Digital Workplace Management Blog

Zero-Touch Deployments With Microsoft AutoPilot

Written by Barry Angell | Jul 18, 2017 5:13:20 PM

Getting a new work PC should be a “magical experience for an employee,” as it shows the employee that he or she is valued and that the organization is investing in his or her productivity and user experience — at least according to Microsoft's marketing material. You might think that this refers to working in Windows 10 or Office 365, but the software giant is taking it even one step further: to the unboxing of a brand new PC! 

Microsoft recently announced a new zero-touch, self-service deployment service called AutoPilot. It sets out to empower IT to customize the Windows 10 out-of-box experience. The announcement is not entirely unexpected, as the last Windows 10 updates already included enhancements and improvements to prepare for this step.

Also part of the announcements were exciting Mobile Device Management enhancements as well as the new Device Health features (agent to optimize UX on Windows) in Windows Analytics. 

What Is Microsoft AutoPilot?

Microsoft defines AutoPilot as a "suite of capabilities powered by cloud-based services, designed to simplify deployment and management of new Windows 10 PCs." All of this happens in the cloud with automatic provisioning, so IT does not need to waste resources on creating custom images or manually reimaging machines and drivers, which leads to cost reductions while optimizing results and creating better end-user experiences.

The concept is simple: Hardware distributors and other Microsoft partners can work with your IT department to set up the user profiles on your Azure Active Directory and Intune mobile device management (MDM) services. This way it is possible to "pre-assign a new Windows 10 device to a specific user" to deliver a "highly personalized" out-of-the-box provisioning experience.

Since Windows AutoPilot is a cloud-only device deployment and management service, it relies heavily on existing Azure Active Directory and Intune mobile device management (MDM) services. Once the PC arrives at the end user, the employee will unbox his or her new device, power it up, and be greeted by a highly customized log-in screen. The employee will now sign in using his or her corporate credentials, and AutoPilot will configure their PC. 

With the help of AutoPilot, the PC is automatically turned into a business-ready device. It is joined to Azure Active Directory, enrolled in Intune, and the clean Windows 10 install is transformed into a Windows 10 Enterprise install with the latest Windows version and updates applied.

Because of its integration with Intune, all personal settings are applied, corporate policies are pushed through, and Office 365 apps as well as required line-of-business apps are installed, all without having to apply a custom image, although you could if you wanted. If you want to use images, you need to kick off the out-of-the-box experience process at the end of your image, according to Per Larsen, who also provided a step-by-step walkthrough of how to set up AutoPilot.

You also don't have to think about license management, security roles, admin rights or having to reboot the device as it works seamlessly with Azure Active Directory with the Windows 10 Enterprise E3 subscription. Speaking of admin rights: IT can determine — before the device even gets turned on for the first time — whether the user will be a standard or an admin user. 

 

Prerequisites 

To make Windows AutoPilot work, you need to have the following in place:

  • Devices must be registered to the organization, have Windows 10 Version 1703 or later pre-installed, and have access to the internet.
  • Microsoft's Azure Active Directory service. Each device needs to be registered to an organization's Azure AD tenancy, which requires either Azure AD Premium P1 or P2 licensing and a subscription to Microsoft Intune or another mobile device management (MDM) service.
  • With Windows 10 Enterprise E3 licensing in place, devices can be automatically upgraded from vanilla Windows 10 Pro to Windows 10 Enterprise without user interaction or reboot.

Rollout Schedule & New Features In The Fall

In the Microsoft Partner Center, Microsoft OEMs, distributors, and reseller partners can already create AutoPilot profiles for their clients and link devices to the client organization. However, customers still need to wait until after the fall, when Microsoft has rolled AutoPilot out to a few select Surface customers for testing.

Speaking of the fall: There will be some capabilities available as part of the Windows 10 Fall Creators Update, which is due for Current Branch release this September:

  • Self Service Deployment Active Directory Domain Join – AutoPilot's self-service deployment capabilities enable you to get new Windows 10 devices into Active Directory domain-joined state as well as enroll them into Microsoft Intune. 
  • Enhanced Personalization with Windows AutoPilot Deployment – AutoPilot comes with the ability to pre-assign a brand new Windows 10 device to a specific employee in the organization via cloud configuration. This will deliver a highly personalized out-of-box experience even before the employee has entered his or her corporate email address.
  • Windows AutoPilot Reset – AutoPilot delivers a new reset capability that will allow organizations to quickly reset a fully configured device while maintaining MDM management and Azure Active Directory connection state and automatically get the device back into a business-ready state.

Conclusion

Windows AutoPilot is definitely an interesting announcement that points towards a future of enterprise device management from the cloud, and it is worth looking into further. But details are still sketchy. We suggest you attend the Ask-Me-Anything Session on July 27th and look out for the Fall Creators Update, when things should become clearer as to what this means for enterprise-level customers.

What we do know is this: For many enterprises, adopting AutoPilot will require a wholesale shift onto a number of new technologies and adopting more cloud-based services. The linkage between SCCM and Intune will start to get some major focus, and those not yet signed up for Azure Active Directory will no doubt shortly be receiving the call.

There will be a time of running hybrid on-premises SCCM and on-cloud Intune – which could increase complexity significantly for some organizations. But it is an exciting development. We have been very used to having our hardware vendors deliver devices pre-imaged at a cost. Now we don't need that service any more.

We’re looking forward with interest to see how this gets adopted, and whether this is the first significant step in the retirement of SCCM as a device management system.