Microsoft AutoPilot with InTune and BigFix

Is anyone provisioning devices using Microsoft AutoPilot with InTune and BigFix but only Azure AD joined and NOT hybrid joined? If so, how are you managing automatic groups for these devices that are only Azure AD joined in BigFix? We currently categorize devices based on their Active Directory path by company brand, sites, regions, manufacturing, etc. This is not possible with Azure AD only and we would prefer to avoid hybrid joining the devices. This would be easy if Azure AD supported LDAP. Yes, I know Azure AD DS is possible but this requires hybrid joining.

We have created a workflow in BigFix to automate the installation of all necessary applications. Devices would be automatically added to AutoPilot by the manufacturer (Dell, Lenovo, etc.) and the goal is to hand it to the user without any or minimal IT interaction. We deploy the BigFix Agent and our VPN client with InTune. All policies formerly in local AD have been moved to InTune. We then deploy all base software, previously in our custom images, through BigFix to leverage the relays for caching and reduce the impact on bandwidth.

The roadblock is how to install the optional and/or licensed software. We controlled these licensed applications by adding the users to a security group and intend to do the same in Azure AD. We need a method to query Azure AD groups so we can build automatic groups in BigFix. This will also help during patching as we currently have 3 patch stages for servers and client devices (Test/Pilot, Office & Manufacturing). We can build the architecture in Azure AD very similar to on-prem AD but not if BigFix can’t query the data. Everything is pushing us to either hybrid join or to use BigFix MDM/MCM. We have also heard our solution may be to deploy the Azure plugin in Plugin Portal. We were looking for some real-world experiences before we go down the rabbit hole and possibly pick the wrong solution. Microsoft recommended that we not hybrid join, and hybrid joining also presents a problem with our multiple domains and brands. Moving to MDM/MCM would require us to abandon everything we have built in InTune. Thank you!

In the hopes of reaching a broader audience, is anyone using AutoPilot with BigFix? If so, how are you managing automatic groups in BigFix? Are you performing hybrid join and if so, how well is this working? If hybrid joined, are you joining to on-prem AD or Azure ADDS?

We’re close to deployment of an Autopilot/Intune deployment workflow.

So far as BigFix is concerned, Intune installs the BigFix client, with our usual clientsettings.cfg. BigFix fires up from there and does our usual post-deployment stuff.

That’s exactly how we have the current workflow to leverage the relays instead of the cloud. Are you guys hybrid joining devices?

Hey. Would you be able to share some insights on how you’re deploying the bigfix agent with intune? Thank you

We use the Win32 Content Prep Tool to package the installer .exe, masthead, and clientsettings.cfg files into an .intunewin archive. That’s then uploaded to Intune, and set to automatically deploy against scoped machines.


We also use Autopilot, Intune, and Bigfix for Windows clients and we deploy BigFix the same as @atlauren described with the Win32 prep tool to package them up. The clientsettings.cfg ensures that you are providing your clients the settings to point them to the relays that you want them to connect to. We do pre-provisioning and user provisioned devices with Azure AD only (No hybrid joined devices) but the vast majority of them are done remotely so they go through public facing relays. We have had many of the same challenges as the OP asked earlier in the thread. We use a lot of registry “tags” that were deployed via intune script or Win32 app that just contained the script and that allows us to target different tasks based on those registry keys.

We also use AutoPilot and InTune with registry “tags” to build our automatic groups in BigFix to target devices. It is a shame BigFix has no Azure integration unless you keep everything in their ecosystem by implementing MCM. We have to come up with workarounds or elaborate workflows for what other solutions such as Configuration Manager (SCCM) or Tanium have out of the box. This will become an even bigger issue as we move more to AzureAD as BigFix requires local AD for LDAP.
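An added example of the registry “tag” approach described in the two posts above; it is not code from any poster, from BigFix, or from Intune. It is an Intune-deployed PowerShell script that stamps the tags under HKLM and, in a trailing comment, the BigFix relevance that turns one tag into an automatic group. The key path, value names and tag values are assumptions, and the script assumes the Intune assignment has “Run script in 64-bit PowerShell host” enabled so HKLM:\SOFTWARE is the native view rather than WOW6432Node.

```powershell
# Added example (not from the thread or from BigFix/Intune): Intune script that writes the
# registry "tags" BigFix automatic groups key off. Key path and values are hypothetical.
$TagKey = 'HKLM:\SOFTWARE\Contoso\BigFixTags'   # hypothetical vendor key

# Tags for this assignment. One script (or Win32 app) per Azure AD group carries that
# group's values, so Azure AD group membership becomes a tag the BigFix agent can read.
$Tags = @{
    Brand      = 'BrandA'
    Region     = 'EMEA'
    Site       = 'Plant01'
    PatchStage = 'Pilot'      # Test/Pilot, Office, Manufacturing
}

function Set-BigFixTags {
    param([string]$Key, [hashtable]$Values)
    # HKLM\SOFTWARE is writable only by SYSTEM and Administrators. Intune scripts run as
    # SYSTEM, so the write succeeds, and a standard user cannot re-tag the device to pull
    # itself into a licensed-software or patch-stage group. Do not use HKCU for this.
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    foreach ($name in $Values.Keys) {
        Set-ItemProperty -Path $Key -Name $name -Value $Values[$name] -Type String
    }
}

function Test-BigFixTags {
    # Read the values back so the script's exit code reflects the real registry state,
    # which Intune reports per device.
    param([string]$Key, [hashtable]$Values)
    foreach ($name in $Values.Keys) {
        $actual = (Get-ItemProperty -Path $Key -Name $name -ErrorAction SilentlyContinue).$name
        if ($actual -ne $Values[$name]) { return $false }
    }
    return $true
}

Set-BigFixTags -Key $TagKey -Values $Tags
if (Test-BigFixTags -Key $TagKey -Values $Tags) { exit 0 } else { exit 1 }

# Matching BigFix automatic-group relevance (assumed path). "native registry" reads the
# 64-bit view whatever the agent's bitness, so it matches the key written above:
#   value "PatchStage" of key "HKLM\SOFTWARE\Contoso\BigFixTags" of native registry as string = "Pilot"
```

Because the tags are the only input to the automatic group, the keys are worth baselining: a BigFix analysis that reports the tag values lets you spot a device whose tags no longer match its Azure AD groups.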

Azure AD support is coming very soon. I can’t say which release though. I’d guess the next one but the PMs might kill me. 🙂


That is great news. Thank you for the update!