Event details
Looking to simplify setup and configuration for new devices? Let’s talk about Windows Autopilot! The engineering team will be on camera and ready to answer your questions. Whether you are seeking to better understand the differences between Windows Autopilot and Windows Autopilot device preparation—or get into the details of monitoring and reporting—this Ask Microsoft Anything (AMA) session is your chance to ask questions and get answers in real time.
On the panel: Joe Lurie, Maggie Dakeva, and Rob York
This event is part of the Tech Community Live: Windows edition.
110 Comments
- HeyHey16K
Iron Contributor
Thank you for answering my question about REQUIRED apps and using the ESP Block list Maggie.
I've read on the MS forum, and other blogs, that this block list does not prevent all REQUIRED apps installing, whether they're on the block list or not. Hence we haven't implemented this method. Is there any truth in this please? e.g. https://call4cloud.nl/autopilot-delay-apps-installation/
- HeyHey16K
Iron Contributor
Thank you everyone, and for responding to my question in the AMA recording, it is much appreciated 🙂
- Pearl-Angeles
Community Manager
In addition to Maggie's comment below, she also covered this question during the live AMA around 42:44.
- Maggie_Dakeva
Microsoft
Take a look at this: https://learn.microsoft.com/en-us/intune/intune-service/enrollment/windows-enrollment-status?source=recommendations#block-access-to-a-device-until-a-specific-application-is-installed. The behavior differs based on the mode and type of app. Hope this helps!
- YesaitRavanty
Copper Contributor
Hello Team,
With Autopilot Device Preparation, I always recommend customers disable personal devices from enrolling to Intune and thus Device Preparation requires these Corporate Device Identifiers to be uploaded to Intune. Is this the recommended approach? If so, would there be any easier ways to get the Corporate Device Identifiers uploaded to Intune? Right now, it requires that you manually pull it (similar to Hardware Hash) and requires device intervention.
Appreciate it in advance!
- Pearl-Angeles
Community Manager
Thanks for your participation in today's AMA. The panelists covered this topic around 44:13.
- ON2000
Brass Contributor
We previously used QuickCreate HyperV wizard with offline JSON provisioning (the JSON file injected into the Windows folder inside the VMDK). Today, we cannot offer this service any longer, because this offline JSON provisioning is no longer supported. We were told to use Corporate Identifiers, but it requires device intervention as YesaitRavanty said, because you need to pass the Corporate Device Identifier to the Intune Admin so that he/she adds it to Intune.
YesaitRavanty: there is no recommended approach as of today, as Device Prep seems still in early days: no device renaming (MS: yes, we understood that labeling on device name is bad. It is however useful when talking to your IT colleagues about A-devices, T-devices and C-devices, for Admins/Teachers/Classmates for example), no GroupTag (means there is no persistent variable, that is kept across new Windows OS reinstallations, like for example creating rings of devices using EntraID groups), no OOBE customization to bypass the privacy questions, and not much ability to recognize some basic company branding when device boots for first time so that you feel welcome.
- fduarteTMO
Copper Contributor
Hello Joe, it's been too long my friend. Intune/Autopilot/Azure has object IDs. When scripting processes, object IDs are a bit of a challenge. Are there any plans to make working with device objects easier?
- Pearl-Angeles
Community Manager
We appreciate your participation in today's AMA. This question was covered around 36:08.
- fduarteTMO
Copper Contributor
I'm referring to using Microsoft Graph and sorting out Autopilot object ID/Intune object ID/ Azure object ID.
- ChetanBS
Occasional Reader
Are there any plans for implementation on creating the dynamic group based on the ESP profile name?
- Pearl-Angeles
Community Manager
Thanks for participating in today's AMA! This question was answered at 33:00.
- Terry_Rutter
Copper Contributor
When using Autopilot for Entra-only devices I can select to rename the device using the %serial% variable. That option isn't available when using Autopilot for hybrid joined devices. I have to rename using %random% and then rename the device which creates multiple objects in Entra.
