Windows Autopilot V2? Or just a new profile type? Who cares! It's here!
- Published on 2 Jun 2024
- Windows Autopilot v2, or the New Windows Autopilot Profile Type, or the Evolution of Windows Autopilot, or Next Generation of Windows Autopilot, or the Windows Autopilot Update, or Windows Autopilot Device Preparation??
WHATEVER YOU CALL IT, LET'S SEE HOW IT LOOKS!
There has been a significant release of Windows Autopilot this week. Join Dean as we take a first look at how it works!
Next Generation of Windows Autopilot - Microsoft release blog:
techcommunity.microsoft.com/t...
Windows Autopilot Device Preparation - MSLearn:
learn.microsoft.com/en-us/aut...
Detailed Requirements:
learn.microsoft.com/en-us/aut... - Science & Technology
I really enjoy your videos. Easy to understand and your pace and tone is a very pleasant experience
Thank you very much!
Thank you for the video
You're welcome
Looks promising - will definitely look into it with a test tenant. Would be helpful to work with it in some cases and makes the whole process more streamlined I guess.
Thanks for the video!
@11:33 security is an add-on product for Microsoft.
Thanks!
Woah. Thank you! 🙏
Thanks for the video.
How should the Deployment Profile and Enrollment Status Page (ESP) be configured to work with this?
Great video, very informative as always
The Standard/Administrator toggle is super annoying and confusing
Another really annoying thing is when you try to assign an application to groups it doesn't let you use the same group for both Required and Available installation at the same time...
So you have to create 2 groups and add the users manually, twice the work (this is if you want the app to only be installed and available to a small group of people)
(yes, you can use PowerShell and pipe the members of Group A to the command that creates Group B, but that is too much and not everyone can use PowerShell)
Actually I found that I can nest Group A inside Group B and this will both Install the software and also make it available in Company Portal.
Group A will force the installation.
Group B that has Group A as its member will make it available in Company Portal so that if a technician uninstalls the app they can quickly re-install it since it will appear in Company Portal.
Should have thought about this earlier.
Looking forward to the video with the corporate device IDs being used. We block personal devices and don’t want to have to open it up.
Same! I'm looking at it now so I can record it tomorrow when I don't look like it's 11pm :-)
@Dean thanks like always, I want to ask if this method will work for some companies with hybrid join?
This feature doesn’t support Hybrid, although the presence of a dropdown for Join Type indicates it might in the future!
please let me know application has to be rolled out devices? assume that implementing autopilot freshly I am not understanding logic application was targeted previously devices?
An App must be assigned to a device (or user) in order to install on the device.
Features like ESP and Autopilot Device Prep allow you to list important apps that MUST be on there, but they still need to be assigned to the device (or user) in order to install. You can assign by either All Users / All Devices, a specific group, or the Autopilot Device group.. It doesn't seem to matter.
What if the device is being asked to be wiped? Or to be demoted? Should we manually remove the device serial number in the Autopilot settings? Thank you for the video!😊
"should be assigned" = I need to do it. "will be assigned" = the policy will do it. Even after watching the video I don't know what it's trying to tell you.
A huge thanks for the video! But I don't understand what the reason moves to "new autopilot v2"? Is it kind of journey from the first version autopilot to the new one?)
I care about hybrid autopilot, unfortunately… wish I didn’t!
Yeah - sorry. I was in a rush and didn't want to get into it.
I still think that organisations that NEED hybrid don't NEED autopilot, but hey...
@DeanEllerbyMVP Autopilot works great in Hybrid other than limitations that Microsoft have self-imposed, such as device naming restrictions and the fact they are not investing in Hybrid. Funny thing is they now officially have a stance that Hybrid is a valid end state... go figure. I've had it set up for two years. It's no different other than it also joins the domain via ODJ. If you have an always-on VPN / Zscaler ZPA with machine token, it works similarly to pure Entra. Sure, 100% of SSO may not be working until the user cert on the device replicates, but that can be detected via a scheduled task monitoring for specific event IDs and prompting the user for one last reboot once they've been using the device.
I work at an MSP and, in this position, I have to bench devices before sending them to our clients. One of our clients leverages autopilot, and it's a bit of a headache.
Would this "v2" work using a temporary access pass to sign the user in during OOBE?
That’s an interesting question. Let me test.
Thx for the video!
One thing I don't understand:
Today, I have the slightly annoying registration of the hardware hash. This ensures, that users can only join a device, which is registered on my tenant.
With this new method I don't have that control anymore and any user can join their personal device if they want to, because I have to allow that in the enrollment restrictions to make it work.
Nevermind, I watched the video you just released....
Thx!
Thanks for the video.
At the owner, the "Intune Provisioning Client" is not there! Any idea?
Missing for me as well.
Look for the service ID of f1346770-5b25-470b-88bd-d5744ab7952c.
In my tenant it was called Intune Confidential client but apparently as long as the ID is f1346770-5b25-470b-88bd-d5744ab7952c it's correct
Did I see you had to set the privacy? That wasn't required in V1, well not for us. Did it do the uplift from Pro to Enterprise if you have the required subscription?
I did see that as well and installed Windows 11 Enterprise to kick this off. A bit disappointing this doesn't disappear. Maybe it can be controlled via policy/CSP. IMO, it's something in Windows that needs to be updated to remove this when going down the Autopilot path with this "new" preparation fork
Yes - I didn’t realise at the time! That’s not great…
Thanks for this video! I have added Intune Autopilot ConfidentialClient owner of device group, but when I add this device group in provisioning policy it shows "0 Groups assigned". Any idea what might be problem?
I had this at first. I think I just went back and created a new prep policy…
Ok thank you. I have try my luck 😊
No luck at all. Still says same. Maybe I just give it a day to think
This looks pretty good. It's pretty much exactly what I want to see from Microsoft - no dramatic changes in functionality, but polish and efficiency improvements behind the scenes.
However it requires at least the April 2024 update to Windows 11. Today if I use the Media Creation Tool I get the Dec 2023 version, so that's not going to work. The docs direct me to the Volume Licensing Service Centre, where apparently I can get an up-to-date installer. When I log in there it tells me "VLSC has been retired. All the VLSC features have moved to Microsoft 365 admin center (MAC).". I can't download an installer from the MAC, because I don't have a volume license, just E5 subscriptions. Fun journey, but a bit of a dead end.
It feels like it's going to be a long time before I can be confident that a newly purchased device will arrive with a sufficiently up-to-date copy of Windows pre-installed.
Is there any functionality around device naming? Currently with hardware hash uploads, we set the device name ahead of time, so our machines all have consistent names. That's functionality I'd rather not lose.
'Polish' - not so much. It still doesn't tell you you've assigned apps in the policy that won't deploy. The % complete is utterly meaningless. It still doesn't show you which apps or policies are being applied. The diagnostics and reporting are sufficiently laggy that they don't have much value. How this is GA and not a preview I've no idea, it's not ready for production use. You're right about devices having to have the required version of Windows on them - OEMs are slow, so that might not happen for a year.
@10:51 - can you find out why 7zip did not get installed?
I am facing an issue: when I am trying to enroll the device with this method, Windows does not give me the option to log in with work or school accounts, it just gives me the option to join as a local user. I have tried many times, but I am not able to fix that issue, so could you help me to solve this?
Which version of Windows are you using?
@DeanEllerbyMVP Windows 11 Pro
@DeanEllerbyMVP Also could you assist me with how to enrol any device with a standard user type when we use the account > work or school account or join Azure Active Directory method, not the Autopilot method?
intune provisioning account not found
Was your VM registered in Autopilot?
No.
"It makes no sense at all!!" 🤣
what if you're missing the intune provisioning client app?
btw: Thank you for creating these videos..
I assume if you're missing that, you're also missing the Device Prep feature, but if not... oops!
@DeanEllerbyMVP No I have that.. I just got this today, so maybe they're not finished with my tenant.
Hmm. I got mine visible in the portal today too. It appeared about 11AM GMT, and it's taken me 10hrs to get a video recorded about it. I need to improve my workflow :-)
@bridley5189
Some info from a helpful community fellow - @heyradu !
In some tenants, the service principal might have the name of Intune Autopilot ConfidentialClient instead of Intune Provisioning Client. As long as the AppID of the service principal is f1346770-5b25-470b-88bd-d5744ab7952c, it's the correct service principal.
If either Intune Provisioning Client or Intune Autopilot ConfidentialClient with AppID of f1346770-5b25-470b-88bd-d5744ab7952c doesn't exist in the tenant, it must be added via PowerShell commands. For more information, see Adding the Intune Provisioning Client service principal.
Install-Module AzureAD
Connect-AzureAD
New-AzureADServicePrincipal -AppId f1346770-5b25-470b-88bd-d5744ab7952c
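The check-then-create step from the comment above, as an added example that is not part of the original comment or of Microsoft's documentation. It uses the Microsoft Graph PowerShell SDK in place of the deprecated AzureAD module, matches the service principal on AppID rather than display name, and also covers the "owner of the device group" requirement discussed in this thread; the group name is a hypothetical placeholder.

```powershell
# Added example. Assumes the Microsoft.Graph PowerShell SDK is installed
# (Install-Module Microsoft.Graph) and the signed-in admin can consent to these scopes.
$AppId           = 'f1346770-5b25-470b-88bd-d5744ab7952c'   # AppID quoted in the comments above
$DeviceGroupName = 'Autopilot Device Prep - Devices'        # hypothetical group name, replace with yours

Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'Group.ReadWrite.All'

# Match on AppID only: the display name differs between tenants
# ("Intune Provisioning Client" vs "Intune Autopilot ConfidentialClient")
# and a display name is not a trustworthy identifier on its own.
$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) {
    Write-Host "Service principal for $AppId not found, creating it."
    $sp = New-MgServicePrincipal -AppId $AppId
}
Write-Host ("Service principal: {0} (AppId {1}, ObjectId {2})" -f $sp.DisplayName, $sp.AppId, $sp.Id)

# Resolve the device group and refuse to continue on an ambiguous name.
$group = @(Get-MgGroup -Filter "displayName eq '$DeviceGroupName'")
if ($group.Count -ne 1) {
    throw "Expected exactly one group named '$DeviceGroupName', found $($group.Count)."
}

# Compare object IDs of the current owners against the service principal.
$owners = Get-MgGroupOwner -GroupId $group[0].Id -All
if ($owners.Id -contains $sp.Id) {
    Write-Host "Service principal is already an owner of '$DeviceGroupName'."
}
else {
    Write-Host "Adding service principal as owner of '$DeviceGroupName'."
    New-MgGroupOwnerByRef -GroupId $group[0].Id -BodyParameter @{
        '@odata.id' = "https://graph.microsoft.com/v1.0/servicePrincipals/$($sp.Id)"
    }
}

# Final state for the change record: list owners by object ID.
Get-MgGroupOwner -GroupId $group[0].Id -All | Select-Object Id
```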
Does the owner really "only" have to be set for the "Windows Autopilot device preparation device group" and not also for the "Windows Autopilot device preparation user group"?
Yeah, I think so. The user group is to be populated by the organisation / admin.
So, this new method will install all company stuff without the need to provision anything from the manufacturers or having to get the HardwareID first. COOOOL. Thank you.
Yes.. which is a good thing and a bad thing, potentially.
@DeanEllerbyMVP What are the Bad things Mr Ellerby? Thanks
The first one that springs to mind is that in order for this to work as I showed, Personal Devices must be allowed in the tenant. Many organisations don't allow this, because they want to ensure staff only work on devices that are corporate owned.
@DeanEllerbyMVP I thought Personal devices only register/join from the "Work/School account" in the Settings section and NOT when the device requires provisioning when the user has to log in with the Corporate account. Thanks
Thanks for the video.
However, I still don’t understand what the fundamental difference is. This looks more like a change in approach, but what I saw does not add anything new.
There seems to be a lot of difference under the hood. I've not quite got enough content for a video on that, but it IS fundamentally different.
It's also just a base for new features that are planned to build on this new capability. Features that were impossible or unlikely due to the v1 approach.
@DeanEllerbyMVP Thank you, I'll be looking forward to the news. Thank you for keeping us updated :)
@DeanEllerbyMVP this seems to be my take on it too. I haven't had the opportunity to play with it yet, but having watched your video it feels like a preview release, where the additional interesting functionality is yet to come. Really feel like a primary school child could design a better UI in both Intune and the OOBE than Microsoft though! The spelling mistake, the scroll bar with cut off text in OOBE on the MFA screen. Not even including the lack of an option to display a list of apps/policies being installed 🤦‍♂️
I think I agree, but one thing is for certain, after months of QA, the spelling mistake is unforgivable.
@darrenoleary It's horrible. One of the design expectations for this "new" Autopilot was for better info to the end user. Therefore, when things fail (like an app), specific info can be displayed. Maybe it does, I haven't caused it to fail yet. However, giving a percentage (which is horribly inaccurate) and removing detail is going backwards, IMO... why be so scared to show on the screen EXACTLY what is happening?
You still didn't spell organisation's correctly.....
Thanks!
😱 Thanks Brian!
Let's start a revolution!
Dean brings a lot of knowledge and value to the community.