WiFi
6 Topics

Moving from MDT/WDS to Autopilot – Real-World Lessons, Wins & Gotchas
Hi all,

We’ve been moving away from an ageing WDS + MDT setup and over to Windows Autopilot, and I thought I’d share a few key lessons and experiences from the journey. In case anyone else is working through the same transition (...or about to).

Why the change? MDT was becoming unreliable, drivers/apps would randomly fail to install, WDS is on the way out, and we needed a more remote-friendly approach. We also wanted to simplify things for our small IT team and shift from Hybrid Azure AD Join to Azure AD Join only.

We’re doing this as a phased rollout. I harvested existing device hashes using a script from a central server, and manually added machines that weren’t online at the time (most of which were just unused spares, we haven't introduced new hardware yet). If you want a copy of this auto-harvest, please see my next post. This script is useful as it'll just go off and import the hardware hashes into Intune, and can run against multiple computers at a time. (I will add the link to the post once made.)

Some of the biggest hurdles:
• 0x80070002 / 0x80070643 errors (typically due to incomplete registration or app deployment failures)
• Enrollment Status Page (ESP) hangs due to app targeting issues (user vs device) and BitLocker config conflicts
• Wi-Fi setup with RADIUS (NPS) was complex, Enterprise Certificates and we're still using internal AD for authentication, so user accounts exist there and sync over to Azure.
• Legacy GPOs had to be rebuilt manually in Intune, lots of trial and error
• Some software (like SolidWorks) wouldn’t install silently via Intune, so I used NinjaOne to handle these, along with remediation scripts in Intune where needed

We also moved from WSUS to Windows Autopatch, which improved update reliability and even helped with driver delivery via Windows Update.

What’s gone well: Device provisioning is more consistent, updates are more reliable, build time per machine has dropped, and remote users get systems faster. It’s also reduced our reliance on legacy infrastructure.

What I’m still working on: Tightening up compliance and reporting, improving detection/remediation coverage, figuring out new errors that may occur, and automating as many manual processes as possible.

Ask me anything or share your own experience! I’m happy to help anyone dealing with similar issues or just curious about the move. Feel free to reply here or message me. Always happy to trade lessons learned, especially if you’re in the middle of an Autopilot project yourself.

Cheers,
Timothy Jeens

525 Views · 3 likes · 5 Comments

exclude non Wi-Fi enabled devices for Wi-Fi Configuration Profile
Hi everyone,

We have a WiFi Configuration Profile in Intune that applies to all company users. Problem is now that the profile tries to apply these WiFi Settings to devices which don't have WiFi capability and Intune throws errors back on these devices.

My idea is now to create a group or a script, which checks the device for the presence of a WiFi MAC. When the device has a WiFi MAC, the profile gets applied.

Has anyone an idea about how I can achieve this? Or what are your solutions for this scenario?

Thanks for every reply 🙂

Solved · 3.8K Views · 0 likes · 7 Comments

iOS Wifi Profile not getting delivered
For the past few months we have had a profile set up that gets a restriction profile that locks the device into kiosk mode for an app and also has the setting "Join Wi-Fi networks only using configuration profiles" configured. We push out our Wi-Fi network to the devices along with root cert + SCEP profile for certificate-based authentication. This has been working great for the past few months.

Starting last we were enrolling iPads as we have been doing, but when enrolling the device into Intune it gets the green check mark for 'Get your device managed' and goes to 'Update device settings' and can never confirm device settings. Looking at the device, it's been disconnected from the WiFi network. Going to Settings -> WiFi, there are no networks available (I have verified there are multiple networks available) and it says 'Your iPad can only join WiFi networks that are configured by your organization's admin'.

Checking the management profile on the device I can see all the restrictions and both the SCEP certificate and root certificate, but the WiFi profile is not listed in there. Checking the device in Intune shows that the WiFi profile is still 'pending' for the device, along with the management profile, root cert and SCEP cert.

If I enroll a regular user-based device assigned the same WiFi profile (but not restrictions profile) it gets the profile and connects without issue. It seems like the device is getting the policy to only allow access to the network from the configuration profile and disabling WiFi on the device before it gets the WiFi profile.

Has anyone run into this or have a solution? We can remove "Join Wi-Fi networks only using configuration profiles" but I'm not sure how that would impact the already enrolled ~80 devices.

3.9K Views · 0 likes · 2 Comments

Android Enterprise Wifi deployment using SCEP Cert problems
Hi all,

I am trying to set up Android phones to connect to the wifi through a wifi profile. We use SCEP certificates. The trusted root certificate and the SCEP certificate deploy successfully to the device via Intune. The trusted root CA automatically gets put into the User store (don't know if this is causing the issue as it's not in the system store). However, we can't see the deployed SCEP certificate on the phone without using an app called 'My Certificates'. This confirms that both the CA and SCEP certificate are on the device.

The Wifi profile is then sent to the device and again this says successful on Intune but the phone doesn't connect to the wifi. The SSID it is trying to connect to appears but it doesn't connect. Looks like it tries connecting and then fails. Nothing can be seen on the network's ISE servers so it doesn't even look like it's getting that far.

Then tried to add the wifi manually. WPA2 enterprise. When I select the option to select a certificate, it shows the SSID name (must've got this from the wifi profile deployment) with '_NULL' at the end? Don't understand what this is or what it means? Tried selecting the null certificate but this doesn't connect either.

Connection we want to use is EAP-TLS. We DON'T use the Company Portal. The Android phones are fully managed corporate devices. The above method to deploy the certs and wifi profile works fine with iOS devices but not Android.

Any help would be greatly appreciated.

Thanks
SA

2.9K Views · 0 likes · 1 Comment

iOS SCEP Device Certificate Deployment Fails
Hello everyone,

I am a complete Intune newcomer and am currently trying to distribute a certificate via Intune to our macOS and iOS devices, which is to be used to establish the Wi-Fi connection. On the MacBooks this now works. On the iOS devices, unfortunately, I can't get it to work.

I have four Configuration Profiles for iOS:
1.) Root-CA
2.) Intermediate-CA
3.) SCEP Device Certificate
4.) WiFi

I can get the first two profiles distributed. I can also see that the root and intermediate CA are installed on the device. Profiles 3 and 4, however, have the status Error. For the SCEP Device profile no error message is shown at all; for the WiFi profile: -2016314109 (22003:Invalid RAResponse)

I could imagine that the error from the WiFi profile is a follow-on error from the missing SCEP certificate.

Can anyone help me here? Has anyone had similar problems? Where can I find log files with more information?

Matthias

2.8K Views · 0 likes · 3 Comments

Android Enterprise Wifi Hidden network
Does anyone know what Enabling the Hidden Network setting on an Android Enterprise Basic wifi profile does?

According to docs.microsoft.com:
Hidden network: Choose Enable to hide this network from the list of available networks on the device. The SSID isn't broadcasted. Choose Disable to show this network in the list of available networks on the device.

But the tool tip from within the Intune profile says:
Connect to this network, even when it is not broadcasting its SSID.

Those are both very different things for the same setting....

Solved · 2.1K Views · 0 likes · 3 Comments