntuneFeedback so that other customers can comment and vote on the same!
- RobdeRoos (Iron Contributor)
Edit: wrong chat
- se8791 (Brass Contributor)
Has the stability of the AP service been discussed at MS? Sometimes we run into issues with the AP process failing randomly, and the only answer/cause seems to be service issues.
- MikkelLundKnudsen (Iron Contributor)
Same here. Sometimes we just see that it fails, and we can't find any reason why in the Service health and message center; then, after waiting some time, it suddenly works again. No idea why. Sometimes we have had issues when doing co-management, and that will fail in the Device Preparation phase. Then we simply run the "Connection Analyzer" for the Cloud Management Gateway, and often it's one of our Management Points that for some reason needs a "reboot". But still, we experience issues now and then, and if it's around the first of the month, when we typically onboard a lot of new employees, then it becomes critical. 😞
- Hung_Dang (Microsoft)
Many, many times. 🙂 That's why our mantra to customers is: keep it simple. We've found that the largest companies that use Autopilot have very high success rates because of the simplicity of their deployments (e.g., a low number of apps deployed). The Autopilot flow is a very complex flow involving so many components. The typical randomizing inhibitors to success that we've found include: unreliable networks (e.g., schools, home) that can't take the number of apps configured by the IT admin; the number of apps configured for a user/device; very complex networking/security infra (e.g., proxies); and country-specific network latencies.
- Heather_Poulsen (Community Manager)
Up next for Tech Community Live: Ask Microsoft Anything about Endpoint analytics
- Heather_Poulsen (Community Manager)
We'll continue answering questions here in the Comments until the end of the hour, and post a recap soon. What do you think of this event? Please take this 2-minute survey and let us know!
- Heather_Poulsen (Community Manager)
Fifteen minutes left in today's Windows Autopilot AMA. We'll be hosting Tech Community Live events for Microsoft Endpoint Manager quarterly, so if you have suggestions for future AMA topics, let us know!
- dsmodus (Brass Contributor)
It would be nice to discuss best practices regarding Endpoint Security during Autopilot in more detail: some list of features from Endpoint Security that need to be configured from the start with Autopilot, like BitLocker, etc.
- Jason_Sandys (Microsoft)
Nothing *needs* to be configured at all. What you and your org should configure should be based on your org's requirements. The security baselines within Intune provide Microsoft's guidance for orgs to secure their devices, and lacking anything else, you should start with these.
- mgciba (Copper Contributor)
We have devices that we would like to add to Intune. We have a mix of co-managed and hybrid-joined devices. For this specific site where we would like to enroll the devices in Intune, would Autopilot be a solution? If yes, how?
- Jason_Sandys (Microsoft)
Autopilot is for provisioning new Windows endpoints and is unrelated to changing the configuration on previously provisioned endpoints. For existing devices, using co-management or group policy will enroll the endpoints in Intune.
- egoodman (Brass Contributor)
This is not an Autopilot question, but since you were talking about co-management sliders, I thought I'd ask. 🙂 The Windows Update co-management slider is fairly "easy" to switch over to Intune to start using WUfB. However, the Device Configuration slider isn't as easy and has a lot more considerations before switching to Intune. Yet in order to properly get Update Compliance telemetry for WUfB, a configuration profile needs to be deployed to machines to enable telemetry and the tenant ID. That configuration profile wouldn't apply until the Device Configuration slider is also moved to Intune. So there's a possibility of WUfB patching "blind" without any compliance data until the second slider is moved. Are there any suggestions here? Will ConfigMgr still report compliance on a system even if it's patched via WUfB?
- Olaf_Thyssen (Brass Contributor)
Same setup on my side (WU in Prod, DevConfig in Pilot), but your devices are still domain joined, so most of those telemetry settings are included in the latest Win10 ADMX templates and can be passed via legacy GPO to the clients.
- KarlSkelton (Occasional Reader)
We are using Autopilot in HAADJ mode. We see an issue during enrollment where the BitLocker recovery key is NOT being uploaded to Azure AD, but it does get uploaded to the on-prem AD. Is there any way to enforce the key upload to Azure AD? Maybe this is down to some timing issue during the BitLocker/enrollment process?
- Jason_Sandys (Microsoft)
Going to be a broken record here, but A, begin exploring and using Azure AD join instead of hybrid Azure AD join. There are many caveats, nuances, and "headaches" with HAADJ, particularly for new Windows endpoint provisioning. See aka.ms/cloudnativeendpoints. For the specific question, note that saving the key to AD and AAD is the responsibility of the OS and that it only attempts to do this at the time the recovery password is set on the endpoint. Also, on an HAADJ endpoint, if it succeeds in storing to one location or the other (AAD or AD), then it considers the operation successful and moves on. With HAADJ during Autopilot, the HAADJ process doesn't actually complete until the user logs on, which is after BitLocker gets enabled, and thus there's no path for it to actually store the password in AAD at that time. To address this, you can use a PowerShell script (run via a proactive remediation) to store the password in AAD. There are lots of sample scripts on the web for this, but ultimately it's a one- or two-line PowerShell command. As noted though, this is one of those "headaches" with attempting to use HAADJ for new endpoint provisioning, and choosing AADJ, while more work in the short run, offers a large number of advantages in the long run, including that it aligns with our engineering direction.
- KarlSkelton (Occasional Reader)
Thanks for the response. Our customer is committed to sticking with HAADJ at the moment, so we are where we are. And yep, I already identified all the other content you replied with, so it seems our only fallback is the PS script to confirm/enforce the upload of the key. Thanks again.