New device prep

General
windowssecurity
6 Posts 2 Posters 37 Views
  • katos (Admin) wrote:
    #1

    Hi team!

    What do you guys do when you get a new device, either for home or for work purposes? 🙂

  • katos (Admin) wrote (last edited by katos):
    #2

    Personal:

    1. Remove bloatware
    2. Install applications (usually stored on a Portable Hard Drive) and update as required. (Incl. Windows Updates)
    3. Run Windows 10 PowerShell to remove unwanted applications and change registry for tracking etc.
    4. Update Drivers / Firmware
    5. Install device-specific applications (depending on the role of the device)

    Business:

    1. Install from image.
    2. Run PowerShell to ready the device to our pre-approved stage.
    3. Install Office, antivirus and business applications that are not dished by GPO.
    4. Disable power settings on the network adapters
    5. Update as far as possible.
    6. Add device to domain and run GPO.
    7. Configure for end user (department-specific).
    8. Full disk encrypt the device if portable or in specific departments.
    9. Run Windows updates.
    10. Test all applications.
    11. Peer-review device, and prep additional equipment (keyboard / mouse / bag / etc)
    12. Arrange installation.
  • tankerkiller125 (Admin) wrote:
    #3

    Personal:

    1. Remove Windows, replace with the latest Ubuntu (usually LTS, but not always)
    2. Install the apps I need/want
    3. Install Steam Proton (notably the GE version)

    Business:

    1. Ship laptop to employee
    2. When it's a new employee, email their personal account with their new company email and password 24 hours before start date.
    3. Employee signs in with work account
    4. Intune/Autopilot take care of installing core apps, running PowerShell scripts to remove bloatware, and apply policies.
    5. Use FleetDM 24 hours after deployment to make sure that all the policies are being met (notably full disk encryption)

    Working for a small company and using Intune makes deploying laptops stupid easy, and so far we haven't had any issues despite technically being in a hybrid environment (a lot of our VMs are still on-prem domain joined).

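A local spot check for three items from the business checklists above (disk encryption, domain join, network adapter power settings), as an added example that is not code from either poster. It assumes BitLocker is the encryption in use and that "power settings" refers to the adapter option that lets Windows turn the device off to save power; the function name `Test-DeviceBaseline` and the output columns are made up for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: local audit of three checklist items from this thread.
# Test-DeviceBaseline and its output columns are this example's own names.
function Test-DeviceBaseline {
    $results = [System.Collections.Generic.List[object]]::new()

    # Full disk encryption (assumes BitLocker). Require both states: a volume
    # can be fully encrypted while protection is suspended, which leaves the
    # key unprotected on disk.
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $pass = ($vol.VolumeStatus -eq 'FullyEncrypted') -and ($vol.ProtectionStatus -eq 'On')
        $detail = "$($vol.VolumeStatus), protection $($vol.ProtectionStatus)"
    } catch {
        $pass = $false
        $detail = "BitLocker query failed: $($_.Exception.Message)"
    }
    $results.Add([pscustomobject]@{ Check = 'OS volume encrypted'; Pass = $pass; Detail = $detail })

    # Domain membership (from the on-prem checklist; a device that is only
    # Intune-managed would report a workgroup here).
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $results.Add([pscustomobject]@{ Check = 'Domain joined'; Pass = [bool]$cs.PartOfDomain; Detail = $cs.Domain })

    # Adapter power settings (assumption: the "allow the computer to turn off
    # this device" option). 'Unsupported' passes because there is nothing to disable.
    foreach ($nic in Get-NetAdapter -Physical) {
        $pm = Get-NetAdapterPowerManagement -Name $nic.Name -ErrorAction SilentlyContinue
        $state = if ($pm) { [string]$pm.AllowComputerToTurnOffDevice } else { 'Unknown' }
        $results.Add([pscustomobject]@{
            Check  = "NIC power saving off: $($nic.Name)"
            Pass   = ($state -in 'Disabled', 'Unsupported')
            Detail = $state
        })
    }
    $results
}

$report = Test-DeviceBaseline
$report | Format-Table -AutoSize
# Non-zero exit lets a deployment script or scheduled task flag the device.
if ($report.Pass -contains $false) { exit 1 }
```
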
  • katos (Admin) replied to tankerkiller125:
    #4

    tankerkiller125 said in New device prep:

    Intune/Autopilot take care of installing core apps, running PowerShell scripts to remove bloatware, and apply policies.
    Use FleetDM 24 hours after deployment to make sure that all the policies are being met (notably full disk encryption)

    Curious - Why are you using FleetDM and not an Intune Compliance policy?
    If you wanted, you could then leverage a conditional access policy to lock out the device UNTIL it was compliant with the disk encryption, AV, etc?

  • tankerkiller125 (Admin) replied to katos:
    #5

    katos We do use FleetDM because I can run realtime queries. We do have a compliance policy in Intune as well, but we find that it's very slow to update if something changes.

  • katos (Admin) replied to tankerkiller125:
    #6

    tankerkiller125 said in New device prep:

    katos We do use FleetDM because I can run realtime queries. We do have a compliance policy in Intune as well, but we find that it's very slow to update if something changes.

    Ahh that's very fair, Intune can indeed be slow to do things - one of the things that annoys me about it!


© Copyright 2023, SysAdmins Zone.