RocheTechnology-3670 asked, JarvisSun-MSFT commented

Autopilot - Azure AD Interactive Logon Message

Hey everyone!

I was hoping I could get some assistance with configuring a logon message for our end users. We have a brand new Azure AD environment with ~300 Azure AD Joined PCs. As part of our SOC2 compliance, we need to have a message on the logon screen with terms/conditions for using a company device.

I've configured the 'Interactive Logon Message Text' payload, which works totally fine. However, the issue comes when trying to Autopilot a new device. I've done a bit of research on this, and I'm far from the first person to run into Autopilot problems with this payload configured. Autopilot simply gets stuck in a loop when this payload is enabled.

My first thought to solve this is to have our base 'Autopilot Devices' Azure AD dynamic group, and then, once Autopilot is complete, move the device into an 'Autopilot Configured Devices' group or similar, and have the logon message policy applied there. However, if a system is wiped & re-staged, maintaining this group membership becomes a manual task.

Not using this policy or having to manually update device groups for this policy are not acceptable or scalable solutions. I'd love to know if anyone has a decent workaround for this, or if Microsoft plans on fixing this anytime soon. Again, this is part of a SOC2 control for us, so while it may not seem like a big deal, it's something we really need to have in place.

Thanks so much for any insights!

Robert

Tags: mem-intune-general, mem-autopilot

1 Answer

JarvisSun-MSFT answered, JarvisSun-MSFT commented

@RocheTechnology-3670 Thanks for posting in our Q&A forum.

For our problem, I did some research and found out that Windows Autopilot pre-provisioning does not work when the Interactive logon payload settings are enabled. This is the current state of affairs, from the link below:
https://github.com/MicrosoftDocs/memdocs/blob/main/memdocs/autopilot/policy-conflicts.md

I noticed you mentioned: if a system is wiped & re-staged, maintaining this group membership becomes a manual task.
Create device categories to automatically add devices to groups based on categories that we define. This can effectively help update groups automatically. Please refer to the following link:
https://docs.microsoft.com/en-us/mem/intune/enrollment/device-group-mapping

Hope the above can help and if there is any misunderstanding, please do not hesitate to tell us.


@RocheTechnology-3670 How are things going? We are waiting to see if our problem is resolved. If there is any update, please feel free to let us know.

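As an added illustration of the category-based grouping the answer suggests (not part of the original thread), here are two Azure AD dynamic device membership rules: one for the base 'Autopilot Devices' group that every device with the Autopilot profile joins, and one for the 'Autopilot Configured Devices' group that additionally requires the device category set after enrollment. The logon message policy is assigned only to the second group, so a device that is wiped and re-staged falls back into the base group until it is categorized again. `device.enrollmentProfileName` and `device.deviceCategory` are real dynamic-rule properties; the profile name "Corp Autopilot" and the category name "Corporate - Configured" are assumed values for the example.

```text
Rule for the base group 'Autopilot Devices' (assumed profile name):

(device.enrollmentProfileName -eq "Corp Autopilot")

Rule for the group 'Autopilot Configured Devices' that receives the
Interactive Logon Message policy (assumed profile and category names):

(device.enrollmentProfileName -eq "Corp Autopilot") and (device.deviceCategory -eq "Corporate - Configured")
```

Two practitioner checks before relying on this: confirm in the Entra admin center that a test device's membership actually changes after its category is set (dynamic rules are evaluated asynchronously, not at the moment the category changes), and confirm after the device's next policy sync that the logon message appears, since the rule only controls group membership and does not by itself change the pre-provisioning behaviour described in the answer.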