Apple Admins conference
On January 25th I had the pleasure of speaking at the London Apple Admins event at the London School of Economics. As it was an Apple event, I spoke about the crossover with Intune and showed the attendees Autopilot. I really enjoyed it, met a lot of nice people and look forward to speaking there again.
I promised to have this post done about a month ago but due to illness and a busy family life it took way longer than expected.
Windows AutoPilot – What next
I have seen many people talk about Windows Autopilot over the last few months, Gerry Hampson MVP, Paul Winstanley MVP and Peter Egerton to name a few. I really like the idea of Autopilot and can see a roadmap to an alternative to normal SCCM OSD.
Autopilot gets the machine installed and connected to Azure AD, but what next? Just because it has Windows 10 doesn't mean it's usable for the end user.
So I decided to showcase what you can deploy to the machine using device configurations and PowerShell after Autopilot.
Office 365
I have already blogged about this; you can follow my guide here: Traditional Management vs Modern Management – Part 2 – Office 365
Chocolatey
Using the PowerShell script deployment component of Intune I deployed a few applications using a package manager called Chocolatey (https://chocolatey.org). This is a nice way to add some applications that users may need.
<#
.NOTES
===========================================================================
 Created with:  SAPIEN Technologies, Inc., PowerShell Studio 2018 v5.4.140
 Created on:    09/01/2018 11:06
 Created by:    Terence Beggs
 Organization:  SCConfigMgr
 Filename:
===========================================================================
.DESCRIPTION
 Installs some basic applications from Chocolatey.
#>

# Bootstrap Chocolatey: downloads the install script from chocolatey.org and runs it in-process.
iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))

# Browsers
choco install googlechrome -y
choco install firefox -y

# Core apps
choco install notepadplusplus.install -y
choco install 7zip.install -y
choco install filezilla -y
choco install sysinternals -y
choco install treesizefree -y

# Media
choco install vlc -y
choco install itunes -y

# Development
choco install git -y
choco install visualstudiocode -y
choco install windowsazurepowershell -y
choco install putty -y
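The script above pipes a downloaded script straight into iex. As an added example (not the post's own script), here is the same bootstrap and package list written so the installer is saved to disk and checked against a SHA256 hash you recorded from a reviewed copy before it runs, with each install result logged; the hash value, the log path and the choco.exe location are placeholders or assumptions.

```powershell
# Added example: hash-pinned Chocolatey bootstrap plus logged package installs.
$ErrorActionPreference = 'Stop'
Set-ExecutionPolicy Bypass -Scope Process -Force
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$InstallerUrl  = 'https://chocolatey.org/install.ps1'          # URL used in the post
$InstallerPath = Join-Path $env:TEMP 'chocolatey-install.ps1'
$ExpectedHash  = 'REPLACE-WITH-SHA256-OF-REVIEWED-INSTALLER'    # placeholder, not a real hash
$LogPath       = 'C:\ProgramData\IntuneScripts\choco-bootstrap.log'  # assumed log location

New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
Invoke-WebRequest -Uri $InstallerUrl -OutFile $InstallerPath -UseBasicParsing

# Refuse to run an installer that does not match the copy you reviewed.
$actual = (Get-FileHash -Path $InstallerPath -Algorithm SHA256).Hash
if ($actual -ne $ExpectedHash) {
    "$(Get-Date -Format o) installer hash mismatch: $actual" | Add-Content $LogPath
    throw "Chocolatey installer hash mismatch; aborting bootstrap"
}
& $InstallerPath

# Same package list as the post; every result is written to the log with its exit code.
$packages = 'googlechrome', 'firefox', 'notepadplusplus.install', '7zip.install',
            'filezilla', 'sysinternals', 'treesizefree', 'vlc', 'itunes',
            'git', 'visualstudiocode', 'windowsazurepowershell', 'putty'
$choco = Join-Path $env:ProgramData 'chocolatey\bin\choco.exe'   # default install location
foreach ($pkg in $packages) {
    & $choco install $pkg -y --no-progress | Out-Null
    "$(Get-Date -Format o) $pkg exit=$LASTEXITCODE" | Add-Content $LogPath
}
```

The installer on chocolatey.org changes between releases, so the pinned hash has to be refreshed each time you review a new copy; a mismatch stops the script before anything is executed.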
OneDrive Configuration
Per Larsen has a nice post about configuration of OneDrive for business silently.
EnableADAL on Onedrive.ps1
# EnableADAL is a per-user (HKCU) value: run this in the signed-in user's context
# (in Intune, tick "Run this script using the logged on credentials"), otherwise it lands in SYSTEM's hive.
$registryPath = "HKCU:\SOFTWARE\Microsoft\OneDrive"
$Name = "EnableADAL"
$value = "1"

IF (!(Test-Path $registryPath)) {
    New-Item -Path $registryPath -Force | Out-Null
    New-ItemProperty -Path $registryPath -Name $name -Value $value `
        -PropertyType DWORD -Force | Out-Null
}
ELSE {
    New-ItemProperty -Path $registryPath -Name $name -Value $value `
        -PropertyType DWORD -Force | Out-Null
}
EnableAutoConfig on Onedrive.ps1
# Machine-wide OneDrive policy: sign the user in silently with their Azure AD credentials.
$registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\OneDrive"
$Name = "SilentAccountConfig"
$value = "1"

IF (!(Test-Path $registryPath)) {
    New-Item -Path $registryPath -Force | Out-Null
    New-ItemProperty -Path $registryPath -Name $name -Value $value `
        -PropertyType DWORD -Force | Out-Null
}
ELSE {
    New-ItemProperty -Path $registryPath -Name $name -Value $value `
        -PropertyType DWORD -Force | Out-Null
}

# Machine-wide OneDrive policy: turn on Files On-Demand.
$registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\OneDrive"
$Name = "FilesOnDemandEnabled"
$value = "1"

IF (!(Test-Path $registryPath)) {
    New-Item -Path $registryPath -Force | Out-Null
    New-ItemProperty -Path $registryPath -Name $name -Value $value `
        -PropertyType DWORD -Force | Out-Null
}
ELSE {
    New-ItemProperty -Path $registryPath -Name $name -Value $value `
        -PropertyType DWORD -Force | Out-Null
}
Bitlocker
Maurice has a nice post on setting up BitLocker: Traditional Management vs Modern Management – Part 1 – Encryption
Driver update
Maurice has created a version of his modern driver management tool which works with Intune: Modern Management – Automating Intune Enrolled Device Driver Updates
Disable automatic installation of consumer apps (Twitter, Candy Crush etc.)
The automatic installation of consumer apps such as Candy Crush on Windows 10 is very annoying, especially if you are using an Enterprise edition. This device configuration setting stops it.
Use the following information to create the new configuration policy:
- OMA-URI: ./User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsConsumerFeatures
- Data type: Integer
- Value: 0
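Once the OneDrive scripts, BitLocker and the consumer-features policy have applied, it is worth reading the settings back rather than trusting the Intune status. This added check script is not from the post; the OneDrive keys are the ones the scripts above write, the BitLocker check uses the built-in BitLocker module, and the PolicyManager path used for the consumer-features value is an assumption.

```powershell
# Added example: report drift in the post-Autopilot settings this post configures.
function Test-RegistryDword {
    param([string]$Path, [string]$Name, [int]$Expected)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item)            { return "MISSING $Path\$Name" }
    if ($item.$Name -ne $Expected)  { return "DRIFT $Path\$Name = $($item.$Name), expected $Expected" }
    return "OK $Path\$Name = $Expected"
}

$results = @(
    # Machine-wide OneDrive policy values written by the EnableAutoConfig script.
    Test-RegistryDword 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive' 'SilentAccountConfig' 1
    Test-RegistryDword 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive' 'FilesOnDemandEnabled' 1
    # EnableADAL is per-user, so this only reflects the user running the check.
    Test-RegistryDword 'HKCU:\SOFTWARE\Microsoft\OneDrive' 'EnableADAL' 1
)

# BitLocker: the OS volume should be fully encrypted with protection switched on
# (Get-BitLockerVolume needs an elevated session).
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($os.ProtectionStatus -eq 'On' -and $os.VolumeStatus -eq 'FullyEncrypted') {
    $results += "OK BitLocker $($env:SystemDrive) $($os.EncryptionMethod)"
} else {
    $results += "DRIFT BitLocker $($env:SystemDrive) protection=$($os.ProtectionStatus) status=$($os.VolumeStatus)"
}

# Consumer features: MDM records applied policies under PolicyManager\current. This path is an
# assumption; the OMA-URI above is user-scoped, so on some builds the value sits under a
# per-user SID subkey rather than \device.
$results += Test-RegistryDword 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Experience' 'AllowWindowsConsumerFeatures' 0

$results
# A non-zero exit code lets Intune script reporting flag the device when anything drifted.
if ($results -match '^(MISSING|DRIFT)') { exit 1 } else { exit 0 }
```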
Company Portal
From the Windows Store for Business you can deploy the Company Portal; if you look at my post on automatic enrolment you can see how to do this. Below is an example of the Company Portal on a laptop deployed using Autopilot.
Post Autopilot deployment
Automatic Redeployment
Enable automatic redeployment
One of the best features of Autopilot is the ability for the user to redeploy their own laptop, but you must enable this feature first. Under Device restrictions – General you can enable automatic redeployment.
Redeployment in action; once it has finished, the machine will be back to its original state.
I hope that this showcases what you can do with Intune after Autopilot deployment.
Is there an update on this? Thanks
Hi Terence,
Thanks for the nice article and good showcase.
Considering I used this approach and the device is customized and connected to Azure AD; can it be integrated later to our “normal AD” and then managed with SCCM instead of EMM?
Thanks
Ruben
Hello Ruben, the answer is yes. You can take the co-management approach with SCCM but Sidd Mantri who is the project manager for this talked about enabling Hybrid Azure AD join, this creates a VPN to connect to your domain controller. I will be talking about this at our event in June. So a blog post will come later.
Thanks
Hi Terence,
Looking forward to reading your blog post on that, thank you in advance 🙂
If the machine is ‘Hybrid Azure AD joined’ is the user able to access domain resources, e.g. files on a traditional file server, use NTLM v2 or Kerberos and perhaps connect to an OnPrem Exchange?
Ruben,
At the moment that feature in Autopilot is only in prototype and I have not had a chance to play around with it. But as far as I understand it, the machine should act as if it was domain joined (Domain Join VPN) while showing as Azure AD joined too. It should act as if it was an on-prem domain-joined machine with the benefits of Intune and Azure on top. As most of this is in prototype I don't have access just yet. To me this is the missing piece of the puzzle.
Thanks
Terence
Hi Terence,
Thanks for the clarification. Then let's wait together and hope that the fog clears up soon 😉
I’ll keep monitoring this blog closer now ^_^
Great post Terence!
Did you know that you can also enable Automatic Redeployment with the default Windows 10 Device restriction profile? It's under General, at the bottom 😉
I didn't see that, thanks Jan. I will update the post later when I get a chance.