S01E02 - Setting up Windows Autopilot with Microsoft Intune - (I.T)

Reddit Comments

Is there an Episode 1 somewhere? Thanks for sharing, btw!

1 point | u/xSnakeDoctor | Jul 16 2019

Sure. Here you go.

https://youtu.be/OkeUN-tdfqs

1 point | u/ASquareDozen | Jul 16 2019

Captions
Hey guys, we're live again. This is Intune Training, the Steve and Adam show. It's the place to learn how to use Microsoft Intune. I'm Adam Gross, one of your hosts, from the other coast. Hey, look at that, it's rhyming, it's awesome. So, I'm a Config Manager admin in my day job and night job, and I love doing this stuff, mostly focused on OSD, and we've got Steve. He's been coaching me, teaching me on all sorts of Intune-related things, and so this is our second installment of walking through how to do cool things with Intune. So Steve, hello mate.

Hey, how's it going Adam, Steve here. So I'm Steve Hosking, I'm an MVP for SCCM and Intune, and have been working in the industry for, what, nearly 20 years; that seems so much shorter than that. I spend a lot of my time nowadays doing and implementing Intune platforms and making the technology work. My day job previously was managing devices and doing a full SCCM implementation, but now I spend most of my time doing SCCM, Intune and everything associated around that. So I'm here chatting with Adam and helping him out and explaining how all the technology works.

Yeah, I'm excited because I think we're starting to break down some of the barriers of the difference between Config Manager and Intune, and today's show we're going to be focusing on Autopilot. I think this is one of the sweetest features that has come along to really bring Intune to the forefront, to showcase its possibilities and to really help folks like me out. I've done desktop admin most of my life, and so being able to have a different way to deliver an OS to a machine is quite impactful in our environment. With the way that Windows 10 is built, with things like device reset, you can really start to see the pieces come together on how maybe this is the last task sequence you've ever had to build, just to get you to Windows 10, and now you can leverage the OS that comes built on the box from your OEM and you can Autopilot that right out of the box. You never have to go in and do the things that we've been doing for years of dealing with OSD and building images and capturing images and all of the fun stuff that we get to fill our day with; we get to maybe do some more value-add for the company and leverage some really neat functionality. So I'm excited to see some of the cool tricks of the trade here that Steve's been working with. I've played around with it quite a bit, but I think Steve's got some really cool stuff to show us.

Yeah, definitely, and part of that whole conversation that I have with all my customers around Autopilot and Intune, how that device management story plays through, is: look, how long does it take for your computers today, Adam, to build? You say you're doing a task sequence with OSD and SCCM; it's taking what, at least half an hour, 45 minutes for a really well designed and implemented task sequence, plus the hour on either side for IT to be involved to make sure that it's all set up properly, and picking the computer up from a desk. What we can do with the Intune technology is start turning around and saying, you know what, Mr. User, go into the Company Portal and just hit the reset button and away you go, and it starts again. It's that story that makes life a lot easier.

I think that's a story that I've really started to gravitate towards over the last several years. So in our Windows 7 environment we always had a gold image where we did a reference image and then we would patch that thing occasionally, and if you've messed with Windows 7 you know there's like 8000 updates if you ever rebuild that machine; I remember the last time we patched it, it took days to get that thing patched. The idea that we can take just the ISO media from volume licensing and we can slap that on a machine, or even let the vendor slap that on a machine for us, and trust that as our gold image, that's our base image that we work from, really takes a lot of the overhead out of it. But the challenge, I think, from an IT admin perspective and from a desktop perspective, is for years we've always wanted to tweak and customize and make the OS this perfect environment for the user, and why would we want to protect the user? We want to make it easy for them. It's like, okay, so what we're going to do is we're going to remove, say, application X.

Windows Holographic is a good example of a conversation I've had with customers, where they go, oh yeah, we don't want Windows Holographic in there because, well, we might get a support call on it. So you might get one or two support calls; what does that matter in the grand scheme of the two days it takes me to figure out how to turn that off? Well, and it was going to break something in the future that Microsoft has planned. Well, exactly, and that's the conversation, and it even gets down to the group policy conversation. So a lot of the conversation we're having with our customers is around: look, we need this group policy to set the font for our emails, or our company styling is Arial 8 instead of [inaudible] 12, and it's like, well, what's the value prop of us actually doing that? So that's the starting point of why we're doing Intune and why Autopilot is such a powerful product, and you start having those why questions, because if I can save 2.2 hours per computer for my IT staff, where can I spend that time in place of it? Yeah, exactly.

And so one of the new philosophies I've got on this is that my corporate image is now just Windows. I just need Windows on the box, and then everything else is policies and configuration items that I can apply through either group policy, or through Intune policies, or through Configuration Manager CIs, or any of those next-layer things. But if you give me a machine with Windows 10 on it, I can take it and manage it from there; I don't need to wipe that image out and start over. I think that's a huge learning curve thing for people who've done this for years. We've always done wipe it out and put new back, wipe it out and put new back, so that we could do that one tweak that you can't do unless you have wiped it out and put it back, and the why, why are we doing that? I think that's a hard conversation. I've had lots of conversations with people about this and said, well, why are you doing this? And they'll fight tooth and nail: we've got certain SLAs and I need to be able to do this and that. And why? It's a management problem that you need to address, and think about the new way that you could be doing this. It's a shift in your thinking.

Oh definitely, and that's the big conversation point. Look, the number of admins that I've turned around on: oh, will your users have to go through the out-of-box experience? Oh no, no, I'm going to do that for them. It's like, but then it's registered for you and it defeats the whole purpose. But this time through, what we're going to do is, we'll do it for them. And so then it's like, cool, but what about next time? Yeah, hey, they don't know how to do it, you did it for them last time. So yeah, but here's the stark fact of it: if you're moving to the new world order, being Intune, Autopilot and AAD joined, well, at what point do you hand over the reins to your staff and go, have at it? My position is, as soon as you build the platform you get them starting to use it. From a training point of view, the earlier you get them on there, the less time you're going to have to spend with them.

