What was the most impactful announcement for your organization at Microsoft's Ignite this year? For me, it was probably Michael Niehaus' session on Windows Autopilot, the software giant's new way to dynamically provision devices. While Autopilot isn't new — in fact, it was announced with the release of Windows 10 version 1703 over a year ago — it now has some new features and significant improvements that are worth mentioning.
If you missed it at Ignite or you don't want to sit through 75 minutes watching the recording, I summarized the most important points for you below. In addition, I sprinkled in some real-world insights I have gleaned from several customers who have tried it.
Windows Autopilot was introduced as a way to facilitate zero-touch, self-service deployments in enterprises or large educational organizations. Within the past 18 months, the scope of Autopilot has significantly broadened to include the full lifecycle of a device. Now, it can be used to deploy, repurpose, break-fix, and retire a device.
Image Credit: Microsoft, 2018.
According to Microsoft, one of the main goals for using this new service is to change the way we deploy Windows devices. Traditionally, large organizations purchase thousands of new devices every year, ship them to IT, wipe them completely, and re-image them with a new, custom corporate image. However, while this image may include many common corporate applications, it usually does not include the user's personal data or specific business applications.
The promise of Autopilot is that these new devices can be unboxed by the user and are dynamically configured in the background while the user interacts with a Status Enrollment page. All configuration and data can flow down to the device out of the box with Intune, and the device can be secured and configured without IT interaction. After a few minutes, or sometimes a few hours depending on how large your download is, the device is ready for productive use, including:
Microsoft's promise is that this leads to an improved user experience as well as time savings for IT, who no longer have to wipe a clean version of Windows in order to add a custom legacy version of Windows. In addition, the upcoming hybrid join with Active Directory allows you to include more users, e.g., for a Windows 7 to Windows 10 migration.
This is achieved by joining the device to Azure Active Directory, enrolling it in Intune, and letting Intune push the configuration down (Microsoft's Modern IT Vision), or, in a hybrid scenario, by including traditional desktop management tools (the Microsoft Configuration Manager and Active Directory).
During his talk, Michael Niehaus introduced several usage scenarios for Autopilot. His session largely focused on the first three, while the other three had their own dedicated session the next day:
There are several portal options to access and administer Autopilot:
The cloud-driven deployment of Windows Autopilot is done in three steps: registering the devices, assigning the devices to an Autopilot profile, and shipping the device to the user.
1) Registering Existing Devices
The easiest way to register your device "is to have someone else do it", according to Michael Niehaus. He referred to the device manufacturers that are participating in the Autopilot program. At this moment, Dell (soon: no extra charge), HP, Lenovo, Microsoft Surface, and Toshiba devices can be ordered, registered, and shipped utilizing this new deployment service — Panasonic and Acer will be joining the vendor roundup soon.
Please note that in addition to automatically adding any new devices to your Azure tenant at the time of shipment, you can also associate your ordered device with a purchase order and/or tag specific devices with a customer-specified label (e.g., laptop, desktop) for easy device grouping in Intune. You may also ask them (nicely) to provide a preinstalled image ready for configuration.
2) Assigning Profiles
In order to be able to assign devices to an Autopilot profile, you will have to create Azure AD groups first. This allows you to apply specific deployment modes and the settings each mode requires, e.g., the new BitLocker encryption even for non-admin users with Windows 10 1809, the out-of-box experience (OOBE) settings that now let you change the account options with Windows 10 1809, as well as device naming patterns and support for variable substitutions.
Once created, you can assign your Autopilot profile to your Azure group manually or use Intune to assign the profiles of a certain group automatically. Microsoft recommends using dynamic grouping, but other options are available.
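The dynamic grouping recommended above is expressed as Azure AD membership rules on `device.devicePhysicalIds`. The following is an added example, not taken from the session or the original post; it assumes the Microsoft Graph PowerShell module, and the helper function, group names, label and purchase order number are placeholders.

```powershell
# Added example. Assumes the Microsoft.Graph module is installed and the
# signed-in account may create groups. All names and IDs are placeholders.
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

function New-AutopilotDeviceGroup {   # hypothetical helper, not a Microsoft cmdlet
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Rule
    )
    # A security group whose members are computed from the rule.
    New-MgGroup -DisplayName $Name `
        -MailNickname ($Name -replace '[^A-Za-z0-9]', '') `
        -MailEnabled:$false -SecurityEnabled `
        -GroupTypes 'DynamicMembership' `
        -MembershipRule $Rule `
        -MembershipRuleProcessingState 'On'
}

# Every device registered with Autopilot carries a [ZTDId] physical ID.
$all = New-AutopilotDeviceGroup -Name 'Autopilot-AllDevices' `
    -Rule '(device.devicePhysicalIds -any (_ -contains "[ZTDId]"))'

# Devices the vendor tagged with a customer-specified label.
$laptops = New-AutopilotDeviceGroup -Name 'Autopilot-Laptops' `
    -Rule '(device.devicePhysicalIds -any (_ -eq "[OrderID]:EXAMPLE-LABEL"))'

# Devices that shipped under one purchase order.
$po = New-AutopilotDeviceGroup -Name 'Autopilot-PO-Example' `
    -Rule '(device.devicePhysicalIds -any (_ -eq "[PurchaseOrderId]:EXAMPLE-PO"))'

# Dynamic membership is evaluated asynchronously, so run this check later.
# Review the counts before assigning a profile: a rule that matches too
# broadly hands the profile to devices that were never meant to receive it.
foreach ($g in $all, $laptops, $po) {
    $count = @(Get-MgGroupMember -GroupId $g.Id -All).Count
    '{0}: {1} device(s)' -f $g.DisplayName, $count
}
```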
Please note that every Windows 10 device (even a consumer device) checks in with Autopilot as soon as it connects. If Autopilot recognizes the device as one registered with an organization and it has an AP profile, it kicks off a process internally. After the user receives the device and walks through some very basic set-up questions (e.g., preferred language and location), they can connect to the corporate network — kicking off the Autopilot gears.
In order to take advantage of Autopilot, you must fulfill one of these prerequisites:
It is clear that Autopilot is a very interesting piece of technology that could change the way we deploy and upgrade devices forever. For most enterprises this is an evolution, not a revolution, since many already deploy new machines with corporate applications and security settings using existing technologies. This point was even apparent on the Ignite stage, where the showcase customer, Rockwell Automation, explained that they are currently using Autopilot in a co-management scenario and will only roll out the Modern IT Vision to "a very small population" [...] "in the near future".
Most of the vendors supporting Autopilot will already extend your SCCM environment to enable a personalized corporate build image per user. What is changing here is that the process is standardizing to remove IT staff from the process entirely. The big challenge for many corporations will be the shift to co-management (Intune & SCCM) which will create an even more complex environment, and then to shift again to Modern IT Management (Intune only).
At Juriba, we are watching with interest as our first customers start to make this switch, and whether the marketing matches the reality. Certainly the principle of user unboxing and setup is a desirable one for many organizations — reducing cost and improving efficiency. Whether the tooling is quite mature enough to support an MDM-only approach for every device will be a fascinating question to be answered.
We will be covering Autopilot extensively in the future, focusing on how it plays with your organization's asset lifecycle strategy and the kind of dependencies that need to be in place to make it work effectively.
All slides shown above are from the Ignite 2018 presentation. Image Credit: Microsoft, 2018.