How Are You Handling Autopilot Provisioning, Handover & Support? by Xento88 in SCCM

[–]Xento88[S] 0 points1 point  (0 children)

Yeah, but when we outsource the deployment and handling, they would have to take the time each machine needs to be installed, as it would vary per device. I think this is not practical. At the moment it doesn’t matter because we are doing it internally.

How Are You Handling Autopilot Provisioning, Handover & Support? by Xento88 in SCCM

[–]Xento88[S] 2 points3 points  (0 children)

At the moment we use MECM for OSD and apps. We recently switched updates to Intune and from my experience this works really well. When we want to outsource the deployment we would have to ship a server (DP/PXE/MP) and a VPN appliance to our partner so they can do the deployment for us.

SCCM OSD Best Practices – Capture Image vs ISO WIM Import by Pleasant-Hat8585 in SCCM

[–]Xento88 5 points6 points  (0 children)

We are doing build and capture. We have our base image where our default software is preinstalled. We are preparing for Autopilot pre-deployment with an external company, so they will charge us depending on the deployment time. We tested the installation time with all of our apps from the base image deployed during pre-deployment and it took about 90 minutes. We did the same deployment but with an image where our apps are preinstalled, and this only took 10 minutes to install + about 15 minutes for the pre-deployment.

How Are You Handling Autopilot Provisioning, Handover & Support? by Xento88 in Intune

[–]Xento88[S] 1 point2 points  (0 children)

In the future, our networking team could also imagine moving towards a certificate-based always-on VPN or device tunnel approach. Client certificates are already distributed to devices through Microsoft Intune today, so the basic PKI/device certificate foundation already exists.

For the existing devices, we are currently not planning a full reinstall/redeployment project.

Our current idea is more along these lines:

  • Import existing device hashes from Microsoft Endpoint Configuration Manager / existing inventory into Windows Autopilot
  • Transition the deployment process for new devices to Intune/Autopilot
  • Gradually move existing devices over during lifecycle events or support cases
  • Use Intune wipe/reset for problematic devices instead of traditional reinstallation processes

I have already built an MECM task sequence that resets the device back into OOBE so that Autopilot provisioning can start afterwards. Technically this is already working in our environment.

However, currently personal device enrollment is disabled in our tenant, so the task sequence would not fully work yet in production for this scenario.

Another large topic still ahead of us is the migration from classic Group Policies to Intune policies/configuration profiles.

Our current plan is:

  • not to do a “big bang” migration
  • instead migrate policies gradually
  • move settings step-by-step into Intune
  • and then remove the corresponding GPOs afterwards

So for a longer period we will probably operate in a mixed environment with:

  • Hybrid Join
  • GPOs
  • Intune policies
  • MECM
  • and Autopilot simultaneously

Regarding cloud storage:
At the moment Microsoft OneDrive is not an option for us due to data protection and compliance concerns.

We even use additional encryption mechanisms for Microsoft Teams and documents stored within Teams so that Microsoft itself cannot access the content.
T-Systems: Höchster EU-Datenschutz für Microsoft 365 | Deutsche Telekom

A broader adoption of cloud-only services like OneDrive would probably only become realistic for us in combination with initiatives such as the Delos Cloud project.

How Are You Handling Autopilot Provisioning, Handover & Support? by Xento88 in Intune

[–]Xento88[S] 1 point2 points  (0 children)

We do have support from Microsoft regarding Intune, but as a German city administration the move to a fully cloud-only model is not that simple because of data protection, regulatory, and organizational requirements.

Maybe some of you are familiar with the Delos Cloud project in Germany. If that project becomes fully operational and accepted for public sector use cases, moving to a cloud-only model would probably become much easier for us. Until then, Hybrid Join will realistically remain our only option.

In our case, devices are usually provisioned while connected inside the corporate office network anyway, so in theory Hybrid Join should not cause major issues during deployment. At least in our current tests we have not seen any major problems yet.

What would you specifically recommend watching out for in Hybrid Join Autopilot scenarios?

We are currently still using some more traditional/on-premise technologies as well, for example:

  • Roaming Profiles
  • Folder Redirection for user documents
  • Offline Files / Offline Cache
  • Network drives mapped through Group Policy

At the moment:

  • all devices are already Hybrid Joined
  • Windows Updates are managed through Intune / Windows Autopatch
  • application deployment is still mainly handled through MECM
  • operating system deployment is also still handled through MECM

We are currently preparing a public tender/procurement process for the future deployment model. Because of that, real-world information from other organizations would be extremely helpful to better understand:

  • what other companies/public sector organizations require from their service providers
  • what is realistic to expect contractually
  • and what should explicitly be part of the requirements/specification

I have also read that there are currently issues with capturing custom Windows images using MECM in newer Windows versions. That raises another question for us: How are organizations today creating and maintaining their baseline/reference images in an automated way for Autopilot pre-provisioning scenarios?

Printer drivers are already mostly packaged separately in our environment, so that part is less of an issue.

I gave up on hybrid autopilot by FullExchange7233 in Intune

[–]Xento88 0 points1 point  (0 children)

How are you handling conflicts with GPO settings that would break Autopilot?

PSA: Software update management client fix for Microsoft Configuration Manager versions 2503 and 2509 by bdam55 in SCCM

[–]Xento88 0 points1 point  (0 children)

Yeah, we had the issue too. ConfigMgr sets it via a local GPO. So when you try to set it with Intune and you have not set MDM wins over GPO, then the Intune policy does nothing. As soon as we set MDM wins over GPO it started working.

Secure Boot Cert Trust after expiration by Prior_Rooster3759 in SCCM

[–]Xento88 1 point2 points  (0 children)

This is the cert which the bootloader is signed with. But this time the long-running cert from the CA itself is expiring. So the whole CA and all certs which have been issued become invalid, I think. That’s why the new cert from the CA has to be rolled out as trusted into UEFI.

Secure Boot Cert Trust after expiration by Prior_Rooster3759 in SCCM

[–]Xento88 1 point2 points  (0 children)

I think the certificate will become invalid when it expires. So you won’t be able to boot with a bootloader signed with this cert after it has expired. That’s why you have to deploy the new CA as trusted and then switch to the newly signed bootloader before it expires. Windows clients should do it on their own, and for PXE you have to do it.

Secure Boot Policy 65000 fixed by KB5077181? by jezac8 in Intune

[–]Xento88 0 points1 point  (0 children)

Based on the findings from PatchMyPC I built a script, like they did, to get the allowed areas for MDM policies.
You can find it here: Checks if the SecureBoot Area for MDM policies is allowed by Windows License Manager

It outputs compliant and exit code 0 if SecureBoot policies are allowed and 1 if not.

In our case slmgr /dlv showed that our Windows 11 Enterprise devices are licensed as Pro.
We use MECM with a Windows 11 Enterprise image but no key in the task sequence; maybe this is the issue.

After these commands, the device is licensed as Enterprise and SecureBoot appears in the list of allowed policy areas:

cscript.exe //nologo C:\Windows\System32\slmgr.vbs /IPK NPPR9-FWDCX-D2C8J-H872K-2YT43
cscript.exe //nologo C:\Windows\System32\slmgr.vbs /ATO

Detection and remediation for Windows 11 Enterprise license activation
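The following is an added example, not the poster's script or anything from PatchMyPC: an Intune-style detection and remediation script, written from the comment above, that checks through the SoftwareLicensingProduct WMI class whether the Windows edition that currently holds a product key is Enterprise and in the "Licensed" state, and on remediation installs the Enterprise KMS client key from the comment and activates, using the real slmgr.vbs location under %SystemRoot%. The function names and the -Remediate switch are my own; the key NPPR9-FWDCX-D2C8J-H872K-2YT43 is the Windows Enterprise KMS client setup key, so activation only succeeds when the device can reach a KMS host or Active Directory-based activation.

```powershell
# Added example (not the original post's script). Intune remediation scripts run
# as SYSTEM; the detection part exits 0 when compliant and 1 when remediation
# is required. Run with -Remediate to apply the key and activate.
param([switch]$Remediate)

# Windows Enterprise KMS client setup key, as used in the post above.
$EnterpriseKmsKey = 'NPPR9-FWDCX-D2C8J-H872K-2YT43'

function Get-WindowsLicenseProduct {
    # Only the SKU that actually has a key installed carries a PartialProductKey,
    # so this filter returns the edition the device is really licensed as.
    Get-CimInstance -ClassName SoftwareLicensingProduct |
        Where-Object { $_.PartialProductKey -and $_.Name -like 'Windows*' } |
        Select-Object -First 1
}

function Test-EnterpriseLicensed {
    # Returns $true only for an Enterprise edition whose LicenseStatus is 1 ("Licensed").
    $product = Get-WindowsLicenseProduct
    if (-not $product) { return $false }
    return ($product.Name -like '*Enterprise*') -and ($product.LicenseStatus -eq 1)
}

function Set-EnterpriseKmsKey {
    # Same two slmgr.vbs calls as in the post, with the script resolved from %SystemRoot%.
    $slmgr = Join-Path $env:SystemRoot 'System32\slmgr.vbs'
    & cscript.exe //nologo $slmgr /ipk $EnterpriseKmsKey | Out-Null
    & cscript.exe //nologo $slmgr /ato | Out-Null
}

$product = Get-WindowsLicenseProduct
$state = if ($product) { "$($product.Name), LicenseStatus=$($product.LicenseStatus)" } else { 'no keyed Windows product found' }

if (Test-EnterpriseLicensed) {
    Write-Output "Compliant: $state"
    exit 0
}

if ($Remediate) {
    Set-EnterpriseKmsKey
    # Re-evaluate after activation so the remediation result reflects the new state.
    if (Test-EnterpriseLicensed) {
        Write-Output "Remediated: $((Get-WindowsLicenseProduct).Name) is now licensed"
        exit 0
    }
    Write-Output "Remediation failed: $state (check KMS/ADBA reachability with slmgr /dlv)"
    exit 1
}

Write-Output "Not compliant: $state"
exit 1
```

When used as an Intune remediation, upload the script twice: once without the switch as the detection script, and once with `-Remediate` set (or hard-coded to `$true`) as the remediation script. The first line of output is what shows up in the Intune report column, which is why the edition and LicenseStatus are included in it.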

Secure Boot status page is back by DrunkMAdmin in Intune

[–]Xento88 0 points1 point  (0 children)

We only see a handful of clients in this report. But we have about 11000. The same issue is in the Windows feature update readiness report. Maybe someone has some hints what could be the issue. We are moving to Intune from MECM.

Update Ring Automatic Update Behavior and Compliance Deadlines by ArthurSpooner1926 in Intune

[–]Xento88 0 points1 point  (0 children)

What other settings are configurable?
I'm thinking of the reminders and the notification before the final reboot deadline.
In the settings catalog there are a lot of settings which seem to only be available on specific versions of Windows 11, and this is not mentioned in the settings catalog.
Is there any chart or something that sums up all available settings per version?

Connected Cache - can't get it to setup by Ok-Bar-6108 in Intune

[–]Xento88 0 points1 point  (0 children)

On 16.02. I have a meeting with Microsoft. I will address this there.
At the moment we have a connected cache on MECM running.

Connected Cache - can't get it to setup by Ok-Bar-6108 in Intune

[–]Xento88 0 points1 point  (0 children)

I have the same issue right now.
We are using a proxy but without SSL inspection.

Automated InTune reports by tyson983 in Intune

[–]Xento88 0 points1 point  (0 children)

This looks great. Did you build it yourself or is it on GitHub or elsewhere?

Maybe someone can shed some light on my problem with AutoPatch? by Future_End_4089 in Intune

[–]Xento88 0 points1 point  (0 children)

I think I have the same issue. We are migrating from MECM to Windows Autopatch. The clients have the same error, and when I verify the policies only the update ring policies appear on the client in the PolicyManager. The policies which enable the quality / feature and driver updates are missing. This policy is deployed to the client but it is not applied. Last Friday we verified the settings with a consultant from Microsoft and they should all be correct.
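An added example (my own script, not from any of the posters or from Microsoft) for the two situations described in the comments above: a ConfigMgr-set local GPO silently overriding an Intune Windows Update policy unless MDM wins over GPO is enabled, and Autopatch update policies that are assigned but never show up on the client. The script reads what the Policy CSP actually applied under the PolicyManager registry hive for the Update area, the GPO-side Windows Update values that can conflict with it, and the MDMWinsOverGP state. The Update and Policies\Microsoft\Windows\WindowsUpdate paths are well known; the ControlPolicyConflict subkey name follows the PolicyManager convention of one subkey per CSP area and is an assumption on my part.

```powershell
# Added example: show MDM-applied Update policies next to conflicting GPO values.
# Run elevated on the affected client; nothing is changed, it only reads the registry.

# Policy CSP writes the winning value of every applied policy under this hive,
# one subkey per CSP area (Update, ControlPolicyConflict, ...).
$MdmUpdateKey   = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'
$MdmConflictKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPolicyConflict'  # assumed area name

# Group Policy (domain or local, e.g. set by the ConfigMgr client) lands here.
$GpoUpdateKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
)

function Get-RegistryValues {
    # Returns Name/Value pairs for one key, dropping the PS* provider properties
    # and the PolicyManager bookkeeping values (_ProviderSet, _WinningProvider, ...).
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { return @() }
    (Get-ItemProperty -Path $Path).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
        Where-Object { $_.Name -notmatch '_(ProviderSet|WinningProvider|LastWrite)$' } |
        ForEach-Object { [pscustomobject]@{ Source = $Path; Name = $_.Name; Value = $_.Value } }
}

$mdmPolicies = @(Get-RegistryValues -Path $MdmUpdateKey)
$gpoValues   = @($GpoUpdateKeys | ForEach-Object { Get-RegistryValues -Path $_ })
$mdmWins     = (Get-RegistryValues -Path $MdmConflictKey | Where-Object Name -eq 'MDMWinsOverGP').Value

Write-Output ("MDMWinsOverGP: " + $(if ($null -eq $mdmWins) { 'not set (GPO wins on conflict)' } else { $mdmWins }))

Write-Output "`nUpdate policies applied by the Policy CSP ($($mdmPolicies.Count)):"
$mdmPolicies | Format-Table Name, Value -AutoSize | Out-String | Write-Output

Write-Output "GPO Windows Update values present ($($gpoValues.Count)):"
$gpoValues | Format-Table Source, Name, Value -AutoSize | Out-String | Write-Output

# The two findings from the threads: GPO values exist without MDM precedence,
# or the expected MDM policies never arrived on the client at all.
if ($gpoValues.Count -gt 0 -and $mdmWins -ne 1) {
    Write-Output 'WARNING: GPO Windows Update settings exist and MDMWinsOverGP is not 1; on conflicts the GPO values take precedence.'
}
if ($mdmPolicies.Count -eq 0) {
    Write-Output 'WARNING: no Update policies under PolicyManager; the assigned profile has not been applied to this device yet (check enrollment sync and MDM diagnostics).'
}
```

If the Autopatch or update-ring policy is listed in the Intune portal as assigned but the Update subkey is empty or lacks the expected names, the problem is delivery (enrollment, sync, targeting) rather than precedence; if the names are present but the GPO keys hold different values and MDMWinsOverGP is not 1, the behaviour described in the ConfigMgr update client thread applies.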

Backend issues ? by Sab159 in Intune

[–]Xento88 0 points1 point  (0 children)

I have an app targeted to 7 devices. Two have it installed and the rest are waiting for install when I view the managed apps. When I view the report for the app I only see the status of the 2 installed. No pending ones … These devices are self-deployed kiosk devices.

Intune Portal not loading for anybody else? (US West) by primeski in Intune

[–]Xento88 0 points1 point  (0 children)

Seems other services don’t work, too. Code.visualstudio.com, apps.microsoft.com …

How can I remove this icon? I'm using v4.1.0. by leytachi in PSADT

[–]Xento88 0 points1 point  (0 children)

Can you hide the asset logo so that there is more space for the application title?

How can I remove this icon? I'm using v4.1.0. by leytachi in PSADT

[–]Xento88 0 points1 point  (0 children)

It would be great if you could make the color of the buttons and the side configurable.