Yeah, we have tons of intelligent people in our companies that we trust to do all sorts of amazing things to run our business, and for some reason we treat them like children when it comes to giving them a computer. I mean, come on, kids these days, they're born with computers in their hands just about. This next generation of folks that are coming in, they know nothing but computers, and if we keep treating them the same way we've treated people for the last 30 years we're never going to advance, we're never going to get out of this business of having to hold their hands and feeling like we have to deliver this perfect customer service to them. They don't need it any more than we want to do it for them, really, but we've got to get out of that, and I think Intune and Autopilot are really going to help us get there.

Yep. So what I'm going to do, Adam, is I'm going to just start setting up the tenant and we'll talk through that, and then while we're waiting for processes to happen we can have a more robust conversation. So this tenant, we're going to be touching off from our previous call where we sat there and stepped through the process of setting up a trial tenant and configuring it all to be able to have company branding, and we've got licenses associated via security groups. In the intervening period we've updated our licenses to M365 E5 trial licenses while we're building up this environment.

So the first step we're going to do is we're going to go to Azure Active Directory and we're going to finish off the Mobility component here for the MDM and MAM function. Once it finishes loading up... it's just going to take a little bit longer; it takes a bit of time for the data to come all the way from America to Australia. It's a bit slow. We should drive from my machine. Nice things to you, maybe. So here, because this is a lab, we're just going to hit All and All. For most companies this might be an issue; even if you use it for All and All for everything, it's just best practice if you're doing a pilot that you do it as Some and Some. So you'll see what these two things are. Yes, I was just... that's a very good... all right, we don't have another. So the MDM scope here, this is around Microsoft, sorry, the mobile device management. This is the ability to register devices, enroll devices into Intune, be it a mobile phone, be it a laptop, be it an iPad. What the MAM policy here is: actually, MAM has been renamed. So previously it was the Microsoft application management platform, but it's now called the application protection policy, so do you have a guess what the three-letter acronym for that is? Yeah, it wasn't well thought through. Policies for maybe apps, yes. So we've now configured this, right, so this is the ability to enroll and utilize the MAM and MDM features. So we'll close out of that, and I'm just going to set it on this one as well, make sure it's set as well. There's a very long story and a very good reason why that's there, but I don't know the exact explicit reason; it's complicated, but there's two applications now and you need to make sure you've turned it on for both of them. So we now have that enabled, which means that we can now enroll devices into Intune.

So the next step that I normally go to when I'm setting up a tenant is I go to All services and I actually go and unselect all these stars. While it's not mandatory and you don't have to do that, you'll see on the left-hand side my list of objects is disappearing and becoming a lot smaller. What this means is it makes it so I can find what I'm looking for very quickly, because there's a lot of services in Azure, as you can see while I'm going through, and we don't care about all of them except for Intune at the moment. We will add more over time, but right now we're only hearing about Intune and Azure Active Directory.

As a side effect of that, Steve, type in Intune back on the All services page. I've noticed this on multiple occasions and I just answer no, but so we have Intune and we have Microsoft Intune, and I believe that where you just were when you were setting the MDM and MAM policies was on the Microsoft Intune side of things, that service, and the other one that we're going to go to is going to be the device management side of Intune, where we actually go configure Intune. Is that correct? Sort of. It's just published there twice so people can find it; this is the short answer. App protection is a throwback to when the MAM policies were separate to MDM, and then Intune for Education is for if you've got an education subscription. So the Intune and the Microsoft Intune service links go to the same place now. Okay. Yes, but not to be confused with the other Microsoft Intune, your... Azure Active Directory? Yes.

So the big elephant in the room that we haven't mentioned here is this isn't the first version of Intune. The old version of Intune is called Intune Classic, and it runs on Silverlight; you need to be running Internet Explorer to be able to view it, and it has a good number of limitations, and it is not recommended that you use it or implement it anymore. The only time that you would is it's based around older OSs. So Adam, do you know when Microsoft Windows 10 started supporting MDM enrollment, just out of interest? I know I've put you on the spot here. Well, no, let's say 1511? No, it was 1609. Yeah, so any version of Windows 10 before 1609 wouldn't actually, or can't actually, enroll into the new version of Intune. So all of those versions, let's be very transparent here and very blunt, are no longer supported and you should be already moved off them, but anybody that's running those older versions of Windows 10, you can't use this technology. Jake, you're going to watch this video, and when you see this, make a note: you should get all your 1511 devices upgraded. Yes, get off 1511.

So what you're seeing here... I don't think I can click on that. The first time you try and configure anything in Intune you need to set your MDM authority. By default, well, there's three options here: you have Intune, you have Config Manager and you have None. The first two are really self-evident; the third one, I don't actually know why you would use that, unless it's for if you're using a third-party MDM platform that's not listed here and wanting to use some of the features for MAM. So we're going to set our MDM authority to Intune and we're going to hit Choose. Now Steve, I know we're not talking about Config Manager co-management or anything at this point; however, which of those three options would you select if you are using co-management? That's a really good question, and my understanding is you select Intune. So I will be completely honest, I haven't spent much time with co-management and cloud management gateways, just because the customers that I tend to target for SCCM don't have the requirement for that today. Well, so the great thing is, if you are a Config Manager admin looking at Intune, you can still follow along with all of these things and you can begin building out your Intune tenant exactly the same as if you were to go standalone or if you're going to integrate it with co-management, because the requirement for Config Manager is to move away from the Config Manager managed version of Intune to Intune standalone so that you can transition to co-management. So they are specifically separating you back out from the commingled bit and doing it a different way. So we're on the right track if you want to eventually do co-management and Config Manager with this, and that's what we have... the question is serious, but just saying it is near my heart.

