I've noticed as of late (maybe in the past couple of weeks) that Autopilot requires 2 logins, one at the welcome screen, and another one at the account setup. We are expecting our users to log in, walk away, and come back to find their computers business ready. Now it looks like when they come back they have to log in again to finish the account setup. Is this change by design, or is there some configuration anomaly in my setup, since this introduces additional friction in the user's experience? I'm also finding that compliance and configuration policies often fail for the system account. Is there a way to alleviate that?
@derekliu I don't know about your Autopilot problem and I have not experienced the double login yet, but the system account not being compliant or failing with configuration policies is something I've had as well. Are you assigning the policies to the devices or to the users? If you assign policies to a device, it applies the policies to all accounts on that device, including the system account (which will usually bring trouble for the compliance and such). I've not had any cases in which the system account was actually needed in Intune. In almost all cases it is better to just assign the policies to the users. If they then change device, it will automatically migrate all policies and apps to that device as well. Only when you work with special shared devices is assigning them to the device itself useful (and even then there is a good case for user assignment). Simply reassigning the policies to users instead of devices won't make that system account go away in the portal though. You will have to delete the policy and make a new one, then assign it to the users only; then no system account will appear.
This is what I have found out from experience. I might be wrong but it has worked for me in the past. If someone wants to correct me about my policy assignment best practices, feel free to do so. I'm relatively new to Intune.
Hope this helps you with some of the problems you have.
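A quick way to check which of your compliance and configuration policies are device-targeted, as the reply above describes, is to read the assignments through Microsoft Graph. The script below is an added example for this thread, not something posted by either participant and not Microsoft's own tooling. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in admin account can read device management configuration and group membership; the `DeviceScoped` column name and the `Get-GroupMemberKind` helper are my own.

```powershell
# Added example (not from the thread): list Intune compliance and configuration
# policy assignments and flag the ones that target devices rather than users.
# Assumes the Microsoft.Graph PowerShell SDK and an admin with these read scopes.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All', 'GroupMember.Read.All' | Out-Null

$graph = 'https://graph.microsoft.com/v1.0'

function Get-AllPages {
    # Follow @odata.nextLink so large tenants and large groups are read completely.
    param([string]$Uri)
    $items = @()
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $page.value
        $Uri = $page.'@odata.nextLink'
    }
    return $items
}

$groupKindCache = @{}
function Get-GroupMemberKind {
    # Classify a group as 'users', 'devices', 'mixed' or 'empty' from its direct members.
    param([string]$GroupId)
    if ($groupKindCache.ContainsKey($GroupId)) { return $groupKindCache[$GroupId] }
    $types = Get-AllPages "$graph/groups/$GroupId/members?`$select=id" |
             ForEach-Object { $_.'@odata.type' } | Sort-Object -Unique
    $hasUsers   = $types -contains '#microsoft.graph.user'
    $hasDevices = $types -contains '#microsoft.graph.device'
    $kind = if ($hasUsers -and $hasDevices) { 'mixed' }
            elseif ($hasDevices)            { 'devices' }
            elseif ($hasUsers)              { 'users' }
            else                            { 'empty' }
    $groupKindCache[$GroupId] = $kind
    return $kind
}

# Policy collections to audit and the URL segment their assignments live under.
$sources = @{
    compliance    = 'deviceCompliancePolicies'
    configuration = 'deviceConfigurations'
}

$report = foreach ($kind in $sources.Keys) {
    foreach ($policy in (Get-AllPages "$graph/deviceManagement/$($sources[$kind])")) {
        $assignments = Get-AllPages "$graph/deviceManagement/$($sources[$kind])/$($policy.id)/assignments"
        foreach ($a in $assignments) {
            $target = $a.target
            $scope = switch ($target.'@odata.type') {
                '#microsoft.graph.allDevicesAssignmentTarget'       { 'all devices' }
                '#microsoft.graph.allLicensedUsersAssignmentTarget' { 'all users' }
                '#microsoft.graph.groupAssignmentTarget'            { 'group:' + (Get-GroupMemberKind $target.groupId) }
                '#microsoft.graph.exclusionGroupAssignmentTarget'   { 'exclusion group' }
                default                                             { $target.'@odata.type' }
            }
            [pscustomobject]@{
                PolicyType   = $kind
                PolicyName   = $policy.displayName
                Target       = $scope
                # Device-scoped assignments are the ones that also land on the system account.
                DeviceScoped = ($scope -eq 'all devices' -or $scope -in @('group:devices', 'group:mixed'))
            }
        }
    }
}

$report | Sort-Object DeviceScoped, PolicyType -Descending | Format-Table -AutoSize
```

Rows with `DeviceScoped` set to `True` are the candidates to recreate with a user assignment, per the advice above. Two caveats: a group with no direct members (or only nested groups) shows as `empty`, so check those by hand, and Settings Catalog profiles live under a different endpoint (`deviceManagement/configurationPolicies`, currently beta) and are not covered by this listing.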
@SamTeerlinck Thank you, we implemented this and yeah, it's working out a little bit better for us. We were still getting non-compliant for the "Require BitLocker" item no matter how many times we restarted (made sure there were no pending updates), so we switched over to the less stringent "Require encryption of data storage on device".
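When a device keeps reporting non-compliant on an encryption setting, the first thing to confirm is what BitLocker itself says on the endpoint, since a volume can be fully encrypted while protection is suspended (which is reported as not protected) or without a recovery password escrowed. The snippet below is an added example for this thread, not code from either poster; it assumes an elevated PowerShell session on a Windows 10/11 device with the built-in BitLocker and TrustedPlatformModule modules, and the `Get-BitLockerPosture` function name is my own.

```powershell
# Added example (not from the thread): summarize the OS-volume BitLocker state that
# Intune's encryption compliance settings depend on. Run elevated on the device.
function Get-BitLockerPosture {
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $tpm = Get-Tpm

    $protectorTypes = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    $posture = [pscustomobject]@{
        Volume              = $vol.MountPoint
        VolumeStatus        = [string]$vol.VolumeStatus      # expect FullyEncrypted
        EncryptionPercent   = $vol.EncryptionPercentage
        ProtectionStatus    = [string]$vol.ProtectionStatus  # Off means protectors are suspended
        EncryptionMethod    = [string]$vol.EncryptionMethod
        KeyProtectors       = ($protectorTypes -join ', ')
        HasTpmProtector     = ($protectorTypes -contains 'Tpm')
        HasRecoveryPassword = ($protectorTypes -contains 'RecoveryPassword')
        TpmPresent          = $tpm.TpmPresent
        TpmReady            = $tpm.TpmReady
    }

    # Plain-language findings a helpdesk tech can act on before touching the policy.
    $findings = @()
    if ($posture.VolumeStatus -ne 'FullyEncrypted') { $findings += "volume is $($posture.VolumeStatus) ($($posture.EncryptionPercent)%)" }
    if ($posture.ProtectionStatus -ne 'On')          { $findings += 'protection is suspended; run Resume-BitLocker' }
    if (-not $posture.HasTpmProtector)               { $findings += 'no TPM key protector' }
    if (-not $posture.HasRecoveryPassword)           { $findings += 'no recovery password protector to escrow' }
    if (-not $posture.TpmReady)                      { $findings += 'TPM is not ready' }

    $posture | Add-Member -NotePropertyName Findings -NotePropertyValue $findings -PassThru
}

Get-BitLockerPosture | Format-List
```

If everything here is green and the device is still marked non-compliant only for "Require BitLocker", the difference is in how the two settings are evaluated: "Require BitLocker" (under Device Health) is reported through Device Health Attestation, whereas "Require encryption of data storage on device" (under System Security) reads the local encryption state, which is why the latter can pass while the former lags or fails on a machine whose attestation report is stale.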