AutoPilot Time Zone configuration and policy settings

%3CLINGO-SUB%20id%3D%22lingo-sub-1436616%22%20slang%3D%22en-US%22%3EAutoPilot%20Time%20Zone%20configuration%20and%20policy%20settings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1436616%22%20slang%3D%22en-US%22%3E%3CP%3EAll%20computers%20deployed%20via%20AutoPilot%2C%20AutoPilot%20Reset%2C%20or%20manual%20reset%20(settings%2C%20recovery%2C%20reset%20this%20PC)%20are%20deployed%20with%20the%20computer%20time%20zone%20being%20set%20to%20PST%20(Pacific%20Standard%20Time).%26nbsp%3B%20We%20are%20working%20with%20national%20and%20international%20customers%20that%20require%20AutoPilot%20computers%20being%20shipped%20globally%20but%20we%20are%20trying%20to%20deliver%20the%20%E2%80%9CZero%20Touch%E2%80%9D%20Out%20of%20the%20Box%20experience%20to%20the%20end%20user.%26nbsp%3B%20In%20order%20to%20maximize%20security%20our%20standard%20AutoPilot%20deployment%20profile%20sets%20%E2%80%9CUser%20Account%20Type%20%3D%20Standard%E2%80%9D.%26nbsp%3B%20Therefore%20when%20a%20computer%20is%20delivered%2C%20the%20recipient%20is%20unable%20to%20update%20their%20time%20or%20time%20zone%20without%20contacting%20support.%26nbsp%3B%20Additionally%2C%20if%20we%20try%20to%20assist%20the%20user%20with%20traditional%20web%20tools%20such%20as%20%E2%80%9CMS%20Quick%20Assist%E2%80%9D%20or%203rd%20Party%20tools%2C%20such%20as%20ConnectWise%2C%20Screen%20Connect%2C%20or%20TeamViewer%20the%20connection%20is%20established%20with%20the%20user%E2%80%99s%20credentials.%26nbsp%3B%20The%20moment%20the%20change%20is%20attempted%20MS%20User%20Access%20Control%20(UAC)%20kicks%20in%20and%20we%20are%20unable%20to%20see%20or%20assist%20with%20the%20dialogue%20box%20to%20enter%20alternative%20administrative%20credentials.%26nbsp%3B%20Our%20position%20is%20that%20we%20should%20be%20reducing%20software%20on%20computers%20to%20reduce%20the%20attack%20surface.%26nbsp%3B%20We%20should%20not%20have%20any%20administrative%20accounts%20on%20a%20local%20computer%20to%20reduce%20the%20attack%20surface.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20need%20to%20be%20able%20to%20set%20the%20clock%20automatically%20in%20Intune.%26nbsp%3B%20We%20also%20need%20it%20to%20be%20able%20to%20be%20changed%2Fupdated%20for%20travelling%20users%20in%20a%20Zero%20Touch%20manner.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EHow%20much%20revenue%2Fpipeline%20for%20your%20company%20is%20this%20impacting%3F%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20issue%20isn%E2%80%99t%20about%20revenue%20generation%20but%20is%20about%20reducing%20support%20expense%2C%20loss%20of%20productivity%20time%2C%20and%20time%20inaccuracies%20effect%20almost%20every%20aspect%20of%20computing%20from%20logs%20to%20file%20time%20stamps.%26nbsp%3B%20Everyone%20in%20the%20organization%2C%20except%20those%20individuals%20in%20the%20Pacific%20Time%20Zone%2C%20are%20effected.%26nbsp%3B%20Even%20those%20people%20in%20the%20PST%20are%20effected%20when%20they%20travel%20to%20any%20other%20time%20zone.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EHow%20many%20users%20total%20do%20you%20anticipate%20this%20impacts%3F%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EEvery%20one%20in%20the%20company%20is%20affected.%26nbsp%3B%20Since%20we%20support%20multiple%20companies%2C%20I%20can%20safely%20say%20that%20this%20effects%20all%20users%20in%20all%20companies%20that%20use%20Intune%20deployments%20at%20some%20point.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EIs%20this%20blocking%20the%20use%20of%20autopilot%20completely%3F%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENo%2C%20the%20inaccurate%20time%20stamp%20does%20not%20block%20the%20user%20of%20AP%20completely%20but%20unless%20corrected%20the%20issue%20has%20a%20severe%20negative%20impact%20on%20users.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EThe%20workarounds%20that%20I%20have%20attempted%20so%20far%20are%20described%20here%3A%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20uncovered%20an%20article%20by%20Microsoft%20MVP%2C%20Peter%20van%20der%20Woude%2C%20from%20the%20Netherlands.%20He%20developed%20a%20Custom%20Device%20Configuration%20Profile%20using%20and%20OMA-URI%20setting%20that%20can%20set%20the%20time%20zone%20for%20a%20user%20at%20the%20time%20of%20deployment.%20This%20saves%20the%20user%20from%20having%20to%20set%20their%20Time%20Zone.%20However%2C%20it%20is%20a%20one-time%20setting%20and%20the%20user%20cannot%20change%20their%20TZ%20without%20admin%20support.