And it's probably very important to mention as well: look, you can have SCCM and Intune running at the same time, and the way you would have your Intune as a pilot, you want to test and validate things, you can still keep using SCCM or Config Manager in your platform as your standard device management system without impacting each other, unless you put in co-management or cloud management gateway or some of the crazy stuff.

So we're now at the Device enrollment page. This is where we can set up the Apple, Android or Windows enrollment. So today we're going to focus on Windows enrollment, because that's near and dear to our heart; we love Windows and it does everything we need. This is where we go and set up our Autopilot policies, and I know one of the first questions that I'm going to be asked around this is, well, how do we set up the Intune Connector for Active Directory to do hybrid AD join? And yes, Steven, let's please, because I need all of my devices to be hybrid, because I have local on-premises infrastructure that I need to connect to; I'm sure that I have to have that. And that's a very, very good question, but the fact of the matter is, unless your device is doing that authentication to your network environment, there is no requirement to have your devices joined to your local Active Directory with hybrid AD, and adding that functionality in there just makes it so much more complicated. So obviously you've got 20 years of group policy sitting there that you're going, look, I've always had these settings, I've always had my font set to this or I've always had my wallpaper set to that, so some of the settings do come across and others don't, and to be honest it's not necessarily a bad thing. Like, I see this as a very cleansing experience where I get to turn around to a customer and go, your group policy, yeah, you know what, you don't need that anymore; start again, give your users a great experience. You don't know what your group policies are set to, right? Like, you go into some companies where they have 1500 group policy objects set and you're like, I don't know where to start here. Oh yeah, we decided to go through and get all the policies from [inaudible] and make it so we're fully secure and compliant, and it's like, yeah, that's interesting.

So yeah, the Intune connector for AD, like for hybrid AD join, I don't recommend it to any of my customers. There's a simple answer, and I'm very hesitant to actually turn it on, because it does add a lot of complexity to your environment. So if you're going to do hybrid Azure Active Directory join you need to have line-of-sight to your domain controller, so you need to be on your internal network; it takes out the whole coffee-shop scenario. It changes a lot of scenarios for you, but we can go into this. So you're saying, if I want to ship a brand new computer that I order from a vendor and send it to a user at their home to let them do Autopilot, because that's what Autopilot is built for, but you're telling me that if I want to do hybrid, I now have to bring that machine back on-site and Autopilot that machine while I'm on-site in my facility? To my knowledge it is required. There are functionalities and improvements coming from the product group around how that works; I know that there was talk that there may be a VPN solution or a way of pulling that information in, but obviously there is the offline domain join functionality, but then you need to be able to get line-of-sight to your domain controller to complete that scenario. So really, in doing this, we're taking this amazingly slick and streamlined new functionality and we're really somewhat crippling it by putting this more antiquated hybrid join functionality back into the mix; that's what you're saying? I mean, I said those words, but that's what you implied. That is very much what I implied. So there are scenarios where it is important, but I don't see for most of my clients that it is a scenario that I would be recommending, because it adds a lot of complexity to the environment and it's not a way forward. So think of it where you're sitting there and saying, today we're moving to Windows 10, we're moving to Intune, and we're doing all of the approach of moving to the new platform, but then what we're going to do is we're still going to use Windows XP. Well, they didn't have... and I know that you can't run XP here, I'm not saying that, guys; it's just, look, you're going to have to make the change at one point or another, and that's the direction Microsoft's going: more and more will be AAD join only. Don't do hybrid AD unless you really, really have to. I just can't stress it enough.

So we're going to step now into the deployment profile scenario here. This is where we configure what our Autopilot profile looks like. So today we're going to just set up a very simple user-driven profile, which is the default, or it was the original profile that we had from Microsoft for Windows Autopilot. So we're going to call this Intune Training demo. We are going to set convert all targeted devices to Autopilot. Yep, perfect. So what this means is, when you hit Yes on that and you target this policy to a security group and you drop the devices, so very explicit devices, into that security group, the policy will now apply to them even if they've not had the Autopilot hardware hash harvested from the device or registered into the platform. So what that means is, once the device is registered into Intune, you can convert it into Autopilot, so it makes life a lot easier for people flipping the bit in their environment. Basically, Autopilot for existing devices is what this enables. Yes, so Autopilot for existing devices that have been enrolled by traditional methods, whether it be manual enrollment or, believe it or not, hybrid AD where it has Intune enrollment from Active Directory: send out a reset command and that device will be back online.

So we now have deployment profiles here. You'll see that there's two options: one is user-driven and the other is self-deploying. Self-deploying is pretty cool, but it's not the scenario we're going to talk about today. Then we're going to join to AAD, as we can select either hybrid or Azure Active Directory; today, as we said, and always, Azure AD rather than hybrid. This is where we now step into what we can hide out of the out-of-the-box experience. So the OOBE is what you see when you build a new computer, when you buy a computer from Best Buy, when you buy it from, well, JB Hi-Fi in Australia, or whichever company that you're using, where it comes up and goes, hi, I'm Cortana, a little bit of Wi-Fi here, and all of that fun stuff. I'm sure I've had many, many experiences of hearing Cortana go through this process. So that whole process, which traditionally we've always worked very hard to hide, suppress and ignore, is very important to see for all of our end users, because that's the process they go through every time they get a new computer now, and we now know that they can have that device registered to them. So I'll go through that a little bit more once we've got this whole process going through, and why it's important to have the device enrolled to the user. So this also hides the privacy settings, and this allows them to change the account type and options associated to that. The important one here is to make sure it is Standard, because we don't want our users to have admin access to all the devices, do we, Adam?

