MSEndpointMgr

Modern Management of Windows – Intune & Autopilot

Apple Admins conference

On January 25th I had the pleasure of speaking at the London Apple Admins event at the London School of Economics. As it was an Apple event, I spoke about the crossover with Intune and showed the attendees Autopilot. I really enjoyed it, met a lot of nice people and look forward to speaking there again.

I promised to have this post done about a month ago but due to illness and a busy family life it took way longer than expected.

Windows AutoPilot – What next

I have seen many people talk about Windows Autopilot over the last few months, Gerry Hampson MVP, Paul Winstanley MVP and Peter Egerton to name a few. I really like the idea of Autopilot and can see a roadmap to an alternative to normal SCCM OSD.

Autopilot gets the machine installed and connected to Azure AD, but what next? Just because it has Windows 10 doesn't mean it's usable for the end user.

So I decided to showcase what you can deploy to the machine using device configurations and PowerShell after Autopilot.

Office 365

I have already blogged about this; you can follow my guide here: Traditional Management vs Modern Management – Part 2 – Office 365

Chocolatey

Using the PowerShell script deployment component of Intune I deployed a few applications using a package manager called Chocolatey (https://chocolatey.org). This is a nice way to add some applications that users may need.

<#	
  .NOTES
  ===========================================================================
   Created with: 	SAPIEN Technologies, Inc., PowerShell Studio 2018 v5.4.140
   Created on:   	09/01/2018 11:06
   Created by:   	Terence Beggs
   Organization: 	SCConfigMgr 
   Filename:     	
  ===========================================================================
  .DESCRIPTION
    Installs some basic applications from Chocolatey.
#>

# Bootstrap Chocolatey: downloads the official install script over HTTPS and executes it in this session.
# The installer also adds the choco binary to this process's PATH so the commands below can find it.
iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))

# Browsers 
choco install googlechrome -y
choco install firefox -y

# Core apps
choco install notepadplusplus.install -y
choco install 7zip.install -y
choco install filezilla -y
choco install sysinternals -y
choco install treesizefree -y

# Media
choco install vlc -y
choco install itunes -y

# Development
choco install git -y
choco install visualstudiocode -y
choco install windowsazurepowershell -y
choco install putty -y
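The bootstrap line above pipes a remotely downloaded script straight into Invoke-Expression. As an added example (not the original post's script), here is a stricter variant of the same deployment: it forces TLS 1.2, saves install.ps1 to disk, compares its SHA256 with a hash you recorded from a copy you reviewed, and only then runs it and installs the same package list. The expected hash is a placeholder you must replace; the download URL and package names are the ones used in the post.

```powershell
# Added example: verify the Chocolatey installer before executing it, then install the post's package list.
# $expectedSha256 is a PLACEHOLDER (assumption): replace it with Get-FileHash output from a reviewed install.ps1.
$ErrorActionPreference = 'Stop'
$installerUrl   = 'https://chocolatey.org/install.ps1'
$installerPath  = Join-Path $env:TEMP 'chocolatey-install.ps1'
$expectedSha256 = '0000000000000000000000000000000000000000000000000000000000000000'  # placeholder, not a real hash

# Force TLS 1.2 so the download is not negotiated down to an older protocol by the .NET default
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Download to a file instead of piping the body straight into Invoke-Expression
Invoke-WebRequest -Uri $installerUrl -OutFile $installerPath -UseBasicParsing

# Compare what was actually downloaded with the hash of the reviewed copy; abort on any difference
$actualSha256 = (Get-FileHash -Path $installerPath -Algorithm SHA256).Hash
if ($actualSha256 -ne $expectedSha256) {
    Remove-Item -Path $installerPath -Force
    throw "Chocolatey installer hash mismatch: got $actualSha256, expected $expectedSha256"
}

# Run the verified installer; the execution policy bypass applies to this process only
Set-ExecutionPolicy Bypass -Scope Process -Force
& $installerPath

# Make sure choco is reachable in this session even if the installer did not refresh PATH
$env:Path += ";$env:ProgramData\chocolatey\bin"

# Same packages as the script above; record failures instead of silently continuing
$packages = @(
    'googlechrome', 'firefox',
    'notepadplusplus.install', '7zip.install', 'filezilla', 'sysinternals', 'treesizefree',
    'vlc', 'itunes',
    'git', 'visualstudiocode', 'windowsazurepowershell', 'putty'
)
foreach ($pkg in $packages) {
    choco install $pkg -y --no-progress
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "choco install $pkg failed with exit code $LASTEXITCODE"
    }
}
```

Because choco is a native executable, a failed install does not throw under $ErrorActionPreference = 'Stop'; the exit code check after each call is what surfaces it in the Intune script output.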

OneDrive Configuration

Per Larsen has a nice post about configuring OneDrive for Business silently.

EnableADAL on Onedrive.ps1

# This value lives under HKCU, so it must run in the user's context: in Intune, set
# "Run this script using the logged on credentials" to Yes, otherwise it lands in the SYSTEM hive.
$registryPath = "HKCU:\SOFTWARE\Microsoft\OneDrive"
$Name  = "EnableADAL"
$Value = 1

# Create the key if it is missing, then write (or overwrite) the DWORD value
if (!(Test-Path $registryPath)) {
    New-Item -Path $registryPath -Force | Out-Null
}
New-ItemProperty -Path $registryPath -Name $Name -Value $Value -PropertyType DWORD -Force | Out-Null

EnableAutoConfig on Onedrive.ps1

# Machine-wide OneDrive policy values under HKLM; this one runs as SYSTEM from Intune
$registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\OneDrive"

# SilentAccountConfig  = sign the user in to OneDrive silently with their Windows account
# FilesOnDemandEnabled = turn on Files On-Demand
$values = @{
    "SilentAccountConfig"  = 1
    "FilesOnDemandEnabled" = 1
}

# Create the policy key once if it is missing, then write (or overwrite) each DWORD value
if (!(Test-Path $registryPath)) {
    New-Item -Path $registryPath -Force | Out-Null
}
foreach ($Name in $values.Keys) {
    New-ItemProperty -Path $registryPath -Name $Name -Value $values[$Name] -PropertyType DWORD -Force | Out-Null
}

BitLocker

Maurice has a nice post on setting up BitLocker: Traditional Management vs Modern Management – Part 1 – Encryption

Driver update

Maurice has created a version of his modern driver management tool which works with Intune: Modern Management – Automating Intune Enrolled Device Driver Updates

Disable automatic installation of consumer apps (Twitter, Candy Crush etc.)

The automatic installation of consumer apps on Windows 10, like Candy Crush, is very annoying, especially if you are using an Enterprise version. This device configuration setting stops the automatic installation.

Use the following information to create the new custom configuration policy:

  • OMA-URI: ./User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsConsumerFeatures
  • Data type: Integer
  • Value: 0

Company Portal

From the Windows Store for Business you can deploy the Company Portal; if you look at my post on automatic enrolment you can see how to do this. Below is an example of the Company Portal on a laptop deployed using Autopilot.

Post Autopilot deployment

Automatic Redeployment

Enable automatic redeployment

One of the best features of Autopilot is the ability for the user to redeploy their own laptop, but you must enable this feature first. Under Device restrictions – General you can enable automatic redeployment.

Redeployment in action; once it has finished, the device will be back to its original state.

I hope that this showcases what you can do with Intune after Autopilot deployment.

Terence Beggs

An Irishman living in London; after completing a BSc in Computer Science in 2005 he started working in the IT industry. Currently Senior Systems Officer at London Metropolitan University, managing Azure and several thousand endpoints across several campuses in London. Technology focuses include SCCM, MDT, Azure, Office 365, Active Directory, Group Policy, Application Packaging, PowerShell, Virtualization and Automation.

8 comments

  • Hi Terence,

    thanks for the nice article and good showcase.
    Considering I used this approach and the device is customized and connected to Azure AD, can it be integrated later into our "normal AD" and then managed with SCCM instead of EMM?

    Thanks

    Ruben

    • Hello Ruben, the answer is yes. You can take the co-management approach with SCCM, but Sidd Mantri, who is the project manager for this, talked about enabling Hybrid Azure AD join; this creates a VPN to connect to your domain controller. I will be talking about this at our event in June, so a blog post will come later.
      Thanks

      • Hi Terence,

        looking forward to reading your blog post on that, thank you in advance 🙂
        If the machine is 'Hybrid Azure AD joined', is the user able to access domain resources, e.g. files on a traditional file server, use NTLMv2 or Kerberos and perhaps connect to an on-prem Exchange?

      • Ruben,
        At the moment that feature in Autopilot is only in prototype and I have not had a chance to play around with it. But as far as I understand it, the machine should act as if it was domain joined (Domain Join VPN) while showing as Azure AD joined too. It should act as if it was an on-prem domain-joined machine with the benefits of Intune and Azure on top. As most of this is in prototype I don't have access just yet. To me this is the missing piece of the puzzle.

        Thanks
        Terence

      • Hi Terence,

        thanks for the clarification. Then let's wait together and hope that the fog clears up soon 😉

        I’ll keep monitoring this blog closer now ^_^

  • Great post Terence!

    Did you know that you can also enable Automatic Redeployment with the default Windows 10 Device restriction profile? It's under General, at the bottom 😉

    • I didn't see that, thanks Jan. Will update the post later when I get a chance.
