The point of Autopilot is supposed to be that new corporate devices work out of the box, right? Why do so few orgs use it that way?
Posted by razorbeamz@reddit | sysadmin | 222 comments
The entire idea of Autopilot is supposed to be that new devices will be able to be set up automatically for users without IT intervention. At least that's what I imagine it's supposed to be.
But it seems like almost no one uses it that way. Pretty much every Autopilot configuration I've come across needs to be babysat through the process.
dowhileuntil787@reddit
My experience with drop shipping is one of the following happens:
I’m sure if we were big enough to have good contacts inside the OEM we could get the drop shipping to work a bit better… but it’s easier and better OOTB user experience to just get it shipped locally, put a golden Windows image on there, pre-provision it and re-pack it.
Educational_Boot315@reddit
Pretty much all of this.
But also, new employee experience is very important. Even having a new employee sit there and watch the OOBE experience for 20 minutes in an ideal flawless situation is unacceptable in my book. They should be able to sign in, register WHfB, and go.
Staged laptops updated and ready to deploy will always be better than whatever you cook up with autopilot. I don’t care if that means we have to pay to ship another laptop, it’s just the cost of smooth operations.
jesiman@reddit
We do this with our supplier. They reimage it, login with a generic user just for this purpose, let Autopilot do its thing, get updates, reset the OOBE, and ship it. All for $50. It's a sore dick deal for sure.
PatD442@reddit
Is your supplier a distributor by chance? Would love to do this with a TDSynnex, Ingram, D&H....
jesiman@reddit
https://www.tuskerco.com
Mindestiny@reddit
Yep. Especially as your needs grow into proper "Enterprise" needs on an endpoint, there's just so many points of failure that can absolutely tank a user's experience on their first day. And if it doesn't work... now you need to provision and ship them another device, which could be days of downtime.
All that isn't worth it for maybe 20 minutes of labor for a low tier IT tech in the background of what their normal workload is. Enroll it, let the scripts do their thing, verify it didn't fuck up, and repack it.
DeifniteProfessional@reddit
Could you or anyone share the "right" way to do this? I'm only dealing with about 40 devices at any one time, but I've just been letting the user log in to the OOBE and it joins Intune, runs some minimal config, and then NinjaOne agent gets installed which does literally everything else.
The one issue I have is the user becomes admin, which I do have a script/config in Intune to change, but of course that doesn't actually register until the user signs out and back in
Emergency-Map-808@reddit
Perhaps a post install restart script will sort that last issue for you?
dustojnikhummer@reddit
This is why you still see so many people with MDT (and now weekly "what can we move onto from MDT" threads)
tuxedo_jack@reddit
When dipshits configure apps to install via both RMM and Intune, or mix LoB and Win32 apps, guess what happens during OOBE?
All kinds of race conditions.
dowhileuntil787@reddit
I would argue the dipshits are MS for letting you do that and not telling you anywhere in the UI for Intune that you're about to completely blow up your configuration due to their internal race conditions. Especially when the fix is just downloading a tool from GitHub and re-packaging the app inside an intunewin file. Why on earth is that still necessary after more than seven years.
But in this case, that's not the problem anyway. It still sometimes happens when only deploying the official MS 365 app. Best I can tell it's still a race condition, but a race with one of the Intune CSPs rather than another bit of software. However given that it only fails a few percent of the time and each run takes about 30 mins, I have been unable to narrow it down yet.
CreedRules@reddit
Major orgs have autopilot up and running like a dream. At least that was my experience with IBM and some of the clients I worked with. I miss autopilot.
burundilapp@reddit
Sounds great if you have a multi million budget and a team of twenty to get it done, pity it doesn't work that well for the rest of us with small overworked teams.
JwCS8pjrh3QBWfL@reddit
I had autopilot working flawlessly, and I was the only person in IT. Some folks just make their own lives harder.
burundilapp@reddit
All depends what you want out of it, we want to be able to replicate our policies for existing imaged machines as closely as possible, InTune just doesn't let you do a lot of things, if you are willing to compromise then AutoPiloting is achievable and we do use it for some specific use cases, it won't replace on premise imaging anytime soon though.
MoreLikeZelDUH@reddit
This is why you fail... you have to let go of a lot of the low value customizations and prep pieces and instead find a way to implement the high value things after Autopilot. We used to be doing silly things like removing the Xbox app as part of the imaging process but honestly who cares. If you care that much, deploy an uninstall to the org so it gets picked up after Autopilot. The whole process works extremely well if it's very light weight.
ChevronEncoder@reddit
It's hard to blame people for not getting it when it's a completely different approach from how imaging has always worked, documentation is always out of date, and error codes are indecipherable, non-existent, and sometimes outright misleading or false.
RikiWardOG@reddit
no it's not cloud time is intune being shit. any rmm I can deploy all my apps in under an hour. Intune same exact apps can take 3-6 hrs depending on which way the wind is blowing. Intune isn't as good as people want to think it is. It's just included in people's licensing and sits in the MS stack.
ChevronEncoder@reddit
It's not Intune, it's Windows. I can wipe an iPhone from Intune in seconds.
RikiWardOG@reddit
low value? who determines the value. It's not IT, it's the end user. This is where you fail. and removing the xbox app should be something you do from a basic security standpoint. the less bloat on a machine that can be out of date means less attack surface. That's the least of the worries though. Office and Adobe Acrobat alone take fucking forever through intune. It is miserable compared to deploying apps with any other rmm product on the market.
burundilapp@reddit
Agreed, it’s a compromise, but there are certain things the business doesn’t want to compromise on and so at the moment we can’t use it across the org.
MoreLikeZelDUH@reddit
Ultimately the business decides how the money is spent, but make sure they know (in dollars and cents) what the decision is. We were able to remove a lot of "business desires" with a quote from our hardware supplier for imaging costs.
Sh1rvallah@reddit
Thanks I'm saving this for a quick summary the next time my CTO asks why we aren't using autopilot over config man task sequences. It's especially annoying because we don't even ship systems to remote users much, maybe 1% of the fleet. Everyone else is in office the first week at least.
LostDrengr@reddit
Came to read the thread, didn't disappoint. I have encountered three of these during a migration on a segment of employees just before xmas, I too thought it was supposed to handle this well but it's nowhere near as good as the sales talk pretends!
ZexGr@reddit
shut up and take my money
maglax@reddit
I am legitimately concerned about some people's internet. I mangled an Ethernet cable at the office, and had a severed data wire 'connected' with just physical contact. It was dropping packets like they were hot. Install still completed in a much more reasonable amount of time than some of our users were reporting. How they did their job is a mystery to me.
mnvoronin@reddit
A gigabit cable with 20% drop rate is still better for software download than a 50Mbps DSL line.
Reverent@reddit
UX of the unboxing experience is unconscionable.
If you can break the autopilot experience by mashing cancel because you think it's broken, that's a big problem. If you're having to account for that problem in the first place, that's a worse problem.
You can't even say "just let it rip" because it legitimately will break without any user intervention.
No wonder IT want to walk through the tortuous unboxing process for the end user before shipping it to them.
WraithYourFace@reddit
This is why we still pay for SmartDeploy Starter for a base image. We buy through the UPS program for HP so we can't get an enterprise ready image. Also nice to just run a script so SmartDeploy updates the firmware packs for the models we have.
Remarkable_Cook_5100@reddit
At least I know it's not just me who feels this way. Diagnosing a lot of the errors is an even worse experience.
jstar77@reddit
I feel this comment to my bones.
teriaavibes@reddit
Well lots of companies also don't know what they are doing so there's that.
There are also tons of legacy apps that don't play nice with intune/autopilot.
ronin_cse@reddit
Those legacy apps can just be installed later too, just push out the core management apps with autopilot.
teriaavibes@reddit
Not everyone understands that tho, they want autopilot to be this magical thing that is going to do everything under the sun.
Windows95GOAT@reddit
I mean the old on-prem GPO + Logon script structure did all that np. (depending on script author). And you could grab coffee before it logged on as well. :D
ronin_cse@reddit
You can still run scripts via Intune and REALLY when you get down to it that's all Intune is doing when it installs something.
Windows95GOAT@reddit
Yeah i know. You can even abuse detection scripts to install even the most broken legacy shit software at times.
segagamer@reddit
Additionally, Macs have ways of doing this too with things like Munki integrated into SimpleMDM.
Certainly a trillion dollar company can figure out a similar solution.
JwCS8pjrh3QBWfL@reddit
Comparing to Macs will always be a false equivalency, because Apple has the balls to pull the rug on supporting legacy bullshit, and mac app developers generally play by the rules, so apps can be reliably scripted and installed by an MDM without any interaction. Windows has to support 50 years of legacy bullshit, and developers refuse to update their ancient garbage software so it's not easily scripted or requires stuff to be done by hand, files placed in weird spots, only works with full Admin, etc etc etc.
trail-g62Bim@reddit
Macs also have predictable hardware.
ronin_cse@reddit
I wouldn't say this means Macs have a way of doing this since you're still relying on 3rd party software. We could also say that Macs have a way of doing things like this too using Intune :P
ronin_cse@reddit
Do everything and not require any configuration, which is sadly not a thing with any Microsoft product. When configured correctly though all their stuff generally works at this point.
luger718@reddit
Exactly! We generally just do Office and RMM. Everything else installs later.
Sajem@reddit
We currently image laptops using MECM but are currently testing an Autopilot 'build' and will probably start using later this year - other more urgent/important projects allowing.
We have 5 basic apps that we install on all of our endpoints and they will be installed using Autopilot, most of the other apps that aren't required on all laptops will probably still be installed using MECM
segagamer@reddit
Installed later how?
ronin_cse@reddit
Apps that are deployed to device groups (or the All Devices option) will be installed during the initial Windows setup before the user logs in for the first time, apps that are deployed to users are installed once the user logs in for the first time.
So basically, deploy things like your remote access software and your VPN to the device group and deploy everything else (maybe even your AV/EDR to avoid issues) to the user group.
RikiWardOG@reddit
and then have the user sit there during their onboarding meeting unable to access anything because it hasn't installed yet. cool.
ronin_cse@reddit
Or the apps that are required are deployed to the device. Most users don't need anything other than Office for their onboarding
Hollow3ddd@reddit
Meh, if the company is full cool, all modern apps and services, they are fine.
Pushing xmls, registry changes and install all done orderly and 100% reliability is a different story. More so when you remove the ability for an endpoint account with basic domain privileges but can also run local admin things in the mix.
App delivery is really only a small facet of autopilot deployment. In a small org with legacy apps, that’s tens of hours to finish just those apps
ronin_cse@reddit
Again, those shouldn't be major issues with Intune and it currently has pretty good support for XMLs and registry changes. From my experience sometimes changes like those get blocked by EDR or other software and that's when you run into problems because Intune IS really lacking in decent logs, or at least finding those logs.
Really you should also look at those registry changes you're pushing out and if you really still need them. I have seen plenty of issues with legacy registry changes causing problems with newer versions of Windows.
Hollow3ddd@reddit
It's that dumb override of pre-provision and post provisioning requiring the app to be launched 'as user' to generate and not overwrite the appdata entries and apply after.
RMM use start-sleep for some of this stuff, but we are able to jump system/user contact in separate scripts launched in an order
pakman82@reddit
This 100% this. I've been messing with Intune for a few years, and did some preliminary setups at small places, and seen it be clunky, but tempting. Then got to work with a good team on fine tuning a conversion to it by a major multinational.. and did some impressive stuff. And recently, I'm working at a place with a pretty established config, and got a laptop that setup with our complex, multi-layered configuration and it took maybe 90 minutes, partly because I screwed it up by plugging one device into an on network LAN cable. (I'm not currently working on Intune, nor in the office much, so I plead the 5th.) It can be done very well, but requires finesse and experience. And migration for larger orgs is a complex process.
WantDebianThanks@reddit
Last gig was an MSP where we set up workstations for customers. Owner was former air force, former NSA, 30+ years of experience, we were ms partners, the whole 9.
We had an imaging server for win10 that gave you a generic w10 image.
We never made an imaging server for w11
Yes, there were constant complaints from users and owners and our management about devices not being set up correctly.
No, they did not want to hear about the PS script I made that automated the build process, because they already paid 3 different vendors to do that for us, and then none of them did.
Chaise91@reddit
That and admins without the skill or motivation to make it happen so you end up with good enough.
Tall-Geologist-1452@reddit
Because a lot of orgs have not put in the work to get a true zero touch experience. We have it set up, and it took a lot of work and experimentation to get right... BUT now we can put a set of directions in a box and send it to the end user.
linoleumknife@reddit
Apparently my org has put in the work. I have absolutely nothing to do with Autopilot in my role, but I've been impressed when I've had new laptops shipped to my home and they provision everything automatically.
It's just slower than all hell. Plugged in on gigabit fiber and it's like 5 hours until I can actually use it. And it's not like there's any massive software suites being installed other than basic stuff like Office. It makes me question the time savings versus having a desktop tech in an office image it and toss it back in a box for shipping.
Hotdog453@reddit
If it took 5 hours, they're doing something wrong.
Ours takes ~25 minutes downloading (IE, we deploy a single ~3GB package I wrote) to get the user to a functional desktop. Admittedly, the front end package is big, and a ton of people have shitty Internet, but 5 hours is... not normal.
RikiWardOG@reddit
dude that's just not true. I've seen it take hours to install Office even. Intune just sucks if time is a concern at all
thortgot@reddit
It definitely doesn't take hours to install office. Something fundamentally wrong with your office deploy method.
RikiWardOG@reddit
lol k. it really depends on the day. I can deploy same way from rmm and it takes like 15 minutes
thortgot@reddit
For on demand installs I imagine?
Intune check-ins are slow so without a push it will take ~90 minutes to even see the request.
On demand script run or Intune are the "fast" solutions
Hotdog453@reddit
Use Win32 App version of Office, and not the shitty Intune delivered one? That's all just bandwidth constrained. On ~150mbps t-Mobile, my 'test' Internet I use at home? That takes like ~11 minutes.
PhillAholic@reddit
Oh I get it. April fools. You almost got me.
Tall-Geologist-1452@reddit
It is my kid's birthday also "wife would not let me call her butters" but I am 100% serious on the comment...
PhillAholic@reddit
I put a return Label in the box for a laptop swap out and the number of people that lose it or throw the entire box out and ask how to send the old laptop back is more than zero.
Tall-Geologist-1452@reddit
That is an HR/legal issue not an IT issue..
PhillAholic@reddit
It's an everyone issue. Doesn't matter if I'm literally the one to put the direction and ship the box or if it's HR or whomever. End result is not having a laptop available when it should be.
Tall-Geologist-1452@reddit
lol... what are you helpdesk?? You have no authority to make anyone do anything, HR escalates the issue, Legal pursues action if not returned.. what are you going to do write a strongly worded email???
lostinthesolent@reddit
My Intune/Autopilot builds have deployed over ten thousand devices across multiple organisations. My build works reliably every time, even when remote fresh starting user devices. But that took a LOT of engineering. Unfortunately most organisations cannot find someone capable of doing that, or do not have the patience that real build engineering takes.
Unfortunately senior management are the problem because they do not view EUC engineering as an important activity and will not invest in engineering.
If your organisation has a crappy Autopilot build then your management are a bunch of dingleberries
Kuipyr@reddit
The R in Intune stands for reliable.
Cormacolinde@reddit
And of course the s is for speed.
tankerkiller125real@reddit
We figured out that if you deploy a connected cache to a local VM or Azure VM (depending on your internet speeds), and then have a device VPN and DOC policies be the first thing that get set things move way faster than they normally would. I've also tested it with making the Node publicly accessible on the internet, and that also works great, but I can't comment on the security of it, so I wouldn't necessarily recommend it.
For example, we host our Node in Azure, and we use Azure VPN, in theory that means a max throughput of 2.5Gbs out of the Node to machines. I've seen it peak as high as 1Gbs during Autopilot deployments on high-speed networks.
Arudinne@reddit
This the reason I started having Ninja handle the actual software rather than Intune. It lets me sequence things.
Tall-Geologist-1452@reddit
Ninja works much better using Compound Conditions and keeps a baseline of apps. I think their strong suit for us with the api integration with CrowdStrike and its reporting. The desktop team loves it..
Arudinne@reddit
The compound conditions are great! I used it to push out our new VPN client on Monday and it was deployed to roughly ~600 computers within 10 minutes.
A couple failed, but a reboot fixed them.
Tall-Geologist-1452@reddit
Some ID10T comes along and deletes it, well then it re-evaluates and reinstalls. I use it for our server environment in Azure and in AWS. Does a decent job with Linux as well.
arbedub@reddit
I was sucked in 100% until the need for the win32 app dependency.
tankerkiller125real@reddit
A quick C# app will do it honestly. There's probably even a way to package powershell scripts as an msi file.
Kuipyr@reddit
Pretty easy, I’ve packaged scripts into .exe before using nsis on Linux.
SenikaiSlay@reddit
Can you explain this or point to resource on this, sounds very interesting
legendov@reddit
I thought it was for sexy
AcidBuuurn@reddit
Stability, actually.
legendov@reddit
Our rep said it stands for Succulent Chinese meal
48x15@reddit
Get your hands off my penis!!!
AcidBuuurn@reddit
Straight to jail.
steveatari@reddit
Simping for Mommy.
pointlessone@reddit
Studying judo?
Oricol@reddit
They're fixing that maybe.
https://patchmypc.com/blog/ic3-from-wns-to-real-time-device-and-ime-actions/
BlockBannington@reddit
First see, then believe but it does sound good
ColbyFromDigg@reddit
When will config changes and apps actually push to your devices? Who knows, could be hours, could be days. Doing all the tricks such as running sync in Company Portal, sync in Access Work or School, rebooting, restarting the IME service, etc also isn’t reliable. Don’t get me started on not being able to see names of config profiles on the endpoint, it just provides a vague granular list of all the changes.
mnvoronin@reddit
S is for Security.
bobo_1111@reddit
And the U is for unique!
TwilightKeystroker@reddit
I'm on the "F in Intune stands for Fast" train - 100% agreed though.
19610taw3@reddit
Log in, wait 45 minutes then reboot. Then log in again and wait another 45 minutes before rebooting a second time ... and then you might see your applications!
TwilightKeystroker@reddit
Whoa wait.... You only have to wait 2 hours?!?! Did you put kneepads on and buy an E7 to get those times down that low?!?!
L3TH3RGY@reddit
😆 it sure does
knightress_oxhide@reddit
Rirnrtrurnrer
damik@reddit
We get this benign network related error during the OOBE and the user would just need to click "Continue anyway" then sign in again to be brought to the desktop. It's been years and we haven't had time to find the root cause so we've just gotten used to it. That and a few other quirks is why we don't have Dell ship it directly to our users.
fizzlefist@reddit
Just like how the S in IoT stands for security!
compu85@reddit
I'm screenshotting this for later 😅
vrtigo1@reddit
I'm totally stealing this.
alpha417@reddit
I gift you all of the Internets as a reward.
hihcadore@reddit
It works well once you have it set up.
If you want to verify the device is set up before handing it off, preprovision, assign the user a TAP, test the device and you’re good to go.
I suspect all the people that loved SCCM weren’t the ones building the images every few months or poring over five different sets of logs trying to figure out what went wrong. It was so bad Microsoft created a special log analyzer a lot of us still use today.
RCTID1975@reddit
Ours is pretty seamless.
Just need to enroll it in autopilot first since Dell can't seem to get that straight on a consistent basis.
m1kkel84@reddit
How do you enroll it without starting the device up and getting the device id?
anxiousinfotech@reddit
Honestly we don't even enroll them first. We gave up on getting the OEM to do it. They get enrolled when the user logs in the first time. There's maybe 2-3 per year where the user (usually a new hire) doesn't follow instructions and fails to log in with their work account. Dealing with a reset on those few takes WAY less time than fighting with an OEM and handling the devices that don't arrive in a state consistent with our instructions.
luger718@reddit
How are you doing that? Device preparation policies?
opsandcoffee@reddit
In theory Autopilot is supposed to simplify things, but in practice it adds another layer that has to go perfectly right for the whole flow to work.
Between network dependency, app deployment timing, policy conflicts, and enrollment quirks, a lot of environments end up with inconsistent results.
So what you see in real setups is a mix:
- some devices fully going through Autopilot
- some needing manual intervention
- some falling back to traditional provisioning
It works well when everything is tightly controlled, but most environments aren’t that clean, especially with remote users and mixed infra.
That’s probably why many orgs don’t rely on it as the only provisioning approach.
jhuseby@reddit
I’m not sure if it’s just the way our org is implementing it or if this is a universal experience but autopilot and intune fucking sucks ass. I understand and agree with the supposed benefits of both, but in practice it’s just a pain in the ass to implement and support. SCCM deployment and software center seemed infinitely better. I’d honestly prefer going back to creating manual images vs intune.
Smiles_OBrien@reddit
It's funny because I've had the opposite experience. In our org (school district) SCCM was the most temperamental, unreliable piece of shit I've ever used. Through several different traditional imaging systems in the interim, we've landed on Autopilot + Intune for computer deployment and domain join (we're hybrid AD), and then hands off to PDQ connect for application installs. After getting the config right, basically no problems with Autopilot + Intune, but that might just be our specific setup.
Th4ab@reddit
SCCM is great when things go well. But it is certainly not an appliance like other similar products and things can break and need some real sleuthing that frankly shouldn't be needed. But to me it's always been the superior imaging platform. That computer is just 100% ready for the user when you see the login screen, I can bet my job on it.
RikiWardOG@reddit
but isn't that the whole fucking problem. you should need a whole different system to use autopilot and deploy your apps. This is where I've landed too. I use automox and an api call to install apps from there. It shouldn't be that way though.
thortgot@reddit
Skill issue? Intune isn't that complex to deploy. Where people screw up is assigning required apps at the ESP level that don't need to occur pre user credential.
Company portal is VASTLY better than software center.
Sea-Aardvark-756@reddit
Our younger techs feel similar but they're impatient as shit and liked being able to start a task sequence overnight and come back to something they could hand out that users could immediately use with the name set to the serial, hybrid joined, Pro upgraded to Enterprise, and all our old vendor software, VPN, and Wi-Fi profile loaded. With Intune we noticed most are fairly quick, but oddly 1/10 or so need to sit for a while before everything happens. Which means they always need to check them and validate before handing out, which kind of slows everything down worse than it used to be when it was reliable.
SchemaAndShell@reddit
As long as Autopilot installs a Falcon sensor and RMM agent I don’t really care.
bjc1960@reddit
We drop shipped from Dell direct to our CEO. I later asked him how it went and he said, "fine." Therefore, it is "fine" in "our org."
rohmish@reddit
I don't do IT anymore, but when I did it failed if the wind blew a bit too fast.
the_orange_guy_8912@reddit
I experienced Autopilot by myself as an end-user. Got a new Lenovo laptop, sealed brand new in box. Turn it on, connect to Wi-Fi, did a small update and rebooted. Then, immediately asked for my company username/password/2FA and it just installed all our common apps, policies, VPN configuration. Took a little while, but I literally did nothing else to get it up and running.
Seems possible to have a decent Autopilot experience, just depends on the implementation.
AndreiWarg@reddit
Every time I have a new device for a user, I just install it myself. Sometimes it doesn't even have any network drivers. So I do the full prep and hand over the device after running all the updates.
nousername1244@reddit
They dump heavy apps, legacy configs, and 20 policies into ESP, then act surprised it needs babysitting. Keep it lean and it actually works.
RikiWardOG@reddit
So when a user needs those apps that aren't in the config on day 1 they just... don't work? like there's nothing autopilot about that.
bbqwatermelon@reddit
FWIW having Dell plant hardware to work like this was quoted for us at $40 per machine which adds up. We have so few remote users that it makes more sense to import ourselves then run Autopilot. I can see it being great for majority or full remote workforce but who gets to do that these days?
RikiWardOG@reddit
because it's marketing BS. It breaks like every other update and is plain not worth it in some instances tbh. Like how unprofessional is it to have a new hire sit there for 3 hours while intune attempts to install user apps.
Commercial-Fun2767@reddit
Price?
ncc74656m@reddit
Most people who configure Autopilot don't actually know what they're doing with it, or are still partially attached to legacy configuration tools for no apparent reason. I've set it up at two different places and barring the issues with managing multiple orgs under a single tenant, the computers were basically fully configured on the other side except for a rare one-off tool install.
We have occasional failures which usually repush failed packages on the back end of setup, but those are rarer and almost never an actual showstopper. (Even when they are, you just wipe and restart and it deploys just fine.)
StromboliNotCalzone@reddit
It shouldn't need babysitting. As long as your config is tested Autopilot is as reliable as the user's internet connection.
Companies reuse hardware though. Relatively few deployments are brand new laptops shipped directly to a user, most are used or need to be sent to IT first for various reasons, so setting it up for the user isn't much of an extra burden.
CruwL@reddit
we drop ship new laptops direct to remote employees.
they sign in, it installs 90% of the apps they need. and off they go
ChevronEncoder@reddit
I've found that if you give a user a laptop in OOBE, they'll start doing things on it as soon as their desktop appears that cause conflicts with whatever is automated after autopilot finishes.
xsam_nzx@reddit
I thought I was taking crazy pills reading this thread. Ours works mint.
MitochondrianHouse@reddit
I used to do the images for my company back in the XP/Win7 days, MDT and eventually SCCM. I moved on to another position, and when my old team implemented InTune, they did a totally half assed job.
Things I had defined out in the "old" images, for example, DNS suffix search order, I had that set both on the Image and also had a high level GPO to all systems setting it. They... just didn't do that. I then sent them specifics of "this is a problem not being set" and an MS KB showing how to do it in Intune. It's not hard, it's just in a different place and I literally told them how to fix it.
That was 2 years ago. They still haven't fixed it. Fortune 100 Company. When we get new laptops, we basically turn them on Friday at end of day at home and pray it finishes and syncs before Monday and you don't get any pages over the weekend. I have my own documentation on things to fix, and don't tell anyone but I have access to LAPS for endpoints still so I fix mine and my team's myself. I tried, can lead a horse to water and all that.
Nicko265@reddit
The main problem people bring in themselves is having way too many apps on first launch.
Install your VPN software, any security agents, Office. Deploy Office as a win32 app, not their inbuilt one, works every time.
mirrax@reddit
Yeah, but got spoiled in the MDT / SCCM days of being able to just have it provision to completion without needing to check back in on it. Handing that off prevented supervisors calling in checking in when their new employee will actually be able to do work.
Even with a well tuned system, not convinced that the reduced physical effort of direct ship/Autopilot matches the reduced cognitive load of the old way.
segagamer@reddit
How do you deploy the rest?
Top_Flounder8344@reddit
I assign everything that needs to be assigned but apply a requirement rule to not install the application if it's at the oobe. It will then skip the app and install when the user gets to the desktop.
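One way to build the requirement rule described in the comment above, as an added example that is not part of the thread. It assumes "at the OOBE" is detected with the documented kernel32 `OOBEComplete` API (the comment does not say which check the poster uses); the function name `Test-OobeComplete`, the `AddedExample` namespace and the `PostOOBE`/`InOOBE` output strings are this example's own choices.

```powershell
# Intune Win32 app requirement script (added example, not from the thread).
# Assumed rule settings in the app's Requirements tab:
#   Output data type = String, Operator = Equals, Value = PostOOBE
# The app is treated as applicable only when this script prints "PostOOBE".

$ErrorActionPreference = 'Stop'

# P/Invoke wrapper for: BOOL OOBEComplete(PBOOL isOOBEComplete);
$signature = @'
using System;
using System.Runtime.InteropServices;

namespace AddedExample
{
    public static class OobeNative
    {
        [DllImport("kernel32.dll", SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        public static extern bool OOBEComplete(
            [MarshalAs(UnmanagedType.Bool)] out bool isOobeComplete);
    }
}
'@

function Test-OobeComplete {
    # Compile the wrapper once per PowerShell session.
    if (-not ('AddedExample.OobeNative' -as [type])) {
        Add-Type -TypeDefinition $signature
    }

    $complete = $false
    $callSucceeded = [AddedExample.OobeNative]::OOBEComplete([ref]$complete)
    if (-not $callSucceeded) {
        throw 'OOBEComplete call failed; OOBE state is unknown.'
    }
    return $complete
}

try {
    if (Test-OobeComplete) {
        Write-Output 'PostOOBE'
    }
    else {
        Write-Output 'InOOBE'
    }
}
catch {
    # Unknown state is reported as still in OOBE, so the install is
    # skipped now and the rule is evaluated again on a later check-in.
    Write-Output 'InOOBE'
}

# Requirement scripts must exit 0 for their output to be evaluated.
exit 0
```

Validate the result on a test device in each enrollment phase before relying on it, since the thread does not document how the API behaves at every stage of the Enrollment Status Page.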
JwCS8pjrh3QBWfL@reddit
Through Intune still, just don't require them during the ESP.
Top_Flounder8344@reddit
I feel the same way haha
FireLucid@reddit
It's all good until MS fucks something up. Last month the office CDN was out for a day and all our deployments failed. They screwed up something with the enrolment and that didn't work for 2 days for us sometime in Jan from memory.
Fallingdamage@reddit
IT Admins need things to work a specific way. They need things to work the way they expect and design them to work. If results are inconsistent or the design introduces more problems and tickets than its worth or more than they want to deal with, they will find another way to do it.
If you're going to implement something that works without needing to be coaxed or fiddled with, it needs to work without being coaxed or fiddled with.
_i_am_root@reddit
I sit next to the hardware guys at my org, and if I had a dollar for every time I heard “autopilot failed” I could retire comfortably.
xueimelb@reddit
I'd bet all of those dollars that your org implemented something wrong. Autopilot fails in my apartment because of something my pihole is blocking, which still doesn't make sense to me.
Frothyleet@reddit
It doesn't make sense that blocking DNS requests could stop a service that uses DNS from working properly?
xueimelb@reddit
I agree, but that's what I've found. I think one of the things pihole is blocking on my network is maybe telemetry or tracking related, and that's what breaks it, but I didn't bother to dig deep enough to figure it out. I just disable blocking when needed since I'm the only one here
avisgoth@reddit
For us, it's not a technical issue. We have it fully ready for the user to enroll, out of box. It's a cultural issue, our org just can't move past the white gloves. Maybe someday.
bayridgeguy09@reddit
We tried the "we will install the basics but after that users will need to install apps they want/need from company portal".
The users honestly seemed fine with that approach, management was not. They said "how will people know which apps they need".....we replied "wouldn't their manager walk them through the apps their department uses during training?"...... they actually replied that "the managers might not know all the software their staff uses"
SMH
So our Intune deployment went from 5 apps in preprov stage (sec stuff, RMM, VPN, Office), and maybe another 5 after login, with the user getting anything else they need from Company Portal.............to 46 applications on preprov, and another 20 something after login.
I mean it works, but it's gone from a 10-15 min to desktop after login, to an hour and a half to desktop after first login.
So now we are back to preprovisioning machines to take care of the 46 apps because management doesn't think people know what they need to do their job. Even after a user signs in, now it's installing 20 something apps in the background.
It went from an elegant self serve solution, back to imaging machines. We even tried to frame it in that we would potentially have cost savings as not everyone needs every app and after some time we would now be able to see actual usage by monitoring user installs, but no one here has any idea which departments use which apps so everyone gets everything, and NEEDS it as soon as they login.
Windows95GOAT@reddit
We have the same "issue" but we prefer it that way. We enjoy meeting the new employee at least once. This also prevents the "hiring" scams that are becoming more popular.
However we have none out of the country.
dannoetc@reddit
Because Intune/Autopilot behaves when it wants to, honestly. The "babysitting" requirement in Autopilot usually stems from a fundamental issue with push-based management: if a sequence breaks or the network wigs out during a configuration push, the Autopilot process kind of hangs without clear remediation.
Quick tangent, I'm actually working on a service to move away from "push and pray" delivery and toward state-based enforcement. It uses Onboarding Plans and a lightweight local agent to transition a device into a specific, compliant state (software, configurations, and security posture).
Basically, it focuses on a "Proof of Control" model—it ensures the device reaches its defined baseline and automatically remediates drift if settings change or installs fail. This addresses the "last mile" of setup that typically requires manual intervention, making the "set and forget" promise of automated deployment more resilient.
Think Immybot but with compliance remediation and baseline state management being the core.
DM me for more info if you're interested in the logic behind it - I'm trying to get some folks to help test it out.
Arudinne@reddit
I've yet to be able to get autopilot to the point where it can work by itself without me babysitting it through the process.
I've given up on using it to do anything but install the company portal and our RMM (NinjaOne) because it takes fucking ages and would often just throw an error and fail.
I'm working on using NinjaOne to actually deploy the software we need because at least it can get that done before the heat death of the universe.
Valdaraak@reddit
Because it does. Configuration only goes so far. And sometimes it doesn't even push out everything properly. Our new setups require at least one reboot after the user gets to the desktop just because some of the settings we push out won't take effect until they do.
But they can't just immediately reboot, because that configuration from Intune will push out anytime between "during initial install" and "an hour later".
monkeydanceparty@reddit
I just assumed everyone used it that way. Intune seems to have gotten faster in the last few years. No one even tells me about new employees until they sit at their desk and it only takes about an hour of their time (not mine) to set up a new machine.
And, between autopilot and OneDrive backup, if a road warrior has issues, I just reset the machine and it reloads windows and builds everything back. And if they lose a machine, they could always grab one from Best Buy and just sign in with a corporate id (I usually enroll and nuke these machines, since users need to be better)
Just don’t put too much in the autopilot, just enough to be ready to work, then I do the rest with remediations.
xueimelb@reddit
Are remediations slow as shit for you? Of the remediations I make, I set most of them to run hourly and I'm lucky to see them run more than once per day, never hourly.
monkeydanceparty@reddit
Yeah, I usually just run daily, but it does seem to run on “Microsoft time” of whenever.
Gamingwithyourmom@reddit
For whatever my opinion is worth as a lead Architect for workspace services at multiple large 20k+ device orgs that I've built out zero touch drop shipping for, and built multiple Intune community solutions, the problem is the techs implementation of it. Always.
There are absolute correct ways to do things and little wiggle room to "make it your own" or "this is close enough" and 9 times out of 10 it's one or a few small gotchas that are missed.
Techs using the built in office package instead of a custom packaged win32 using a .xml, it's mixed and matched app types like LoB and win32 during deployment, it's assigning windows update policies on the device level that cause reboots during autopilot and not planning for that workflow, etc etc.
I think people expect it to be "set it and forget it" and "it's desktops, it shouldn't be this complicated" but orgs often have hyper specific requirements and the techs implementing just..... Can't be arsed? Like "I've tried enough, it should be easy" and I agree, but that doesn't solve the problem. This tech stack has a ceiling a mile high to get "perfect" and finding someone who owns the stack and gives a shit enough to make it perfect is basically impossible.
ChadTheLizardKing@reddit
I think you called it. It has to be built 100% correctly against the needs of an organization. That is not, primarily, a technical problem; it is an operations and organization problem.
In many orgs, even medium sized orgs, who have not gone through a formalized organization process implementation - ISO, whatever - there is no "formal" process to be translated into a technical standard that can be implemented. E.g., In a former life, I did MSP work and a lot of SMB process was, "New employee started. Call their manager on the first day and find out what they need. Oh, the manager does not know? Just give them the previous employee's computer it already has everything and hope for the best."
I can build an autopilot process but if operations cannot reliably explain what a user needs, then the whole process fails. We end up white-gloving because that is a politic way of saying, "Operations managers have no formal descriptions on what their employees actually need so they outsource that to the IT department to figure out."
digitaltransmutation@reddit
For me, the problem is 3rd party applications. Some applications just cannot be implemented in a zero-touch method.
I have this one compliance "app" that is literally just a folder full of PDFs and a little homemade DRM module. Why can't I just add a license key to the install command? Idk, ask the guy who thought he should distribute PDFs as an MSI. I'm sure he has a great answer and knows what he is doing.
razorbeamz@reddit (OP)
This is not the case.
statikuz@reddit
I think it used to be but now it is 25?
What's new in Windows Autopilot device preparation | Microsoft Learn
JwCS8pjrh3QBWfL@reddit
ugh, they caved on that? So stupid. People need to stop putting every goddamn app in autopilot.
tempest3991@reddit
Device prep profiles does
trueg50@reddit
You don't deploy all your apps in the DPP, only required ones (security tools etc..) all the other apps like Office should be via standard app deployment.
uptimefordays@reddit
Honest answer? Because Autopilot and Intune span multiple teams—endpoint, identity, networking, security—and no single team owns the end-to-end experience. It’s easy to land a “good enough” deployment that gets you 80% there, and most organizations stop because that last 20% requires cross-functional coordination nobody has formally committed to. Hybrid environments make it worse: as long as legacy infrastructure is in the mix, there’s always a reason to trust the old provisioning path over the new one.
LaDev@reddit
I'm crying in hybrid join.
medium0rare@reddit
It’s a new process first and foremost. It requires leadership buy in and coordination with purchasing. Also really helps to have accounts at a big distributor that can do their part in the process. That’s a big lift for a lot of teams and it’s hard to break old habits.
Hotdog453@reddit
I mean, I'd argue it's not really NEW anymore. We might be getting new admins and such coming in, and just 'for the first time' seeing it, but the tech itself isn't NEW.
It reminds me very much of ConfigMgr, back when it was popular. The PRODUCT hadn't changed THAT much over the years, but we had a continuous stream of people coming in and using it; so it was new to THEM.
medium0rare@reddit
I wasn’t saying it was new in general. But if an org isn’t using, it’s new to them.
segagamer@reddit
I first set up MDM on MacOS with SimpleMDM. I wanted to get the same with Windows devices and set up Intune.
My disappointment is immeasurable. It's so unnecessarily complicated and confusing, with nothing to specifically kick off software installs etc. It's gotten to the point where I'm half considering moving the entire org to MacOS.
locke577@reddit
I've built a nice little business exclusively getting small businesses set up with autopilot/Intune so that whether they buy phones from a cellular carrier or a laptop from Dell or HP, it arrives to them already enrolled in Intune and ready for the user
TaiGlobal@reddit
May I ask how much demand is there for this? Do you just get clients on upwork (and I’m assuming eventually word of mouth)
locke577@reddit
The demand (and growth) is almost entirely from referrals and I'm in a hyper specific vertical where most of them are already using the same software, so onboarding and getting them set up is usually a very smooth process.
I don't use upwork, I'm not a trunk slammer.
TaiGlobal@reddit
Is this your only income or you have an actual job or other services you offer and have clients for? How long does it take to onboard each customer and how much do you make from each if you don’t mind me asking?
iwontlistentomatt@reddit
Is lead time for ordering not a concern for some companies? Cumbersome ordering process i.e. waiting for approvals from finance which can take days/weeks, once the order is placed the shipping time varies based on stock at the supplier. I can pretty much guarantee X days from the initial request to it being delivered from my own local stock in my store room.
trueg50@reddit
You can have your VAR/reseller warehouse the devices for you. You buy your 30, 50, or 1000 devices for the next few months for a small extra fee and then ship out of the warehouse. It's not the only way of doing it, but just another tool in the tool box.
Geminii27@reddit
Marketing vs implementation by people who just read the marketing.
cubic_sq@reddit
Because you need to account for anywhere between 5% and 20% of devices taking up to 2 days to complete provisioning. And then there are the random total failures and need to wipe and start again.
This doesn't work in practice to drop ship devices from vendor to end users, even if you can ensure the device profile is loaded before the device arrives at the user.
KennySuska@reddit
I've set up Autopilot at 2 orgs over the last 3 years. It's great but it's slow and can be inconsistent at times. For example you might be deploying 50 of the same device and 5 might just fail mid-setup. That can be very annoying to deal with remotely.
Mizerka@reddit
We're starting to roll out Intune with Autopilot and full MDM package, honestly it's terrible, and the god damn dynamic groups, who came up with this, here's a group with a rule to populate members, nice nice, it updates between 3 minutes and 12 hours. The entire mobile settings catalogue is just terrible, sliders that change values as you scroll down, you set a staging policy to lock device down? And you want to revert it once user claimed device? No you don't bozo, there is no allow or deny, it's either of those and unset. And unset won't clear the setting, it'll just inherit setting that doesn't apply anymore.
Windows95GOAT@reddit
We are an Autopilot and Intune only business and we basically use it for ourselves. In theory the device is ready to go, but we prefer to have seen the employee at least once. So we go through the Autopilot process with them during their onboarding.
Even then Autopilot will randomly just not work so I would hate to use this with people out of country.
mullsies@reddit
Despite Microsoft possessing the hardware ID and knowing the physical keyboard layout of their own Surface devices, they'll let users assign UK keyboard layouts which have the hilarious impact of switching @ symbols for ".
And this is step one. It only gets worse from there.
Personally I wish we could just run a couple of PowerShell scripts and all Intune did was report centrally and allow remote wipes.
AtarukA@reddit
I use an AZERTY keyboard, but software side, I always use a Canadian Multilingual Standard, not everybody wants to be imposed the same software keyboard as the hardware one.
Smeg84@reddit
I'm the SysAdmin at a business with 30 users, all remote based and switching to Autopilot is a huge time-saver for me. I have it configured for zero touch but I've learnt to limit the apps that pre-install; limited to DNS Filter and Company Portal, even then the latter can fail so I've since configured it to allow the user to continue even on failure.
Autopilot was the reason we moved from buying Asus laptops from Amazon to Lenovo so we can have the laptop enrolled on shipment and sent directly to the user.
Turak64@reddit
Mostly because people don't set it up properly, think it's something it's not and then fudge their way through it. You absolutely can set it up, so that at the very least after the first login the user has their office apps and a couple of other basic things. The key is to keep the AP process as simple as possible. Then ideally use device categories, so the user can pick their department from company portal and then automatically have it deploy the rest of the config and apps.
Nikt_No1@reddit
I am not sure about technicalities as I have not worked with Autopilot on enterprise scale (I was an admin of medium size business I think) so I don't know enough to say anything about that but I know that one of the top reasons just has to be that - users (ekhem, people) are dumb.
I recently started new job and I was scheduled to 2x onboarding sessions for a whole day. First day was typical trainings, general onboarding to the company - standard boring stuff when u start new job etc.
Second day was scheduled as onboarding as well, next day of half-sleeping right? No, wrong!
The purpose of this 7.5h long session was to onboard 30+ people onto their devices - phones, laptops - their accounts (mostly for... Microsoft services). We sat there for seven long hours, and I'd say 3/4 of the time people were asking helpdesk people for help - setting MFA, clicking THE RIGHT BUTTON on a display despite having instruction printed in front of them, not knowing what to do even though everything had numbered steps...
The amount of stupid I heard and saw that day was astonishing - and half of the people were primarily digital users with previous working experience.
I was ready in like an hour or something. I just read the instruction.
Ok_Rip_5338@reddit
I always viewed it as a tool to get you 90% of the way there. Saves you a ton of work installing software, security settings, etc. but the last 10% realistically cannot be automated. IT will always need to click their mouse at least a few times for legacy programs and weird one-off configuration that only 2 users need.
g0f@reddit
Seems strange to settle when you’re that close to being done. Just package your legacy stuff with PSADT and I’m sure you’ll find a way to make it install reliably.
Ok-Double-7982@reddit
Been wrestling with this recently. Old weird programs we are trying to retire.
senectus@reddit
We do... getting dell to pre-enroll the devices into autopilot was a bit of an effort, ensuring all devices are bought via the dell interface that mandates that is an ongoing battle.
I'd say we get about 98% coverage globally.
We still get idiots buying a random laptop with Windows home on it and getting reimbursement before we finally hear that they can't even byod join the things.
Repulsive_Bank_9046@reddit
Bad config if it takes that long. Ours takes 20-30 minutes after we cleared out apps that did not need to be installed during it
Wind_Freak@reddit
How many of them are trying to replicate SCCM and have a device with 100% of the apps within an hour?
Connection-Terrible@reddit
Does anyone know if hash upload is roadmapped at all for GCC High?
WorkyMcWorkPants@reddit
We do. It just breaks every so often from app updates, new scripts, OS updates, etc. When it does break, I'm the only person in my org that's familiar enough to fix it within a reasonable timeframe. This can lead to awkward periods where members of IT will need to brute-force their way through the OOBE.
I suspect other orgs either don't have time to squash bugs or anyone competent enough moved on to other positions.
It also doesn't help that we sometimes source from Amazon instead of the usual vendor. The Amazon laptops have to be manually enrolled into Autopilot.
iamLisppy@reddit
Has anyone gotten Adobe Acrobat Pro to install via win32 app for Intune? I'm about to give up getting this POS to install this method and just have our RMM do it instead. Any guidance would be killer!
BWMerlin@reddit
What things are you seeing when you say the process needs to be baby sat?
Ok-Double-7982@reddit
Our hybrid environment is light years better than before and the wipe feature is a beaut. I call that a win.
Chehalden@reddit
The ESP page is a freaking joke, such a pain to even get working when it does work. We just disable it completely.
Also all users need our image on the devices, so we get the devices first, image them & then users can run through autopilot for Device to User affinity. Works pretty well in this manner.
If you try to fully recreate your "image" in deployments, it can take multiple hours before a device is really usable after the user enrolls it. So imaging is still the best course of action for us
5panks@reddit
Basically calling us out directly. The answer for our org is no one wants to sit down and plan out what software is used by what groups of people. You can't just automate deployment you have to automate the process.
TheAlmightyZach@reddit
I'm going to assume it's for the same reason I just got issued a new Mac and came to learn my global company doesn't have ADE enabled on corporate issued Macs..
In theory, yes. You should be able to effectively drop ship a device to a user and everything should work no matter where they are located. The problem, I think, is that so many companies are stuck in their ways. Changing to that platform requires training and time to develop. My company has a small department that images Windows machines for all of North America. I don't do that kind of work, but I'd imagine they don't have the time to train and develop new processes without either increasing staff or decreasing their current throughput.
ProposalKitchen1885@reddit
Macs and Intune/Entra are still a joke. Better every couple months, but it’s pulling teeth trying to explain to people certain features just don’t exist.
TheAlmightyZach@reddit
I agree. When I managed this at a former (much smaller) company, we deployed Mosyle despite having Intune licenses available.
Cr4yol4@reddit
Autopilot has been annoying the shit out of us lately. We made the switch a couple months ago and we're now getting laptops with "this device is already enrolled" errors.
Our solution right now is delete it out of Entra and Autopilot. Sign in to a local domain account. Run a script to grab the hashkey and autoupload to our environment. Wipe the laptop again. And then have the user sign in as normal.
Zeggitt@reddit
In my experience with a hybrid environment, it was really unreliable and slow.
joshghz@reddit
I think it depends what you're expecting out of it. I've seen a lot of people on here complain (with some very valid points), but in my experience it worked well for us at least 98% of the time, when it just needed it to apply a handful of policies and like one or two mandatory apps before letting the user have control (the rest were installed in the background after).
I do get that it is generally slow, but if your mandatory pre-install list is 1000 policies, 50 scripts and a full install of Creative Cloud and Autodesk, it's not exactly going to be streamlined.
Trigonal_Planar@reddit
Doing a migration of a few hundred thousand devices to Intune and, let me tell you, you should use pre-provisioned Autopilot. I would definitely not ship new devices straight to users and have them do the user-driven enrollment unless I had no other choice.
https://learn.microsoft.com/en-us/autopilot/pre-provision
Master-IT-All@reddit
The level of work to get Autopilot and Intune working well is generally greater than the amount of time saved.
trueppp@reddit
Skill issue...I personally prefer immy.bot but we have a couple of clients on Autopilot, and basically use it to launch Immy...dropshipping laptop to users and they get up and running in an hour or 2 with almost no intervention, just let her rip....
Key-Level-4072@reddit
I'm out of realm of dealing with end users these days but still have to advise the teams that do.
I've onboarded Intune and Autopilot at prior employers in the past. Had the regular issues but figured it out.
Now I'm watching the team that handles these things fumble their way through Intune and Autopilot and generally doing a shit-fuck job of it….years into things we accomplished in a month or two just a few years ago.
I've seen Immy Bot over the years, but it seems like it’s an MSP product. I don’t see them calling out large-scale enterprise tools like Crowdstrike, BeyondTrust, Z-Scaler, etc in their list of logos. Just Connectwise and their ilk.
I think it’s probably gonna save us some serious coin and time to just use a tool….because these folks who don’t RTFM and just blindly do what ChatGPT tells them surely aren’t gonna get it done….and It’s not like I'm gonna get a bonus if I go down there and do it myself….but is Immy Bot an enterprise-grade tool? Or is it just a really good option for MSPs who then use their RMM to fill in the gaps?
trueppp@reddit
I've always operated in the small business space and now work for an MSP. It really depends on what you're looking for.
There is an extensive library of premade scripts and you can add your own as needed, if you can do it in Powershell, you can automate it with Immy.
It spits out a Windows deployment package that will run at OOBE that will connect to your instance and that you can customise, so in our case it:
- Either auto-Onboard which prepares the PC as a generic workstation for that client or needs to assign user to PC in the console to start the process.
It then:
- Resets the PC, which gets rid of the pre-installed apps
- Sets the background to a spiffy custom background telling the user that initial config is in progress
- Installs our RMM
- Installs the client's EDR
- Installs and configures VPN client
- Runs manufacturer updates (scripts are available for Lenovo, Dell and HP)
- Runs Windows Updates
- Rename + domain join (AD or Entra depending on client and config)
- Encrypts the drive, saving the key to our RMM and AD/Entra
- Installs "common" packages (Office, Acrobat Reader, 7-zip, VPN client etc)
- Installs LOB apps if applicable
If a user is set:
- Applies/config software depending on filters if we assigned the PC to a user.
- Configures any product that supports it.
And finally changes background for spiffy "You can log in now" background, and resets it to Default background post install.
twolfhawk@reddit
I have never seen autopilot work as an MSP
illicITparameters@reddit
It does work, it just takes more work than it’s worth for most. I’ve set it up from scratch a few years ago for a small org I was migrating to cloud-only Entra/SPO/Teams and it was hell.
Sad-Land2756@reddit
I had to do this recently for a company that I'm still working with. It wasn't fun to set up but I have to admit it's nice when you are solo IT
illicITparameters@reddit
I charged $125/hr for that job so fuck it 🤣
Neat-Researcher-7067@reddit
Not all of them ;-)
ronin_cse@reddit
As usual I’ll add to the unpopular opinions others have probably already said: people don’t know what they are doing and don’t have it set up properly. When everything is working as intended, and you have a vpn solution if you’re still domain joined, then it works well and works reliably. If anyone reading this disagrees then you need to check your setup because something isn’t configured correctly.
Kemaro@reddit
Everyone’s needs and use cases are different. We bare metal image everything that comes through the doors. 90% of our devices are on prem and hybrid joined. About 10% are remote and entra only. These get imaged and an autopilot json gets dropped on them. This makes the device boot right up to autopilot deployment without a need to check in. Our techs can then white glove the device before shipping/handing to the user. Works for us and produces a very reliable and repeatable result.
zanzertem@reddit
Tell me you haven't used Intune without telling me you haven't used Intune
WraithYourFace@reddit
Anyone here rocking Autopilot v2? Just started using it and just need to add an identifier (serial number) so it doesn't try to enroll as personal.
Skyhound555@reddit
My company is too cheap to stick to a singular vendor for pc purchasing. I am also too lazy to configure it for multiple vendors. We already go through the pain of shopping around for the cheapest PC prices.
Tbh, I have my user base fairly well trained on pc documentation. It wasn't too much of a lift for me to just instruct people to set themselves up through the normal oobe and have Autopilot take over midway. We do get the occasional person who accidentally uses their personal email and has to start over, but it is what it is.
ZoneEmbarrassed7697@reddit
Because it fucking sucks.
ryryrpm@reddit
We whiteglove everything instead of zero touch because we're a university and I think the staff and faculty would burn us at the stake if we made them deploy their own computers. These people are overworked, underpaid and barely have any time for us when it comes to doing a computer replacement. Also many of them have massive amounts of unstructured data saved locally that has to be transferred and they need a lot of hand holding to do it.
I think TRUE zero touch means IT literally never puts hands on the device or the box. But that depends on how you procure your machines. We lease all our computers in bulk orders. So it's not like we're buying laptops as needed when people are hired and then having the OEM ship it directly to users. If we did I could definitely make the case for zero touch. It's much easier to just have a stock of computers to pull from.
With all that said, Autopilot still brings us benefits even if it is not "the point" you're talking about. Technicians are also users. They benefit from a streamlined provisioning experience as well. Dell uploads our device hashes. All our machines are assigned to a single deployment profile that's set to self-deploying mode. The technician updates the record in our asset management system, our integration configures it in Intune and then they turn on the device and let it run. It's a lot better than a task sequence and easier to maintain.
EVERY ORGANIZATION IS DIFFERENT
St0nywall@reddit
It isn't easy to use, at least from my perspective.
Licensing is a mess.
autojack@reddit
Takes some fine tuning but works well once you’re there. Hate that you can’t set an install order without precedence which can be a pain.
Another gotcha we’ve had was apps trying to do something during autopilot that can screw it up. Had an RMM tool try to auto upgrade as soon as it installed which would break the process.
It’s not fast but it works.
BoltActionRifleman@reddit
I think many gave up on that dream due to its inconsistency. Ninety devices out of a hundred might set up just fine, the other ten fail and who knows why, so they choose to still use it, but monitor the process.
fmtek81@reddit
It all depends on how it's set up in the backend. That takes a lot of work from IT, but once that is done, it can be pretty seamless.
KStieers@reddit
Go to r/sccm search for "Airing of Grievances"
So much not quite there with OutaTune...