%20%26nbsp%3BIf%20traveling%20the%20user%20would%20need%20to%20manually%20change%20the%20setting%20to%20a%20new%20local%20time%20and%20again%20require%20admin%20support.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__www.petervanderwoude.nl_post_configure-2Dtime-2Dzones-2Dvia-2Dwindows-2D10-2Dmdm_comment-2Dpage-2D1_-3Funapproved-3D89325-26amp-3Bmoderation-2Dhash-3D9de6ea58c25259cc52d3eeb667f350ef-23comment-2D89325%26amp%3Bd%3DDwQFAg%26amp%3Bc%3DeuGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM%26amp%3Br%3DyKsLSm86zt8jK5ZDEGesTTPW3MHp0xB7xCK_xmog-tLe07-2Qs5zWI_mDITCO0ln%26amp%3Bm%3DTGSMZ5CtANEDt-Ot12cFMnoKUCCT91CNFX1LmSL6gCg%26amp%3Bs%3D-7tHQTavwpeI6D3XJ3qBezRbxzXRC_G_bOleCPz9eCo%26amp%3Be%3D%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fwww.petervanderwoude.nl%2Fpost%2Fconfigure-time-zones-via-windows-10-mdm%2Fcomment-page-1%2F%3Funapproved%3D89325%26amp%3Bmoderation-hash%3D9de6ea58c25259cc52d3eeb667f350ef%23comment-89325%3C%2FA%3E%3C%2FP%3E%3CP%3E(Note%20about%20this%20fix%20is%20that%20when%20I%20opened%20a%20ticket%20with%20MS%20support%2C%20I%20was%20offered%20this%20as%20solution%20as%20a%20work%20around.)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnother%20work-around%20suggestion%20is%20to%20create%20and%20send%20a%20PowerShell%20script%20to%20the%20computer%26nbsp%3B%20(see%20below)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESet-TimeZone%20-Id%20%E2%80%9CCentral%20Standard%20Time%E2%80%9D%3C%2FP%3E%3CP%3EStart-Service%20W32Time%3C%2FP%3E%3CP%3ERestart-Service%20W32Time%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFinally%20-%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__nam06.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fmsendpointmgr.com-252Fauthor-252Fnickolaja-252F-26data-3D02-257C01-257CMatt.Soseman-2540microsoft.com-257Ca60b94951b3f4511f66908d8063e503f-257C72f988bf86f141af91ab2d7cd011db47-257C1-257C0-257C637266212001889546-26sdata-3DsLKOvEvg0a5uDgRp-252BTIXB9Kv7tpXDqI4umUyYlVHW20-253D-26reserved-3D0%26amp%3Bd%3DDwMFAg%26amp%3Bc%3DeuGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM%26amp%3Br%3DyKsLSm86zt8jK5ZDEGesTTPW3MHp0xB7xCK_xmog-tLe07-2Qs5zWI_mDITCO0ln%26amp%3Bm%3DTGSMZ5CtANEDt-Ot12cFMnoKUCCT91CNFX1LmSL6gCg%26amp%3Bs%3DWw1WP7sC1cZEHwqe-RjSAYUddO2jW02ZXkzP7LmDyno%26amp%3Be%3D%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3ENickolaj%20Andersen%3C%2FA%3E%20from%20%3CA%20href%3D%22https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttp-3A__MSEndPointMgr.com%26amp%3Bd%3DDwQFAg%26amp%3Bc%3DeuGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM%26amp%3Br%3DyKsLSm86zt8jK5ZDEGesTTPW3MHp0xB7xCK_xmog-tLe07-2Qs5zWI_mDITCO0ln%26amp%3Bm%3DTGSMZ5CtANEDt-Ot12cFMnoKUCCT91CNFX1LmSL6gCg%26amp%3Bs%3D0uEy333JJ9TbMtWpJhVfGIWVDv-TlQuOlss097NS9kE%26amp%3Be%3D%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3EMSEndPointMgr.com%3C%2FA%3E%20developed%20PowerShell%20scripting%20using%20Windows%2010%20location%20services%20and%20Azure%20Maps%20that%20can%20get%20Time%20Zones%20working%20but%20would%20also%20incur%20Azure%20charges.%26nbsp%3B%20The%20author%20notes%20that%20it%20currently%20works%20but%20if%20Windows%20code%20changes%20in%20anyway%2C%20it%20scripting%20can%20break%20and%20there%20would%20be%20no%20one%20to%20support%20the%20problem%20at%20that%20point.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__msendpointmgr.com_2020_05_20_automatically-2Dset-2Dtime-2Dzone-2Dfor-2Ddevices-2Dprovisioned-2Dusing-2Dwindows-2Dautopilot_%26amp%3Bd%3DDwQFAg%26amp%3Bc%3DeuGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM%26amp%3Br%3DyKsLSm86zt8jK5ZDEGesTTPW3MHp0xB7xCK_xmog-tLe07-2Qs5zWI_mDITCO0ln%26amp%3Bm%3DTGSMZ5CtANEDt-Ot12cFMnoKUCCT91CNFX1LmSL6gCg%26amp%3Bs%3Du_ft9H5_ZlVnktsKaqYur3nNgnUduqPdfRoIXac3cR0%26amp%3Be%3D%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fmsendpointmgr.com%2F2020%2F05%2F20%2Fautomatically-set-time-zone-for-devices-provisioned-using-windows-autopilot%2F%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EUltimately%2C%20we%20would%20like%20to%20see%20a%20native%20solution%20in%20Intune%20which%20just%20works.%26nbsp%3B%20Any%20help%20getting%20us%20toward%20that%20solution%20would%20be%20greatly%20appreciated!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1436850%22%20slang%3D%22en-US%22%3ERe%3A%20AutoPilot%20Time%20Zone%20configuration%20and%20policy%20settings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1436850%22%20slang%3D%22en-US%22%3EI%20couldn't%20agree%20more%2C%20native%20support%20for%20dynamically%20set%20this%20would%20be%20very%20helpful.%3C%2FLINGO-BODY%3E
Occasional Contributor

