AMA: Enrolling modern devices with Windows Autopilot
Event details
Interested in the simplified Autopilot device enrollment flows? Do you have questions about pre-provisioned devices? Curious about advanced app and policy configuration during Windows Autopilot enrollment? Using Windows Autopilot today and want to catch up on the latest changes?
Join us for a special Ask Microsoft Anything (AMA) live stream on Windows Autopilot.
This is a great opportunity to learn from Microsoft experts. Add this event to your calendar, RSVP to receive notifications, then join us here for the live stream on the Tech Community on Thursday, July 21st.
Submit your questions anytime during the hour or post them early in the Comments below.
128 Comments
- dsmodus Brass Contributor
Is it possible to assign some specific permission for an IT admin to register the device for Autopilot without assigning the Intune Administrator role?
- ImranHaque Frequent Reader
Hi, device enrollment requires Intune Administrator or Policy and Profile Manager permissions. You can also create a custom Autopilot device manager role by using role-based access control. Here are a few docs that can help:
  - https://docs.microsoft.com/en-us/mem/autopilot/add-devices#required-permissions
  - https://docs.microsoft.com/en-us/mem/intune/fundamentals/role-based-access-control
  - https://techcommunity.microsoft.com/t5/intune-customer-success/role-based-access-control-in-intune-identifying-tenant-wide-and/ba-p/1441249
- treestryder Iron Contributor
Autopilot registrations were designed to be done at purchase time. Dell does this for us. Other OEMs and resellers also offer Autopilot registration as a service.
If you have Configuration Manager managed PCs, the hardware information has already been gathered for you and can be imported in bulk (small batches or they time out). Doing this will create an Autopilot object and an Azure AD Joined object for each. Once the device has enrolled using Autopilot, its AD + Azure AD Hybrid + Configuration Manager objects can be deleted.
```sql
select bios.SerialNumber0 as 'Serial Number',
       os.SerialNumber0 as 'Windows Product ID',
       mdm.DeviceHardwareData0 as 'Hardware Hash',
       'Default' as 'Order ID'
from v_GS_PC_BIOS bios
inner join v_GS_OPERATING_SYSTEM os on bios.ResourceID = os.ResourceID
inner join v_GS_MDM_DEVDETAIL_EXT01 mdm on os.ResourceID = mdm.ResourceID
```
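The bulk-import step described in the post, as an added PowerShell example (not treestryder's code): it takes rows shaped like the query result, drops rows that would make the whole file fail (missing or non-base64 hash, repeated serial), and writes them out in small batches. The input column names are the query's; the output header and the unquoted-field layout are assumed from the Intune CSV import and the community Get-WindowsAutopilotInfo script, and the sample rows are constructed.

```powershell
# Added example, not from the thread. Rows are assumed to carry the query's column names:
# 'Serial Number', 'Windows Product ID', 'Hardware Hash', 'Order ID'.
function ConvertTo-AutopilotImportBatches {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,   # e.g. the result of Invoke-Sqlcmd for the query
        [Parameter(Mandatory)] [string]   $OutDir,
        [int] $BatchSize = 100                      # constructed default; keep batches small so imports do not time out
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $seen  = @{}
    $clean = foreach ($r in $Rows) {
        $serial = ([string]$r.'Serial Number').Trim()
        $hash   = ([string]$r.'Hardware Hash').Trim()
        # Rows with no hash (inventory class not collected yet) or a repeated serial are dropped:
        # one bad row is enough for the portal to reject the entire file.
        if (-not $serial -or -not $hash -or $seen.ContainsKey($serial)) { continue }
        try   { [void][Convert]::FromBase64String($hash) }   # the hash must be valid base64
        catch { Write-Warning "Skipping ${serial}: hardware hash is not base64"; continue }
        $seen[$serial] = $true
        [pscustomobject]@{
            'Device Serial Number' = $serial
            'Windows Product ID'   = [string]$r.'Windows Product ID'
            'Hardware Hash'        = $hash
            'Group Tag'            = [string]$r.'Order ID'
        }
    }
    $clean   = @($clean)
    $written = @()
    for ($i = 0; $i -lt $clean.Count; $i += $BatchSize) {
        $last = [Math]::Min($i + $BatchSize, $clean.Count) - 1
        $path = Join-Path $OutDir ('autopilot-batch-{0:D3}.csv' -f ([int]($i / $BatchSize) + 1))
        # Unquoted fields, the same shape the Get-WindowsAutopilotInfo script emits.
        $clean[$i..$last] | ConvertTo-Csv -NoTypeInformation |
            ForEach-Object { $_ -replace '"', '' } | Out-File -FilePath $path -Encoding ascii
        $written += $path
    }
    return $written
}

# Constructed sample rows standing in for the query result; the hashes are random bytes, not real hardware hashes.
$rng    = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$sample = foreach ($n in 1..5) {
    $bytes = New-Object byte[] 64; $rng.GetBytes($bytes)
    [pscustomobject]@{ 'Serial Number' = "SAMPLE$n"; 'Windows Product ID' = ''; 'Hardware Hash' = [Convert]::ToBase64String($bytes); 'Order ID' = 'Default' }
}
$sample += [pscustomobject]@{ 'Serial Number' = 'SAMPLE1'; 'Windows Product ID' = ''; 'Hardware Hash' = 'not-base64!'; 'Order ID' = 'Default' }  # duplicate serial, dropped
ConvertTo-AutopilotImportBatches -Rows $sample -OutDir (Join-Path $env:TEMP 'autopilot-batches') -BatchSize 2
```

The function returns the paths of the files it wrote, which you then upload one at a time in the Autopilot devices import dialog.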
- moffrenasuni Copper Contributor
Hopefully this is a better question... Will there be a much easier way to re-assign a user to a machine that's enrolled without having to wipe the machine? For example: during the on-prem days, you could easily delete a profile and have anyone within the network log in and they were good to go.
- treestryder Iron Contributor
You might be interested in an Autopilot Reset.
However, I find most people do not understand the nuanced difference between each of the various reset/wipe options. Also, a full reset cures many ills. So, I require my team to always perform a full protected wipe (checking the "wipe until clean" box), as soon as it is known that a device will no longer be in service, or its role / user will change. With only wiped devices on the shelf, they are at the ready for their next life.
In order for this workflow to succeed, everything must be managed (or eliminated) and synchronized (OneDrive, Enterprise State Roaming, Edge sync, etc). Such that a new user can follow the prompts, then use the Company Portal, to get their PC into a working state.
- treestryder Iron Contributor
Sorry, I misread your question. Hung is correct, once a device is enrolled, anyone can log in.
You might also be interested in Self-Deploying enrollment profiles and Shared PC policy. Though, using this model you will want to use device licensing for Office and Windows Enterprise, then assign any exceptions to your base configuration using device groups.
https://docs.microsoft.com/en-us/mem/autopilot/self-deploying
- Hung_Dang
Microsoft
Autopilot has shared device mode that ends the device up on the Windows logon screen where any AAD user can logon, although users on the device have Standard User access. Are there other functional requirements you'd like to see added to that mode?
- Heather_Poulsen
Community Manager
We're halfway through today's Windows Autopilot enrollment AMA. Keep your questions—and suggestions on future feature prioritization—coming. Thanks!
- Jessie S Brass Contributor
When will we see Microsoft full LAPS support in Endpoint Management? For some organizations this is the last step to fully move away from Hybrid.
- NathanHartley Copper Contributor
I would like to see the "need" for local administrator access eliminated. I have never needed root access to my phone.
Through simplifying our configurations and attempting to manage everything through Intune (and the Company Portal), we have come close.
There are still hardware vendors not publishing drivers through Windows Update (*cough* Logitech) and software vendors not publishing their software in the Microsoft Store (*cough* Adobe). I think we as an industry need to push back on these vendors. What exactly is their resistance? Could there be a need that Microsoft has not accounted for, are these companies being lazy, or could they be taking advantage of the full-control admins grant to their PCs?
- Jason_Sandys
Microsoft
Windows and iOS are vastly different OSes with vastly different purposes and capabilities, so the comparison is not in any way equivalent, however, we have offered much more locked down and constrained commercial versions of Windows previously and these have not had any sort of significant success -- Windows RT and S Mode.
- Chad Simmons Iron Contributor
Azure AD LAPS is in private preview now for Windows 11 insider builds. See https://blogs.windows.com/windows-insider/2022/06/22/announcing-windows-11-insider-preview-build-25145/
- DanielDavila Brass Contributor
Chad, will this be backported to Windows 10?
- toanyonebutyou Copper Contributor
I support a lot of customers who have MEM/Intune as their only management solution. Will servers ever be eligible for management with MEM?
- Jason_Sandys
Microsoft
There are no current plans (nor have there ever been) to support Windows server OSes in Intune or MEM (apart from ConfigMgr). For Windows server OS management from Azure and the cloud, please see Azure ARC: https://docs.microsoft.com/en-us/azure/azure-arc/overview.
- ca_manc Copper Contributor
Is there a process to move Endpoint-registered devices (both Windows 10/11 and iPhones) to a different tenant without wiping and re-registering them? My client has purchased a new out-of-state company and has over 500 devices to move. Thanks
- Jason_Sandys
Microsoft
This depends upon a lot of factors not evident, but the short answer is that no, there is no direct way to do this, as Intune enrollment also relies on device identity in AAD which would also have to be "migrated", and there are no formal, built-in tools to accomplish either of these. There are paths, though, to facilitate this type of migration, but as implied, this is more than just running a set of tools. I suggest you contact your account team and/or Microsoft Consulting Services (or the consultant of your choice) for help with this.
- MarcoDS395 Brass Contributor
Hello to all. Thank you for this session. Would it be possible to ask 2 questions please?
  - Are there any future plans to allow BitLocker PIN options to be applied during the Autopilot setup, set to set a PIN?
  - Are there any further plans, when requesting device event logs, to pull down the entire event logs or specific event logs? I.e. I need to apply Controlled folder access; this is being blocked, and instead of me remoting into a device I could request the logs.
- Jessie S Brass Contributor
Marco, this would be great if the PIN was fully supported. At the moment, through searching the interwebs, we came across a blog where you can prompt the user to enter the PIN using ServiceUI and some PowerShell scripts; we also made sure that it has a level of security. We then took that and took it a step further. We made it so that when the system gets encrypted via Intune during or after Autopilot it prompts the user for a PIN, and then the user is able to set the PIN; if the user doesn't and closes the window, it prompts the user every 1 hour until the PIN is set. It works flawlessly for our use and also satisfies our security department's needs.
- MarcoDS395 Brass Contributor
Hi Jessie. Thank you for your response. This has been mentioned to me as well when I logged a call with MS support, that the PIN feature is not fully supported. Unfortunately our org has requested for this option to be enabled. I have trawled the net and have come across a few sites whose steps I've tried to replicate, and there are issues one way or another. So I have had to come up with my own little plan idea. If you have the opportunity to share the steps that you have taken, I would be more than happy to replicate this on my end as well. This will be really appreciated as well.
- Jason_Sandys
Microsoft
Hi Marcos, for the BitLocker PIN, it's an item of interest for the Windows team as the limitation isn't really specific to Intune. Also, the PIN as it exists today has other limitations that present challenges to many orgs. With that in mind, there is a solution being designed to address the actual business case here (adding an additional protector to mitigate hardware-based attacks on the TPM). For collecting additional logs, we consider adding items regularly. Which log specifically are you looking for? I'll pass this feedback on to the feature PM responsible. Keep in mind, though, that there is a balance of what we can and should collect, as we don't want to collect everything, as there is a resource impact and cost associated with this activity.
- MarcoDS395 Brass Contributor
Hi Jason. Thank you for your response and for taking the time to look into this. During the call it was mentioned that we should set up and configure Windows Hello. Our current environment is a hybrid; we did attempt to set up Windows Hello but it caused other issues, so we have disabled this. Our company Sec team requests that the device does have a BitLocker PIN. I have been able to create a "workaround" but was hoping that this would be something MS could possibly implement. Logs - I agree that the need to collect every log is unnecessary. Fully agree. The logs that I'm more specifically looking for are: Log name - Microsoft-Windows-Windows Defender/Operational; Source - Windows Defender. When Controlled folder access is configured to audit, all the audit logs are located in the above location. This log file basically logs ASR attempts. It would be really useful, if at all possible, to include this in the system diagnostics download. Orgs that want to enable Controlled folder access need to run the audit first. Thank you for your assistance.
- Rachelle_Blanchard
Microsoft
Admin response: This question was answered live. Please refer to the recording for more details.
- Samstar777 Copper Contributor
We are new to Autopilot. Can you help us with links, tips and tricks so that we achieve success in this Zero Touch journey?
- Rachelle_Blanchard
Microsoft
Admin response: This question was answered live. Please refer to the recording for more details.
- moffrenasuni Copper Contributor
Will there be an option (assuming there isn't) to force endpoint to update the manufacturer drivers during or post OS install? Either by getting the drivers directly from the Dell website or by allowing us, on the admin side, to manually update those drivers.
- NathanHartley Copper Contributor
Hardware vendors are now supposed to publish their drivers through Windows Update, using https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/. Though OEMs are allowed to inject drivers into their image, it is preferred that boot-start devices can use a generic Windows driver that is later replaced through Windows Update. Drivers for new devices are installed by Plug and Play, from Windows Update. If the driver has a user interface, it will automatically be installed and maintained by the Microsoft Store. As the vendor releases updates to their drivers, they are QA flighted through Partner Center and installed through Windows Update.
We have had fair success with Dell drivers. After a couple incidents, we have received a promise from support that we can hold them accountable if we find any new devices without drivers published in this way.
On the other hand, Lenovo refuses to publish their drivers through Windows Update and requires us to use their own update mechanisms.
Though my company is fine with drivers updating whenever hardware vendors make them available, some time ago, the Intune team announced they will have a mechanism for controlling when device drivers are made available. Haven't seen it yet.
Here are two links to bookmark for finding devices with drivers published in the modern way before purchasing them. Wish there was a more reliable way to make this determination. Maybe the community should create a list of PCs (and devices) that really are "Autopilot ready".
- https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/windows-certified-products-list
- https://www.catalog.update.microsoft.com/Home.aspx
- Olaf_Thyssen Brass Contributor
We're relying on Windows Update for Business (incl. drivers) for approx. three years now: 70% Lenovo, 30% Dell machines across the globe.
Vendor tools like Lenovo ThinkVantage and Dell Command Update aren't allowed due to their frequent vulnerabilities, and they are removed if found.
Contribution
- Lenovo is contributing to WUfB, even BIOS and firmware updates. We haven't bricked any device yet ... and we have up-to-date BIOS across Lenovo devices.
- Dell isn't contributing.
Drivers
Lenovo and Dell devices are receiving the OEM drivers like Intel, Realtek, ELAN, Synaptics, NVidia via WUfB quite nicely. We neither need the vendor update tools nor their driver packages.
NVidia surprised us twice in the past: they offered a driver through WU which caused a black screen on some Dell CAD machines, and a rollback to an older driver was needed.
For the NVidia scenario I'm desperately waiting for the public preview of the driver management via the Intune portal (right now there is only the Microsoft Graph implementation):
Deployment service for driver updates public preview coming soon - Microsoft Tech Community
- RobdeRoos Iron Contributor
HP has a tool that does this, if I remember correctly. It uses proactive remediation. I haven't seen a solution yet from within Intune itself.
- deanwoods Copper Contributor
Hi Rachelle, I'm not sure this was fully answered. Danny Guillory Jr said he assumed it would... it would be good to get this clarified please.
- Thirunavukarasu_Jayave Copper Contributor
In the Hybrid AD join, I am seeing two device names whenever we try to add manually in any sec group or anywhere. I know one is for Intune with a GID and another one is for Azure AD (GID). Can you please explain why you need two GIDs and how we can solve this duplication?
- Rachelle_Blanchard
Microsoft
Admin response: This question was answered live. Please refer to the recording for more details.
- Hung_Dang
Microsoft
I'm assuming you're referring to seeing two AAD objects at the end of Autopilot HAADJ flow? If so, that's a technical constraint due to the design. One object is precreated when you register the device into Autopilot, and the subsequent one is created when the device gets AAD-registered near the end of the process. Both have their purposes, and it's on our backlog to combine them into one.