
What I Learned About Windows Autopilot At Ignite

What was the most impactful announcement for your organization at Microsoft's Ignite this year? For me, it was probably Michael Niehaus' session on Windows Autopilot, the software giant's new way to dynamically provision devices. While Autopilot isn't new — in fact, it was announced with the release of Windows 10 version 1703 over a year ago — it now has some new features and significant improvements that are worth mentioning.

If you missed it at Ignite or you don't want to sit through 75 minutes watching the recording, I have summarized the most important points for you below. In addition, I sprinkled in some real-world insights I have gleaned from several customers who have tried it.


The Broader Purpose, Goals, And Benefits Of Windows Autopilot

Windows Autopilot was introduced as a way to facilitate zero-touch, self-service deployments in enterprises or large educational organizations. Within the past 18 months, the scope of Autopilot has significantly broadened to include the full lifecycle of a device. Now, it can be used to deploy, repurpose, break-fix, and retire a device.  

[Slide: Modern deployment with Windows Autopilot and Microsoft 365, Part 1 of 2 (BRK3014)]

Image Credit: Microsoft, 2018.

According to Microsoft, one of the main goals for using this new service is to change the way we deploy Windows devices. Traditionally, large organizations purchase thousands of new devices every year, ship them to IT, wipe them completely, and re-image them with a new, custom corporate image. However, while this image may include many common corporate applications, it usually does not include the user's personal data or specific business applications. 

[Slide: Microsoft Autopilot: Changing The Way We Deploy Windows Devices]

The promise of Autopilot is that these new devices can be unboxed by the user and are dynamically configured in the background while the user watches an Enrollment Status Page. All configuration and data can flow down to the device out of the box through Intune, and the device can be secured and configured without IT interaction. After a few minutes, or sometimes a few hours depending on how large your download is, the device is ready for productive use, including:

  • The appropriate OEM-optimized Windows license (usually Windows 10 Pro, but can be stepped up to Windows 10 Enterprise without any difficulty if that's what you want the user to use)
  • The latest Windows 10 feature update (Intune will automatically recognize the new license and update and push all newly enabled features through.)
  • Custom software load (e.g., productivity apps such as Office; however, it is important to know that Autopilot/Intune will only push down Universal Windows Platform and MSI applications.)
  • Any personal settings, configurations, and security settings
  • Any user data

Microsoft's promise is that this leads to an improved user experience as well as time savings for IT, since IT no longer has to wipe a clean, current version of Windows only to replace it with a custom, often older, corporate image. In addition, the upcoming hybrid join with Active Directory allows you to include more users, e.g., for a Windows 7 to 10 migration.

This is achieved by joining the device to Azure Active Directory, enrolling it in Intune, and letting Intune push the configuration down (Microsoft's Modern IT Vision), or, in a hybrid scenario, by combining that with traditional desktop management tools (Microsoft Configuration Manager and Active Directory).

[Slide: Windows Autopilot overview]

Image Credit: Microsoft, 2018.

Windows Autopilot Usage Scenarios

During his talk, Michael Niehaus introduced several usage scenarios for Autopilot. His session largely focused on the first three, while the other three had their own dedicated session the next day:

  1. User-Driven, Self-Service Deployment. This first and most widely discussed scenario is user-driven, self-service deployment for single users (it is not used for shared devices). Essentially, the end user authenticates a previously joined device with Azure AD by signing in to the corporate network for the first time. This action triggers the Autopilot process to start. During the preliminary set-up tasks, the IT Pro can choose whether or not this device should have admin rights. If the device is a non-admin machine, IT can still later sign in with a different tenant to gain admin rights to the machine.
  2. Local Reset. Formerly called Windows Automatic Redeployment (since 1709), the local reset option allows IT to wipe any unwanted clutter that has accumulated on local devices. In this scenario, everything but the MDM enrollment, the Azure AD join details, and the options picked during the initial setup (Microsoft refers to that as the Out-Of-The-Box Experience, or OOBE) will be gone. Afterwards, you end up with a fully managed device ready to be used by the next person.
  3. Remote Reset. The Remote Reset is a feature new with Windows version 1809 (October 2018 Update). It is the same as the local reset but it can be initiated remotely through Intune.
  4. Self-Deploying Mode. Also new in Windows 10 1809 is the self-deploying mode which, in contrast to the user-driven scenario, should be used for shared devices that have no primary user. Initially intended for larger educational organizations with a changing student population using school-owned devices, this scenario is equally suitable for help desks or call centers. Users can put in their credentials and the device can be deployed quickly.
  5. Hybrid AD Join. This new feature is not yet available as a Public Preview, but will be soon. This will allow you to include more devices through Microsoft's new co-management capabilities by joining devices to Active Directory and enrolling them in Intune or any comparable MDM solution. 
  6. Windows Autopilot for existing devices. Last, but not least, users with Windows 1809 and above can now also leverage Windows Autopilot for existing devices. IT pros can now facilitate, for example, a Windows 7 to Windows 10 migration through Autopilot by utilizing a ConfigMgr task sequence, followed by an Autopilot user-driven mode.

How To Set Up & Administer Autopilot

There are several portal options to access and administer Autopilot: 

  • Microsoft Store for Business (this was the initial portal intended to administer Autopilot, but the management was since transitioned to Intune. However, if you are an enterprise using a different MDM solution, you can use this portal option.)
  • Partner Center (primarily for distributors, re-sellers, etc.)
  • Microsoft Intune (Microsoft recommends that enterprises who are using Intune should only use this as their portal.)
  • Microsoft 365 Business (for small and medium businesses with fewer than 300 seats only)

[Slide: Modern deployment with Windows Autopilot and Microsoft 365, Part 1 of 2 (BRK3014)]

Image Credit: Microsoft, 2018.

The cloud-driven deployment of Windows Autopilot is done in three steps: registering the devices, assigning the devices to an Autopilot profile, and shipping the device to the user. 

1) Registering Existing Devices 

  • Existing Windows 10 devices: Enable new Autopilot profile setting for all targeted devices and ensure that the profile is assigned to a group containing the existing Windows 10 devices. This is done automatically for all Intune-managed Windows 10 devices.
  • Existing devices that are not yet Intune-managed: Enable co-management with ConfigMgr via the "Automatic enrollment into Intune" setting and ensure all new Intune-enrolled Windows 10 devices are part of a group with an assigned Autopilot profile. This could be used to reset any machines in case of future breaks.
  • Manually: Use a PowerShell script, run on each device that runs Windows 10 1703 or higher, and upload the resulting CSV file via your Intune portal. While this works great for testing purposes and virtual machines, it is not scalable for thousands of users.
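The manual registration route above, as an added example that is not from the Ignite session or from Juriba: a script that reads the same BIOS serial number and hardware hash that Microsoft's published Get-WindowsAutoPilotInfo script collects and writes the CSV the Intune portal imports. The output path and the "Laptop" group tag are assumed values; it must run elevated in Windows PowerShell on Windows 10 1703 or later.

```powershell
#Requires -RunAsAdministrator
# Added example, not the Microsoft script itself. It mirrors the WMI calls
# that Get-WindowsAutoPilotInfo makes and produces the same CSV layout.

function Get-AutopilotRegistrationRow {
    param([string]$GroupTag = "")

    # Serial number from the BIOS: the identity an OEM would register for you.
    $serial = (Get-WmiObject -Class Win32_BIOS).SerialNumber

    # The 4K hardware hash is exposed by the MDM bridge WMI provider and is
    # only readable from an elevated session.
    $devDetail = Get-WmiObject -Namespace root/cimv2/mdm/dmmap `
        -Class MDM_DevDetail_Ext01 `
        -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
    $hash = $devDetail.DeviceHardwareData

    if ([string]::IsNullOrEmpty($hash)) {
        throw "Hardware hash not available: run elevated on Windows 10 1703 or later."
    }

    # Windows Product ID is optional for the Intune import and left blank,
    # as the Microsoft script does.
    [PSCustomObject]@{
        'Device Serial Number' = $serial
        'Windows Product ID'   = ""
        'Hardware Hash'        = $hash
        'Group Tag'            = $GroupTag
    }
}

function Export-AutopilotCsv {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$GroupTag = ""
    )
    $row = Get-AutopilotRegistrationRow -GroupTag $GroupTag
    # Intune expects exactly this header and column order. Export-Csv quotes
    # every field; the quotes are stripped to match the unquoted file the
    # Microsoft script writes.
    $row | ConvertTo-Csv -NoTypeInformation |
        ForEach-Object { $_ -replace '"', '' } |
        Out-File -FilePath $Path -Encoding ascii
    return $row
}

# Assumed values: one row tagged "Laptop" for later grouping in Intune.
New-Item -ItemType Directory -Path "C:\HWID" -Force | Out-Null
Export-AutopilotCsv -Path "C:\HWID\AutopilotHWID.csv" -GroupTag "Laptop"
```

The resulting file is what you upload under Devices > Windows enrollment > Devices in the Intune portal; the Group Tag column is what the dynamic groups later key on.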

The easiest way to register your device "is to have someone else do it", according to Michael Niehaus. He referred to the device manufacturers that are participating in the Autopilot program. At this moment, Dell (soon: no extra charge), HP, Lenovo, Microsoft Surface, and Toshiba devices can be ordered, registered, and shipped utilizing this new deployment service — Panasonic and Acer will be joining the vendor roundup soon. 

[Slides: Modern deployment with Windows Autopilot and Microsoft 365, Part 1 of 2 (BRK3014)]

Image Credit: Microsoft, 2018.

Please note that in addition to automatically adding any new devices to your Azure tenant at the time of shipment, you can also associate your ordered device with a purchase order and/or tag specific devices with a customer-specified label (e.g., laptop, desktop) for easy device grouping in Intune. You may also ask them (nicely) to provide a preinstalled image ready for configuration.

2) Assigning Profiles

In order to be able to assign devices to an Autopilot profile, you will have to create Azure AD groups first. This allows you to apply specific deployment modes and settings required for the deployment mode, e.g., the new BitLocker encryption even for non-admin users with Windows 10 1809, the out-of-the-box (OOBE) settings that now let you change the account options with Windows 10 1809, as well as device naming patterns and support for variable substitutions.

[Slide: Assigning an Autopilot profile using groups]

Image Credit: Microsoft, 2018.

Once created, you can assign your Autopilot profile to your Azure group manually or use Intune to assign the profiles of a certain group automatically. Microsoft recommends using dynamic grouping, but other options are available.
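The dynamic grouping recommended here, together with the customer-specified device tag mentioned in the registration section, as an added example (not from the Ignite session or from Juriba): it creates the Azure AD dynamic groups an Autopilot profile is assigned to, using the AzureAD PowerShell module. Group names and the "Laptop" tag are assumed values; it assumes Install-Module AzureAD and a prior Connect-AzureAD as an account allowed to create groups.

```powershell
# Added example using the AzureAD module's New-AzureADMSGroup cmdlet.
# Assumes Connect-AzureAD has already been run.

function New-AutopilotDynamicGroup {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$MailNickname,
        [Parameter(Mandatory)][string]$MembershipRule
    )
    # A dynamic device group must be security-enabled and have rule
    # processing switched on; otherwise it stays empty and the Autopilot
    # profile assigned to it never reaches a device.
    New-AzureADMSGroup -DisplayName $DisplayName `
        -Description "Windows Autopilot device group" `
        -MailEnabled $false -MailNickname $MailNickname `
        -SecurityEnabled $true -GroupTypes "DynamicMembership" `
        -MembershipRule $MembershipRule `
        -MembershipRuleProcessingState "On"
}

# Every device registered with Autopilot carries a ZTDId physical ID, so
# this rule collects all of them regardless of who registered them.
New-AutopilotDynamicGroup -DisplayName "Autopilot - All devices" `
    -MailNickname "autopilot-all" `
    -MembershipRule '(device.devicePhysicalIds -any _ -contains "[ZTDId]")'

# The group tag attached by the OEM or by the CSV import appears as the
# OrderID physical ID. One group per tag (assumed tag: "Laptop") lets a
# laptop profile and a desktop profile coexist in the same tenant.
New-AutopilotDynamicGroup -DisplayName "Autopilot - Laptops" `
    -MailNickname "autopilot-laptops" `
    -MembershipRule '(device.devicePhysicalIds -any _ -eq "[OrderID]:Laptop")'

# Check that the rule matched something before assigning a profile.
# Membership is evaluated asynchronously, so allow a few minutes.
Get-AzureADGroup -SearchString "Autopilot - Laptops" |
    ForEach-Object { Get-AzureADGroupMember -ObjectId $_.ObjectId } |
    Select-Object ObjectType, DisplayName
```

A device whose tag was mistyped in the CSV silently lands in no tagged group, so the membership check is worth running after every import.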

[Slide: Modern deployment with Windows Autopilot and Microsoft 365, Part 1 of 2 (BRK3014)]

Image Credit: Microsoft, 2018.

Please note that every Windows 10 device (even a consumer device) checks in with Autopilot as soon as it connects. If Autopilot recognizes the device as one registered with an organization and it has an Autopilot profile, it kicks off a process internally. After the user receives the device and walks through some very basic set-up questions (e.g., preferred language and location), they can connect to the corporate network — kicking off the Autopilot gears.

Autopilot Prerequisites

In order to take advantage of Autopilot, you must fulfill the following prerequisites:

  • Windows 10 1703 or higher (specific capabilities require a higher version)
  • One of the following to provide AAD (automatic MDM enrollment and company branding features) and MDM functionality:
      • MS 365 Business subscription
      • MS 365 F1 subscription
      • MS 365 E3 or E5 subscription, which includes all Windows 10, O365, and EM&S features (AAD and Intune)
      • Enterprise Mobility & Security E3 or E5 subscription, which includes all needed AAD and Intune features
      • Azure AD Premium P1 or P2 and Intune subscription (or alternative MDM service)

Conclusion

It is clear that Autopilot is a very interesting piece of technology that could change the way we deploy and upgrade devices forever. For most enterprises this is an evolution, not a revolution, since many already deploy new machines with corporate applications and security settings using existing technologies. This point was even apparent as the showcase customer on the Ignite stage, Rockwell Automation, explained that they are currently using Autopilot in a co-management scenario and will only roll out the Modern IT Vision to "a very small population" [...] "in the near future".

Most of the vendors supporting Autopilot will already extend your SCCM environment to enable a personalized corporate build image per user. What is changing here is that the process is standardizing to remove IT staff from the process entirely. The big challenge for many corporations will be the shift to co-management (Intune & SCCM) which will create an even more complex environment, and then to shift again to Modern IT Management (Intune only).

At Juriba, we are watching with interest as our first customers start to make this switch, and whether the marketing matches the reality. Certainly the principle of user un-boxing and setup is a desirable one for many organizations — reducing cost and improving efficiency. Whether the tooling is quite mature enough to support an MDM-only approach for every device will be a fascinating question to be answered.

We will be covering Autopilot extensively in the future, focusing on how it plays with your organization's asset lifecycle strategy and the kind of dependencies that need to be in place to make it work effectively. 

All slides shown above are from the Ignite 2018 presentation. Image Credit: Microsoft, 2018.