All computers deployed via AutoPilot, AutoPilot Reset, or manual reset (settings, recovery, reset this PC) are deployed with the computer time zone being set to PST (Pacific Standard Time).  We are working with national and international customers that require AutoPilot computers being shipped globally but we are trying to deliver the “Zero Touch” Out of the Box experience to the end user.  In order to maximize security our standard AutoPilot deployment profile sets “User Account Type = Standard”.  Therefore when a computer is delivered, the recipient is unable to update their time or time zone without contacting support.  Additionally, if we try to assist the user with traditional web tools such as “MS Quick Assist” or 3rd Party tools, such as ConnectWise, Screen Connect, or TeamViewer the connection is established with the user’s credentials.  The moment the change is attempted MS User Access Control (UAC) kicks in and we are unable to see or assist with the dialogue box to enter alternative administrative credentials.  Our position is that we should be reducing software on computers to reduce the attack surface.  We should not have any administrative accounts on a local computer to reduce the attack surface.

 

We need to be able to set the clock automatically in Intune.  We also need it to be able to be changed/updated for travelling users in a Zero Touch manner.

 

 

How much revenue/pipeline for your company is this impacting?

 

This issue isn’t about revenue generation but is about reducing support expense, loss of productivity time, and time inaccuracies effect almost every aspect of computing from logs to file time stamps.  Everyone in the organization, except those individuals in the Pacific Time Zone, are effected.  Even those people in the PST are effected when they travel to any other time zone.

 

 

How many users total do you anticipate this impacts?

 

Every one in the company is affected.  Since we support multiple companies, I can safely say that this effects all users in all companies that use Intune deployments at some point.

 

 

Is this blocking the use of autopilot completely?

 

No, the inaccurate time stamp does not block the user of AP completely but unless corrected the issue has a severe negative impact on users.

 

 

The workarounds that I have attempted so far are described here:

 

I uncovered an article by Microsoft MVP, Peter van der Woude, from the Netherlands. He developed a Custom Device Configuration Profile using and OMA-URI setting that can set the time zone for a user at the time of deployment. This saves the user from having to set their Time Zone. However, it is a one-time setting and the user cannot change their TZ without admin support.  If traveling the user would need to manually change the setting to a new local time and again require admin support.

 

 

https://www.petervanderwoude.nl/post/configure-time-zones-via-windows-10-mdm/comment-page-1/?unappro...

(Note about this fix is that when I opened a ticket with MS support, I was offered this as solution as a work around.)

 

Another work-around suggestion is to create and send a PowerShell script to the computer  (see below)

 

Set-TimeZone -Id “Central Standard Time”

Start-Service W32Time

Restart-Service W32Time

 

Finally -

 

Nickolaj Andersen from MSEndPointMgr.com developed PowerShell scripting using Windows 10 location services and Azure Maps that can get Time Zones working but would also incur Azure charges.  The author notes that it currently works but if Windows code changes in anyway, it scripting can break and there would be no one to support the problem at that point.

 

https://msendpointmgr.com/2020/05/20/automatically-set-time-zone-for-devices-provisioned-using-windo...

 

 

Ultimately, we would like to see a native solution in Intune which just works.  Any help getting us toward that solution would be greatly appreciated!

 

1 Reply
I couldn't agree more, native support for dynamically set this would be very helpful.