2023E11 - Windows Provisioning (5-Ways including Autopilot) (I.T)

Glad you like them. We certainly enjoy making the content. Hope you find what you need!

Agreed, thank you.

We also login with a generic user 1 time so they don't have to wait at the ESP screen.

That's because any windows device not registered with autopilot is classed as not corporate owned

Unfortunately no. We don’t have access to Knox to be able to setup a demo lab for that.

Entra joined all the way, as the user needs to access the data not the device, with ideally a split tunnel VPN that will route traffic that is needed back to your corp network

Can you explain a bit more about the process that you are using or where you are having issues? Because I'm a bit confused.
You state that you have an issue post Intune enrollment, namely that the Autopilot profile is not assigned, but how did you enroll the device in Intune? As that is essentially the task of the Autopilot profile. Autopilot does essentially 2 things: it loads settings for the OOBE (what to show, what to skip) and it ensures that the user logs into your tenant to start the enrollment process.
We also use group tags, create dynamic groups based on those tags and assign the Autopilot profiles to those groups. And while it does take a little bit of time, that usually is no issue as the devices are in the Autopilot Devices list even before they arrive at the location. We assign the group tag once they are uploaded and before they are even delivered. At that point it doesn't matter if it takes 10 minutes or 10 hours to sync everything.
With Autopilot setup correctly and with good policies in Intune that enable SSO for a lot of services, like OneDrive, the user can walk through the OOBE very easily with just entering their credentials (except when they want to onboard on wifi as then they will get to select language, region and keyboard as well).

@@Hans-gb4mv When enrolling the device, I opt for the PowerShell online method. However, although this successfully enrolls the device into Autopilot, it falls short of assigning the device to an Autopilot profile. The device status consistently indicates "not assigned," preventing the computer from updating and restarting itself. Consequently, the user doesn't experience the Out of Box Experience (OOBE). To address this, we find ourselves signing into the computer (ourselves preping the computer for the user) manually to apply the profile and then triggering an Autopilot reset for the computer. The Autopilot is assigned to a dynamic group using the associated naming convention, and both Autopilot and policies are applied using policy sets.
While there are no issues once the device is enrolled, preparing them for the user's OOBE becomes a challenge, as the Autopilot profile is not assigned until after the user signs in. Thank you for the reply and time taken to respond

@@Hans-gb4mv after explaining I realize what I have done. I have everything pointed at dynamic groups but nothing to devices not in a group. I've made changes to allow for this I haven't tested it but am sure it will work. Thanks again for the replies

While I get your point, one rule we generally go by is - don’t add info in the device name that is already available in the drive record (one of the other columns you can filter on). It’s easy to filter out the noise quickly without adding additional stuff to the name.
Plus you’re not careful you can easily end up with duplicate device names when using serial if you use too many prefix characters. We had that happen with surface devices where the last part of the serial was the same on all models but the first parts were different. The serial gets truncated from the end resulting in duplicate names.
Do what works best for you but honestly I think if you gave it a shot, you’d find a great deal of freedom on not customizing device names and just relying on other fields for filtering/reporting.
-Adam

@@IntuneTraining I think the bigger issue is for anything else that deals with all of the enterprise endpoints outside of Intune the names look like a mess with difficulty determining the device unless you drill down or look up their details in Intune or asset management. For example third party support tools, AV cloud consoles, security logging, etc.
I guess I’m just a little more OCD about device names being in order by type across the enterprise.

Sure. Shoot me an email. Firstname @ Intune.training

While supported method, Hybrid Autopilot isn't recommended for new devices. That may be the thinking for not having it be a big part of the video. Literally the only thing I have come by is wireless 802.1x doing LDAP look ups of computer objects not able to do Entra ID join.

We will continually stand by our position of avoiding Hybrid Provisioning. We don't believe it's necessary and Microsoft specifically even recommends against it. See the top blue box on their docs page here: (learn.microsoft.com/en-us/autopilot/windows-autopilot-hybrid). Additionally, there are numerous other sources for information about settings up Hybrid Autopilot and we don't have the infrastructure in our labs anymore to even be able to demonstrate it anymore. Have you tried going Entra ID only (AADJ) or do you have specific items that don't work for you today?

Hybrid AD Join is not necessary for most scenarios. I have been deploying AAD only devices for a while and I have found it much easier to manage them through Intune. AD Connect takes care of the authentication and I can still access the on-prem resources as needed. For older devices, I have migrated them to Hybrid AD Join and I have also seen the benefits of using Intune for management. Hybrid AD Join adds complexity and overhead to the provisioning process and it is not recommended by Microsoft unless you have specific requirements that AAD only can’t meet. I think the video does a great job of showing the different ways of provisioning Windows devices using Autopilot and Intune. 👍

It’s 2024… put your windows phone away…

the question I have to ask at that point is: why do you require hybrid?
When I started looking into using AutoPilot in my company, one of the first issues I ran into is that a hybrid deployment requires line-of-sight with a domain controller when the user gets to the login prompt for the first time. This is fine if your users are always in the office, but that was not the case in our company. So I asked our most senior guys and they said: nope, not allowing a device VPN tunnel so you can have LOS at the login prompt.
So, I quickly started working on non hybrid join. And yes, there's a lot of pain that goes into that initially. But at the end of the day, I had everything working. I could access fileshares, printers, do RDP and all that other fun stuff. I spent a lot of time working out kinks and issues, but it was worth it. Ready to go on a non hybrid joined AutoPilot device.
And then you go on vacation, you come back, and they attempted to switch it to hybrid, because they had forgotten one thing, our own software that we develop in house checks for the domain the computer is joined to in order to see if it is allowed to be run. And patching that out to something that could recognize if it is joined to our tenant will take probably a year. So, since we were implementing a new VPN solution that supported a PLAP,, we also had a workaround for that issue and after my vacation I cleaned up the mess that others had made and reluctantly accepted that we were still doing hybrid with the promise of going non-hybrid in 2025.
But as I said, try non hybrid first, and only when you hit a roadblock where you have an external dependency on being domain joined, consider if going hybrid is the right solution. You'd be surprised how far you would get.
I would like to add that while we have moved to hybrid, all the mgmt for AutoPilot enrolled devices is done through Intune. We are no longer applying GPOs for example, so going from hybrid to non-hybrid when we finally get the green light on that last dependency should be a simple matter of updating our Intune settings.