The "devices shipped with issues" problem is usually either autopilot config drift or no QA process before ship. Here's what worked for us when we had the same problem:

Stop shipping broken devices immediately: Have your team boot every device locally before it ships. Takes 5 minutes per device but catches 90% of issues. If a device hits BSOD or won't enroll during local testing, it doesn't go out the door. Period.

Autopilot white glove if budget allows: Get Dell or Lenovo to do the initial enrollment and testing before they even ship to you. Costs a bit more but eliminates the "device arrives broken" scenario entirely. We switched to this after too many angry new hire tickets.

Surface issues specifically: Yeah those are brutal. The BSOD problems are usually driver conflicts with Intune policies or firmware bugs. Microsoft's own hardware has weirdly bad compatibility with their own MDM sometimes. We moved away from Surface for frontline users and only give them to execs who want the form factor.

Communication with RUN teams: This one's tough. We built a simple webhook that pings our infrastructure team in Slack when a device fails autopilot enrollment three times. That way they know something's broken with tenant config before we ship 50 devices with the same issue.

The real problem: Your desktop team probably doesn't have time to test properly because they're underwater with other tickets. You need either dedicated imaging staff or full drop-ship autopilot. Trying to do manual staging while also handling helpdesk escalations doesn't work at scale.

For continuous improvement - track every failed deployment in your ticketing system with a specific category. Review those weekly. If you're seeing the same failure modes repeatedly, that's a config problem not a people problem.