How to run autopilot to our existing desktops without SCCM?

EE-9037 526 Reputation points

We have a user-driven autopilot created for our laptops. We would like to achieve two things: To run autopilot to our existing desktops (without SCCM involvement) and without Cisco Anyconnect VPN software on the desktops.

My understanding is that I need to add the hardware hash of the desktop and run the autopilot. The challenge is that we have the Cisco Anyconnect VPN software required to be installed on all devices during the autopilot process that our on-prem desktops do not need. How do I design this without this app?

In addition to adding the hardware hash, do I:

  1. Create a Desktop Group and add the target computers to that group?
  2. Reset the PC
  3. Create a second Autopilot profile and assign it to the Desktop Group.
  4. Create a second ESP page, and assign it to the Desktop group. On this page, select the apps I need except Cisco.

Wouldn’t #2 and #3 conflict with the existing ESP page and profile because the existing Autopilot Profile and ESP page are already assigned to all devices?

Please advise what is my best route to achieve this. Thank you.


1 answer

  1. Jason Sandys 31,151 Reputation points Microsoft Employee

    Autopilot in no way depends on ConfigMgr. ConfigMgr is just one path to collect the "hash". It's also a path to directly inject a json configuration file and forgo the hash completely.

    First step though is getting the systems enrolled in Autopilot. This can be done by getting the hash from the systems using the PowerShell script. Alternatively, if the devices are enrolled in Intune already, Intune can enroll them into Autopilot for you. If the devices happen to be Surface devices, then a simple support call using the serial numbers in the devices can also be used for this.

    For #1 and 3, there's no specific reason to limit the Autopilot profile to a specific subset of systems necessarily but you certainly can. Generally, folks assign the profile to all Autopilot devices based on the ZTDID.

    For #2, that's something the user must do unless the system is currently enrolled in Intune.

    For #3, the ESP configuration does not assign applications. You must assign the applications in Intune. The ESP configuration makes identified applications that are also assigned blocking for the ESP process. If the app isn't assigned to the device, then it is ignored by the ESP regardless of the ESP config.

    1 person found this answer helpful.
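
The hash collection step mentioned in the answer, as an added example that is not part of the original post and is not Microsoft's published script: it reads the hardware hash from the MDM bridge WMI provider on the local desktop and writes a CSV in the column layout Intune accepts for Autopilot device import. The parameter names, the default output path and the optional group tag value are assumptions for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: export this device's Autopilot hardware hash to an import CSV.
param(
    [string]$OutputFile = '.\AutopilotHWID.csv',  # assumed output path
    [string]$GroupTag   = ''                      # optional, e.g. 'Desktop' (assumed value)
)

$ErrorActionPreference = 'Stop'

# Serial number as reported by the firmware.
$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber

# The hardware hash is exposed through the MDM bridge WMI provider.
$devDetail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' `
    -ClassName 'MDM_DevDetail_Ext01' `
    -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"

if (-not $devDetail -or [string]::IsNullOrWhiteSpace($devDetail.DeviceHardwareData)) {
    throw 'No hardware hash returned. Run this from an elevated session.'
}

# Column names match the Autopilot import format; Product ID is left empty.
$row = [ordered]@{
    'Device Serial Number' = $serial
    'Windows Product ID'   = ''
    'Hardware Hash'        = $devDetail.DeviceHardwareData
}
if ($GroupTag) { $row['Group Tag'] = $GroupTag }

# The import expects unquoted comma separated values, so strip the quotes
# that ConvertTo-Csv adds around every field.
[pscustomobject]$row |
    ConvertTo-Csv -NoTypeInformation |
    ForEach-Object { $_ -replace '"', '' } |
    Set-Content -Path $OutputFile -Encoding Ascii

Write-Host "Wrote hardware hash for serial $serial to $OutputFile"
```

The resulting file is uploaded under the Windows Autopilot devices import in Intune. The hash identifies the device to the tenant, so handle the CSV as you would other enrollment material.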