I don't know, what if they need to install their printer or something when they get their machine built? There's ways around that, but more often than not now most drivers are being published by Microsoft through Windows Update for Business. So if you've got a modern printer, yes; if you've still got an HP JetDirect, well, I'm sure it's still running but it's not going to really work out of the box for you, although it probably will have inbox drivers by default, but hey, they haven't changed in 20 years. So honestly, saying, you know what, we've got a user who is going to be potentially at their home, on the road, at a coffee shop, somewhere with their new device, and they're going to be connecting it to the Internet to begin the Autopilot process, and they're going to be all alone with no IT assistance, and we're going to stick them out there with no administrator account as a safety net. I'm playing the devil's advocate here, because we've been living in a low-trust environment for a very, very long time, and virtually no one has admin rights, but we've put in controls to elevate. The point being here, we should give Standard a chance. We should do everything in our power to make Standard work, because the moment you slide that slider over you're introducing a very high level of risk into your environment that doesn't need to be there, and there are better options, and things have changed. Like Steve said, there just is really very little reason to need to rely on that crutch and say, oh, we've got to give the users administrator rights out of the gate.

Yeah, and this is a fun conversation that I have with a lot of my peers and customers: we don't have local admin accounts, we don't create local user accounts, we don't have any accountability as an admin on the device. You say that to a lot of people and they sit there and go, but what happens if I need to get data off that device that's encrypted with BitLocker and it can't sign on to the device, or it can't sign on to the network? What do I do? And my response is, well, you know what, we've been holding the hand of the customer for twenty years saying, don't worry, if you don't save it in the right location we'll go and find it for you. Now we're at the point of going, look, we have OneDrive for Business, we have OneDrive for Business Known Folder Move. So if you save it on your desktop, if you save it in Documents, if you save it in Pictures, we'll roam it for you, not a problem. So now that we know that people are saving their files in Documents, Desktop and Pictures, what does it matter if the device is bricked? Because it should be up in the cloud, and if it's not, and it's an executive walking over, oh, I saved it in the root of C, well, it's like, your risk and compliance conversation doesn't actually hold water anymore. Let's go and have a chat to the risk officer about you saving into the wrong location. And that's a confronting conversation to have with an executive, but these are the sorts of conversations that we need to start having, and say, look, too bad, so sad.

I think that's really great, because we've been using this phrase over and over and over again, it seems more and more frequently now: these are administrative problems, not technical problems, and there's a point where you need to hold users accountable for what they're doing. You need to put technology in place and trust the technology. It's okay, you should be using us. We moved to folder redirection 10 years ago and our users just know we're not going to bend over backwards to try to recover a machine if it craters; here's your new machine and all your data will come down when you log in. How nice. So yeah, you've got BitLocker on the machine, throw it in the trash and move on if it's broken. Like, what are we worried about? Stop spending this time, stop wasting your time trying to be the hero for the user; just trust the technology and move on.

Yep, definitely. And here's the fun conversation that I started with you at MMS, around: look, we're sitting there with BitLocker, we've got BitLocker on all our devices, the keys are sent up into Azure Active Directory. Does that not mean that we now have a security hole, because we have the keys for drive encryption stored off the device? And people look at me: but, well, we need to be able to get data off there. But do we? I know I don't go and get the recovery keys anymore. I don't care. If your device is not able to be signed into, okay, let me go and run down with the Windows 10 image stick and we're going to reinstall it, and we will be back online in half an hour to 45 minutes. You have that conversation and people go, oh, okay, cool, and we're not going to worry about the BitLocker. So this is where I started looking at it, going, well, do we actually need to keep the BitLocker key? Set it and forget it. It's a bigger conversation obviously, but it's one of those things that you sit there and go, well, do we need it? Yeah, and that's where you definitely get into those rabbit holes of, well, what if some external force was applied that now has cratered that machine inadvertently, and we're trying to just get that user back online? They just docked their machine at their desk this morning and now they're BitLockered for no apparent reason, and we can... it's a convenience to have it, but is it, at the end of the day? No, it's really not. It really does turn into, well, it's for the user to have a better experience and they don't have to waste an hour with their machine being imaged. Okay, I get it, but we have a user self-service portal for that. They can just go and type their stuff in and get it themselves; they don't even have to involve IT, and if that works, great. But to your point, yeah, for the most part you could probably just not care about the keys. Yep. And everything's in SharePoint or OneDrive, so they can work off their iPad, they're fine, off somebody else's computer.

And so then let's take it that one next step further. Okay, so this is even more of the reason why Autopilot is useful, because we don't have to wait for the 30 minutes for the OS to apply to that machine to give the user a new machine; just pull out a new machine, give it to them. I've already got the OS sitting there, waiting at OOBE for the user; they can Autopilot in and be working within minutes, at least have data on the machine. Oh, it's going to take a few minutes for the rest of their apps to get there; do they need all those apps today? Probably not. No, and you can get your email online. I mean, so there's definitely, if you really stop and re-architect your environment, you can really rationalize away a lot of this stuff that we've been doing for years. Sure, and that's exactly it. So let's not get bogged down on this again, and we'll continue. As you can tell, we're very passionate about this technology. You can click, I'll keep talking and we'll just keep moving.

