Just FYI for everyone: when adding the owners of the group "Windows Autopilot device preparation device group", if you cannot see Intune Provisioning Client, please select Intune Autopilot ConfidentialClient. I know it doesn't make any sense, but Intune Autopilot ConfidentialClient is the same thing as Intune Provisioning Client. Typical Microsoft design. BTW, great video Dean - thank you so much for this.
Yes, it has the same object ID.
I really appreciate the fantastic classes! They have helped me tremendously in understanding Intune better (and with more appreciation). Best regards!
You're very welcome!
@@DeanEllerbyMVP Can I ask you a question? Do I need to create one group for users and another for devices, both in the process of Microsoft Autopilot device preparation and in the "traditional Autopilot"?
Good stuff! Love the videos, man!
I really enjoy your videos. Easy to understand and your pace and tone is a very pleasant experience
Thank you very much!
I really appreciate this video from you!!
Just discovered your channel and I love your style, and it's full of really useful info. Subscribed.
I will just add that you didn't start by explaining what this new feature did before you launched into it. If you wait until near the end it all becomes clear. Hope this was constructive criticism.
Thanks!
😱 Thanks Brian!
Lets start a revolution!
Dean brings a lot of knowledge and value to the community.
"should be assigned" = I need to do it. "will be assigned" = the policy will do it. Even after watching the video I don't know what it's trying to tell you.
Thanks for the video.
How should the Deployment Profile and Enrollment Status Page (ESP) be configured to work with this?
Thx for the video!
One thing I don't understand:
Today, I have the slightly annoying registration of the hardware hash. This ensures that users can only join a device that is registered on my tenant.
With this new method I don't have that control anymore and any user can join their personal device if they want to, because I have to allow that in the enrollment restrictions to make it work.
Nevermind, I watched the video you just released....
Thx!
I know I'm a little late here, but because our devices have their Autopilot started by a third party offsite, I don't see the need to switch from our current Autopilot V1 setup to this new V2 option. However, if they added the option to include configuration profiles in V2, that would definitely make me switch.
Great video, very informative as always
The Standard/Administrator toggle is super annoying and confusing.
Another really annoying thing is when you try to assign an application to groups it doesn't let you use the same group for both Required and Available installation at the same time...
So you have to create 2 groups and add the users manually, twice the work (this is if you want the app to only be installed and available to a small group of people).
(Yes, you can use PowerShell and pipe the members of Group A to the command that creates Group B, but that is too much and not everyone can use PowerShell.)
Actually I found that I can nest Group A inside Group B and this will both install the software and also make it available in Company Portal.
Group A will force the installation.
Group B that has Group A as its member will make it available in Company Portal so that if a technician uninstalls the app they can quickly re-install it since it will appear in Company Portal.
Should have thought about this earlier.
@11:33 security is an add-on product for Microsoft.
Looks promising - will definitely look into it with a test tenant. Would be helpful to work with it in some cases and makes the whole process more streamlined I guess.
Thanks for the video!
What if the device is asked to be wiped? Or to be demoted? Should we manually remove the device serial number in the Autopilot settings? Thank you for the video!😊
This looks pretty good. It's pretty much exactly what I want to see from Microsoft - no dramatic changes in functionality, but polish and efficiency improvements behind the scenes.
However, it requires at least the April 2024 update to Windows 11. Today if I use the Media Creation Tool I get the Dec 2023 version, so that's not going to work. The docs direct me to the Volume Licensing Service Centre, where apparently I can get an up-to-date installer. When I log in there it tells me "VLSC has been retired. All the VLSC features have moved to Microsoft 365 admin center (MAC)." I can't download an installer from the MAC, because I don't have a volume license, just E5 subscriptions. Fun journey, but a bit of a dead end.
It feels like it's going to be a long time before I can be confident that a newly purchased device will arrive with a sufficiently up-to-date copy of Windows pre-installed.
Is there any functionality around device naming? Currently with hardware hash uploads, we set the device name ahead of time, so our machines all have consistent names. That's functionality I'd rather not lose.
'Polish' - not so much. It still doesn't tell you you've assigned apps in the policy that won't deploy. The % complete is utterly meaningless. It still doesn't show you which apps or policies are being applied. The diagnostics and reporting are sufficiently laggy that they don't have much value. How this is GA and not a preview I've no idea, it's not ready for production use. You're right about devices having to have the required version of Windows on them - OEMs are slow, so that might not happen for a year.
@10:51 - can you find out why 7zip did not get installed?
Looking forward to the video with the corporate device IDs being used. We block personal devices and don’t want to have to open it up.
Same! I'm looking at it now so I can record it tomorrow when I don't look like it's 11pm :-)
What name did the device get? I didn't see that you chose a naming standard. And the thing you said last about letting people join non-corporate devices: isn't that the purpose of V2, because corporate devices are registered with a hash beforehand?
Was your VM registered in Autopilot?
No.
Is there an option to set those privacy settings so that either the user doesn't see that screen, or one or more of the options are greyed out as managed from M365?
Thanks for the video.
At the owner, the "Intune Provisioning Client" is not there! Any idea?
Missing for me as well.
Look for the service ID of f1346770-5b25-470b-88bd-d5744ab7952c.
In my tenant it was called Intune Confidential client, but apparently as long as the ID is f1346770-5b25-470b-88bd-d5744ab7952c it's correct.
I'm not quite following which group needs to be added to the app for it to install. Would that be the Windows Autopilot device preparation device group? Also, will the device added in this way stay in that group going forward, or does Intune do something else with it after deployment? Thanks for this video!!!!
Please let me know: does the application have to be rolled out to devices? Assume that I am implementing Autopilot freshly. I am not understanding the logic; was the application targeted previously to devices?
An App must be assigned to a device (or user) in order to install on the device.
Features like ESP and Autopilot Device Prep allow you to list important apps that MUST be on there, but they still need to be assigned to the device (or user) in order to install. You can assign by either All Users / All Devices, a specific group, or the Autopilot Device group. It doesn't seem to matter.
Hi, following this video closely, when I created the 2 “Windows Autopilot device provisioning xxxxx group” and I’m trying to add an owner, I do not see “Intune Provisioning Client” in the list.
Am I doing something wrong?
I subscribed because subscribers are nice 😊
Did I see you had to set the privacy settings? That wasn't required in V1, well not for us. Did it do the uplift from Pro to Enterprise if you have the required subscription?
I did see that as well and installed Windows 11 Enterprise to kick this off. A bit disappointing this doesn't disappear. Maybe it can be controlled via policy/CSP. IMO, it's something in Windows that needs to be updated to remove this when going down the Autopilot path with this "new" preparation fork.
Yes - I didn’t realise at the time! That’s not great…
There's so much missing in this video… what's the status in Intune after Autopilot is done, do we have to add the zip to the device group, what about device naming...
There's not much missing in APv2. :-)
New video coming soon to fill in the gaps.
Hi, really thank you. I would appreciate it if you make a video on how to remove an Autopilot device from the endpoint and how I can rejoin it again to Autopilot as a new device. Facing this issue.
Thanks for this video! I have added Intune Autopilot ConfidentialClient as owner of the device group, but when I add this device group in the provisioning policy it shows "0 Groups assigned". Any idea what might be the problem?
I had this at first. I think I just went back and created a new prep policy…
Ok, thank you. I'll try my luck 😊
No luck at all. Still says the same. Maybe I'll just give it a day to think.
@Dean thanks like always, I want to ask if this method will work for some companies with hybrid join?
This feature doesn’t support Hybrid, although the presence of a dropdown for Join Type indicates it might in the future!
A huge thanks for the video! But I don't understand what the reason is to move to "new Autopilot v2"? Is it a kind of journey from the first version of Autopilot to the new one?)
I work at an MSP and, in this position, I have to bench devices before sending them to our clients. One of our clients leverages autopilot, and it's a bit of a headache.
Would this "v2" work using a temporary access pass to sign the user in during OOBE?
That’s an interesting question. Let me test.
I am facing an issue when I am trying to enroll the device with this method: Windows does not give me the option to log in with work or school accounts, it just gives me the option to join as a local user. I am trying many times, but I am not able to fix that issue, so could you help me to solve this?
Which version of Windows are you using?
@@DeanEllerbyMVP Windows 11 Pro
@@DeanEllerbyMVP Also, could you assist me with how to enrol any device with a standard user type when we use the Account > Work or school account / join Azure Active Directory method, not the Autopilot method?
Thank you for the video
You're welcome
Thank you so much for this.
To confirm, does this mean we don’t have to run the autopilot PS commands if we use this deployment method?
@@kabelothosi7301 This method doesn’t use the hardware hash, so if that’s the command you’re referring to, then yes - it’s not needed.
@@DeanEllerbyMVP appreciate the quick response. Going to try it out. Recently moved from a hybrid to a fully cloud setup.
I care about hybrid autopilot, unfortunately… wish I didn’t!
Yeah - sorry. I was in a rush and didn't want to get into it.
I still think that organisations that NEED hybrid don't NEED Autopilot, but hey...
@@DeanEllerbyMVP Autopilot works great in Hybrid other than limitations that Microsoft have self-imposed, such as device naming restrictions and the fact they are not investing in Hybrid. Funny thing is they now officially have a stance that Hybrid is a valid end state... go figure. I've had it set up for two years. It's no different other than it also joins the domain via ODJ. If you have an always-on VPN / Zscaler ZPA with machine token, it works similar to pure Entra. Sure, 100% of SSO may not be working until the user cert on the device replicates, but that can be detected via a scheduled task monitoring for specific event IDs and prompt the user for one last reboot once they've been using the device.
Does the owner really "only" have to be set for the "Windows Autopilot device preparation device group" and not also for the "Windows Autopilot device preparation user group"?
Yeah, I think so. The user group is to be populated by the organisation / admin.
Intune Provisioning account not found.
I think this app's ID is f1346770-5b25-470b-88bd-d5744ab7952c and I found it under the "Intune Autopilot ConfidentialClient" name.
What if you're missing the Intune Provisioning Client app?
BTW: Thank you for creating these videos.
I assume if you're missing that, you're also missing the Device Prep feature, but if not... oops!
@@DeanEllerbyMVP No I have that.. I just got this today, so maybe they're not finished with my tenant.
Hmm. I got mine visible in the portal today too. It appeared about 11AM GMT, and it's taken me 10hrs to get a video recorded about it. I need to improve my workflow :-)
@bridley5189
Some info from a helpful community fellow - @heyradu !
In some tenants, the service principal might have the name of Intune Autopilot ConfidentialClient instead of Intune Provisioning Client. As long as the AppID of the service principal is f1346770-5b25-470b-88bd-d5744ab7952c, it's the correct service principal.
If neither Intune Provisioning Client nor Intune Autopilot ConfidentialClient with AppID f1346770-5b25-470b-88bd-d5744ab7952c exists in the tenant, it must be added via PowerShell commands. For more information, see Adding the Intune Provisioning Client service principal.
# One-off: install the AzureAD module, then sign in to the tenant
Install-Module AzureAD
Connect-AzureAD
# Create the service principal for the Intune Provisioning Client by its AppId
New-AzureADServicePrincipal -AppId f1346770-5b25-470b-88bd-d5744ab7952c
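A Microsoft Graph PowerShell check for the two problems raised in this thread (the service principal showing under a different display name or missing entirely, and the device group showing "0 Groups assigned" because the principal is not an owner), added here as an example and not Dean's or Radu's own commands. It looks the principal up by the AppId quoted above, never by name, creates it if absent, and adds it as an owner of the device preparation device group. Assumptions: the Microsoft.Graph module is installed, the signed-in admin has the listed scopes, and the group uses the default name shown in the video.

```powershell
# Added example (not from the video or the comments). Assumes Microsoft.Graph SDK.
$AppId     = 'f1346770-5b25-470b-88bd-d5744ab7952c'   # AppId quoted in the thread
$GroupName = 'Windows Autopilot device preparation device group'   # assumption: default name

Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'Group.ReadWrite.All'

# 1. Find the service principal by AppId. Display name is unreliable: the thread
#    shows it as "Intune Provisioning Client" in some tenants and
#    "Intune Autopilot ConfidentialClient" in others.
$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) {
    Write-Host "Service principal for AppId $AppId not present; creating it."
    $sp = New-MgServicePrincipal -AppId $AppId
}
Write-Host ("Using '{0}' (object id {1})" -f $sp.DisplayName, $sp.Id)

# 2. Resolve the device group and list its current owners.
$group = Get-MgGroup -Filter "displayName eq '$GroupName'"
if (-not $group) { throw "Group '$GroupName' not found; check the name in Entra." }

$ownerIds = (Get-MgGroupOwner -GroupId $group.Id -All).Id
if ($ownerIds -contains $sp.Id) {
    Write-Host "'$($sp.DisplayName)' is already an owner of '$GroupName'; nothing to do."
} else {
    # 3. Add the principal as owner by directory object reference.
    $ref = @{ '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($sp.Id)" }
    New-MgGroupOwnerByRef -GroupId $group.Id -BodyParameter $ref
    Write-Host "Added '$($sp.DisplayName)' as owner of '$GroupName'."
}
```

Re-open the device preparation policy after running it; the group count may take a little while to update, as the comment above about "0 Groups assigned" suggests.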
Thanks for the video.
However, I still don’t understand what the fundamental difference is. This looks more like a change in approach, but what I saw does not add anything new.
There seems to be a lot of difference under the hood. I've not quite got enough content for a video on that, but it IS fundamentally different.
It's also just a base for new features that are planned to build on this new capability. Features that were impossible or unlikely due to the v1 approach.
@@DeanEllerbyMVP Thank you, I'll be looking forward to the news. Thank you for keeping us updated :)
@@DeanEllerbyMVP this seems to be my take on it too. I haven't had the opportunity to play with it yet, but having watched your video it feels like a preview release, where the additional interesting functionality is yet to come. Really feel like a primary school child could design a better UI in both Intune and the OOBE than Microsoft though! The spelling mistake, the scroll bar with cut off text in OOBE on the MFA screen. Not even including the lack of an option to display a list of apps/policies being installed 🤦♂️
I think I agree, but one thing is for certain, after months of QA, the spelling mistake is unforgivable.
@@darrenoleary It's horrible. One of the design expectations for this "new" Autopilot was for better info to the end user. Therefore, when things fail (like an app), specific info can be displayed. Maybe it does, I haven't caused it to fail yet. However, giving a percentage (which is horribly inaccurate) and removing detail is going backwards, IMO... why be so scared to show on the screen EXACTLY what is happening?
Love this vid, but excuse me, it still looks like Microsoft did something else useless here. The whole idea and concept about adding the HWID was a bit of added security in managing devices, especially when considering offboarding users who have company devices. Without the HWID a user could wipe the machine and just sign into a personal Windows account or whoever their new employer is and walk away with a new computer.
"It makes no sense at all!!" 🤣
You still didn't spell organisation's correctly.....
So, this new method will install all company stuff without the need to provision anything from the manufacturers or having to get the HardwareID first. COOOOL. Thank you.
Yes.. which is a good thing and a bad thing, potentially.
@@DeanEllerbyMVP What are the Bad things Mr Ellerby? Thanks
The first one that springs to mind is that in order for this to work as I showed, Personal Devices must be allowed in the tenant. Many organisations don't allow this, because they want to ensure staff only work on devices that are corporate owned.
@@DeanEllerbyMVP I thought Personal devices only register/join from the "Work/School account" in the Settings section and NOT when the device requires provisioning, where the user has to log in with the Corporate account. Thanks
Thanks!
Woah. Thank you! 🙏