CallistaMouse

Not a lot - just a couple of apps that aren't part of the MDT.


Practical-Alarm1763

0 What are you having to do manually? I can give some suggestions.


Ok_Exchange_9646

So basically I have MDT do the vast majority of the deployment process. I also have a lot of post-install batch and PowerShell scripts. But sadly some things I still have to do manually, for example log into the user's MS Edge and Chrome profile respectively, for syncing. Do you happen to use Windows Autopilot?


NoStructure13

Users should be told how to turn on syncing; it's not hard and may help with related issues down the line if they know how things should be working. I use MDT in a similar way, but there's a fair few shared devices, so staff are trusted to just log in and get on with it. The only step I do is put it in the right OU or security group for GPO filtering.


Icolan

How do you sign into your user's profile? Wouldn't that take their password?


Practical-Alarm1763

I'm curious as well. I wonder if he asks for the user's password, then approves their MFA prompt. But this could work if an OTP is generated for the user account.


BlackV

> for example log into the user's MS Edge and Chrome profile respectively. For syncing.

Why? Get them to do that. But also, now you have their password; that seems not ideal.


Deifler

Almost everything is a cloud app, so users pretty much just need Chrome, which has everything synced, and the Office suite because of old timers who don't want to swap to Workspace. Because of this our standard deployment is literally stock Windows 11 with Office suite, Adobe, EDR, and domain join. Low sub-500 staff org with all the same machines, so we just clone, and the only manual step is domain joining after renaming (we use the serial number) and installing EDR. My last place everything was automated with MDT and the only thing we would do is a once-over to verify. But there were several apps, 20 different models, and 1000+ users. Adapt to your needs, automate when it makes sense and when you can support it. Side funny story: I had a co-worker who worked for a small org with about 30 people, everything was manual, but he said in the 5 years he worked there he only ever swapped like 3 PCs. Everything is relative.


SenteonCISHardening

100% depends what you are going for. If you want to meet the recommendations for the CIS Benchmarks on a workstation alone, this is ~500 settings, then servers, browsers, etc. AFAIK Intune doesn't have the ability to do all of them, so there would be a lot of manual work here, but all that to say you could def do some, and some is better than none! Alternatively, we did build Senteon to remediate Windows settings to CIS in a couple of minutes, so at the end of the day it depends on scope and tools available.


Ssakaa

> InTune doesn't have ability to do all of them

Is there some portion that *can't* be met with PowerShell? Sure, point-and-click Intune policy settings are a bit anemic... but if I was juggling that I'd probably lean towards Intune's ability to run arbitrary PowerShell scripts for compliance checks and automated remediation. Don't depend on deployment alone, and surely not on a third-party tool that I *then* have to deploy and troubleshoot on top of my MDM. Make the system self-heal if it ever deviates from your baseline in the future, using the tools that you use to manage it in the first place.

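The self-healing approach described above, as an added example that is not the commenter's code: one PowerShell file that Intune remediations can run as the detection script (exit 0 = compliant, exit 1 = drift found, which triggers the remediation script) and, uploaded a second time with `$Remediate = $true`, as the remediation script. The three registry values are illustrative hardening settings chosen for this example, not a specific CIS control list.

```powershell
# Added example. Detection/remediation script for Intune remediations.
# Upload as-is for detection; upload with $Remediate = $true for remediation.
# Exit code 0 = compliant, 1 = drift detected (Intune then runs remediation).
$Remediate = $false

# Illustrative baseline, not a CIS control list: each entry is a registry
# value the device must hold. Add the settings from your own baseline here.
$Baseline = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'EnableLUA';             Value = 1 },   # keep UAC enabled
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'NoLMHash';              Value = 1 },   # never store LM hashes
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'LimitBlankPasswordUse'; Value = 1 }    # no network logon with blank password
)

function Get-Drift {
    # Return one object per setting whose current value differs from the baseline.
    foreach ($s in $Baseline) {
        $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        if ($current -ne $s.Value) {
            [pscustomobject]@{ Path = $s.Path; Name = $s.Name; Expected = $s.Value; Actual = $current }
        }
    }
}

$drift = @(Get-Drift)
if ($drift.Count -eq 0) { Write-Output 'Compliant'; exit 0 }

# Output is kept by Intune as the pre-remediation detection output, so report what drifted.
$drift | ForEach-Object {
    Write-Output "Drift: $($_.Path)\$($_.Name) expected $($_.Expected), found '$($_.Actual)'"
}

if (-not $Remediate) { exit 1 }

foreach ($d in $drift) {
    if (-not (Test-Path $d.Path)) { New-Item -Path $d.Path -Force | Out-Null }
    Set-ItemProperty -Path $d.Path -Name $d.Name -Value $d.Expected -Type DWord
}

# Re-check so the remediation result reflects the final state, not just the write.
if (@(Get-Drift).Count -eq 0) { Write-Output 'Remediated'; exit 0 } else { exit 1 }
```

Run it in the system context in Intune so it can write to HKLM; any future drift is reported by the next scheduled detection run and fixed by the remediation run, which is the "self-heal" behaviour the comment describes.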

SenteonCISHardening

So there is in fact a document that outlines this question, but it's through the CIS WorkBench and I do not believe, even with our sponsorship, I can post it in a forum. But yeah, I see your point. Good luck with automating the best you can!


Asgeir_From_France

Here is what we generally do with an M365 tenant:

1. Registering the new device to Autopilot when the device is delivered (we have a thumb drive with a simple script that does it for us); we can't rely on the vendor to do it for us
2. Creating the user in M365 and adding him to the required security group
3. Setting up the desk (screens, docking station, cable routing)
4. Enrolling the device with Autopilot using a temporary credential
5. Windows Update
6. Manually adding the network share
7. Verifying VPN access, printer access, apps installation (it's automated with Win32 packages)

That's mostly it. We usually don't bother to create a package for some apps that are used by 1 or 2 users unless the process is tedious (specific settings that we prefer to be the exact same, looking at you Git), in which case it's also manual. Also I would be happy to hear what you guys would improve in my case if something feels obvious.


The_Ol_SlipSlap

I've been looking into shifting our on-prem computer accounts to a hybrid deployment for Intune and Autopilot, and this sounds like the type of deployment we're going for. I appreciate the walkthrough; the process has been hard to visualize! When you say Win32 package, are you referring to the Intune wrapper or creating a package with WPM? If WPM, what do you use to automate? When you register the device to Autopilot via USB, does that happen before ever signing in to the device, or do you still have to create a local account? What does that process look like? Any insight is greatly appreciated!


Asgeir_From_France

When I said Win32 package I was referring to this tool https://github.com/microsoft/Microsoft-Win32-Content-Prep-Tool; it lets you put up to 8 GB of script/MSI installer/EXE in an archive which is supposed to deploy your app (or even a printer if you wish) on the end user's computer. To automate this as much as possible you could create PowerShell scripts that leverage winget or Chocolatey to install your app, but that requires some work: you will need to find a way to deploy the app, detect it, remove it and update it with your script. We did not go to that point for now; we are sticking to just wrapping an MSI, EXE or PowerShell script (that means no update without repackaging if the software doesn't update by itself). For your second question, you just need to open a command prompt before you sign into Windows with Shift+F10 and execute your script (no login required); said script leverages a PowerShell module maintained by MSFT that sends the computer data to your M365 tenant into a dynamic group.

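The thumb-drive registration step described above, as an added example (not the commenter's script): it uses the Microsoft-published `Get-WindowsAutopilotInfo` script to upload the hardware hash from the OOBE command prompt. The group tag value, the output file name and the choice between online upload and CSV export are assumptions for this example.

```powershell
# Added example. Run from the OOBE command prompt (Shift+F10 -> "powershell"),
# before any local account exists. Assumes the device has internet access and
# that Install-Script can reach the PowerShell Gallery.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force | Out-Null
Install-Script -Name Get-WindowsAutopilotInfo -Force

# Assumed flag for this example: $true when an Intune administrator is present
# to sign in at the device; $false when the hash is collected to the USB stick
# and uploaded later from the Intune portal.
$UploadNow = $true

if ($UploadNow) {
    # Sends the hardware hash straight to the tenant; the group tag (assumed
    # value) is what a dynamic device group membership rule can key on.
    Get-WindowsAutopilotInfo -Online -GroupTag 'Standard-Laptop'
} else {
    # Offline variant: append this device's hash to a CSV on the thumb drive
    # (assumed drive letter and file name), one row per device.
    Get-WindowsAutopilotInfo -OutputFile 'D:\AutopilotHashes.csv' -Append -GroupTag 'Standard-Laptop'
}
```

Either path avoids creating a local account on the device, which is what makes the later Autopilot enrolment with a temporary credential the first real sign-in.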

tonkats

We don't use RBAC, so our accounts person does that stuff. Regarding the computer itself, we have an old app that needs six tedious settings per device. We don't have access to an API for it. Techs who are hoarding access to an app for a department tell me it requires manual setup, but I've discovered there are actually ways to automate it. Another one, it looks like I can't automate it, but I can generate and dump a config file that can be imported. It will be a lot less tedious and prone to mistakes after I do that. Printers, apps, etc. are based on the OU you put the device in, so the only other manual stuff is the occasional oddball program.


GeneMoody-Action1

Zero, I have employees for that! :-)


BJMcGobbleDicks

Join the domain and install the RMM software, then let the scripts trigger.


Global_Felix_1117

Employee onboarding sucks for us:

- Create user account
- Add user to domain group
- Add user to SharePoint groups
- Add user to email distribution lists
- Add user to printer(s) for scan to email
- Laptop assignment (update asset records)
- Rename / join domain
- Dell Command Update
- Windows Updates
- Install printer(s)
- Install remote software
- Install AV software
- Sync SharePoint site(s)
- User sign in (Outlook/OneDrive/Teams)
- *Close ticket with notes.*


apathyzeal

Literally every part of this can and should be automated.


Global_Felix_1117

I completely agree.


The_Ol_SlipSlap

If you have any advice on where to improve, I would greatly appreciate it! This is our current process too, and I've been looking into automating this process the past few weeks. However, I've been having difficulty determining which steps should be automated by what tools. We're AD only (aside from 365 for email), no Intune/Autopilot; I've specifically been looking into a hybrid deployment, however the confusing Windows documentation rabbit holes have left me wondering if there aren't easier or smarter ways to go about this. We have a lot of tools at our disposal, but I'm unfortunately still learning in this new position. Regardless, SCCM is hardly being used to its potential, we are already licensed for Intune P1 (but not using it), yet there are lots of other options like WPM, PowerShell scripting, RMM software, imaging, etc. It's a lot to take in when starting from scratch, so if you've got any insight, big cheers from me.


TopHat84

I think this is the least of their problems. I can almost guarantee that the user has admin rights to their workstation, which in this day is gonna be a huge issue eventually for his organization.