Event details
Looking to simplify setup and configuration for new devices? Let’s talk about Windows Autopilot! The engineering team will be on camera and ready to answer your questions. Whether you are seeking to better understand the differences between Windows Autopilot and Windows Autopilot device preparation—or get into the details of monitoring and reporting—this Ask Microsoft Anything (AMA) session is your chance to ask questions and get answers in real time.
On the panel: Joe Lurie, Maggie Dakeva, and Rob York
This event is part of the Tech Community Live: Windows edition.
110 Comments
- Mirkos92
Copper Contributor
Clarify my question not only a mindset SCCM.
Is there a simple way in Intune to deploy an app only to newly enrolled devices via Autopilot, without using scripts during Autopilot? Like a script to install apps from this specific data etc. (cit.: "intune-app-ps-script-based-enrollment-date"), or creating another Autopilot profile...
I’d like to avoid installing the app on existing devices and keep the process clean and automatic, because the requirement to install an app on the ESP status page is that you should have the app in "Required".
Regards. I hope maybe you have some advice... Thank you a lot in advance.
- HeyHey16K
Steel Contributor
+1 for this. It's a challenge we face too because whenever we want to amend something on our Autopilot (v1) sequence (e.g. change an app version deployed via it), there is no way to prevent it also deploying to every computer in our live estate. As all Autopilot devices (and therefore all devices in our live estate built by Autopilot) are dynamically added to a group based on the Group Tag during Autopilot. We have had to get creative in the past by using the group filters or creating a new Autopilot sequence with a new dynamic group based on Group Tag - but then this doubles up our admin overhead etc.
- ArunKumar-3819
Copper Contributor
How do we make sure that a device cannot be used for personal purposes and any other tenant, just like Windows Autopilot by uploading the hash value?
- Jason_Sandys
Microsoft
Hi ArunKumar-3819. Is this question specific to Windows Autopilot device preparation? Assuming so, there is no way to do this today, however, we are close to releasing a feature to enable this in the near future. Keep in mind though, that Autopilot registration along with this new feature are not security features and provide no guarantee that a specific device cannot be repurposed against your org's wishes. We make no explicit statement about this and cannot. At most, they are "best effort" controls to deter those with non-malicious intentions from doing something against an org's wishes.
- Paul_Woodward
Iron Contributor
We need to install apps in a particular order. This isn't a complicated ask, why make it complex? As it is, we have to use dependencies, which is a pain in the backside. Just give each blocking app a priority order, that's not task sequences. Examples: we need to prep the PowerShell environment before installing modules, we want to script updates at the end after all apps are installed.
- jackford
Copper Contributor
Hi,
In Autopilot, what is the recommended best practice for updating drivers and BIOS during the pre-provision process?
Thank you
- HeyHey16K
Steel Contributor
+1 for this. We currently have a PS script we run pre-Autopilot to check for and install all the latest Windows Updates etc. Microsoft announced they were going to start including the installation of the latest Windows Updates as part of Autopilot (ref MC891140), but it's been postponed.
- Heather_Poulsen
Community Manager
Thanks for joining us today! We'll keep this Q&A open through Friday so you can catch up on demand and continue to post your questions for the Autopilot team.
- Dirk-Official
Brass Contributor
The initial experience heavily depends on SSO working from the get-go. This is something we think could be improved (not speaking of our very special DMA-feature in Europe). Any plans on improving/optimizing the process involving receiving the PRT etc.?
- Jason_Sandys
Microsoft
Can you be more specific about exactly what you are talking about here? Are you referring specifically to hybrid join?
- Dirk-Official
Brass Contributor
No, in this case Entra-only, but it actually doesn't matter.
We need to approach a state where you log into Windows for the first time and any application (Teams, Word, Outlook, OneDrive, ...) is able to pull an SSO token from Windows - immediately. It's not like users are waiting for 10 minutes until everything has been set up in the background. We still have quite a few customers relying on custom splashscreens after the first login which are basically locking the screen until certain conditions have been met.
- jackford
Copper Contributor
Hi,
When using Autopilot, what is the recommended best practice to update drivers and BIOS during the pre-provision process? In my scenario, this is specific to devices such as Lenovo.
Thank you
- Bogdan_Guinea
Steel Contributor
Hi,
If you still need a solution for HP, kindly post that in the tech community under the Intune Topics and I will be happy to assist you on that.
Good luck!
- Paul_Woodward
Iron Contributor
We deploy drivers to our HP laptops with a PowerShell script wrapped as a Win32 app. It's a bit clunky, but it works. I don't know about Lenovo, but if you can script it, the approach should work.
- MichaelFleet
Copper Contributor
Thank you for answering my question about blocking setup for personal accounts.
To confirm, is it just the Enterprise SKU that will prevent users from logging in with personal accounts, or also the Pro SKU? What happens if the user attempts to log in with a personal account on these SKUs?
- Pearl-Angeles
Community Manager
Thanks for your questions! The panelist covered this topic around 47:09.
- HeyHey16K
Steel Contributor
Thank you for answering my question about REQUIRED apps and using the ESP Block list, Maggie.
I've read on the MS forum, and other blogs, that this block list does not prevent all REQUIRED apps installing, whether they're on the block list or not. Hence we haven't implemented this method. Is there any truth in this, please? E.g. https://call4cloud.nl/autopilot-delay-apps-installation/
- HeyHey16K
Steel Contributor
Thank you everyone, and for responding to my question in the AMA recording, it is much appreciated 🙂
- Pearl-Angeles
Community Manager
In addition to Maggie's comment below, she also covered this question during the live AMA around 42:44.
- Maggie_Dakeva
Microsoft
Take a look at this: https://learn.microsoft.com/en-us/intune/intune-service/enrollment/windows-enrollment-status?source=recommendations#block-access-to-a-device-until-a-specific-application-is-installed. The behavior differs based on the mode and type of app. Hope this helps!