What we have here is the white glove experience. We're not going to talk about that, but this is a very new technology from Microsoft; it came out last month, month before, and it's going to be cool, but what we're using it for is not this scenario. We're just doing a straight-up user-driven configuration, and then obviously we're not going to set a device name, because these are cattle, they're not pets; we don't name our cattle. Well, actually you do; like, I grew up in dairy farming, you do name your cattle, but anyway, that's completely beside the point. At the end of the day we're sitting here and saying, look, why do you need to know what the name of the computer is? It's irrelevant, it's disposable; go and grab another one, away you go. So no more hosts file, no more DNS entries. Well, your admins go, no, yeah, all I'll do is I'll put a CNAME that forwards from Bob through to my computer names, so then I can just go \\Bob. Oh yeah, that was easy. Oh yeah, there's been a couple of fun ones like that across the career.

So we just hit Next and now we'll go into the scope tags. Scope tags give us the ability to sit there and say this scope of users have access, or this scope of users are going to be targeted. Again, we're not going to do anything here with that. Can we create a new group here? No. So right now we're not going to do any assignment, because we can't create a security group here to do that assignment. You'll note that you can't do direct device or direct user assignments in Intune, and this is intentional; we want to make sure that you are always deploying to a group, because then it's easy to manage and maintain. So I'm just going to hit Next on that, and then we have the Review and create tab. The cool thing about this UI, and around all of this, is if we were to have done this even three weeks ago the UI was completely different, because Microsoft just released this UI. So there's our Training demo configuration, and we have all of that information there.

So the next step that we've traditionally... if you go and follow most people, they go, right, now what you need to do is go to OOBE and then hit Shift+F10, or boot into the OS, and Install-Script Get-WindowsAutoPilotInfo, right? Well, there's actually a neat little trick that you can do to get around needing to do that, and what we need to do is Install-Module, which will be already on my computer, so I'm just going to import it here and we're just going to hit F8. The next step is we need to Connect-AutopilotIntune, and it'll prompt me for a username, which is going to be this one here, and it'll pop a window if it's not already authenticated.

