February 26, 2025

Magenta Construction

7:06AM - 6:49PM (11 Hours 43 Minutes)

2:58PM

I should probably keep track of this stuff I'm doing.

2:58PM

So I created a new security group with the ability to assign Entra ID permissions. I call this Intune Admin. So this will be assigned to people who are allowed to manage things in Intune.

2:59PM

I then created a security group for Autopilot device importers so that we can manually specify who is able to import devices and who isn't, because we shouldn't be allowing all users to do that. Created in the same way: I said allow Entra ID roles to be assigned to it, and I called it Autopilot device importers, I guess. I may rename those later based on a specific role or a specific delegation, like by position.

3:09PM

And then, because there isn't a default security group, or there isn't a default role, like for Intune administrators, there is a default role, but not for device imports. I had to go in to, that was in Entra. I went into tenant administration, I went to roles, I created a new custom role, and I pretty much selected anything to do with importing devices and reading device configuration and reading information in Intune. So this will be assigned in the future to people who are going to be allowed to import devices. And now I'm assigning that role, actually I'm going back, I have to go back into groups, I select my group policy, oops, it says not found, Intune is doing it again, Autopilot device importers, okay, and now I'm going back into Autopilot device importers, I click on role and administration, and, and, for some reason, I cannot, ah, sorry, I have to click Azure, ah, no, why can't I add assigned roles, okay, active assignments, now add assignment, okay, so, I can't do that, ah, what the fuck is going on, okay, tenant administration, into roles, Autopilot device importer, okay, okay, now why can't I add that, add assignments, search for a role, okay, what, for fuck's sake, go into group, okay, and now I can't add the fucking group, man, Microsoft, you are fucking killing me right now, holy fuck, man, minister roles, Microsoft Entra ID, recommend using built-in roles, yada, yada, yada, okay, for fuck's sake, I can't even add any if I wanted to, oh, my God, okay, so, I can't even add, okay, so, what the fuck do I do now, holy fuck, members, owners, roles and administration, yes, and I want to add a fucking role, and I can't add a fucking role, okay, Azure role assignment, select a subscription, man, this is absolutely stupid, this identity has role assignments that you don't have permission to read, they won't be able to show up on the list, I do because I made it, I just fucking made it, I see it, oh, fuck, man, it's not under fucking administrative units, it's not under, it's not going to be,...

3:11PM

Yeah, so you used to be able to assign security groups directly to Entra ID roles, but now you can't. Now Microsoft decided that they want to separate that so that you have this little toggle, because that used to never exist before. Like, when I was doing this a couple years ago, this option never existed. So what's actually happened here is Microsoft has pretty much said, we want to make more money. So instead of giving everybody full control, like what we've been giving, and making it fucking simple and easy to use, no, no, instead, now we're going to split everything up. So we're going to introduce Entra-assignable roles. So any kind of security groups that you want to assign Entra roles to, we've now separated into a whole separate group, and you've got to choose how you're going to set that group up before you actually get started. That actually makes a lot of fucking work. If you have to make a change halfway through, you have to create a new security group from scratch before you delete the old one, probably, and delegate all the members and users, adjust any kind of dynamic fields or anywhere that it's part of a membership, you have to literally port everything over, and then create a new one and delete the old one. You can't change once you've created it in a certain way. You can't change back and forth. And so what they've done now is if you want to be able to assign Entra ID roles, you have to have a P1 or Entra P1 or P2 license. So they literally just want to get more money, and they've complicated things just to get more money. This is absolutely fucking stupid.

3:52PM

Another piece of stupidity here: in the out-of-box experience for the deployment profile, it's asking to create a unique name for the device, which is stupid because for self-deploying mode the serial number and hardware hash are already going to be in there, and there's already an option to set the device name. So does this override it, or why doesn't it just peel it out from there? Why is this taken care of in this specific case? Like, there should be no instances in v1 where the computer is not already added as a device, so that doesn't make sense.

3:56PM

So this is the other problem, there's two deployment modes, user-driven and self-deploying. And so first of all, going back to find out whether the naming template will override or not, seems to be taking a long time to find any information on Google about that. So the only way for me to do that is for me to actually set this up, try it on one of the computers, see how it assigns a name, if it overrides or not, and if it does override it, then I have to change it and remove it, and then I have to try it again and see if it will automatically apply the name, and if it doesn't, then I gotta find another solution. So just doing this one process on its own, that's like about an hour and a half, two hours just to figure out whether the naming template will automatically apply. I don't know why things are not simpler, why don't they think of this kind of stuff, why don't they provide better instructions, like it's pretty fucking annoying to be honest, I'm getting really fucking annoyed.

4:36PM

I need to set some DNS records, some CNAME records, Automatic Discovery of MDM on magentaconstruction.com. I'm adding CNAME for Enterprise Enrollment and for Enterprise Registration. So I don't think we really need it. I do remember seeing some issues with the MDM not being found before, so I'm going to set this. I hope this addresses those issues and a couple of other issues. Okay, so I set that right now. Okay, that's good. Okay, I'm going to keep tweaking things here. I created a security group with Dynamic Devices as well to target the Autopilot devices in the list.

4:57PM

I gotta create a new logo, all white, I thought I had one created somewhere, but I don't, for Magenta, thought I had it, I think that's not. So, gotta make it now.

5:06PM

All right, finish the tenant customization, and what was I working on? Oh, yeah.

5:50PM

I'm doing some more branding configuration.

6:41PM

Branding is done.