Windows Imaging

What’s everyone using for imaging as of late? We used Clonezilla but it’s become a hassle to guide a non-techie user through plugging in the USB stick and following the prompts. There’s gotta be an easier way. TIA

Honest answer? In 2021 I consider “imaging” to be a product of the deepest regions of Hell and responsible for a HUGE portion of the issues we get when onboarding new clients. The conversation should really be around autopilot/onboarding and automations.

Like @CGreenTX points out, Autopilot/Intune included with M365 Business Premium donations is a Godsend for Christian ministries. Don’t image at all, there’s no point in doing it these days, just focus on configuration management and bringing systems into standards/compliance via configuration policies, PowerShell scripts, and then checking endpoints against compliance policies.

If you need to blow systems away and rebuild them, it’s pretty trivial to do that remotely with Autopilot. It’s pretty much click the button and go back to your day. :sunglasses:

Interesting thoughts. Definitely need to look into autopilot.

Even without AutoPilot I would look seriously at the effort of imaging versus just automating compliance. Intune can handle pushing your apps/scripts to get a system back up to ready pretty easily, particularly in a world where the majority of users just need their data, MS Office, and a browser.

Here’s my main issue. Best dealing with OOBE computers if they are now being sent directly to end users first.

It sounds like you are dealing with a similar issue to me. You have a number of computers that you need to manage, but you have little control over what is happening with them.

From my perspective, if I do not get the computer first in order to configure it correctly to work with our network, it will be ‘unmanaged’ and will get no support from me. If the end user wants my support, their computer MUST come to me in order to be configured into our Active Directory system and be set up correctly with me and the ICT team as Administrator of the device and be linked into our MDM solution.

If the user wants to use their own device, I can configure them with BYOD access, but that is significantly more limited. E.g. if they need support, they will only get enough to access some very limited file directories, but they are completely on their own with regards to supporting their own device.

For example, the network I run is entirely macOS and iOS, with no Windows systems. We have 2 or 3 Windows users who have remote access only (e.g. no links to printers, network resources other than their personally configured VPN connection, very limited access to a file server and help setting up their email address in our internet domain - e.g. everything I have complete control over in such circumstances). I will not provide support for their device, their printer, their phone, or anything else.

You perhaps need to have a conversation first with your leadership about what they believe is reasonable in terms of access to the church’s IT systems, confidential information, use of the church’s domain and email addresses, etc. Ensure they understand the Information Security risks of their policy requests, then implement what they ask for. At least then when they complain that they can’t do X, Y or Z you can refer them back to the policy they created and say I can’t do X, because your policy says I can’t!

MS has a way to do this, including autopilot. I don’t remember the details, but there are recipes you can use to get it all configured