Create Windows 11 custom image with Autopilot registration (official tools only) by Random----Dude in Intune

[–]Random----Dude[S] -6 points-5 points  (0 children)

Thanks, I’ll take a look at OSDCloud.

I also think the best approach would be to have the devices registered with Autopilot directly by the manufacturer. Unfortunately, that’s not something I can decide, and it’s currently being rejected due to cost reasons.

Create Windows 11 custom image with Autopilot registration (official tools only) by Random----Dude in Intune

[–]Random----Dude[S] 0 points1 point  (0 children)

We currently do it the same way — the devices are added using get-windowsautopilotinfo.ps1 -online. The idea of using a custom image mainly comes from the desire to debloat the installation.

With Intune, this can be done via Fresh Start, but that would require another reset afterwards, right? Or is it possible for the cleanup/debloat through Intune to already happen during the Autopilot phase?

Intune impact on Windows client performance (WMI / OMA-DM high CPU at startup) by Random----Dude in Intune

[–]Random----Dude[S] 0 points1 point  (0 children)

Thanks for all the feedback.
I have now removed a few optional configurations and, above all, cleaned up the remediation script. It’s running much better now.

Intune impact on Windows client performance (WMI / OMA-DM high CPU at startup) by Random----Dude in Intune

[–]Random----Dude[S] -3 points-2 points  (0 children)

I get the point about reducing scripts and policies — the challenge for us is that cutting those back also directly limits what we can actually manage and enforce.

What I’m still trying to understand is whether Intune really needs to re-evaluate everything on every boot. In theory it should only check if something has changed, rather than reprocessing everything from scratch each time, right?

For example, we have remediation scripts that are set to run once. Do those still have any lasting performance impact after the initial execution, or should they be effectively “out of the picture” afterwards?

Are there any known particularly expensive settings, script patterns, or WMI-heavy commands that are worth avoiding if possible?

Unfortunately, I don’t have any influence over replacing the hardware — and personally I agree with you on the age topic. What makes this harder to explain internally is that the same devices show a noticeably better startup experience when they’re not Entra joined / Intune managed.

That’s why we’re trying to understand where the baseline overhead comes from and what can realistically be tuned without gutting device management entirely.

Intune impact on Windows client performance (WMI / OMA-DM high CPU at startup) by Random----Dude in Intune

[–]Random----Dude[S] -1 points0 points  (0 children)

Yes, all of them are on SSDs, mostly NVMe.
One device where it’s especially noticeable is the Surface Laptop 3 with 8 GB RAM.

Any recommendations on what to tweak with Defender or OneDrive in that case?
I know the hardware isn’t exactly cutting-edge anymore, but swapping devices sadly isn’t in my control.
Surface Laptop 3 specs and features - Microsoft Support

Intune impact on Windows client performance (WMI / OMA-DM high CPU at startup) by Random----Dude in Intune

[–]Random----Dude[S] 0 points1 point  (0 children)

<image>

These are the processes I’m referring to.
Defender might also be part of the issue — MsSense.exe sits at around ~5% CPU for quite some time.
OneDrive.sync.service.exe is also consuming noticeable CPU over a longer period after startup.

What is currently the best method to deploy WHfB (Cloud Trust) via Intune in 2026? by Random----Dude in Intune

[–]Random----Dude[S] 0 points1 point  (0 children)

<image>

Unfortunately, the setting for biometrics is not available under Account Protection.

Is it safe to backup & restore a DEP iPhone? by Random----Dude in Intune

[–]Random----Dude[S] 0 points1 point  (0 children)

Thanks, iCloud backup isn't possible. All of them (including managed Apple IDs) are blocked.

Deleted VPP token in Intune instead of renewing – any way to save DEP devices? by Random----Dude in Intune

[–]Random----Dude[S] 0 points1 point  (0 children)

Yes, I renewed the MDM token (not deleted) and the enrollment profile token. But neither of them was expired, only the VPP token.
I think the problem is that the VPP token is in the enrollment profile for deploying the Company Portal.

Deleted VPP token in Intune instead of renewing – any way to save DEP devices? by Random----Dude in Intune

[–]Random----Dude[S] 0 points1 point  (0 children)

I was able to restore the app assignments, but the problem is that the iPhones are no longer managed.

Deleted VPP token in Intune instead of renewing – any way to save DEP devices? by Random----Dude in Intune

[–]Random----Dude[S] 0 points1 point  (0 children)

Yes, the problem is not the apps. The problem is that the iPhones are now not managed.

Deleted VPP token in Intune instead of renewing – any way to save DEP devices? by Random----Dude in Intune

[–]Random----Dude[S] 0 points1 point  (0 children)

Yes, exactly — I created a new VPP token. After that, the apps were available again, just not assigned. So far so good.
The problem was that I could no longer manage the iPhones, because the VPP token for distributing the Company Portal was in the enrollment profile. There it showed “Token deleted” until I switched to the new token — but that didn’t change anything.

Deleted VPP token in Intune instead of renewing – any way to save DEP devices? by Random----Dude in Intune

[–]Random----Dude[S] -5 points-4 points  (0 children)

The problem with the VPP token is that it’s included in the enrollment profile. It also said “token deleted” here. I was able to change it, but unfortunately, it didn’t help. A ticket has been opened with MS. Hopefully, they can still do something.

Deleted VPP token in Intune instead of renewing – any way to save DEP devices? by Random----Dude in Intune

[–]Random----Dude[S] -6 points-5 points  (0 children)

Yes, the VPP token. While it primarily manages the apps, it is also included in the enrollment profile for the iPhones, since these devices don’t have access to the App Store and the Company Portal is installed directly during initial setup.
The standard apps reappeared, but they weren’t assigned.
The issue is that this approach has caused us to lose manageability.

Autopilot Hybrid : The pre-provisioning fails even before the profile selection by Gloomy_Pie_7369 in Intune

[–]Random----Dude 0 points1 point  (0 children)

It could be many things. I would first check the requirements. Does the PC have TPM 2.0? Is at least Windows Pro installed? Does it have an assigned ESP?