Nazaudy, a spark in your curious mind

Lab Setup for MD-102 Microsoft 365 Certified Endpoint Administrator Associate

This article contains my notes on the Lab Setup for MD-102 Microsoft 365 Certified Endpoint Administrator Associate

  1. Deploy Windows Clients Upgrade, Clean Install and Migration
  2. Windows Intune

1. Deploy Windows Clients Upgrade, Clean Install and Migration

After an upgrade, you can roll back within 10 days by default; that's why the "Windows.old" folder is there after an upgrade. You can extend the default period to 60 days by using:

USMT Tool: used to migrate profiles from computer A to computer B, using this script:

net use f: \\dc01\shared$
scanstate f:\store /o /ue:*\* /ui:computerA\User1 /i:miguser.xml /i:migdocs.xml /i:migapp.xml /encrypt /key:"encryppassws"
# the above copies the User1 profile to the f:\store share
# /o overwrites any existing data in f:\store
# /ue:*\* excludes all users; /ui:computerA\User1 then re-includes User1, so only that profile is captured
# encryption is optional; if used, loadstate needs the same /key value to decrypt the store

To migrate the profile back, use the 'loadstate' command as below:

loadstate z:\store /mu:computerA\User1:computerB\User1 /i:miguser.xml /i:migdocs.xml /i:migapp.xml /decrypt /key:"encryppassws" /c

The "Proximity Sensor" in Windows 11 can be cool!

Windows LTSC (Long-Term Servicing Channel) can postpone Windows updates for a long time, meaning it will need far less frequent reboots

The Assessment and Deployment Kit (ADK) is a set of tools that allow you to install Windows more efficiently: WinPE, Deployment Image Servicing and Management (DISM), Volume Activation Management Tool (VAMT), Windows System Image Manager (WSIM), etc. You can also download the Microsoft Deployment Toolkit (MDT) to deploy Windows more efficiently: https://www.microsoft.com/en-us/download/details.aspx?id=54259

 

Autopilot

Autopilot is a deployment tool that needs no on-prem infrastructure whatsoever; only a license for the user is needed, as all the configuration is done in the cloud. With Autopilot you can:

  • Join Azure AD or AD DS (Hybrid Azure AD)
  • Prevent admin first account
  • Assign a device profile based on configuration groups
  • Customise the wizard for OOBE (out-of-box experience)

Autopilot depends on an OS already being pre-installed. It doesn't support Home edition. A preview of the licenses for M365 Business: https://m365maps.com/files/Microsoft-365-Business-Premium.htm

Autopilot pre-requisites:

  • To use auto-enrollment you need Azure AD Premium P1 or P2, and Intune must be set up
  • Ports 80, 443 and UDP 123 need to be open
  • The Hardware ID (Hash) needs to be uploaded and registered for every laptop; this is not really a 'hash' but a base64 encoding of XML text. You can use the Desktop Hash Export on a Windows 11 computer by visiting Settings >> Accounts >>
  • Use this script to get the hardware hash and serial number of a client, then visit Intune Admin Center >> Windows Enrollment >> Devices Autopilot >> import
md C:\HWID
Set-Location C:\HWID
# Process scope: the relaxed execution policy applies only to this PowerShell session
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force
Install-Script -Name Get-WindowsAutopilotInfo -Force
$env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv
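
A pre-import check for the CSV produced above, as an added example that is not part of the original notes or of any Microsoft tooling. It verifies the column headers that Get-WindowsAutopilotInfo writes, flags duplicate serial numbers, and confirms each hardware ID still decodes as base64. The function name and the sample rows are assumptions constructed for illustration.

```powershell
# Added example; Test-AutopilotHwidCsv is a hypothetical helper, not part of any Microsoft module.
function Test-AutopilotHwidCsv {
    param([Parameter(Mandatory)][string]$CsvText)

    # Column headers as written by Get-WindowsAutopilotInfo -OutputFile
    $required = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
    $rows = @($CsvText | ConvertFrom-Csv)
    $problems = [System.Collections.Generic.List[string]]::new()
    if ($rows.Count -eq 0) { $problems.Add('no device rows'); return $problems }

    $columns = $rows[0].PSObject.Properties.Name
    foreach ($name in $required) {
        if ($columns -notcontains $name) { $problems.Add("missing column '$name'") }
    }
    if ($problems.Count -gt 0) { return $problems }

    $seen = @{}
    $line = 1   # the header is line 1, so the first device row is line 2
    foreach ($row in $rows) {
        $line++
        $serial = $row.'Device Serial Number'
        if ([string]::IsNullOrWhiteSpace($serial)) { $problems.Add("line ${line}: empty serial number") }
        elseif ($seen.ContainsKey($serial)) { $problems.Add("line ${line}: duplicate serial $serial") }
        else { $seen[$serial] = $true }

        # A hardware ID damaged by copy/paste or truncation no longer decodes as base64
        try { $bytes = [Convert]::FromBase64String($row.'Hardware Hash') }
        catch { $problems.Add("line ${line}: hardware hash is not valid base64"); continue }
        if ($bytes.Length -eq 0) { $problems.Add("line ${line}: hardware hash is empty") }
    }
    return $problems
}

# Constructed sample input (not real device data):
# line 3 repeats a serial number, line 4 carries a truncated hardware ID.
$good = [Convert]::ToBase64String([byte[]](1..48))
$sample = @"
Device Serial Number,Windows Product ID,Hardware Hash
SAMPLE-0001,,$good
SAMPLE-0001,,$good
SAMPLE-0002,,$($good.Substring(0, 61))
"@
Test-AutopilotHwidCsv -CsvText $sample
```

To check the real file, pass `(Get-Content C:\HWID\AutopilotHWID.csv -Raw)` as `-CsvText`; an empty result means no problems were found.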

Settings >> Update and Security >> Recovery >> Reset this PC

whoami /all
rapid zip

For troubleshooting, visit the Event Viewer >> Windows >> Provisioning-Diagnostic-Provider for hints about why Intune has failed. You can also run this diagnostic script:

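# Scope the bypass to this PowerShell session so the machine-wide execution policy is left unchanged
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force
Install-Script Get-AutopilotDiagnostics -Force
Get-AutopilotDiagnostics -Online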

You can remotely reset a computer using Autopilot; when you reset it, you are getting it ready for the next user.

Microsoft Intune

Configure the "Device cleanup rules" to ensure you remove all computers that no longer connect to Intune

 
