Making the transition to Intune is a big challenge, especially if the way you’ve always provisioned computers has been to image them with MDT or Config Manager.
With the end-of-life date for Windows 10 approaching, now is the time we should become familiar with what the new process looks like – not just us as administrators, but our end-users too.
If you’re wondering what Autopilot is and what role it plays, there are dozens of community resources that explain it. It’ll also be one of the first episodes of any Intune YouTube tutorial, but the TL;DR answer is:
Autopilot governs the Out-of-Box-Experience for a Windows device. As soon as the user signs in, the configurations come from Intune.
Autopilot is a user-driven process
I see many discussions, both within my role and throughout online tech communities, about how businesses have transitioned to Autopilot and begun configuring devices with the user-driven method.
I have to say, most of them are getting it wrong.
They are still having IT run through Autopilot with the user, or worse, running through the whole experience (even doing something whacky with MDT first) without the end-user present. The menus and UI are designed for the end-user to run through. The steps the end-user takes are very similar to the ones they take every year or so when they get the latest smartphone. Are you telling me they are incapable of selecting their language and passing the MFA challenge?
(you don’t have to answer that…)
What is the role of IT with tools like Autopilot and Intune?
IT are there to configure Intune and ensure that the device they are about to hand over to the user is Autopilot registered. If your company puts physical asset tags on the device, do this too.
I used to obsess over having a perfect “Golden Image” using MDT. I would tweak the task sequence for hours at a time, making the process as slick as possible. If that sounds a bit like you, it’s time to start obsessing over Intune. It can be used to achieve the same goal, but you don’t have to configure multicasting or deployment share paths.
Intune is actually easier to configure than Microsoft Deployment Toolkit and Group Policy Objects. As soon as my employer finds this out, my perceived value will go through the floor!
It is unrealistic to expect people to suddenly switch what they’re used to doing without a proper communication strategy. Communication is the thing that can make or break a company. It’s both the best and worst thing about human interaction.
It’s often a nice feeling to have your presence requested with the preface that something new is coming. That can be quickly dampened if a tremendous amount of work or laborious process follows.
Luckily, Autopilot is not that.
Getting users involved
Not everyone enjoys internal IT news, but the least you can do is notify them of your intentions. There are also some (often self-labelled) power users who ask us all sorts of questions about what we do.
If you’re an M365 house, think about establishing a channel to communicate updates. That could be by implementing an org-wide MS Team, or by having news posts delivered on a SharePoint Intranet. Stay away from email, because that’s the inbox of boring stuff no one reads.
Create internal content with screenshots and emojis; people love it. Explain the process, summarise the benefits, and say where end-users should go for help. You won’t get everyone, but action is better than inaction.
“We do not break user-space”
This is a direct quote from Linus Torvalds (creator of Linux), and while it has quite a deep technical meaning about the depths of software creation itself, I like to give another meaning to this in my approach to how I configure the end-user experience for Windows via Intune.
It is our job to prevent end-user actions that could harm the business or cause inadvertent mistakes. It is not our job to dictate exactly how the end-user experience should look and feel.
For example, in an earlier role I would lock down the Control Panel, set taskbar pins, create start menu layouts and desktop shortcuts etc. When we configure our Autopilot profile so that users are not Local Administrators, there is little harm they can do to their system. I no longer lock stuff down unless it serves some form of business requirement. Why? Because what I realised was that by disabling the Cortana and Search button on the taskbar, I was preventing people from using Windows in a way that might be better for them.
Likewise in Windows 11, I’ve had requests from customers to realign the taskbar to the left. I ask why. “Because that’s what they’re used to.” We need to break away from mollycoddling end-users, and allow them to run their own experience.
Don’t be afraid to set the scene
If you are the person in charge of the endpoint build process internally or for your customers, you have earned a certain level of trust to be in that position. You are therefore able to give consultative advice on how to best move forward using the tools at your disposal.
Question everything about why you build laptops the way you do. You’ll get responses like:
- I don’t know
- It was like that when X was in charge
- That’s the way we’ve always done it
- Because that’s what our security team says we should do
- That’s what framework X recommends
- Something might break if we change that
- Go away
Not a single one of the responses above is an actual answer you can work with.
One approach you could take is working out what your end-users need for their job, building a totally new process, and pitching it as “this is what good looks like”.
If you’re stuck on how to start doing this via Intune, check out the Open Intune Baseline created by SkipToTheEndpoint.
The baseline is largely a collection of Settings Catalog configurations that will give you a good starting point from an endpoint security standpoint. From there you can tweak and work out your custom business requirements.
Condensing the thoughts
- Configure Intune to meet the end-user requirement, with all the apps and settings they need
- Communicate that things are changing, and that you’re there to help
- Get the end-user to follow the Autopilot user-driven enrolment process
- Don’t break the user-space unless it meets a real business requirement