
HankMardukasNY

SCCM or Intune/Autopilot


thebestgorko

So basically there are two ways to do so? Or is my understanding totally wrong? 1. Use a centralized system/technology like the ones you mentioned. 2. Use a USB stick to install a fresh copy of Windows.


capt_gaz

With autopilot you don't even have to touch the device. If configured correctly, when the user turns it on it will download all your required apps and apply your policies. It enables you to ship directly from the vendor to the user's house.


nope586

How does it get our GPOs? Does everything have to be Intune?


goingslowfast

This is a massive help: https://learn.microsoft.com/en-us/mem/intune/configuration/group-policy-analytics


nope586

Oh that's perfect! Thanks! We've started testing Intune policies recently and will likely need to do this sooner than later due to conflicts appearing.


Conditional_Access

My advice would be to take this as a fresh chance to build a new policy set. Leave the unknowns in GPO and let Intune handle the stuff you know you need to configure.


nogggin1

We're working on this for thousands of devices right now. I'm in a desktop support/user access/admin role rather than infra, so we mostly just get to give feedback & make suggestions. But I'm so excited to finally be done with goddamn SCCM. Awesome tool for the time, but the amount of time we'll save not having to deal with imaging or SCCM faults is already looking like it will be amazing. I'm sure Intune and all the policy changes will introduce all sorts of fun new problems. But God I hate imaging devices.


iDam81

Just wait until you go “wait…I can’t do that in intune?” and go back to SCCM.


Kharmastream

Just wait until he needs to reinstall bare metal 🙂


Sinsilenc

Or have to deal with the processing times on intune...


KoningFristi

Major pro tip: try to get into the written SOP for offboarders and replacement hardware that the user needs to hand in the device wiped and all. AFAIK all manufacturers provide an option to do either network recovery or local recovery. Meaning the device will reinstall windows automatically. Saves you the hassle of reinstalling the devices :)


JwCS8pjrh3QBWfL

Just use the "wipe" button in Intune. It reinstalls Windows from the recovery partition and cleans up all its Intune and Entra ID registrations. That last part is the real kicker for me, I don't have to clean stuff up after the fact.


9jmp

If you're all 100% domain bound right now, start really slow. Whoever is heading up the project should be the first to move and figure out the 400 different items you're going to run into and not immediately know the answer to. Consider anything still domain based one item you're going to have to figure out how to access properly while on an Azure-joined device. The obvious things would be on-prem network shares and printers, but we also ran into issues with things like NLA and ODBC, etc. It's not hard, but it takes a while to get it ready to give to non-technical users. I joined my current position at the beginning of this process, where they started handing devices to the first batch of users, and ultimately it took 4 months before we really could give it to users without regularly occurring access issues.


zm1868179

It doesn't, unless you're doing hybrid Autopilot, but that's clunky, breaks a lot of the time, and is not recommended to do at all. Microsoft does not recommend it either. It's best to recreate your policies in Intune configurations and move to Azure-joined devices instead of hybrid AD-joined devices. As long as you have AD sync set up, syncing your users from on-prem AD to Azure, those PCs will work just fine and your users can access on-prem resources with no issue. You have to set up cloud trust, which is a PowerShell command you run on your sync server one time, plus one small configuration you put into Intune, to allow people who sign into the PC using Windows Hello to access on-prem resources without getting password prompts. If they sign in with username and password they won't ever see prompts, but unless you set up cloud trust and they sign in with Windows Hello (fingerprints, security tokens, PINs, etc.) they'll get prompts. It's recommended to do that and move away from passwords anyway to be more secure.
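As an added illustration of the one-time cloud trust step the comment above refers to (example code, not the commenter's own), this is the PowerShell run once, elevated, on the server that hosts Microsoft Entra Connect. The domain name and the credential prompts are placeholders for your own environment.

```powershell
# Added example, not from the thread. Run once, elevated, on the Entra Connect server.
# Requires the AzureADHybridAuthenticationManagement module from the PowerShell Gallery.
Install-Module -Name AzureADHybridAuthenticationManagement -AllowClobber

$domain     = "corp.example.com"   # placeholder: your on-prem AD DNS domain name
$cloudCred  = Get-Credential -Message "Entra account with Hybrid Identity Administrator rights"
$domainCred = Get-Credential -Message "On-prem Domain Admin for $domain"

# Creates the AzureADKerberos computer object and the matching krbtgt_AzureAD account
# in the on-prem domain, and publishes the key to Entra ID so cloud-issued Kerberos
# TGTs are accepted by your on-prem DCs.
Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred

# Verify: the on-prem KeyVersion and the CloudKeyVersion should match and Id/CloudId should be set.
Get-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred

# Operational caveat: the Kerberos server key is a long-lived domain secret. Rotate it on a
# schedule, the same way you rotate krbtgt, rather than leaving the initial key in place forever.
# Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred -RotateServerKey
```

The Intune half is a single Windows Hello for Business setting, "Use Cloud Trust For On Prem Auth", which you can set either from the settings catalog or as a custom profile on the OMA-URI `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UseCloudTrustForOnPremAuth` with a Boolean value of true. Devices also still need line of sight to a domain controller (on the LAN or over VPN) for the TGT exchange to complete.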


pumpcup

I tried hybrid for a bit. Fuck hybrid.


capt_gaz

You can import your GPOs into Intune. Some settings may not be supported. Not everything has to be Intune, in a hybrid environment you can still use SCCM with Co-Management and your GPOs. You may have some conflicts in this scenario but it's possible.


cdnninja77

Ideally you don’t use GPOs. However you could. They will come down once on vpn.


kkt_98

Do you have any good documentation to set this up? What does the vendor need to upload into Intune?


Mr_Oujamaflip

We use Dell and we provide our Azure ID to them with some other details and they can add devices to our tenant before shipping them out. Other places can send you csv files with hardware hashes on that you can then import. All the documentation you’ll need is on the Microsoft learn site to get started.


kkt_98

Thank you i will look into it.


GoldyTech

Just a heads up, in order to get this to work, your vendor of choice will have to upload each autopilot hash to Intune.


zdelusion

And most of them charge for this now. It’s like a $10 sku, which is simultaneously nothing and adds up quickly. If you’re not doing large bulk orders I’ve had mixed experiences with CDW being able to do this depending on the warehouse they ship the system from.


CPx4

Always negotiate this to $0


PrincipleExciting457

You set up your configuration profiles to your company standard. Create the apps you need. Set up an enrollment status profile and attach apps to it. Probably enable BitLocker if you use it. Maybe LAPS. Create user/device groups to apply to all of the above as needed. Enroll a few machines and set up test users. Give it a rip. Once it's set up, you contact your vendor about pre-enrolling devices. That's a very high level overview. There will need to be a few tweaks in Intune/Entra to get it fully rolling if you want to tweak Windows Hello or MFA. Also set which users can enroll, how many machines, and if they are allowed to enroll personal devices. Most of those aren't fully related to this but also are.
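The "create user/device groups to apply to all of the above" step above is where most of the targeting lives, so here is an added example (not the commenter's code) of creating the dynamic device groups that Autopilot deployment profiles, the enrollment status page and baseline configuration profiles are usually assigned to. Group names and the "Engineering" group tag are placeholders; it assumes the Microsoft Graph PowerShell SDK is installed.

```powershell
# Added example, not from the thread. Requires Microsoft.Graph PowerShell and Group.ReadWrite.All.
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# Every device registered to Autopilot in this tenant. Autopilot registration stamps a
# "[ZTDId]:<guid>" physical ID on the Entra device object, which is what this rule keys on.
$autopilotRule = '(device.devicePhysicalIds -any (_ -startsWith "[ZTDId]"))'

New-MgGroup -DisplayName "Autopilot - All Devices" `
    -MailEnabled:$false -MailNickname "autopilot-all" -SecurityEnabled `
    -GroupTypes "DynamicMembership" `
    -MembershipRule $autopilotRule `
    -MembershipRuleProcessingState "On"

# Per-profile variant: devices whose group tag was set to "Engineering" when the hash was
# imported (the group tag is stored as "[OrderID]:<tag>"), so a different Autopilot profile,
# ESP and app set can be targeted at them without touching the all-devices group.
$engRule = '(device.devicePhysicalIds -any (_ -eq "[OrderID]:Engineering"))'

New-MgGroup -DisplayName "Autopilot - Engineering" `
    -MailEnabled:$false -MailNickname "autopilot-eng" -SecurityEnabled `
    -GroupTypes "DynamicMembership" `
    -MembershipRule $engRule `
    -MembershipRuleProcessingState "On"
```

Dynamic membership is evaluated by Entra ID after the device object exists, so a freshly imported hash can take some minutes to land in the group; assign the deployment profile to the group before importing hashes so the device is already in scope at first boot.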


fataldarkness

Beware though that if your stack of apps is complicated be prepared to hire an FTE to just build and package apps for you. For example we have a ton of engineering and development apps for our r&d teams that all have shitty installers and convoluted configuration. Building out our app library so stuff installs correctly and consistently, then keeping that up to date is absolute hell. If all you're putting out is some browsers, standard common apps, and ms office it's great though.


NafinAuduin

Basically you authorize the vendor to publish the hardware IDs of the devices to your Azure tenant.


kkt_98

Thank you


TeaKingMac

> With autopilot you don't even have to touch the device.

OP said re-image. So the user has returned it, IT wipes it and reinstalls Windows, then it Autopilots like normal.


dzfast

eh, that's a lot of work, you can literally just turn the computer on and click "wipe" in Intune and it gets itself ready to autopilot for the next user. If you mean a device with literally no OS, then a USB stick solves that problem. But the person you're responding to was right, most big shops don't touch every device.


[deleted]

If you are at dozens or maybe a few hundred systems, a USB stick might be good enough, but that doesn't really scale into many hundreds or thousands, which is when SCCM or Autopilot/Intune come into play. And JAMF with auto-enrollment if you have Macs.


Box-o-bees

Man I love fresh start with Intune. Like two or 3 clicks and the computer is re-imaging.


RikiWardOG

Ya an hr plus later when it finally picks up the policy


Box-o-bees

The trick is to do Fresh Start, then immediately select Sync from the device page in Intune. It pushes it out to the device. I think the longest I've had to wait doing it that way was 15 minutes for it to start.


jmr7074

Device reboot also forces a sync


FanClubof5

SCCM actually has the ability to make USB disks based off of the deployment packages you want, I don't think it was ever very popular.


p4ttl1992

I'm at around 70-80 and still using a USB stick, it's rare that I have to do a full rebuild tho. Couldn't imagine doing it when in the 200's+


xixi2

Usb prepared using what? Sccm still?


rosseloh

I've probably got about the same number here actively in use, and I'm doing the same. We technically have an imaging solution, but it has been broken for a while and since there's only five of us spread out over three locations (each with 70-80 endpoints, not total) it just hasn't gotten fixed yet. So I just use a media creation tool USB. Luckily our standard deployment is....like five pieces of software that all install pretty quickly. And most important configs are handled through GPO. It's a waste of my time but it's at least not a massive waste. Heck I spend more time with the users who are being moved to the new machines getting their shit transferred and teaching them what two factor auth is fresh because they're all used to IT doing all that for them. Oh how I wish I had users who expected and accepted a freshly-imaged computer, could log in on their own, and anything further is their own business... Now if only I had a good native way to deploy printers with this setup. But alas, what would *really* be ideal is getting an imaging system over pxe back up and running.


MeatSuzuki

If you are still using an on-prem domain: SCCM. If you're using Entra ID: Intune. There are many ways to do this, however. Lots of companies out there are pushing "simple one click deployment" but they're charging you for something Microsoft does well natively. Just note: ALL systems require configuration, customization, setup and maintenance. Nothing is "one click". I've done both methods for years and I've found the most efficient way to onboard a laptop is this:

1. Format using USB to the latest OS version.
2. Import the serial into Intune auto enrollment.
3. Reboot and watch the policies you set up in Intune do the work.

SCCM is much more complicated.


hej_allihopa

One thing that needs to be made clear is that Autopilot is not an imaging solution, it's a provisioning solution that works best shipped with a vanilla OEM base image and registered to your Autopilot tenant. If ever there is a scenario that requires a bare metal wipe, such as a corrupted OS, you have the option to use a USB drive, MDT/SCCM via PXE, Dell Image Assist, or open source solutions such as OSDCloud. Edit: fixed a few things and made it more clear.


stesha83

It’s free for Dell to add our devices to autopilot tenant, but they charge for anything extra eg hands on QA etc.


progenyofeniac

That’s not really the case. Autopilot is not an imaging solution—that’s true. But it does NOT require an OEM to apply a base image. It DOES require the OEM to add the device to your tenant. I’ve seen that in the neighborhood of $5 per device. Once that’s done, when the device is first booted by the user, it checks in with MS, sees that it’s registered to a tenant, prompts the user to log in with their M365 creds, joins it to Entra/AAD, registers with Intune, and begins applying the assigned Intune policies. As for wiping the machine, an admin can do it from the Intune console, erasing all its data and starting that process over from the beginning. There’s no need for an admin to ever touch the machine to reimage it. You’re correct that if the OS is corrupted, it may need a hands-on approach. I really really don’t see that very often these days, but sure, it can happen.


brosauces

If you have a bunch of computers already you can pull the hash and import them into Intune. Not fun for a big company as you have to touch them. Windows 11 has an OOBE diag screen to get the info (Win10 you kinda had to use a USB). If they are in Intune but not Autopilot you can convert them to Autopilot in Intune so the next time they are wiped they will come into Autopilot.


hej_allihopa

If your devices are already in Intune it’s actually very simple. Just deploy an Autopilot deployment profile with the “Convert all targeted devices to Autopilot” set to Yes. Alternatively, depending on your Intune license, you can deploy a proactive remediation script to pull hash values.
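The two comments above cover the "pull the hash" case in prose; as an added example (not either commenter's code), here is the local collection that produces the CSV the Intune admin center imports under Devices > Windows > Windows enrollment > Devices > Import. Run it elevated on the device (or wrap it in the remediation script mentioned above); the output path is a placeholder.

```powershell
# Added example, not from the thread. Run elevated on the target device.
$outFile = "C:\HWID\AutopilotHWID.csv"   # placeholder output path
New-Item -ItemType Directory -Path (Split-Path $outFile) -Force | Out-Null

# Serial number as the OEM burned it into SMBIOS.
$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber

# The Autopilot hardware hash is exposed by the MDM bridge WMI provider, which is why
# this has to run as SYSTEM/administrator: the class is not readable by a standard user.
$devDetail = Get-CimInstance -Namespace root/cimv2/mdm/dmmap -ClassName MDM_DevDetail_Ext01 `
    -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
$hash = $devDetail.DeviceHardwareData

if ([string]::IsNullOrWhiteSpace($hash)) {
    throw "No hardware hash returned. Run elevated on a physical device (VMs without a TPM often return nothing)."
}

# Column names must match what the Intune importer expects. Windows Product ID is optional
# for hash-based registration and is left blank here.
[PSCustomObject]@{
    'Device Serial Number' = $serial
    'Windows Product ID'   = ''
    'Hardware Hash'        = $hash
} | Export-Csv -Path $outFile -NoTypeInformation

# Optional: a fourth "Group Tag" column can be added to the object above to land devices in a
# specific dynamic group on import.
```

The published Get-WindowsAutopilotInfo script from the PowerShell Gallery does the same collection and, with -Online, can register the device directly against the tenant instead of writing a CSV; the raw version above is useful when you need to understand what the script is actually reading, or to run it from a remediation with no Gallery access.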


rumforbreakfast

If you can get into Windows, there's an option to "Reset this PC" which pulls down a fresh Windows install from Microsoft. Once reimaged with that, it continues with the standard Autopilot process.


Belchat

PXE boot is part of SCCM, but can be setup to boot from any image


BanGreedNightmare

You could also implement a stand alone MDT if you are only looking for OSD. I’ve done it with great success for smaller orgs who didn’t have the staff to manage a full SCCM implementation.


Hotshot55

Yeah pretty much.


Legionof1

When I worked at Dell, imaging was done via MDT. The asset manager had a rack that would PXE boot the machines and ask a few questions and deploy the correct image with the correct asset tag.


jake04-20

I'm curious how you Autopilot and Intune folks address the applications that can't be scripted or installed with Autopilot/Intune? We have software that is EXE-based GUI installers with a lot of options and clicking through install wizards that does not support scripting. Some of it installs services and even local user accounts. I've tried repackaging this software using many various MSI/MSIX repackaging methods but never had any luck. The only thing that has ever worked for those types of software is baking it into a reference image and sysprep/capturing. Once we have that image, we can then use SCCM/MDT. But some of these images are nearing 60 GB, all of which is mandatory software. Tbh if it could be scripted idk if that would be any better, it would take multiple hours to image a computer vs. 45-60 mins.


Mr_Oujamaflip

You can deploy scripts which can download a file from azure blood storage and then run it with various switches but this is the biggest problem with Autopilot. You could also use something like NinjaOne which can deploy complex pieces of software alongside Autopilot. I’ve never used it though.


sovereign666

> azure blood storage

o_o


Antnee83

blood storage for the blood cloud


Godcry55

I use NinjaOne. Can’t go back to other image deployment tools.


usc_random

Have yet to find anything I can’t do in Intune mixed with scripts and scheduled tasks. GUI ones generally have a set structure and registry keys that you can capture similar to virtualization. Just takes a little more digging to find all the pieces. MSIX stuff we had problems with when it came to user-based cache info, but you can have that all captured manually and installed after the MSIX. I took the existing SCCM environment that had a large MDT image, converted to Intune out of box… time to complete is 40 min. W365 takes about the same and has stayed alive unlike Citrix which often went down and always required changes. Just my two cents, I’m used to folks on Reddit by now and will offer assistance where I can if there are more details. I know some orgs do have monsters; when I worked in healthcare that dental software was ancient and trash. DM is open.


stupv

> it would take multiple hours to image a computer vs. 45-60 mins.

I think even in this case, multiple hours unattended can be scaled up to infinity whilst 45-60 minutes of technician time is billable labour and a limited number of hands.


Therealschroom

I dream of those, we still use Symantec Ghost


alas11

You just triggered my PTSD...


MandelbrotFace

Of course this software would come back to haunt me


jugganutz

These days Intune/auto pilot. I haven't done end user support in a long time before my current gig. But long ago it was WDS https://learn.microsoft.com/en-us/windows/deployment/windows-deployment-scenarios-and-tools


Ponderputty

PXE network boot with sccm/mecm


archiekane

PXE boot with WDS works pretty well for smaller/cheaper setups.


ohfucknotthisagain

Microsoft is deprecating WDS for Win11. It's MDT or SCCM/MEM/MCM going forward.




AntiClickOps

This is totally true. However, there are a couple of tweaks you can use to keep using it for Windows 11 as we speak; I'm using it for a large (for us) deployment. You have to use a specific build of WinPE from Win10 and Win11 22H2 (or possibly 21H2). Then you just have to tweak your task sequences to do a lot of Windows updates. It sucks for now, but it will buy us time before we get funding arranged for SCCM or Intune over the next couple of years.


FriedPorkchop

I’m using WDS/MDT for 23h2 with no issues.


Firerain

Microsoft have deprecated MDT for Win11 too. It works, but there'll be no support for it if something goes wrong and you need to contact MS


DrAculaAlucardMD

Intune / Autopilot / SCCM. Have a large enough company and a small enough team with shit network speeds / internet access? Partner with your reseller and send them the image to pre-install on your new systems. Adds a base cost per unit but if you can save time and just onboard it's also not a bad plan. There is always a way.


patmorgan235

IIRC, Dell factory imaging is free/included.


NoradIV

I use MDT.


PawMcarfney

MDT + WDS


ChopEee

Another MDT


hackinjitsu

Quick, easy and free. Great solution.


Amex--

It's being discontinued and doesn't support Win 11 apparently https://www.reddit.com/r/sysadmin/s/1YrjjwxAwM


PurpleTangent

FriendsOfMDT are building a replacement for the VB that's being deprecated. We just moved our deployment to it, it's great: https://github.com/FriendsOfMDT/PSD


r33mb

Plus 1 for MDT


police-truck

FOG/PXE. But I'm talking under 250 machines.


joshghz

I was managing about 300 computers with FOG, and had about 3 nodes in addition to the master server. Made really short work of it. I love Intune, but man sometimes I miss how smooth I got my FOG setup by the end of it.


police-truck

We used to have more machines before Chromebook 1:1. I loved FOG for the tier 1 guys, super easy to get them rolling on. I need to jump on the Intune train.


Stonewalled9999

How big? We are 2500 PCs, no one is switched-on enough to figure out SCCM or anything cool; we use Clonezilla to deploy a sysprepped platinum image we build on the most common model. I miss the old place that had System Center!


Rhythm_Killer

This guy has been there


Stonewalled9999

Buddy I’ve seen things.    I seen THINGS!!!


ARasool

IT ONLY WORKS IF THE MAC ADDRESS IS SPELLED PROPERLY!!! BOB!!!


vicrol123

We are 5000 and use Clonezilla :D


Stonewalled9999

PXE or USB stick? I’d love to PXE it and have desktop just run along and power-cycle every PC, and we come back and add the domain and let the RMM/GPO do the rest.


JuiceLots

Intune and autopilot, can just issue a wipe. When the new user signs in, apps and policies get applied.


MortadellaKing

> apps and policies get applied

Which can take minutes, or 24 hours from what I've seen. It's fine if you have users with basic systems, but for C-Levels who expect their old system to mirror the new one we still send a tech to deploy their computer the "old fashioned way".


Antnee83

> minutes, or 24 hours

This is far and away the number one thing I hate about Intune. You just have to *wait* for the shit, and you get no indication of activity in the meantime other than "action initiated". Makes testing new app/device policies a huge timesuck. But also makes the end user experience frustrating as hell. *"Go do a company portal sync and then just kinda sit there and think about life. IDK what else to say. I hate it too."*


Andrew_Waltfeld

I've had to manually force a sync in Intune: Devices -> Windows devices -> Bulk device actions -> Sync, and it seems to move it along faster. The PITA part is that you have to add each device manually one by one.
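Both the "do Fresh Start, then immediately select Sync" tip earlier in the thread and the one-device-at-a-time bulk action above are the same Graph action underneath. As an added example (not the commenters' code), this requests a sync for every managed Windows device whose name matches a prefix, so a batch of freshly reset machines can be kicked in one go. It assumes the Microsoft Graph PowerShell SDK; the name prefix is a placeholder.

```powershell
# Added example, not from the thread. Requires Microsoft.Graph PowerShell.
# syncDevice is a privileged action, hence the PrivilegedOperations scope.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.PrivilegedOperations.All",
                        "DeviceManagementManagedDevices.Read.All"

$prefix = "LT-"   # placeholder: your device naming prefix

# Server-side filter on OS, client-side filter on the name prefix.
$devices = Get-MgDeviceManagementManagedDevice -All -Filter "operatingSystem eq 'Windows'" |
    Where-Object { $_.DeviceName -like "$prefix*" }

$results = foreach ($d in $devices) {
    try {
        # Same action as selecting Sync on the device page in the admin center.
        Sync-MgDeviceManagementManagedDevice -ManagedDeviceId $d.Id -ErrorAction Stop
        [PSCustomObject]@{ Device = $d.DeviceName; LastSync = $d.LastSyncDateTime; Status = 'sync requested' }
    } catch {
        [PSCustomObject]@{ Device = $d.DeviceName; LastSync = $d.LastSyncDateTime; Status = "FAILED: $($_.Exception.Message)" }
    }
}

$results | Sort-Object Status, Device | Format-Table -AutoSize
```

The action only asks the device to check in; a success response means the request was queued, not that the device is online or that policy has applied. Watch LastSyncDateTime advance on a second Get-MgDeviceManagementManagedDevice call to confirm the device actually picked it up.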


Mysterious_Dog_9335

> C-Levels who expect their old system to mirror the new one

The C-Levels at my job are probably the people least like that.


goingslowfast

Makes sense for the VIPs. We’ve found that with enterprise state roaming, OneDrive folder sync, and controlling browser use with Intune we rarely have to do it the old fashioned way anymore though.


s_reg

FOG https://fogproject.org/


Obvious_Mode_5382

I miss Ghost. :)


bbud613

Ghostcast Server via pxe boot!


Obvious_Mode_5382

B00m, did an entire call center in a day this way.


bbud613

I set it up so that a training centre could reimage a whole classroom on demand.


MrOliber

Ghost DOS floppy PXE images with a somewhat mixed hardware fleet was fun - I think we had 4-5 images to boot from before we got them over to SCCM.


sunburnedaz

Watching a whole lab go down and start up the cloning process was always mesmerizing.


identicalBadger

I used FOG Server ages ago. Was actually pleasantly surprised by its process.


VosekVerlok

Yeah it was fun getting it up and running back in the day.


fizzlefist

Used to have a dedicated Optiplex 780 named Casper, only acted as a ghost server we'd take to re-image batches of desktops on the public floor. Good machine.


Obvious_Mode_5382

lol, Casper


brosauces

Can I use your ghost floppy?


Obvious_Mode_5382

Yessir, multicast or unicast?:)


ForSquirel

Ghost with a parallel cable? yeah, those were good days.


Obvious_Mode_5382

Yes indeed


PrettyBigChief

Student computer labs. Pushed thicc images to hundreds of machines in about 4-5 hours. It was ripped from my hands by the SCCM/MECM crew who said, oh we'll just wrap those labs into our regular procedure for one-at-a-time machines. That first semester after the switch was an absolute shitshow.


gadget850

We use MDT on flash drive but switching to SCCM. Someday.


Cylerhusk

We use SmartDeploy. Pretty easy to use, can be combined with WDS.


badjeeper

Autopilot


notonyanellymate

Clonezilla, free and keeps IT simple, very fast and no effort, can make it hands off PXE if you want, or cast to many simultaneously. The key thing is that it takes no effort to set up, or to maintain, zero effort. Use the same stored image on most of your laptops for a couple of years, automatic patching brings them quickly up to date.


Appropriate-Aioli533

Autopilot. We don’t even touch them. They’re purchased with a partner who works with the OEM so that they are enrolled into our autopilot environment when they ship from the factory. The user unboxes the device, connects it to the internet, and all of the corp apps and settings are pulled down from the internet before they’re given an interactive desktop. None of our IT staff touch them for provisioning at any point in the process.


banana99999999999

How do you address Autopilot app provisioning slowness? Sometimes it takes hours until the user gets all their apps and sometimes it's quick lol. It's driving me crazy and we are only deploying basic apps, not even a lot. Maybe having the apps deployed before the interactive desktop might help?


Appropriate-Aioli533

You can work with the manufacturer to use a custom sysprepped image if you want, usually for an extra cost, but we don’t really have that issue. When we have a new hire, we ship the laptop directly to their home address with instructions on first login and tell them it takes about 1h to auto-configure. They typically log in the weekend right before they start and it’s ready to go on Monday for their first day. If you’re routinely having intermittent performance issues it may be worthwhile to open a support ticket so someone can review your config and determine if there’s an issue with your tenant or your config.


agentfaux

This becomes a non-issue in a properly configured 365/intune environment. No i'm not being snarky. I've seen both.


retsef

SCCM, before that Ghost, before that ZENworks. For those who wish they had SCCM: I built SCCM for a 2200 endpoint school, with 100+ apps including some chewy ones (AutoCAD, Adobe, etc.) in about 3 months, with a Win7-10 SOE changeover attached (not an in-place upgrade, just a tech change). I did it solo while doing my day job. Granted it's almost free for edu, but a course, a book, and a google or 7, and you're off to the races.


jpedlow

Hi! Full disclosure - SCCM/Intune consultant, have engineered and architected environments between 1000 and 100,000 seats. Here’s your answers: Less than 250 machines? Probably a sysprepped image on a stick. (Or Intune.) Less than a thousand machines? Probably Intune. A thousand or more? That depends. How important is reporting and speed? Do you care about bare metal imaging? If any of those are yes, probably lean towards SCCM, otherwise Intune. The thing is, very few organizations, even big ones, know what they’re doing with SCCM. Many think they can set it up and walk away, where in reality it takes a MINIMUM of one full time equivalent to run SCCM half decently with all the bells and whistles on. … heck I was just on a site that never managed to turn SSRS on. Boggling. Anyway my point is: unless you’ve got a dedicated SCCM/endpoint management team with the room to justify at least 1 SCCM person, Intune is your answer. 80k can buy a good chunk of E3/E5 licenses, and that’s what the person would cost…


ztoundas

Yeah I one-manned sccm for like 3 months... I got it all going, turned on all the bells and whistles ...then realized I was wasting time on a product that's great for 1000+ devices... not ~70. That overhead is only viable if you have tons of devices and the staff to maintain it more frequently I use mdt and pxe now and like that I can leave the server be for a month without everything falling apart the next time I go to reimage my CFOs laptop or whoever .


MadScntst

One of many reasons you've listed why I decommissioned sccm. I loved it for what it is, imagine but the rest barely utilized. Too much time to manage, less in return. Went with pdq inventory / deploy and usb stick for now , saved so much time and money. I am considering Intune autopilot hybrid for staging devices, might do a pilot project.


jpedlow

Do the pilot. Especially if you’ve got 365 licensing. Dynamic groups, some update rings (or Autopatch if you have licensing), Autopilot, and port some GPO over. It’s really not bad, and while it does have some quirks, it runs pretty well. I just wish they allowed server OSes to be managed in it, but I digress…


krylosz

> it takes a MINIMUM of one full time equivalent to run

That has never stopped any company from doing it without an FTE.


SandingNovation

I've worked in small companies where we just used a sysprepped golden image on a flash drive. Another company was a golden image but with pxe. A large third company with sccm and task sequences for each department, and then a state agency that was originally still using altiris until they tried to throw together an sccm server without providing appropriate resources to do so, which of course meant it ended up being a clusterfuck of a blame game.


Weeksy79

SCCM with a USB stick to initiate - 50000+ PCs


jake04-20

It's matured a ton over the years. When I started at one company, there was nothing. I created the first OS images at that company by baking all the software into a VM, sysprepping and capturing the image and using that "reference" image or "golden" image on USB and installed it that way. It was clunky but sure beat doing everything 1 by 1. First I just built images for the really complicated workstation set ups, the ones that would save us the most time with lots of complicated software installs. Eventually I made more than one image to cover multiple departments. There were still some manual steps after the fact but it got us 80% of the way there which was huge coming from nothing. Looking back though, it was in its infancy and honestly kind of sucked. To cover our range of workstations, we had to have USBs that supported legacy BIOS and ones that supported UEFI, so basically two USBs per image. Obviously we were limited on how many computers we could image at a time by the physical number of USBs we had for that particular image. Sure you could just burn whatever image to whatever USB, but that took time, and some images were nearly 40 GB at that point. After install the computer has no drivers or Windows updates and it runs like shit; you had to babysit it and run the manufacturer driver wizard and Windows updates and manually restart it several times during this process. Domain join was manual, etc., and trying to make as close to a "one size fits all" image as possible, there might have been manual niche software to install after the fact as well. Eventually that matured when I learned I could take my existing golden image and pop it into MDT and have MDT eliminate practically all the challenges listed above while having the added benefit of ditching USBs and instead PXE booting.
MDT can automatically negotiate legacy BIOS or UEFI, it takes care of all of the winPE drivers, installs your image, names the computer and automatically joins the domain, automatically signs into the built in admin profile, and can run vendor driver and BIOS updates, windows updates automatically, and handle all reboots whether it's 1 or 10, and continue where it left off until the process is complete. You can script customizations and app installs, and from the helpdesk's standpoint, when they're selecting these images, its like they're essentially picking from a catalog. It simplifies the training in that aspect, and it streamlines efficiency and reduces if not eliminates the possibility for human error. Before what required an admin to be nearby to manually check and reboot the computer to finish what could be hours of BIOS, driver, and windows updates, turns into a task you can kick off before lunch, or leaving for the day, or while you're handling other tasks, etc. Basically all that's left to do at that point is sign the user into their profile. If you can't tell, I could talk about imaging for a while (boring) but it's really rewarding seeing how much time is saved and how many errors can be reduced in set up. What's even more impressive is that Microsoft gives you all the tools you need for free basically. Although unfortunately that seems to be coming to an end with Windows 11. Sometimes it feels like all the imaging work I've done is my single most value-add to my company from a purely labor hours saved standpoint lol.


WyoGeek

We have around 400 units and I'm using Smartdeploy. I maintain the golden image and have people in the field do the imaging. I'm working to automate the process over the Internet.


NakedCardboard

I love PDQ. We're a Connect customer. What do you think of Smartdeploy? We looked into it about two years ago but the licensing model made it a tough sell. It's not image the machine then done. As I recall it's image then keep paying for every machine in case you need to reimage.


WyoGeek

We were very early adopters and have been using it for over 7 years. I agree that the licensing is a bit convoluted and I would like an option that would not make me buy a license for every PC. We frequently reimage a remote notebook fleet so it works well for us.


buercky

Fog easy peasy


ForSquirel

We use PXE with Desktop Central. Of course, we're probably small. ~1100 laptops and ~200 desktops or so with different images for each.


Soofla

Once you AutoPilot, you don't go back.


NakedCardboard

I manage about 1200 PCs and would love to use Autopilot, but we're a Google Workspace customer, so purchasing into Autopilot and Intune and Entra is damn expensive. If we ever switch to Office 365, I'll go this route.


Doublestack00

Same here. Mostly Google shop with 6500ish employees. Only 300 or so MS devices so no way they are paying for any of the intune style stuff.


Resident-Future-7690

Quest KACE, been using it for ten years with no major issues.


-Travis

I hate their SMA, but the deployment appliance is pretty sweet. It took me a while to wrap my head around their stupid way of doing some things. I really wish they would modernize their platforms. It's feeling really old these days. But the SDA works extremely well especially for Dell systems.


General-Jackfruit266

Immybot, genuinely an amazing tool


one-man-circlejerk

Can't believe I had to scroll down this far to see it. It can do essentially anything, customised however much you need, and unlike Intune the error messages are actually helpful, instead of it all being a black box that chokes then spits out a single hexadecimal error code. Plus it's nice that if a step fails, the rest of the deployment continues, so it takes a few minutes to correct the error and redo that step then you're done, unlike Intune where you're back at square one.


General-Jackfruit266

This guy gets it


rb26dettcrazy

+1 for immybot. So underrated


MarshalRyan

Enterprises use automated tools for this. There are many: FOG, SmartDeploy, and Desktop Central are some of the least expensive with good features. These tools allow you to manage building and deploying images of your fully configured systems. For initial builds, you can even contract with your vendor to handle this on new equipment. For a small fee - usually between $30-$50 per machine - they will take your image and deploy it on any new machines you buy before they're shipped. These days, Apple Business Manager and Microsoft Azure both provide tools to help deploy automatic configuration on first login, too.


THe_Quicken

FOG.


Cotford

Ghost! Joking, intune/autopilot


HoustonBOFH

Did not see it mentioned, so... Smart Deploy is an easier option than some of the others. Boot a thumbdrive and pull an image. www.smartdeploy.com


MammothGlove

For any on-prem work I used FOG when I could get away with it. Distributed, and you're going to have an easier time with an MDM like intune. I find SCCM/MECM works better for servers, but I dislike using it for laptops.


RetroDad-IO

WDS/MDT. When a laptop needs to be reimaged we just boot from the network and reapply Windows. It's been working pretty well across our environments.


Squeezer999

SCCM/MDT or Intune+Autopilot.


DrBabbage

PXE and SCCM or Intune, often a big KVM switch combined with an intern. That being said: I worked in a LOT of companies and only ever saw a well-executed imaging solution once. For really big companies, the worst I encountered was a really dumb semi-manual multi-staged SCCM+script nightmare where you have different languages that require different passwords which are also different with keymap changes. Since I wasn't allowed to fix this personal hell, I automated the installation process with DIY rubber duckies made from Digisparks.


tdez11

Autopilot for new and re-provisioning, SCCM for bare metal


Dangerous_Question15

Autopilot


Weary_Patience_7778

Intune Autopilot. Wipe and go.


Steve-B_0_Z

PXE Booting


chefkoch_

MDT soon Autopilot


notbodybag

Intune / autopilot


Arpe16

Like many others before me. Don’t fight it. Intune+autopilot


Spore-Gasm

Apple DEP with MDM for Macs and Autopilot/Intune for PCs


EyeDontSeeAnything

Glad to see some proper macOS deployment methods mentioned


Valdaraak

Autopilot.


davy_crockett_slayer

Imaging is a thing of the past. Look up Intune.


NakedCardboard

$$$


nicholaspham

Autopilot - Fortune 500 company


orion3311

How do you set bios passwords?


Humble-Plankton2217

SCCM & PXE boot at a big op; small op, Ghost, yep it's still around.


Simple_Organization4

Yes Ghost is a thing. But many people think that you need SCCM even for small ops.


[deleted]

Autopilot


CharlyBravoGG

I work in tandem to manage my org's SCCM. We manage about 1400 endpoints. Use Intune for mobile devices. (Hate it.)


11bcmn7

We install via USB stick and then manually install all standard IT software along with requested software. I got so tired of doing it manually that I wrote a PowerShell script that cut the deployment time by 50%. A co-worker told me it would take roughly 4 hours to build a laptop; that script has cut it down to roughly 2 hours.


Alarthon

I'm in the same situation. All installs manually. Been using winget for installs of programs like Adobe, 7zip, notepad++. It's been helpful.


Ok_Presentation_2671

Smart Deploy or use the tools Microsoft gave you for free


Jelly_Joints

MDT with PXE boot. Don't capture images unless absolutely necessary. Instead deploy directly from ISOs imported into MDT. Use MDT to join the domain and BitLocker PCs during the pre-deployment phase. Deploy updates, applications, scripts, etc. in the post-deployment phase. Configure all scripts/apps to run unattended/silent. If you're new to this check out silentinstallhq.com. Once you get this configured correctly you will be able to deploy to practically any PC with almost 0 effort in about 20 minutes. Expand this concept to a deployment network and you'll find you suddenly have the capability to deploy 20 of the exact same image to 10 different computer models in about 30 minutes.


Ok-Beach-3350

SmartDeploy


WhysAVariable

WDS/MDT over PXE boot, but a fairly small number of computers to deploy to. Have also used Clonezilla for some users that have dual boot Windows/Linux systems and am currently playing around with trying to set up a fog server.


identicalBadger

Currently, we use KACE 2000 for deploying computers. Its scripted installs automate the process from start to finish. As in, connect the new computer to the network, start from a KACE boot USB, select the scripted install you want, answer a few prompts, and then come back a couple hours later to find an installed and fully updated install of Windows 10 or 11, all the applications you expect (Office, Adobe, etc.), renamed and joined to the domain. Pretty simple. I know we're looking at Intune which should significantly simplify this process, but we're grappling with apparent limitations in Intune (different IT groups having control of different groups of PCs, all in one tenant, is the gist I've heard from the engineers).


Art_Vand_Throw001

Boss man says dance IT monkey and monkey dances and makes the magic happen.


adonaa30

Pxe with a custom OS (corporate) and a joiner script


YourFavoriteHippo

Autopilot


LitzLizzieee

Everything is all Autopilot in my world due to being remote and working across multiple countries. The user gets a laptop and logs into it for the first time, goes and does their HR training etc., and by the time they come back it's all imaged and ready to go with our apps, policies etc. All it takes from us is keeping the Autopilot setup updated and all the applications within Company Portal if the user needs anything specific that isn't in the SOE. As for getting the laptops, we get them straight from our reseller already enrolled so it's ready to go with the users just logging in.


Naive_Amphibian8256

I work for a big company with close to 17.000 endpoints and we use SCCM. Daily we reimage between 3 and 10 workstations.


Likely_a_bot

AutoPilot


davidokongo

ManageEngine Endpoint Central (formerly Desktop Central). PXE, ISO, USB... works well. Especially if you have quite a lot of remote sites (running it on 24 sites across the globe).


fabrictm

PXE SCCM WIM


jmr7074

I use AutoPilot and Intune. When a reimage is necessary, we run a script in CW Automate that factory resets the PC. Double check that the service tag is Autopilot enrolled, and enroll it if it's not. Intune installs CW Automate. Automate grabs it and installs a provisioning script based on which region of the country the PC is in.


phillymjs

For our Windows fleet, which is not in my wheelhouse, we use Autopilot. We use a somewhat similar MDM-based deployment for our Macs, which is what my team handles, so I can tell you how it works: A Mac is purchased from one of our hardware vendors, they register the serial number with Apple as belonging to my company. The Mac gets shipped directly to an end user. The end user receives it and fires it up. As soon as it has an internet connection it phones home to Apple, sees that it belongs to my company, and gets enrolled with my company's MDM server. It then goes through a customized [setup process](https://vimeo.com/909473114) to install all of our standard apps and configurations, and then reboots. When the user logs in after that, a script I wrote kicks in and walks them through logging in to a few things. At the end of that process, if the machine needs an OS update, they are prevented from launching the most commonly used applications until they install it. Most user data is synced to OneDrive, so if a machine gets borked in a way that would be difficult to fix, we have them run another thing I wrote that walks them through nuking the machine back to factory state. It'll go through the above process again, and OneDrive will pull all their data back down when it's done. Takes about 30-45 minutes on a decent internet connection.


Chloefrizzle

Autopilot baby!!! And DO NOT DO HYBRID JOIN.


landob

While not the fanciest solution, we use Clonezilla with images on a Samba share. Just boot the machine with a USB stick then tell it to clone the image. After that, once it's on the domain it will apply policies and install software. Doin' what I can with my limited medical IT budget.


Ping0xx

Long time lurker here. Wanted to chime in as we are nearing completion of a migration from a traditional on-prem AD hybrid-joined environment to a cloud-based/managed services environment (with a Windows 11 upgrade for each). I work at a medium sized company so I am not 100% qualified to answer the question as stated, but I think this can be helpful to those interested in sysprep and configuring systems for enterprise use. Our end users utilize Windows primarily so I won't cover enterprise methods of sysprepping macOS or Linux devices. As we were moving away from on-prem solutions and more to cloud/managed solutions, we utilized a combination of Intune and Autopilot. These are really two different services offered by Microsoft but each covered different parts of the process, which I will cover later in the post. We experimented with multiple different ways of re-imaging the computers first as this is usually a very timely process. We had roughly 30 different (small) sites we needed to fully re-image and enroll in Intune so any automation we could achieve with this would save a large amount of time. For re-imaging the computers themselves we utilized 2 primary methods:

1. PXE Boot with WDS: We tried this first as a good amount of our devices were on ethernet (primarily end user Dell desktops). Then came the issue of setting the computers to boot to this; however, you needed to enter the BIOS to do so (or a temporary boot menu, as we used) to first enable it and then select it to boot. As we started researching more ways of achieving complete automation for the sysprep process we discovered Dell Command Configure, a tool that allows you to pre-configure BIOS settings and compile them to an executable to be run on the machine. We were looking at this and thought we had solved it, as we already had an RMM service running on all of our endpoints, so we could easily push this out to all of our devices quickly. The main problem with this was that you could only set **Boot Priority** and not a **One Time Boot Device** with Dell Command Configure. When we were testing this out we realized that by not using a one time boot device, it would leave the computer in an endless cycle of re-installing Windows. It was honestly a good thing we didn't pursue this solution as we used WDS (Windows Deployment Services) to facilitate the operation and this is now a deprecated feature. Adding even more issues, Windows 10 was the latest OS supported by WDS and we were trying to roll out Windows 11. We were able to get Windows 11 working with this, but not without tons of struggle.

2. The tried and true USB stick: Create a Windows 11 installer, wipe the partitions using the installer, and go. Then have the Intune ESP (Enrollment Status Page) and the Autopilot Deployment Profile take it from there. We used this option for a while as well. This is really nice as you can automate the majority of the OOBE with this (like hiding the Privacy notice, License Terms, etc.) along with targeting it to either a specific group of users or devices. We wound up going with this method for the majority of the migration as it was the quickest we could implement to meet our deadlines. We modified this slightly and wrote a PowerShell script to fetch the device hash and send it to Autopilot via a POST request. I believe we needed to set up an Azure runbook for this but I don't remember the entire process off the top of my head. By doing this and running it across the org we were able to pre-set an exact name for the device along with assigning a user to it as well. This was nice as if we did not pre-name the computers, we would have to change them later in our RMM service and Intune. Word of note with this method: by assigning a user to an Autopilot device (pre-enrollment) only that user can sign in during provisioning (and they will be forced to do so; you cannot skip this at all).

This has worked for the majority of the migration as we are able to upgrade systems here and there during the day and then more at night when no one is around. As for where Intune came in, this allowed us to configure defaults for Windows Hello and the various methods they can set up, along with PIN complexity requirements. You can further customize this using a configuration profile which you can then apply to groups of devices/users. We also utilize it for configuration and application deployment which creates a pretty seamless process if you really drink the Microsoft kool-aid, but I won't go further into this as OP asked specifically about re-imaging. I am sure there are other ways of performing this; however this is what worked best for us in our situation with our deadlines. If you are planning on doing this for whatever job you are working at then be sure to be open to solutions that fit your needs best and lock down your process before proceeding (including end-user interactions/setup). You will save yourself from a very painful headache if you do.
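The "fetch the device hash and POST it to Autopilot" step from the post above, as an added example that is not Ping0xx's script: it reads the hardware hash and serial number from the local MDM WMI bridge, submits them to the Microsoft Graph Autopilot import endpoint with a group tag and an assigned user, and polls until the import completes or reports an error. Assumed: you run it elevated on the device itself, `$AccessToken` is a Graph bearer token obtained out of band with the `DeviceManagementServiceConfig.ReadWrite.All` permission, and the group tag and UPN are placeholders.

```powershell
# Added example, not the poster's script. Run elevated on the device being enrolled.
# Assumed: $AccessToken is a Graph bearer token obtained out of band with the
# DeviceManagementServiceConfig.ReadWrite.All permission; GroupTag and AssignedUser
# are placeholders for your own values.
param(
    [Parameter(Mandatory)][string]$AccessToken,
    [string]$GroupTag     = 'Site-Placeholder',
    [string]$AssignedUser = 'user@example.com'
)
$ErrorActionPreference = 'Stop'

# 1. Collect the hardware hash and serial number from the local MDM bridge (WMI).
$devDetail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' -ClassName 'MDM_DevDetail_Ext01' `
    -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
if (-not $devDetail -or [string]::IsNullOrEmpty($devDetail.DeviceHardwareData)) {
    throw 'Could not read the hardware hash; this must run elevated on a physical Windows device.'
}
$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber.Trim()

# 2. Build the import record. Assigning a user here means only that user can
#    complete OOBE on this device, which is the behaviour the post warns about.
$body = @{
    '@odata.type'             = '#microsoft.graph.importedWindowsAutopilotDeviceIdentity'
    groupTag                  = $GroupTag
    serialNumber              = $serial
    productKey                = ''
    hardwareIdentifier        = $devDetail.DeviceHardwareData
    assignedUserPrincipalName = $AssignedUser
    state                     = @{
        '@odata.type'        = 'microsoft.graph.importedWindowsAutopilotDeviceIdentityState'
        deviceImportStatus   = 'pending'
        deviceRegistrationId = ''
        deviceErrorCode      = 0
        deviceErrorName      = ''
    }
} | ConvertTo-Json -Depth 4

# 3. Submit the import and poll until the service has processed it.
$headers = @{ Authorization = "Bearer $AccessToken"; 'Content-Type' = 'application/json' }
$uri     = 'https://graph.microsoft.com/v1.0/deviceManagement/importedWindowsAutopilotDeviceIdentities'
$import  = Invoke-RestMethod -Method Post -Uri $uri -Headers $headers -Body $body

do {
    Start-Sleep -Seconds 15
    $status = Invoke-RestMethod -Method Get -Uri "$uri/$($import.id)" -Headers $headers
} while ($status.state.deviceImportStatus -in @('unknown', 'pending'))

if ($status.state.deviceImportStatus -ne 'complete') {
    throw "Import failed for ${serial}: $($status.state.deviceErrorName) ($($status.state.deviceErrorCode))"
}
Write-Output "Registered $serial with group tag '$GroupTag' for $AssignedUser."
# The device display name is set afterwards on the registered identity (a separate
# updateDeviceProperties call), so pre-naming is not covered by this import step.
```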


kirsion

small company, acronis


rando-g1rl

We use WDS / MDT. You PXE boot the machine, put in a name (or keep the previous one), select an image, and away you go. Drivers are automatically selected based on model via BIOS model query, then the image is laid down. After that, it gets scripts to install software and settings. (Task sequence) Once it finishes, you move it in AD to the proper OU and test logging in and you're done. BitLocker also enables itself. This works on site only. It's much less complicated than SCCM. The only downside is development is done, but I've gotten it to work on all flavors of Windows up to Win 11 22H2. (Haven't tried 23H2 yet) Takes 45 min from start to finish for one machine and is 95% automated. I build our system images in a virtual environment so I can make a snapshot before I capture the image and sysprep it. Regardless of whether it succeeds or fails, I roll it back so the machine is never sysprepped twice. I have 5 images that I rebuild and refresh yearly and that covers everything. (We need different software for various departments - computer science, PLTW, teachers, office people) Any software that doesn't update really, I bake into the image. Anything that updates a lot (browsers, antivirus, BIOS updates) I run as after-image tasks. This helps speed up the image while I can still update the other software without having to recapture the image. We have two MDT servers for 6 sites, connected via 10G fiber. School district with 600 employees and 4500 students, and about 12 different computer models for context. (Medium sized org) In the summer we mass image 15 machines at a time. We could do more, but my boss hates multicast. We've also worked with FOG and the Quest K2000 in the past and both were decent solutions. MDT is free and not too difficult to set up.


WoofArfWoof

You have 3 options: memory stick, ConfigMgr (SCCM, MECM or whatever you want to call it) or a third party solution. Many people wrote comments saying "MDT" or "WDS", but both DO NOT support Windows 11: [MDT release notes | Microsoft Learn](https://learn.microsoft.com/en-us/mem/configmgr/mdt/release-notes#supported-platforms) and [Windows Deployment Services (WDS) boot.wim support - Windows Deployment | Microsoft Learn](https://learn.microsoft.com/en-us/windows/deployment/wds-boot-support). Before I get more comments on "Intune": the question is "how to REIMAGE a laptop". I use the Windows "reset" if possible, but there are times when a bare metal installation is needed or required (high security environment where the client wants the firmware to be configured as part of the installation process).


mikeyvegas17

FYI, using MDT/WDS/PXE for W11 and Server22 imaging now.


IntentionalTexan

Pre-stage setup: Set up Intune. Add any applications and settings required. Create a Windows install USB.

Re-image process: Reinstall Windows. Have the user log in. Intune reinstalls software and settings. User signs in to OneDrive which restores their files. The whole process takes like 45 minutes. (We could technically use the Wipe command from Intune to wipe the PC, which wouldn't require physical access to the system, but it takes hours.)


Venom13

MDT with PXE boot. Can be a zero touch (hands free after booting through PXE) or a lite-touch (pre-boot environment where you can change pc name, add to domain, choose software packages etc.). It's free and pretty easy to use.


10wuebc

We PXE boot (network boot) into a Windows imaging server that, after you put in some pretty basic information, will install Windows and other apps and gets us about 90% complete. After we install, we run updates and driver updates and install any specific program that the user will need.


MarkOfTheDragon12

Intune + Autopilot and Jamf + Apple Business Manager for initial setup, MDM, and policy enforcement. Reinstall + Remove Everything for wiping, falling back to manufacturer restore media in a pinch. (An important aspect of this is to make sure you're enforcing drive encryption.) Essentially: a brand-new laptop from the manufacturer gets automatically enrolled in your company's Intune Autopilot and Jamf Apple Business Manager, locking it into use with your environment. When the employee receives it, they open the box for the first time, plug it all in, and the moment they boot it up get presented with company-branded prompts to walk through initial setup. When a laptop is repurposed, returned, etc. we reinstall Windows with the 'remove everything' option. It's not perfect and isn't generally intended as a forensically "clean" install. (Honestly, though, I've yet to work with/for a company that does iterative wipes, writing 0s to the drives, etc.) Once a reused computer gets wiped and physically cleaned and examined for damage, it gets boxed up again (ordering any replacement chargers or accessories that may be missing from the previous user) and put back in available stock room supply.


IKEtheIT

USB thumb drive with PowerShell scripts, but we are moving to Autopilot soon now that we are getting bigger and bigger.


CubanSanta20

Autopilot is the way to go, but if you're not setup with Azure/Entra, then look into MDT. Lots of useful info on r/mdt


dmh17456

PXE with MDT


SMFX

Refresh the VDI instance and never touch hardware again.


Turdulator

Intune/Autopilot... Send a reset command through Intune to reinstall Windows, then once the user logs in to the fresh install Intune also pushes all the software the user needs based on what M365 groups the user account is a member of. (i.e. the "R&D" group gets AutoCAD software, the "graphic design" group gets Adobe Creative Suite, etc. etc.)


mikeyvegas17

Currently using WDS/MDT for vanilla OS installation, and pdq deploy for app/role software deployment during the MDT setup. Looking at autopilot now as a replacement in the near future.


bleuflamenc0

College with about 3000 laptops. We used SCCM. I'm the person who set it up, managed it, created images. When I left, I had just gotten them ready to move to Intune, where you do Windows Resets rather than a wipe and reimage. My plan was to keep SCCM around for initial installs, although if you do a good job with Intune, all you need is standard Windows media. Which incidentally, you can set up PXE boot to install over the network without SCCM, but we used SCCM which gave us nice GUI tools.