Steven, I notice that you're running this script on your computer and not on our new machine that needs to be Autopiloted. That's why I'm here. So what we're doing here is we're actually going to download a JSON file. As you can see, this is the first time I've actually signed in to Intune PowerShell on this device, and while we've got this here, let's have a little quick chat about this. So this is actually an app ID sitting in Azure Active Directory, so you register an app and it gives you the ability to access certain components of the Graph, which underlies all of Microsoft 365, Intune, Azure Active Directory, and these are the options that have been granted to this application, and we as admins can consent on behalf of them. So to go back to your question about, right, what are you actually doing here, Steve? We're going and grabbing that configuration profile that we just created. So if I go $AppPolicies you can see here's the display name of Intune Training demo, right, and we then go out of box experience and there's the configuration. So we're hiding privacy, we're hiding EULA, it's a standard user type, it's a single-user device, we're skipping the keyboard and we're hiding the escape link. So this is basically kind of a light version of an unattend XML that we would traditionally be used to writing. Definitely, 100%. So my mouse has just gone flat. Oh nice, is it one of those cool collapsible Surface mice? No, I've got one of those, but my batteries are on their last legs. So I'm just going to add that into this object here, and we're then creating this JSON file here, which... okay, let me just set the path to somewhere that I know; it needs to be in Intune Training. And then we just go, and so here's that JSON file there. So what we'll quickly do, because we're in VS Code, we can just open that up and we can see it as a JSON file in here, and this is what we then publish into our
configuration it's a little bit different than what we have here because this is all that we actually need and Microsoft doing that conversion for us so now if I go to Windows Explorer and after a yes now Steve we didn't we didn't publish this to a particular security group and then we go and and the thing I think is the reason here is that number one all you have to have is the file the number two device that we are going to autopilot is not currently provision or in any way in our new Intune tenant and so traditionally you would have to get that device the the bits from that device registered into in tune you can't still do that today that is one of the mechanisms to it but we need to boot the Machine up to the hooby launch PowerShell do some things or we have to get our vendor to send that information to our intern environment to register that device so we'd have to have the device in in tune then deploy assign that policy to that device for it to be able to be Auto piloted by the user from the ubi wizard and so what we're doing here is we're taking we're skipping some of that pre-registration and we're sending look we know all the registration information we don't need to know about the device yet here just this will give you all the bits you need to register to our tenant that that that's correct so what we're doing here is this JSON file is partial partially what is downloaded when we go through that autopilot onboarding process and pulling data from the cloud so where that works is we go in here and we drop that into a directory in the VHDX so this VHDX all that we've done with this is we've created that VHDX from convert iso to the HDX script and we then go in and we have an auto pilot folder here and we just paste that file in remember to actually second we real real and Explorer and we copy that and we paste that into the auto pilot directory it needs to be called auto pilot configuration file JSON if it's not auto photo pilot configuration file JSON it 
doesn't work so we've now saved that in there and we just need to eject that disk and it's worth pointing out though what he's doing here is this is this is to boot in of a hyper-v box and this is a great way to do testing on autopilot like he said he took just the windows ISO media and there's a PowerShell module out there that converts the ISO to the HDX and so then he just didn't even it doesn't even have a built machine yet he just took Windows and and converted it into a disk and now he's gonna boot it up the first time and it's just gonna be there if you were doing this traditionally on a physical box you would need to you know drop the file on there because some other mechanism you could fix the boot or boot off of a thumb drive or something like that to drop this file on there so darling you could even use Destin HTM to note yeah so you can even use a toss sequence which is a fully supported methodology to convert your Windows 7 devices across to Windows 10 where you lay down your windows 10 image and you inject the JSON file itself yeah so there's there's definitely multiple ways to get to this point to be able to test out the processes so then once you get to your steady state as you're buying new devices from your OEM so you would have them pushing that information into your internet in it but if you or there's a the phrases autopilot for existing devices there's there's a even at a sequence template in config manager that has all all of these steps including the JSON bit already built out for you and so it's you know all you need to do is get Windows on the box and get this JSON file on the box and you're rolling so but for the most part this is for testing and for existing devices that haven't been previously enrolled in in tune if they're previously if you've got them enrolled already you could skip this part you could just boot the machine right into a new Windows 10 whoo the experience exactly and that's the great thing about this technology is that 
it's actually really flexible the only thing and this is the important thing to call out based on the Twitter conversations that we've had recently is look if you're going to be doing anything then other than user driven you need to have a physical TPM yes TPM 2.0 yes so we're just waiting for this to pop up now so this is where we can have a little bit of a conversation around everything else that's going on in the tenant so while that's doing that I'm just going to sit this down here and I'm going to go back to my browser I'm just going to grab that off to the side so we can sit there and watch that go through while we have a little bit of a playthrough in here what we have in here what we should also look at setting up use the cname validation so this is to validate that we've set it up correctly my guess is that we haven't set this up correctly because we haven't actually gone and made any changes to our dns for it so Adam and I'll work on getting this sorted out after the fact but that will go through and clean that up the other important one to note here is the enrollment status page so have you heard much about the enrollment status page before Adam yes what the enrollment stays pretty amazing is it used to not exist and they've just continually made some improvements to it and I think it's fantastic yep so the enrollment status page gives us the ability to sit there and see the installation process of applications when they're being installed and deployed why are they or what I call it well while computer is being provisioned so here's where we then go and say well do we want to see the work flow and see things being installed the answers yes we want to empower our staff we want them to know that we're doing stuff rather than them signing in and going oh I've got my computer I don't have any apps where are my apps I will don't they'll come through eventually you'll get there just just wait this gives us the ability to sit there and go well this is going to 
pop up and say here you go I think that's a great thing that we've you know I think as admins we've fought and fought and fought for things like this for quite a while because with so many of the processes that we've seen with moving moving you know doing our upgrades from seven to ten and things like that we've really been encountering that well it's just sitting there with the spinning thing and it's not giving me any words and spinning things been sitting there for thirty minutes and how long is it doesn't tell me anything and so providing some sort of useful information to the user lets them know that something is happening is hugely powerful for them and I think this is a great ad yeah hundred percent I completely agree so the first iteration of autopilot and in tune when we're doing 17:09 rollouts didn't have this functionality and we'll haven't we'll get into the point where like look we need to be able to tell the user just hold on hold on just wait we're installing stuff and we had the we had the conversation internally of going well is it worth us sitting there and fixing all of this up and writing in our own solution that's that's pretty crazy and thankfully Microsoft turnaround went actually he looked this is what we're working on it's going to be here shortly so what we're working what we're looking at here on the VM on the right-hand side is I'm just going to select my region being Australia yes I'm not American and it's not the default so we're going to select Australia as our region and then the next step is it will ask us what keyboard do we want this is important we want the u.s. keyboard we don't want the UK keyboard because we want not to do stuff well we want the keyboards to be correct for us the other option is you can select this second keyboard that we just skip there so one of the things that I find entertaining is if you select the u.s. 
