Windows. Cloud. Management. Your questions answered.
Event Ended
Wednesday, Nov 29, 2023, 07:30 AM PST
Event details
If you are stuck in your journey to the cloud -- or have questions about the ins and outs of Windows Autopilot, Microsoft Entra Join (formerly Azure AD Join), policy management -- come ask the experts! This live question-and-answer session with product managers and engineers is all about you - your environment, your endpoints, your scenarios and use cases, your questions. Together, let's triage, troubleshoot, and triumph over those big challenges or little bumps in the road. And, if you love Intune, we want to hear about that, too!
This session is part of the Microsoft Technical Takeoff: Windows + Intune. Add it to your calendar, RSVP for event reminders, and post your questions and comments below! This session will also be recorded and available on demand shortly after conclusion of the live event.
Char_Cheesman
Updated Dec 27, 2024
- Nathan_Lockwood (Brass Contributor)
Any plans on evolving the Autopilot ESP with things such as application ordering, running scripts, or allowing for user input (for example, asking a user to set a BitLocker PIN for power-on)?
- Hung_Dang
Microsoft
Scripts can actually be run now during Autopilot, but aren't really displayed on the ESP explicitly. It's run right after the Intune Management Extension is installed during the ESP under the category that says "Preparing your device for mobile management". NOTE: The installation time and the scripts' run time have a max before the ESP times out (20 minutes, I think?), and so be very careful how long those scripts run.
- Char_Cheesman (Bronze Contributor)
Thanks for participating in today's Windows. Cloud. Management. Your questions answered! For reference, the panel covered this topic at around 42:05.
- RobdeRoos (Iron Contributor)
Great question!!!
- RobdeRoos (Iron Contributor)
Conflict resolution is sometimes not reporting the conflicting policy. Even Windows OS and Defender for Endpoint baselines have conflicting policies.
It would be great to see better conflict reporting. CoPilot will help in a major way I believe.
Also, a report with all issues (compliance not in order, conflicting policies, application deployment issues, etc.) in one dashboard-like view that can be exported would be really nice.
- Ali11CH (Iron Contributor)
Will we soon be able to access remediations from the Devices (preview) blade in Intune? Currently have to switch back to get to remediations. Apart from that, am loving the Devices preview.
- JustinWinterberg (Copper Contributor)
Are there any recommendations on how to do bare-metal OS deployments when you're on Intune + Autopilot? Going through the OEM is not always possible and MDT is not supported for Windows 11. Running ConfigMgr just for OS Deployment does not make much sense either.
- RobdeRoos (Iron Contributor)
Who is the dude from Houston that has an MDT alternative? Can anyone point me to that solution?
- Nathan_Lockwood (Brass Contributor)
Some of the vendors like HP have some OEM recovery options where you can reload the device through BIOS or even set up a custom solution hosted in Azure.
- Hung_Dang
Microsoft
For bare-metal OS deployments, you have two options for getting devices registered into Autopilot: 1) manually pull each device's hardware hash from the device itself, and upload it into the Intune portal, or 2) create an Autopilot profile (assigned to the All Devices virtual group) with the option enabled to "convert" devices to Autopilot (i.e., register those devices). Option #1 is time consuming. Option #2 means that the first time the device boots up, it doesn't have the Autopilot experience (except, if you use the "Autopilot for existing devices" feature). Hope this helps, Justin! -- Hung
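Hung's option 1 above, pulling the hardware hash from each device locally, looks like this in PowerShell. This is an added example, not code from the event thread or from Microsoft's own Get-WindowsAutoPilotInfo script; the output path is an assumption, and the CIM class and CSV column headers are the ones the Intune manual-import documentation uses.

```powershell
# Added example (not from the event thread or any Microsoft script): gather the
# Autopilot hardware hash from a device locally, which is Hung's "option 1" above.
# Run in an elevated PowerShell session on the device being registered.

$outputFile = 'C:\Temp\AutopilotHWID.csv'   # assumed path; change as needed

# The hardware hash is exposed through the MDM bridge WMI provider.
$devDetail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' `
    -ClassName 'MDM_DevDetail_Ext01' `
    -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"

if (-not $devDetail) {
    throw 'Could not read MDM_DevDetail_Ext01; run this elevated on a supported Windows build.'
}

$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
$hash   = $devDetail.DeviceHardwareData

# Build the row in the column layout the Intune Autopilot import dialog accepts.
$row = [pscustomobject]@{
    'Device Serial Number' = $serial
    'Windows Product ID'   = ''        # optional column; left blank here
    'Hardware Hash'        = $hash
}

New-Item -ItemType Directory -Path (Split-Path $outputFile) -Force | Out-Null
$row | Export-Csv -Path $outputFile -NoTypeInformation -Encoding ASCII

# Sanity checks before upload: the serial must be present and the hash is a
# long base64 blob (typically several thousand characters).
if ([string]::IsNullOrWhiteSpace($serial)) {
    Write-Warning 'BIOS serial number is empty; Intune will reject this row.'
}
if ($hash.Length -lt 1000) {
    Write-Warning 'Hardware hash looks too short; check that the device supports Autopilot.'
}

Write-Host "Wrote $outputFile for serial $serial"
```

Rows from several devices can be concatenated into one CSV (keep a single header line) and uploaded under Devices > Windows > Windows enrollment > Devices in the Intune portal. The hash is what lets a tenant claim the device at first boot, so treat the collected CSV as an asset inventory artifact: keep it in a controlled location and remove it once the import succeeds.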
- lwkvic (Copper Contributor)
Is there an easier UI/UX to configure mass storage device access rather than OMA-URI? The Microsoft documentation instruction is not very clear as well.
- Jason_Sandys
Microsoft
Hi Vicky, assuming you are referring to removable storage here, have you tried the steps documented at https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/deploy-manage-removable-storage-intune?view=o365-worldwide#deploy-removable-storage-access-control-by-using-intune-user-interface? Here's a supplemental blog post as well that should help with using OMA-URI: https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/protect-your-removable-storage-and-printers-with-microsoft/ba-p/2324806
- frwhite1290 (Copper Contributor)
Are there any plans to add the ability for prerequisites to MS Store apps? Or the ability to buy/bulk-buy MS Store apps to distribute to managed devices, since MS Store for Business is deprecated?
- Joe_Lurie
Microsoft
frwhite1290 Intune only allows Store apps that are free, so there is not now, nor will there be, an option to deploy in bulk "paid" apps. For something like that, you'd have to reach out to the ISV and deploy the app as an LOB or Win32 app. Alternatively, if there is a free option available, you can install that with Intune and then enter the subscription information however the ISV has that configured.
- Travis Port (Occasional Reader)
Any plans to enhance / add hierarchical administration? For example, the ability to automatically and dynamically group devices by physical site / office location so we can assign admin permissions to the local IT resources at those locations without giving them admin access to the entire fleet.
- Joe_Lurie
Microsoft
Travis Port Thanks for the feedback. This is a common ask and something we are investigating. Keep your eyes open to https://aka.ms/IntuneInDev and https://aka.ms/M365Roadmap as these are where it'll be posted once we start building such a solution.
- Dylangould (Brass Contributor)
When testing using Autopilot for Hybrid devices, I am seeing two device entries get created in Entra ID for the one device. How do we properly maintain those? Only one of them is managed by Intune and the other one is not, but the entries are linked together in a backend way. So if you have any device-based groups, it's hard to know which entry to add to the group, since you can't see which one is managed on the Member Add screen inside Intune. Also, it seems to make some features like wiping a device more complicated, as you have to do other steps than just clicking wipe in Intune and it re-enrolls itself with no issues...
- DaneaGalbraith (Iron Contributor)
We have hybrid devices coming in from AD Connect and were initially imaged with SCCM. We show multiple entries, but there is an entry that is an empty Join type. Then there is another entry that is Hybrid Join without a user account attached. What is the empty Join type entry?
- Char_Cheesman (Bronze Contributor)
Thanks for participating in today's Windows. Cloud. Management. Your questions answered! For reference, the panel covered this topic at around 39:15.
- Hung_Dang
Microsoft
That's correct that there are two Entra ID device objects at the end of Autopilot into Hybrid. The first object is the one for device registration into Autopilot in the first place. The intent is that that device object is joined to specific groups before the device is deployed, and then the policies assigned to the group are applied during deployment. The second object is created that reflects the device object in AD (primarily for authentication purposes). That second object should be joined to the same groups as the first object, and so the policies still apply. In general, if you change groups for the device AFTER deployment, the best practice is to move BOTH device objects, since that device could be reset at any time, at which time the first object takes effect (and this assumes you want the new group's policies to apply even after reset). Hope this helps, Dylan! -- Hung
- aeg42 (Copper Contributor)
Is it entirely a pipe dream to hope that management of server OS will ever come under Intune?
- Char_Cheesman (Bronze Contributor)
Thanks for participating in today's Windows. Cloud. Management. Your questions answered! For reference, the panel covered this topic at around 28:00.
- ZebSmith (Brass Contributor)
The free developer tenants (the last I checked) didn't have all of the Defender licenses available. Will we ever see that change? It would be nice to have a way to do some testing with MDE. We can get a 30-day trial, but it can be a pain to set everything up from scratch every time.