No more SCCM and WIM files
There’s a new cloud-driven Windows deployment program for Windows 10 that was announced around June 2017 and builds on the Windows 10 Creators Update (1703). It’s called Windows Autopilot, and it promises to be the future of modern PC deployment and management.
The scenario Microsoft uses to illustrate how Windows Autopilot will work is this:
- A user from an organisation goes into a store and buys a new Windows 10 device. The implied view here is that the new device is standard commercial hardware with the OEM’s preloaded commercial software, not a corporate image.
- The user connects the device to any WiFi network with internet access, logs in with his or her company credentials and, boom, the device is configured and installed to the organisational standards that you as IT would ordinarily have deployed with imaging and packaging tools such as System Center Configuration Manager (SCCM).
In reality, there is a bit more to it than that. Let me explain what has to happen from a technical perspective for Windows Autopilot to work:
- A requirement for Windows Autopilot is Azure Active Directory Premium (either P1 or P2). More specifically, it is the Premium features that matter: MDM auto-enrollment, self-service BitLocker recovery, additional local administrators on Azure AD-joined Windows 10 devices, and Enterprise State Roaming.
- Intune or another Mobile Device Management (MDM)* solution.
- Windows 10 automatic MDM enrollment enabled in your Azure AD Premium tenant.
- The hardware ID of every new device uploaded to Autopilot**. (This is where it gets tricky. The idea is that OEM vendors will supply all the hardware IDs to your Autopilot tenant in advance so the devices are recognised at first boot; however, this is still being negotiated with the OEM manufacturers. Until it is in effect, you have to boot up every device and read the hardware ID and product information yourself, manually or with a PowerShell script, which rather defeats the purpose.)
- Windows Autopilot deployment profiles need to be configured. (These control the OOBE settings: skipping the options that let a user set the device up as a home device, and the OEM, OneDrive and Cortana pages.)
* Other MDM solutions need to be able to integrate with Azure AD.
** In my testing I was only able to upload hardware IDs to Microsoft Store for Business and then synchronise them into Intune under Windows Device Enrollment (the Autopilot blade).
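To make the “read the hardware ID with a PowerShell script” step concrete, here is an added example of what that collection looks like. This is my own illustration for this post, not Microsoft’s Get-WindowsAutoPilotInfo script (which is the supported route, available from the PowerShell Gallery via Install-Script). It reads the hardware hash that the MDM bridge WMI provider exposes as DeviceHardwareData, the BIOS serial number, and the OS product ID, and appends one row per device to a CSV with the column headers Store for Business expects. The function names and the output path are mine; using the Win32_OperatingSystem serial number as the “Windows Product ID” column is an assumption, and the hash is only readable from an elevated prompt on 1703 or later.

```powershell
# Added example for this post, not code from Microsoft or the Autopilot service.
# Run from an elevated PowerShell prompt on the device being registered:
# root/cimv2/mdm/dmmap (the MDM bridge) is only readable by an administrator.

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-AutopilotDeviceInfo {
    # The hardware hash Autopilot matches on is surfaced by the MDM bridge as
    # DeviceHardwareData on the MDM_DevDetail_Ext01 class.
    $devDetail = Get-WmiObject -Namespace root/cimv2/mdm/dmmap -Class MDM_DevDetail_Ext01 `
                     -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
    if (-not $devDetail -or [string]::IsNullOrEmpty($devDetail.DeviceHardwareData)) {
        throw "Could not read DeviceHardwareData. Are you elevated, on Windows 10 1703 or later?"
    }

    $serial = (Get-WmiObject -Class Win32_BIOS).SerialNumber
    # Assumption: the OS product ID is what belongs in the 'Windows Product ID' column.
    $product = (Get-WmiObject -Class Win32_OperatingSystem).SerialNumber

    [PSCustomObject]@{
        'Device Serial Number' = $serial
        'Windows Product ID'   = $product
        'Hardware Hash'        = $devDetail.DeviceHardwareData
    }
}

function Export-AutopilotDeviceInfo {
    param([Parameter(Mandatory)][string]$Path)

    $row = Get-AutopilotDeviceInfo

    if (Test-Path $Path) {
        # One CSV can collect many devices (e.g. on a USB stick carried from
        # machine to machine); skip a device that is already in the file rather
        # than uploading a duplicate serial to Store for Business.
        $existing = Import-Csv -Path $Path
        if ($existing.'Device Serial Number' -contains $row.'Device Serial Number') {
            Write-Warning "Serial $($row.'Device Serial Number') is already in $Path; skipping."
            return
        }
        $row | Export-Csv -Path $Path -NoTypeInformation -Append
    }
    else {
        $row | Export-Csv -Path $Path -NoTypeInformation
    }

    Write-Host "Recorded $($row.'Device Serial Number') in $Path"
}

if (-not (Test-IsElevated)) {
    throw "Run this script from an elevated PowerShell prompt."
}

# Hypothetical path: a removable drive you carry between the new devices.
Export-AutopilotDeviceInfo -Path 'D:\AutopilotDevices.csv'
```

The resulting CSV is what you upload under Manage > Devices in Microsoft Store for Business before synchronising to the Intune Autopilot blade. If DeviceHardwareData comes back empty, the usual causes are a non-elevated prompt or a build older than 1703, so the script fails loudly rather than writing a row with a blank hash that the upload would then reject.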
Some optional configuration you may want to test:
- Multi-Factor Authentication (MFA) for users.
- Azure AD Conditional access rules so that only certain people can sign in from any network and provision Windows 10 PCs and Applications.
- Windows Hello for Business, which can require or prefer a TPM (Trusted Platform Module). Windows Hello for Business lets users sign in to their devices with a gesture, such as biometric authentication, or a PIN.
- Windows 10 Edition Upgrade Policy in Intune.
- Windows Information Protection Policies. Protects an organization’s data within an application.
- Intune App Deployment Profiles and App Suites.
To conclude, the Windows Autopilot (Preview) feature in Azure/Intune is very new and as such lacks some maturity. Having said that, at the rate at which functionality and features are being released on the Enterprise Mobility + Security front from Microsoft, I expect this feature to be a really smart way of deploying and managing Windows 10 devices in the not so distant future. For updates in this space, follow my blog and subscribe to the Enterprise Mobility + Security RSS feed and the Intune RSS feed.
Oh, and as for the bolshie heading “No more SCCM and WIM files”, that was meant tongue-in-cheek. I don’t see SCCM going away any time soon, and I respect SCCM and its deployment capabilities.
Let me know what you think of Autopilot, also what features and functionality would you like to see in Autopilot?