international keyboard I don't know if you have selected that previously Adam but one of the cute things that happens when you select the US International keyboard is when you hit quotation marks or double quotes it doesn't type it straight away until you type another character Oh so yes and if you do and typically it's waiting for second quotations again like the double quotes again and you end up with a whole heap of skewing skewing code and you're like what just happened there and it's because the English international keyboards been selected not the u.s. keyboard I've heard that some additional ubi related improvements may be coming down the pipe where we could potentially even take away even more of those you know maybe less of these stops on asking for the keyboard asking for this or that for environments where you know we already know the answers to some of these things why do we need to ask and so I mean I've heard maybe and it just really comes down to you know preference in your environment and for what your users do and don't need yes and and a lot of that is around the self self provisioning scenario that we're looking at earlier so we didn't select the self deploy one of the best features that Microsoft brought in with Windows 10 19:03 media for Pro and enterprise is the fact that you no longer have Cortana turned on by default yeah it sounds like such a little thing but when you have 1520 devices in an office all going through the outer box experience at the same time and Cortana starting up in A Chorus across the room is quite an interesting experience so what I'm going to quickly do is on the ESP page over here on the left is I'm just going to leave this turned on so we can see some information pop up so I'm just going to hit save on that and that's deployed by default and this is important by default that is deployed to all users so you'll see that here if we close that and that's always going to be there the default one will always be there but 
you can create multiple profiles from multiple different groups and they come down in priority order so I'm just going to sign it into the VM now in June doctrine and we go next and I'll ask me for my super secret password and here's one of the cool things that I found with my corporate account is because we have password less sign-on setup with our phone I actually don't get prompted for a password through here it just pops up a number going select number 12 on your phone and it will allow you to sign in so it just signs in without any passwords required I am that's pretty powerful and pretty awesome so one of the things I'm just going to quickly check while that's going through the process here from a security point of view is making sure that we have MFA required for device enrollment an MFA full device enrollment you you sit here and it's a question of why would I want that and it's a security thing so if a hacker gets one of your user accounts and they figure out you use name and password they then can go and create a VM like I've just done here and have that on your corporate environment with all of your corporate applications with everything associated around that so but pre previously by default it was turned on that you needed MFA to join devices but now it's turned off by default so I highly recommend going and turning this feature on because more and more you're going to be building devices outside of your corporate boundaries so you're not going to have the control so I'm just going to quickly save that on the tenon while we're in here I'm going to show something that is near and dear to my heart called Enterprise State roaming have you heard much about InterPro State roaming before atom well you know I tell you what's even I think it would be wonderful if you could make this work in my production environment because we have this turned on and we keep clicking all the boxes and everything looks right but it just doesn't seem to be working and we think 
that it's the answer to you SMT and you Eevee slicing both of those and we have drank the kool-aid but it doesn't seem to be working so definitely replace UAV because this is the new version of Yui V where while you SMT it's it's not quite but what we're doing with enterprise state roaming is the settings like your dark-themed your your look and feel of the operating system make basically what you see with Windows as a consumer when you go from computer to computer is the same as what we're turning on here if I default it's off because not everybody wants it but for the easiest way of migrating data from one computer to another is just turned on because it makes your life so much easier obviously you can sit there and say look I'm going to do selected users but we want everybody to have that because it's it's a free kick once we then flick in onedrive no and folder redirection and it gives you the ability to auto redirect and roam your desktop documents and pictures as well as what you get with enterprise state roaming around favorites web settings and everything around that it's it's a really good replacement for roaming problems yeah I want to see I think that the weird we must be experiencing something along the DRM realm we think you've got some sort of DRM documents right document rights management stuff configured that's preventing that from sinking properly or something we've been fighting that for a bit but yeah I mean I think it's and really to the point of you know well it's not really a US Mt replacement but if you you know for our environment we've basically got us MT down to where we don't really migrate hardly any and we get your printers in your network mappings and that's about it yeah and so if we can switch this on and teach users how to map a new printer yeah we're good oh yeah well and that's where what we can do now and and this is how we manage our printers is we actually have a scheduled task that we use as a logon script that installs 
printers and installs drive maps and everything from the legacy world it's not pretty but it does the job of what we need today ideally and then this is the real that this is the idolic world is everything gets moved to SharePoint everything gets moved to teams and document libraries there and príncipe yeah I mean who needs paper well yeah like in our office where I work in a managed service provider what we do is we we sit here and we are doing constant tech work and we've got three four printers in the organization and they're like Steve we want these automatically mapped I'm like why we're all IT professionals we should be able to go to settings and go at printer and the best thing about Windows 10 is it has the ability to go oh yeah these printers are in your network which one do you want to use and it even knows which one you probably use the most and sets identity oh yeah exactly and that's that's the power of how all that works now yeah I really like that technology so you'll now see we have a device that's come in which is this VM here and my mouse keeps turning off just bear with me and we go to all devices and we select that device so you'll see here it's using the desktop name and part of the conversation we're saying earlier about why do we want our users to what run through this process is this feature right here the enrolled user I can now click on that user and I can find information out about that device or that user I should say but the more important one is right so when you're starting up they don't ring up and go look I have a problem with computer 1-2-3 right they go hi I'm Adam I have a problem with this computer I have a problem with my computer I don't know what my computer name is and how do we find out who they are so this is where we you know everybody's computer has their full name and and a home address as the name so that we can make sure that we can find them I mean of course let's know what their device is but that's it that's how 
the media has told us that we can find each other is all we need is the IP address and we can tell you which desk you're at yeah well I mean why not just name the computer the IP address just to make sure well exactly that that would be entertaining I still don't understand why there's only a 15 character limit on the device name it just don't get it it's goes back to legacy it's back when we had 8.3 names turns out you actually used more than 15 characters for a device thing yes but don't please don't it really causes problems yes at and and why do you need to name your computers let windows handle it for you you don't need to so what I was going to quickly show you here is look we now I can now go in here with my user object and go look what devices are they registered for Steven I'm just going to make this a little bit bigger and we select that device and I can click into it and I can see all the information about that device one of the things you need to do here is if you're wanting to manage it well if you're wanting to manage it which is going to in turn by default it doesn't auto filter so you need to just type in the computer name and search in my case I only have one computer but if you've got a lot of computers in there it's make sure you take a copy of the computer name Microsoft's aware of it they're trying to fix it it's just taking a bit of time but you can see that this is the device that we're working on now we can go and find out more information about the hardware manufacturer and everything around that the operating system language so you'll see that we're using en-gb the reason why we do that is with Australia if we use the ear in u.s. 
