AMA: Enrolling modern devices with Windows Autopilot
Event details
Interested in the simplified Autopilot device enrollment flows? Do you have questions about pre-provisioned devices? Curious about advanced app and policy configuration during Windows Autopilot enrollment? Using Windows Autopilot today and want to catch up on the latest changes?
Join us for a special Ask Microsoft Anything (AMA) live stream on Windows Autopilot.
This is a great opportunity to learn from Microsoft experts. Add this event to your calendar, RSVP to receive notifications, then join us here for the live stream on the Tech Community on Thursday, July 21st.
Submit your questions anytime during the hour or post them early in the Comments below.
128 Comments
- NathanHartleyCopper Contributor
We recently found several models of our deployed Dells, with old-school drivers injected, which break when wiped. Is there a way to determine which manufacturers and models have clean copies of Windows with modern boot drivers?
- JuanitaBaptiste
Microsoft
Hi Nathan, we currently don't have a method to do this in Intune, but driver updates are something that we are looking into. With that line of thinking, it would mostly be for IT pros to apply updates during the device lifecycle.
- Olaf_ThyssenBrass Contributor
Is there a list of settings which could cause a reboot during ESP? I learned that only Win32 apps should be installed and not mixed with MSI, but security settings via the Endpoint Protection section or config profiles can have an impact.
- Hung_Dang
Microsoft
Here are some: https://docs.microsoft.com/en-us/mem/autopilot/policy-conflicts But it doesn't contain a full set, I think. I'll take a follow-up to publish the full set.
- jedial19 19Copper Contributor
This isn't a complete list, I'm sure, but here are a couple of blog posts I used when struggling through this issue. The main one that gets most admins is Windows Update Rings. Our main issue regarding the reboot was the loss of the MFA token. We had previously blocked user ESP and decided to unblock this, as user ESP will re-prompt for MFA if the token does not exist. https://ccmexec.com/2020/01/autopilot-esp-and-extra-login-reboots/ https://workplaceascode.com/2021/01/13/unexpected-autopilot-restart/
- NathanHartleyCopper Contributor
jedial19 19, I read those posts and cannot bring myself to assign device-wide configurations to users. Over two-thirds of our PCs are either shared or kiosks. These would not get the policies assigned until a user logs in, most of our device-wide configurations are specific to the device's role, not the user, and I can see a situation where wandering users might apply configurations in places it doesn't make sense.
I feel like the better solution would be to create https://feedbackportal.microsoft.com/feedback/forum/ef1d6d38-fd1b-ec11-b6e7-0022481f8472 entries for anything that breaks the enrollment flow and have the community pile on the up votes for them. I'll vote for them.
Ironically, we have many of those types of configurations assigned and never knew we were suffering. For us, that was just the way it worked. 😃
- WZebSmithBrass Contributor
Thanks for hosting the AMA! Will we ever be able to build an AAD group based on more detailed inventory data such as "Application X version 12.3 is installed", or is this something that will remain in MECM? This is one of the biggest limitations in Intune.
- Hung_Dang
Microsoft
That's something I've never heard a request for. Could you elaborate on the use case for such a feature?
- WZebSmithBrass Contributor
It would be an analog to a Device Collection with a query rule in MECM. If we could build an AAD group, for example, that includes any devices that have "Adobe Reader version 12.3" installed, we could use it to target an upgrade to "Adobe Reader version 12.4".
- srobin1Brass Contributor
Almost every part of Endpoint and CA is getting templates, such as the CA templates for creating MFA profiles, which are common best practices now. Will there be something like that coming to Autopilot?
- Hung_Dang
Microsoft
Templates are a good idea in general for starting. Autopilot is a special beast; it's a flow that aggregates policies and apps from across the spectrum of such content. So as such, it's an aggregator of templates, if you will. That's not different than the MEM default model that one creates profiles and assigns them to users or devices.
- Thirunavukarasu_JayaveCopper Contributor
Is there any way for me to go and check who all the OEM partners are that have been granted access to enroll devices in my tenant?
- Thirunavukarasu_JayaveCopper Contributor
Hanna, can you please be more specific about where I can get the details? My bad, I am not able to find it.
- JuanitaBaptiste
Microsoft
You should be able to check this in Microsoft Store for Business; log in with admin credentials. https://businessstore.microsoft.com/ > Manage > Partners tab on the left.
- Hung_Dang
Microsoft
Try looking on the Microsoft Admin Center, since it holds the record of such relationships.
- NathanHartleyCopper Contributor
For three years, our biggest problem with Autopilot has been Enrollment Profile assignment via Group Tags. We would prefer there was a drop-down to select a profile, as is available in the Store for Business and in Intune for iOS/iPadOS, and most of all.... wish Enrollment Profiles would assign and change faster.
- Hung_Dang
Microsoft
We wish dynamic group evaluations were faster, too. 🙂 The core reason for the latency is scalability. While what's fast for one person could be slow for another, depending on usage, we're always looking for opportunities to improve latency.
- NathanHartleyCopper Contributor
I wouldn't blame it all on Azure AD. Though we have seen periodic delays (upwards of 24 hours) in dynamic updates, most of the time we are waiting for the Enrollment Profile assignment to happen, long after the device's dynamic groups have updated.
- Justin_StaplesCopper Contributor
We are using Hybrid Join with our Autopilot (I know! I know!). That said, we tend to see the enrollment error 80180005 pretty frequently with no real pattern towards cause. Our Domain Join naming is very simplified as well. Any other tricks to look at to identify why we see this error so much?
- Hung_Dang
Microsoft
That's a pretty generic error. You could try to look in the device's event logs for events that reference that error code, and see if the events around it provide the detailed reason.
- Justin_StaplesCopper Contributor
So for additional context, we have worked with our FastTrack team for over a month to really dig into this issue, and as of yesterday they still don't have a solid answer for our configuration. At first we were able to delete the Autopilot PC object as well as the AAD object related to it, then re-upload the device hash and reassign all our profiles, and several devices that previously would fail could then complete. But now we have devices that won't work even after the above steps are done several times. We use Lenovo as our OEM, and a pretty much "retail" Enterprise ISO Win 10/Win 11.
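One way to do what Hung suggests, as an added example that is not part of the original thread and not a Microsoft tool: a PowerShell script that searches the local enrollment-related event channels for the error code (0x80180005 from the question, passed as a parameter) and prints the events around each hit. The channel name patterns, the time window and the context size are my choices; the script must run elevated on the device that failed. Because event text is not consistent about how it renders an HRESULT, the pattern also matches the signed and unsigned decimal forms of the same code.

```powershell
# Added example (not from the thread): find events that reference an enrollment HRESULT
# and show the neighbouring events so the real cause is visible. Run in an elevated
# PowerShell on the device that failed enrollment.
param(
    [string]$HResultHex    = '0x80180005',   # code from the question; any 0x HRESULT works
    [int]   $ContextEvents = 3,              # events to print before and after each hit
    [int]   $Hours         = 48              # how far back to search
)

# Event text may carry the code as hex, as a signed Int32 or as an unsigned number,
# so match all three renderings.
$unsigned = [Convert]::ToUInt32($HResultHex.Substring(2), 16)
$signed   = [BitConverter]::ToInt32([BitConverter]::GetBytes($unsigned), 0)
$pattern  = '(?i){0}|(?<![\d-]){1}(?!\d)|(?<!\d){2}(?!\d)' -f [regex]::Escape($HResultHex), $signed, $unsigned

# Channels I would look at for Autopilot / MDM enrollment problems (wildcards so a
# channel that does not exist on this build is simply skipped).
$channels = Get-WinEvent -ListLog 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/*',
                                  'Microsoft-Windows-ModernDeployment-Diagnostics-Provider/*',
                                  'Microsoft-Windows-User Device Registration/*',
                                  'Microsoft-Windows-AAD/*' -ErrorAction SilentlyContinue |
            Where-Object { $_.RecordCount -gt 0 }

$since = (Get-Date).AddHours(-$Hours)
$hits  = 0

foreach ($ch in $channels) {
    # Oldest first so the context reads chronologically; @() keeps a single event indexable.
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = $ch.LogName; StartTime = $since } `
                            -ErrorAction SilentlyContinue | Sort-Object TimeCreated)
    for ($i = 0; $i -lt $events.Count; $i++) {
        if (-not ($events[$i].Message -match $pattern)) { continue }
        $hits++
        $lo = [Math]::Max(0, $i - $ContextEvents)
        $hi = [Math]::Min($events.Count - 1, $i + $ContextEvents)
        Write-Output ("`n=== {0}: event {1} at {2:u} ===" -f $ch.LogName, $events[$i].Id, $events[$i].TimeCreated)
        foreach ($e in $events[$lo..$hi]) {
            $mark  = if ($e.RecordId -eq $events[$i].RecordId) { '>>' } else { '  ' }
            # First line of the message only; pipe the hit to Format-List for the full text.
            $first = ([string]$e.Message -split "`r?`n")[0]
            Write-Output ('{0} {1:u} [{2}] {3}' -f $mark, $e.TimeCreated, $e.Id, $first)
        }
    }
}

if ($hits -eq 0) {
    Write-Output "No events mentioning $HResultHex in the last $Hours hours; widen -Hours or collect the built-in MDM diagnostics (MdmDiagnosticsTool.exe -area Autopilot -cab C:\autopilot.cab)."
}
```

The events immediately before the hit (marked `>>`) are usually the useful ones: the failing step and its own, more specific, error appear there, while the generic code is what gets surfaced to the user.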
- JamesAnderson777Copper Contributor
Can application installs be weighted or prioritized? For example, we only install minimal applications during the Autopilot process, such as security apps, and would like the first application installed by Intune to be Office after the initial AP deployment.
- Hung_Dang
Microsoft
This is the purpose of the Enrollment Status Page. In it you have the ability to select specific Win32 apps to be tracked during the ESP in OOBE. Those apps are installed first before others.
- JamesAnderson777Copper Contributor
Yes, but as per the AMA discussion when asked about deploying to machines on slow internet connections or when you want the quickest 'to the desktop' experience: Office is a large install and could affect the end user experience or slow down completion of the 'app deployment' phase during the Enrollment Status Page process. So after getting to the desktop we want to prioritize applications that are essential to the user workflow.
- Jason_Sandys
Microsoft
We are currently investigating adding some lightweight-type orchestration to app deployment during Autopilot. There's nothing specific to share other than this generic statement at this time, however, if you could supply the core business-centric reason for why you need this, that will help us design the feature better as well as justify its need.
- sreedharvsCopper Contributor
Given the hybrid and remote working that is widely prevalent, this also means potentially interrupted network connectivity (e.g. switching Wi-Fi access points). Are there plans to make AutoPilot robust and sensitive to such a user environment so that it does get into any retry modes in an extended manner?
- Hung_Dang
Microsoft
We always try to make the Autopilot flow robust to network blips. Since the flow is so complex and spans a ton of components, there may be some portions that aren't as resilient as they could be. Having said that, we do have some ideas on our backlog to improve network resilience.
- Bill845Copper Contributor
In a co-managed device environment, is it possible for the patches to be deployed from SCCM when in domain and via Internet when connected remotely, simultaneously?
- Chad SimmonsIron Contributor
As Danny mentioned, this is a 2 part question and there isn't a simplistic answer.
1) Where is the update scan coming from? ConfigMgr/WSUS or Windows Update for Business?
WUfB policies can be configured from Intune, ConfigMgr, or GPO/registry keys. ConfigMgr will use the Software Update Point, but dual-scan can be allowed so the answer can be both.
2) Where is the update content coming from?
ConfigMgr can allow clients to use Microsoft Update for content missing from distribution points or force the traffic to be within the network (Distribution Points and P2P).
WUfB (Delivery Optimization) will utilize Microsoft Update for content but can also use P2P and the Microsoft Connected Cache (DO in-network cache).
If you want to get really specific with a scenario, please post comment with as much detail as possible.
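A quick way to answer Chad's two questions on a given device, as an added example that is neither Chad's nor Microsoft's code: a PowerShell function that reads the policy registry locations where GPO/ConfigMgr (Policies\Microsoft\Windows\WindowsUpdate and Policies\Microsoft\Windows\DeliveryOptimization) and Intune MDM (SOFTWARE\Microsoft\PolicyManager\current\device) write Windows Update and Delivery Optimization settings, and summarizes the scan source and the content source. The interpretation of the values (UseWUServer/WUServer means WSUS or the ConfigMgr software update point, DisableDualScan=1 blocks the additional Windows Update scan, DODownloadMode 0/1/2/3/99/100) follows the documented meanings; the MDM-side value names I check are an assumption and may differ by build. ConfigMgr's own "fall back to Microsoft Update" option is a deployment setting and is not visible in the registry, so the function only reports that the client is present.

```powershell
# Added example (not from the thread): summarize where this device scans for updates
# and where it gets update content, from the policy keys that GPO/ConfigMgr and Intune
# (MDM) write. Read-only; run as an admin so the HKLM policy keys are fully readable.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-UpdateSourceReport {
    $wu  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au  = "$wu\AU"
    $do  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
    $mdm = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device'   # assumption: MDM policy cache

    $useWsus   = Get-RegValue $au 'UseWUServer'        # 1 = scan against WUServer (WSUS / ConfigMgr SUP)
    $wsus      = Get-RegValue $wu 'WUServer'
    $dualScan  = Get-RegValue $wu 'DisableDualScan'    # 1 = do not also scan Windows Update
    $deferGpo  = Get-RegValue $wu 'DeferQualityUpdatesPeriodInDays'
    $deferMdm  = Get-RegValue "$mdm\Update" 'DeferQualityUpdatesPeriodInDays'
    $doModeGpo = Get-RegValue $do 'DODownloadMode'
    $doModeMdm = Get-RegValue "$mdm\DeliveryOptimization" 'DODownloadMode'
    $cacheHost = Get-RegValue $do 'DOCacheHost'        # Microsoft Connected Cache host, if set by policy
    $ccmClient = $null -ne (Get-Service -Name CcmExec -ErrorAction SilentlyContinue)

    # 1) Scan source: WSUS/SUP if a WUServer policy is in force; a WUfB deferral policy
    #    on top of that means a second (dual) scan against Windows Update unless disabled.
    $wufbPolicy = ($null -ne $deferGpo) -or ($null -ne $deferMdm)
    if ($useWsus -eq 1 -and $wsus) {
        if ($dualScan -eq 1)  { $scan = "WSUS/SUP only: $wsus (dual scan disabled)" }
        elseif ($wufbPolicy)  { $scan = "WSUS/SUP $wsus AND Windows Update (dual scan: WUfB deferral policy present, DisableDualScan not set)" }
        else                  { $scan = "WSUS/SUP: $wsus" }
    } else {
        $scan = 'Windows Update / Windows Update for Business (no WUServer policy)'
    }
    $wufbSource = if ($null -ne $deferMdm) { 'MDM (Intune)' } elseif ($null -ne $deferGpo) { 'GPO/ConfigMgr' } else { 'none' }

    # 2) Content source: the DO download mode decides peering; MDM value wins if both exist.
    $doNames = @{ 0 = 'HTTP only, no peering'; 1 = 'LAN peering'; 2 = 'Group peering';
                  3 = 'Internet peering'; 99 = 'Simple mode'; 100 = 'Bypass DO (BITS)' }
    $doMode  = if ($null -ne $doModeMdm) { $doModeMdm } else { $doModeGpo }
    $doText  = if ($null -ne $doMode -and $doNames.ContainsKey([int]$doMode)) { $doNames[[int]$doMode] }
               else { 'default (not set by policy)' }
    $cache   = if ($cacheHost) { $cacheHost } else { 'none' }

    [pscustomobject]@{
        ConfigMgrClientPresent   = $ccmClient
        ScanSource               = $scan
        WufbPolicySource         = $wufbSource
        DeliveryOptimizationMode = $doText
        ConnectedCacheHost       = $cache
    }
}

Get-UpdateSourceReport | Format-List
```

Run it on a device in the office and again on the same device over VPN or on home Wi-Fi: the registry answers question 1 directly, and the Delivery Optimization mode plus cache host tell you whether content will come from peers or the Connected Cache on-network or straight from Microsoft Update off-network.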
- Rachelle_Blanchard
Microsoft
Admin response: This question was answered live. Please refer to the recording for more details.
- Jason_Sandys
Microsoft
Yes. This is the entire point of using a Cloud Management Gateway: https://docs.microsoft.com/en-us/mem/configmgr/core/clients/manage/cmg/overview. There are other possibilities as well. Here's a nice blog we posted a couple of years back discussing this: https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-patch-tuesday-with-configuration-manager-in-a-remote/ba-p/1269444