Windows AutoPilot Feasibility

I recently carried out a feasibility study on Windows AutoPilot with a view to replicate as much as we can from my current Windows 10 task sequence for our staff devices. This is a quick post with my findings and recommendations.

Requirements for AutoPilot:

Windows 10 1703 or higher

All of our Windows 10 computers are 1809 or higher.

Microsoft Intune license

Covered by our EM+S E5 license

Azure Active Directory Premium

Covered by our EM+S E5 license

Device registration in Intune

Devices will need to be registered by Dell (OEM) or CDW (Reseller). Dell will register devices for free but will charge £30 fee per device to remove bloatware.
We will need to find out from CDW if they provide a service to register devices to Intune/AutoPilot and what the associated costs are.

Azure Active Directory custom branding

Custom branding has already been done in our tenant

Azure Active Directory automatic enrolment

This will need to be configured. This allows users to enroll devices to Intune (the enrolment takes place as part of the device set up process). However, enabling this raises the question “can we enable this and stop users from enrolling their personal devices into Intune as well?

Configure Autopilot profiles

This is a collection of rules and configurations to set up the computer during the device set up process.

Source: https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-requirements

Replicating the Task Sequence in AutoPilot and Intune

AutoPilot will only make sense for the standard Staff build since it is designed to be handed over to the user who goes through a few simple steps and then Intune kicks in.

Step

Notes

Clean Windows image

Possible options include:

BIOS Configurations (password, secure boot, TPM, etc)

BIOS configuration will need to be set either from the OEM or will need to be done after the computer is handed over to the user.

All computers come with UEFI, Secure Boot and TPM activated. The only exception is password and UEFI Network Stack. UEFI Network Stack is only required for PXE-boot which we don’t need for AutoPilot. However, password will need to be set using ‘Dell Command Configure’ post-deployment.

https://ccmexec.com/2019/09/configuring-dell-bios-settings-using-intune-win32app-and-powershell/

BIOS Updates

Although the BIOS updates can be packaged as an application and deployed via Intune it would be easier to manage this using SCCM (to be updated after deployed)

Set computer name

Naming ‘patterns’ can be set in the AutoPilot configuration profile. The %SERIAL% macro but unsure how flexible this is (for example truncating Surface Pro serial numbers and adding WT).

https://blog.basevision.ch/2019/06/ultimate-guide-to-define-device-names-in-windows-autopilot-hybrid-join-scenario/

Join on-premise domain

By default AutoPilot computers join Azure Active Directory. To join on-premise AD as well then additional configuration need to be done to enable Hybrid Azure AD Join.

https://docs.microsoft.com/en-us/intune/windows-autopilot-hybrid

Also requires TPM 2.0:

https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan

Move to correct OU

You can select an OU to move all computers to as part of the AutoPilot configuration profile.

Currently in our environment we move laptops and desktops to separate OUs, which we cannot do using AutoPilot.

Our options are:

  • Setup AutoPilot for laptops only (and continue using SCCM for desktops)
  • Move both laptops and computers to the same OU but maintain separate AD groups to identify computers by hardware

Add to AD security groups

Computers can be added to Azure Groups but not to on-premise AD groups. Since this functionality is not provided natively by AutoPilot a solution will need to be engineered.

Driver updates

Similar to BIOS updates this will need to be managed using SCCM post deployment.

SCCM Client

Options are:

  • Deploy as a win32 app from Intune
  • Rely on SCCM client push installation (AD object gets discovered and client is deployed to the machine

Local admin account

https://docs.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin

https://www.risual.com/2019/02/05/managing-local-admins-with-intune-azure-ad-join-devices/

Install staff build applications

Win32 applications can now be deployed through Intune

https://docs.microsoft.com/en-us/intune/apps-win32-app-management

https://www.robinhobo.com/how-to-deploy-win32-applications-with-microsoft-intune/

Install Office 365

Can be packaged as a package and deployed through Intune or Office 365 apps can be “assigned” to devices/users using Intune

  • If we deploy this as a package then it will continue to be patched through SCCM
  • If assigned to devices/users then it will be patched directly from Microsoft thus will need more work to understand how this works

https://docs.microsoft.com/en-us/intune/apps-add-office365

OneDrive auto sign in

This is possible using Azure AD Join.

Redirect user folders to OneDrive

Options are:

  • OneDrive Known Folder Move
  • Group Policy redirect

(will rely on Hybrid Azure AD Join)

Install Symantec

Although this is possible to be deployed using a package moving to AutoPilot might be an opportunity to trial Windows Defender?

This will require more discussions and input form the of Information Security.

Applications chosen by service desk

This feature will NOT be available through AutoPilot.

Alternative options are:

  • We enable applications to be deployed to users so Service Desk deploys the applications to users in advance and when the computer is in SCCM the application will be deployed to the user. However, we will need to make sure the application can only be installed on one device when deployed to the user.

Apply Start Menu Layout

A custom Start menu layout can be applied using Intune

https://docs.microsoft.com/en-us/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management

Enable BitLocker

BitLocker can be enabled using Intune

https://www.sepago.de/blog/bitlocker-how-to-configure-bitlocker-drive-encryption-on-windows-10-clients-in-microsoft-intune/

Further research is required to make sure BitLocker uses TPM and the recovery key can be stored in the computer object in on-premise AD.

Run PowerShell scripts (Corporate font, registry tweaks, etc.

PowerShell scripts can be run from Intune

https://matthewjwhite.co.uk/2019/06/13/deploy-custom-fonts-to-intune-managed-devices/

https://docs.microsoft.com/en-us/intune/intune-management-extension

https://albertneef.wordpress.com/2018/06/01/part-16-configure-microsoft-intune-powershell-scripts/

Launch TrustNet at log on

TrustNet shortcut can be deployed using a PowerShell script in a package and deployed to the device using Intune.

Recommendations

With the ‘work from home’ scenario amid the current pandemic there is a real need to provision end user devices for new staff and making the onboarding process as simple as possible without access to the office. It is therefore absolutely necessary to take this work a step forward and carry out a proof of concept of Windows Autopilot which has the potential of simplifying the end user device provisioning and onboarding process.

References:

https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/user-driven
https://www.scconfigmgr.com/2019/04/01/replicating-task-sequences-in-autopilot-part-1-bare-metal/

Advertisement

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s