Is this something that's on the drawing board?
- Pearl-Angeles
Community Manager
This question was covered in today's AMA around 29:12. For more information, go to aka.ms/CloudNativeEndpoints
- Hung_Dang
Microsoft
The device actually is renamed to %serial% before MDM enrollment, but unfortunately is overwritten later when the device is hybrid-joined. This is a known pain point that's on our backlog.
- Fish_Tacos
Brass Contributor
I have trouble with what should and shouldn't be pushed in Autopilot. Do you have a Best Practice article or template for this?
Also what are your tips for troubleshooting Autopilot issues? What logs and sources should I look at?
- EricMoe
Microsoft
A few years back, Jon Callahan posted this blog that walks through recommendations for what apps to push in Autopilot: "Selecting Required Apps for your Enrollment Status Page" (Microsoft Community Hub). In terms of troubleshooting, check out https://learn.microsoft.com/en-us/autopilot/troubleshooting-faq
- Dirk-Official
Brass Contributor
Any plans of integrating asking the user for a BitLocker pre-boot PIN in the device prep process?
- Hung_Dang
Microsoft
Could you clarify the flow you're thinking of? It's not clear what "pre-boot" PIN here means.
- Dirk-Official
Brass Contributor
Pre-boot PIN: A PIN you need to provide before Windows actually can start. As this is user-defined, solutions like this one here are used quite often: https://oliverkieselbach.com/2019/08/02/how-to-enable-pre-boot-bitlocker-startup-pin-on-windows-with-intune/
- kbyers-sbhsd
Occasional Reader
How do we know if we need to delete a device from Intune before running Autopilot on it again? This is in regards to using self-deploying mode, with the https://learn.microsoft.com/en-us/autopilot/self-deploying mentioning this as a requirement, but then a later article mentions certain hardware manufacturers have fixed this?
- Pearl-Angeles
Community Manager
The panelists covered this topic around 22:27. They also encouraged you to go to aka.ms/AutopilotDocs for more information.
- Hung_Dang
Microsoft
You can have successive self-deploying (or pre-provisioning) deployments on devices from certain OEMs by selecting the device on the Autopilot Devices page and clicking Unblock between deployments. Hope this helps.
- HeyHey16K
Iron Contributor
How can we set Intune apps to REQUIRED without them installing during Autopilot (v1) please - i.e. so they don't try to install before Autopilot has finished?
Each time an app is set to REQUIRED we would have to re-test our Autopilot sequence, as sometimes apps cause issues with/break Autopilot. Also, sometimes, we do not want very big apps (e.g. AutoCAD) attempting to install during, and holding-up, Autopilot. Also, not all apps are REQUIRED for all users/devices, so we wouldn't be able to test each conceivable combination of REQUIRED apps etc. with our Autopilot sequence.
Could we have an option in the app settings for WHEN AUTOPILOT HAS FINISHED please? Or something similar?
- HeyHey16K
Iron Contributor
Thank you everyone, and for responding to my question in the AMA recording, it is much appreciated 🙂
- Pearl-Angeles
Community Manager
This question was covered at 24:48 during the AMA.
- HeyHey16K
Iron Contributor
Thank you. We do set most of our apps to AVAILABLE however some mandatory security or app updates we cannot leave to/rely on the users to self-serve from Company Portal (because they won't do it...). Maggie - I read in a few places that the Autopilot "Block list" still lets other REQUIRED apps install during Autopilot, which is why we haven't implemented this method. Is there any truth to this?
- ChetanBS
Occasional Reader
Are there any plans for capturing the custom log paths post Autopilot enrollment failure? Currently it captures only pre-defined logs by MS.
- Hung_Dang
Microsoft
There's a slew of logs captured today, and it'd be surprising you won't be able to use them. :) Configurability of auto-logs collection logs paths is on the backlog.