Intune intro

Slowly but surely we're trudging through the swamp of Microsoft inventions I love to complain about — but Intune deserves credit. It's powerful and the impact is felt directly.

Slowly but surely, this newsletter keeps wading through the swamp of Microsoft features I love to grumble about — sometimes with good reason. But credit where due: Autopilot is a very well thought-out (somewhat less well executed) feature that saves us IT folks plenty of hours a year. The configuration isn't completely simple, though, and there are two ways to do it. In this cookbook we'll look at the more modern way to set up Autopilot — even though it shaves off a few of the options, it's all in one place and many times simpler.

To configure this policy, open Intune > Devices > Enrollment > Device preparation policies, click Create, and choose User Driven.

The Introduction tab describes what the policy does and links to a not-very-clear Microsoft Learn page that walks through the setup. Under Basics, name the policy and add a description noting which apps and scripts you'll be pushing to the device.

Under the Device Group tab, you need to add a security group with Assigned membership whose Owner is the service principal with the application ID f1346770-5b25-470b-88bd-d5744ab7952c. This is the so-called Intune Provisioning Client (shown in some tenants as Intune Autopilot ConfidentialClient), which automatically places devices into the group you've created and then operates on them. If this service principal isn't in your tenant, I'll point you back to the Microsoft Learn article mentioned earlier. Once the group exists, we add it to the Autopilot setup.

Next we configure how Autopilot itself behaves: what it does, which apps it installs, and which scripts it runs. This setup joins the device to Entra ID, sets the time-out before showing an error message to 2 hours, and prevents the user from skipping this configuration.

Now we add the required apps. In our case there's only M365 to choose from because we haven't added any others. You can, however, force install up to 10 apps during the device's first install, which should cover even more demanding users. We have no scripts yet, so we move on. We leave Scope tag on Default as usual, and under the Assignments tab we add a user group.
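The device group step above can also be done, and audited, from PowerShell. This is an added example, not part of the original cookbook or Microsoft's own script: it assumes the Microsoft Graph PowerShell SDK is installed, and the group name is a constructed placeholder.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications, Microsoft.Graph.Groups
# Added example: create (or reuse) the Autopilot device group and verify its owner.
$ProvisioningAppId = 'f1346770-5b25-470b-88bd-d5744ab7952c'  # ID given in the text
$GroupName         = 'Autopilot-DevicePrep-Devices'          # hypothetical name

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Application.Read.All'

# 1. The provisioning service principal must already exist in the tenant.
$sp = Get-MgServicePrincipal -Filter "appId eq '$ProvisioningAppId'"
if (-not $sp) {
    throw "Service principal $ProvisioningAppId not found; add it per the Microsoft Learn article first."
}

# 2. Reuse the group if present, otherwise create an assigned security group.
$group = Get-MgGroup -Filter "displayName eq '$GroupName'" | Select-Object -First 1
if (-not $group) {
    $group = New-MgGroup -DisplayName $GroupName -MailNickname $GroupName `
        -MailEnabled:$false -SecurityEnabled `
        -Description 'Device group for the Autopilot device preparation policy'
}

# 3. Make the service principal an owner if it is not one already.
$ownerIds = @(Get-MgGroupOwner -GroupId $group.Id -All | ForEach-Object Id)
if ($ownerIds -notcontains $sp.Id) {
    New-MgGroupOwnerByRef -GroupId $group.Id -BodyParameter @{
        '@odata.id' = "https://graph.microsoft.com/v1.0/servicePrincipals/$($sp.Id)"
    }
    $ownerIds += $sp.Id
}

# 4. Report what the policy depends on, plus any unexpected extra owners.
[pscustomobject]@{
    Group             = $group.DisplayName
    SecurityEnabled   = $group.SecurityEnabled
    AssignedMembers   = $group.GroupTypes -notcontains 'DynamicMembership'
    ProvisioningOwner = $ownerIds -contains $sp.Id
    OtherOwners       = @($ownerIds | Where-Object { $_ -ne $sp.Id }).Count
}
```

A non-zero OtherOwners count is worth reviewing, since any owner of this group can change which devices the policy applies to.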

Done. Bear in mind that settings like this can take 24 to 48 hours to roll out, so it isn't a great idea to test right away — but with the looming deadline for the upgrade from Windows 10 to 11, this can potentially save you an hour, or twenty.

In closing

Just recently we switched to Autopilot v2, and the change was rather pleasant. What's been your experience with Autopilot? Link to the cookbook HERE.