we get prompted for a language pack with uaq when we're installing it then you have to file an annual tax return with the US well yes and this gives us Jade APR as well yeah it doesn't but hey I thought I'd take the joke so you'll now see that this VM is finished build and that's it that that is autopilot and that's how easy it is to set up we can go through and look in our default policies so you'll see here by default this device is not compliant because we don't have any compliance policies assigned to it it's a good thing yeah I think it's pretty cool so we go back over here so now we have Windows hello for business set up how many people want to set up window solo for business you go and have that conversation with your execs and they like oh we can go we can do fingerprint signing or I can use my fancy camera on my computer a sign-in right you've had these conversations right Adam and what we find happening there is they start having that conversation and they go but all right cool we're going to turn on Windows hello for business what what do we need to do to do that and I'm just going to quickly put this onto another screen to put my mobile phone number in only two people are gonna watch this video and it's gonna it's gonna be me at least it's one of those people I know I I understand that but yeah windows too low for business as soon as you turn that on in a corporate environment what you're going to have happen is it now uses OAuth 2 instead of the traditional ntlm or that it's expecting to use or Kerberos or so when we move across to going to existing file script file shares it starts having issues authenticating and your users will be prompted to authenticate every time there is methodology on updating your Active Directory to support this but it takes time to set it up so if you're deploying in tune and you're having issues with authentication and everything around that onto existing file shares that's why turn off Windows hello for business and it 
will fix your problems up straight away so I'm just finishing off setting this up and then finished and you'll see now we're going through past the security prompts so I don't know what else you'd like me to go through today Adam but um I'm pretty comfortable with where we're at up to here well I think I think that the what I'd like to see next and we've been going for a while at this point so the I think in our next stage I think we should talk about how do we get our apps on this machine how do we get our policies on this machine how do we make it look like what we do today but in a more modern way I mean taught you with in light of all of the things that we've discussed about you know we shouldn't do this you shouldn't do that well yeah okay some of the stuff we do need to do so you know help walk through all the next phases of those things to show us how ok you know we've got this Auto piloted machine is it really the same as our other machine can I tell the difference how do I you know how do I use it so I think we've got a little ways to go to peel back some more layers here but I think this is you know look we're we're rocking and rolling we've got a device that's ready to go on our you know to access corporate resources and do we need to do definitely I really like the JSON file trick I think that's very nice in a state where we don't already have the device registered because I I know in previous iterations where I was testing and testing this you know you wait an hour just to get a device registered up the first time that doesn't demo very well so no it's awesome and that's part of what we're doing for like we do a lot of these provisioning xand a lot of these configurations for our customers and and how that's working for us is we're sitting here and saying look we have our own laptops we have our own labs we're going to run a PowerShell script that goes and gets that JSON file and injects that into the VHDX is for us so we can sit there and constantly 
spin up new VMs for our customers and do that testing and validation without having to have physical devices except for if we need the TPM 2.0 yeah yeah I think that's fantastic because you can you have access here - I mean that scenario is really amazing so you know in my environment I only I only managed mine I only managed our tenant but for if you manage multiple tenants or if you are working with a partner who's going to manage your tenant for you all they need is access to to your Intune environment and they can basically white-glove your whole OSD process from their office just you know here look we gotta spin up some VMs on our on our side yeah alright everything looks good now all you have to do is just deploy on your in there's nothing nothing to migrate there's nothing to move there's no I mean if you try to do this in at written or traditional way or they say hey build me at a sequence a config manager and then migrate it over or go build it an MDT and move it over and you know try to help think they couldn't even they'd have to have a replica of your domain on there in and all these feelings it's a mimic it and and and then you get that then you get it worked in my domain scenarios and I've worked in my environment so well yeah of course it is you've been able to sit there and do everything around that and like the one thing that I find it just amazing is so my lead engineer Ben he sits down in Melbourne he works from home he doesn't go on customer sites unless he has to and will do full deployments where he doesn't actually go on the customer side other than the kickoff meeting and that's it all the rest is done remotely we sit there we have that conversation and then it's all ran by teams we have VM and we spin up everything we need yeah that's I mean that's just revolutionary um the speed at which you can get a company moving with this is amazing and if you've listened to any of the marketing coming from Brad Anderson and those guys you know the the 
word that you keep saying is if you're starting Greenfield if you're starting with a brand new instance don't start with traditional on-prem Active Directory don't spin up don't start buying hardware don't spin up physical infrastructure start here it can do everything you need the challenge that we're faced with is the migration path from traditional legacy we've been we've got 30 years of history in all of this stuff that's getting here and you know and pulling all those pieces apart and opening hoping all the you know the house of cards doesn't collapse on us as we make the migration that's the thing that's that's crippling that's really difficult to wrap our heads around from an organizational perspective is got all of these things and you know what which thing is going to be the one that makes it all fall apart on us that's the thing that keeps us awake at night yep things like this desert this is a thing that you can incremental II add to your environment you can put you can just add this to your arsenal of things and start making the transition prove it out say okay let me just use a device on the internet from my desk at my office see what it doesn't work prove it prove that it doesn't work instead of the other way saying Oh surely surely this is never gonna work I'll prove it well the biggie conversation is and this is what we're finding happening having happen at a couple of our customers and and and the use case scenarios and the case studies from Microsoft where they're sitting there and going well why do you need to have a dedicated corporate network plugged into all of your sites I can get a fast internet connection from vendor x4 twice twice as fast if I don't have the corporate component attached to it I web proxy things in place and right from the internet that's right and and that's exactly it it's a matter of taking the time and going well if I sit there and have all of my devices running on VPN at my customer sites is my infrastructure capable 
of handling that for client to server VPN and if it is what does it matter we got always-on VPN it's no different than direct access oh yeah so food for thought yeah well I don't know about you but I think it's probably you're just past your lunch time and well let's just way past my bedtime here so yeah I think I should call it quits and plan for another round of this sometime in the future very soon and tackle there there's more bits of Intune I found this to be very educational you know I kind of play and play and um for some of it for the dramatic effect but uh you know I think this stuff is is really amazing and I think we're gonna you're gonna really see this playing a big role in in the future of of your organization and you can't just keep ignoring it this is gonna this is the future this is where it's going and you know do everything you can to begin testing it and I'm as you could see we we've got three months to mess around with this and just to pilot it out and try it and you can do this on your own with very little infrastructure I mean you need a web browser and a single VM and you can be jesting off pilot all day long so or even you could build you don't even have to have a physical VM you can't build it either if you wanted to pay some if you had some advocates or a little bit the month to do it or they've got an old laptop or an old discourse it in under the table I showed Steve earlier I have an imaging closet in my yep in my office here I've got six old laptop sitting on the shelf that I'm testing with so it doesn't take much I have I have a pile of laptops just sitting here that I use for testing different scenarios and you move them from tenet and away you go so there's no reason why you can't start testing in tune today is what I would be saying absolutely you know and on that note I think we will call it a wrap there Adam pass time today thanks T or talk soon all right see ya
Info
Channel: Intune Training
Views: 127,048
Keywords: Micrsoft, MEMIntune, MSIntune, AAD, AAD Joined, Microsoft Endpoint Management, MEM, AutoPilot, Intune, Training, Azure
Id: KN4tfKQqtVs
Length: 78min 25sec (4705 seconds)
Published: Tue Jul 09 2019