Windows Autopilot Deployment Scenarios – On-Prem Hybrid Domain Join

Windows Autopilot deployment scenarios and upcoming features were announced at Ignite 2018. This post is based on the two sessions, BRK3014 and BRK3015, by Tanvir Ahmed and Michael Niehaus.

New Windows Autopilot capabilities and expanded partner support simplify modern device deployment. The most eye-catching phrase related to Windows Autopilot is "White Glove."

Read this post to get more details about the white-glove feature of Autopilot, along with the hybrid domain join, reset, self-deploying, existing-devices and Enrollment Status Page announcements.

[Related Posts – Step by Step Guide Windows AutoPilot Process with Intune, Beginners Guide Setup Windows AutoPilot Deployment & Windows Autopilot Video Starter Kit]


Intune Connector for Active Directory (ODJConnector)

Update (07 Nov 2018) – Microsoft released a preview of the Intune Connector for Active Directory (ODJConnector). More details – Deploy hybrid Azure AD joined devices using Intune and Windows Autopilot (Preview).

[Figure: Windows Autopilot Intune Connector for Active Directory (ODJConnector)]

Reset Devices – Local/Remote – Windows Autopilot Deployment

The Autopilot reset options are important for break-fix scenarios in the device management life cycle. There are two: a local reset and a remote reset.

Windows Autopilot Reset – local – This feature is available now
• Windows 10 1703 and above
• Device stays joined to Azure AD and enrolled in Intune/MDM after the reset
• Device rename options

Windows Autopilot Reset – remote – This feature is in public preview
• Windows 10 Insider Preview Build 17672 and later, and Windows 10 1809
• Execute a device reset from Intune and maintain the Azure AD join and MDM enrollment
• Device rename options


Self-Deploying Mode – Kiosk – Windows Autopilot Deployment

Self-deploying mode is already available in public preview. It is aimed at kiosk and shared devices: the device joins Azure AD and enrolls in Intune without anyone signing in, so the deployment relies on the device's TPM 2.0 attestation rather than a user's credentials.

Public Preview
• Windows Autopilot self-deploying mode
• Windows 10 Insider Preview Build 17672 and later, and Windows 10 1809
• Device joins Azure AD and enrolls in Intune/MDM with no user interaction

[Figure: Windows Autopilot Deployment – self-deploying mode]

Hybrid AD Domain Join with Windows Autopilot Deployment

Hybrid AD domain join during Windows Autopilot is a private preview feature. The process is explained in the following paragraphs.

Hybrid Azure AD join means the device is joined to the on-premises Active Directory domain and also registered in Azure AD.

Employees unbox devices and start the deployment. The device sends its hardware ID to the Windows Autopilot deployment service, which returns the Autopilot profile assigned to that device.

The device then performs MDM enrollment with Intune. After this MDM enrollment, Intune contacts the on-premises domain controller via the Offline Domain Join (ODJ) connector to create the computer object.


[Figure: Windows Autopilot Deployment – hybrid Azure AD join flow]

The device receives the ODJ blob from Intune and uses it to complete the join to the on-premises AD domain. The blob is what makes this work without line of sight to a domain controller during OOBE.

Once the device is joined to the domain, it receives GPOs and other policies from AD. Intune can also deploy the SCCM client to the device, so SCCM can be used to deploy apps if required.

Hybrid Azure AD Join
• Windows 10 1809 and above
• Join device to on-premises AD, enroll in Intune/MDM

The ODJ connector allows Intune to create computer objects in your domain on your behalf. The connector, running on a domain-joined server, creates the computer object, produces the ODJ blob, and hands it to Intune, which delivers it to the device.

Let's talk about ODJ blobs. ODJ stands for Offline Domain Join, and the blob is at the centre of the hybrid Autopilot flow. You can generate a blob from any domain-joined machine with djoin.exe, provided the account you use has the right to create computer objects in the target OU. Treat the blob as a secret: it contains the new machine account's credentials, so anyone who obtains it can join a machine to your domain as that account.
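The manual equivalent of what the connector does, as an added example (this is not code from the Ignite sessions or from the ODJ connector): provision an Offline Domain Join blob with djoin.exe, lock it down, and apply it on the target device. The domain name, OU, computer name, and the delegated connector account are assumptions; the delegation step assumes, as the preview documentation does, that the server running the connector needs only "Create Computer objects" on the target OU.

```powershell
# Added example, not from the original post: provision an ODJ blob by hand with djoin.exe,
# the same primitive the ODJ connector uses, and consume it on the target machine.
# Domain, OU, computer name and the connector account below are assumptions.
$Domain    = 'corp.example.com'
$MachineOu = 'OU=Autopilot,DC=corp,DC=example,DC=com'
$Computer  = 'AP-LAPTOP-001'
$BlobFile  = Join-Path $env:TEMP "$Computer.odj"

# 1. Least privilege (run once, as an owner of the OU): whoever provisions blobs, here the
#    connector server's computer account, needs "Create Computer objects" on the OU and
#    nothing more. "CC;computer" = create child objects of class computer; /I:T = this
#    object and sub-objects. No Domain Admins membership is required or advisable.
# dsacls $MachineOu /I:T /G "CORP\ODJCONNECTOR01$:CC;computer"

# 2. Provision: creates the computer object (or with /reuse, re-uses an existing one) and
#    writes the blob. /defpwd is deliberately not used: it would set the well-known
#    default machine password instead of a random one.
$out = & djoin.exe /provision /domain $Domain /machine $Computer /machineou $MachineOu /savefile $BlobFile /reuse
if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed: $out" }

# 3. The blob carries the machine account password, so restrict it to the provisioning
#    user only (strip inherited ACEs) until it has been delivered to the device.
$acl = Get-Acl -Path $BlobFile
$acl.SetAccessRuleProtection($true, $false)
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $BlobFile -AclObject $acl

# 4. Confirm the object landed in the intended OU, not the default Computers container.
$obj = Get-ADComputer -Identity $Computer -Properties DistinguishedName
if ($obj.DistinguishedName -notlike "*,$MachineOu") {
    throw "Computer object created outside the target OU: $($obj.DistinguishedName)"
}
$obj | Select-Object Name, DistinguishedName

# 5. On the target device (no line of sight to a DC needed), apply the blob and reboot.
#    Autopilot does this for you with the blob Intune delivers; shown here for a manual test.
#    Delete the blob file on both sides once the join has completed.
# djoin.exe /requestodj /loadfile C:\Temp\AP-LAPTOP-001.odj /windowspath $env:SystemRoot /localos
# Restart-Computer
# Remove-Item $BlobFile -Force
```

Running step 2 as a normal domain user works only because of the delegation in step 1; if it fails with access denied, the OU delegation, not the user's group memberships, is the first thing to check. The OU check in step 4 matters because a blob provisioned into the wrong container gets the wrong GPOs.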

Existing Devices – Windows 7 Devices to Windows 10 Using Windows Autopilot Deployment

This feature has been in private preview until now. This Autopilot explanation is for existing devices. I hope Microsoft will soon release more details about this feature and the JSON file used in the SCCM task sequence.

• Windows 10 1809 and above
• Windows 7 to Windows 10
• OneDrive for Business Known Folders Group Policy (to preserve user data)
• SCCM task sequence, followed by Windows Autopilot user-driven mode

Autopilot for existing devices is explained in the Ignite session. Not all hardware running Windows 7 is ready for disposal just yet (for most organizations).

Many organizations have continued to install Windows 7 on new hardware.

The remaining hardware life cycle often goes beyond 2020. Learn how to upgrade Windows 7 to Windows 10 using Autopilot with SCCM and OneDrive for Business.


[Figure: Windows Autopilot Deployment – Autopilot for existing devices]

The biggest challenge is that the hardware hash Autopilot keys on cannot be collected from Windows 7. So it is impossible to pre-register existing devices while they still run Windows 7.

An SCCM task sequence can lay down a signature image of Windows 10, drop the Autopilot profile onto the disk as a JSON file, and collect the hardware ID once the device is in Windows 10.

The device then boots into Windows Autopilot user-driven mode. This requires Windows 10 1809 or later.
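The two pieces such a task sequence needs, as an added example (this is not the task sequence shown at Ignite): collecting the hardware hash from the MDM bridge WMI class, which is the reason Windows 7 cannot supply it, and staging the Autopilot profile JSON where OOBE looks for it. The profile name, the SCCM share, and the presence of the WindowsAutopilotIntune PowerShell module (used to export the profile from the tenant) are assumptions.

```powershell
# Added example, not from the original post or the Ignite session. Two building blocks of a
# "Windows Autopilot for existing devices" task sequence. Profile name, share path and the
# WindowsAutopilotIntune module are assumptions.

# 1. Collect the hardware hash the Autopilot service keys on. This reads the same MDM bridge
#    WMI class that Get-WindowsAutoPilotInfo.ps1 uses; it exists on Windows 10 1703+ only,
#    which is why the hash must be gathered after the Windows 10 image is applied.
function Get-AutopilotHardwareHash {
    $devDetail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' -ClassName 'MDM_DevDetail_Ext01' `
        -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
    if (-not $devDetail) { throw 'MDM_DevDetail_Ext01 not found: not Windows 10 1703+ (no MDM bridge).' }
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    # Column names match the CSV the Autopilot import expects.
    [pscustomobject]@{
        'Device Serial Number' = $bios.SerialNumber
        'Windows Product ID'   = ''                   # optional since 1703, left blank
        'Hardware Hash'        = $devDetail.DeviceHardwareData
        'Manufacturer'         = $cs.Manufacturer
        'Model'                = $cs.Model
    }
}

# 2. Export an Autopilot profile from the tenant as the JSON OOBE reads. Done once on an admin
#    workstation; the resulting file is packaged into the task sequence. The file name and
#    folder are fixed by Windows. ASCII encoding is required: OOBE ignores a UTF-8 file with a BOM.
function Export-AutopilotConfigurationFile {
    param(
        [Parameter(Mandatory)] [string] $ProfileName,
        [Parameter(Mandatory)] [string] $OutputFolder
    )
    $ap = Get-AutopilotProfile | Where-Object { $_.displayName -eq $ProfileName }
    if (-not $ap) { throw "Autopilot profile '$ProfileName' not found in the tenant." }
    New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null
    $file = Join-Path $OutputFolder 'AutopilotConfigurationFile.json'
    $ap | ConvertTo-AutopilotConfigurationJSON | Out-File -FilePath $file -Encoding ASCII
    $file
}

# 3. Inside the task sequence, after "Apply Operating System", copy the packaged JSON into the
#    offline OS so OOBE goes straight to user-driven mode; later, once the full OS is running,
#    collect the hash to a share for import into Intune.
function Install-AutopilotConfigurationFile {
    param([Parameter(Mandatory)] [string] $PackagedJson)
    $target = Join-Path $env:OSDTargetSystemDrive 'Windows\Provisioning\Autopilot'
    New-Item -ItemType Directory -Path $target -Force | Out-Null
    Copy-Item -Path $PackagedJson -Destination (Join-Path $target 'AutopilotConfigurationFile.json') -Force
}

# Admin workstation, once:
# Connect-AutopilotIntune -user admin@corp.example.com
# Export-AutopilotConfigurationFile -ProfileName 'Corp user-driven' -OutputFolder 'C:\AutopilotPkg'
# Task sequence, offline OS phase:
# Install-AutopilotConfigurationFile -PackagedJson "$PSScriptRoot\AutopilotConfigurationFile.json"
# Task sequence, full OS phase (after "Setup Windows and ConfigMgr"):
# Get-AutopilotHardwareHash | Export-Csv "\\sccm\AutopilotHashes$\$env:COMPUTERNAME.csv" -NoTypeInformation
```

The JSON file is not secret, but it is trusted: anything placed in Windows\Provisioning\Autopilot decides which tenant and which OOBE settings the device boots into, so it should come from a signed SCCM package rather than be editable on the share.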

White Glove, Cortana, and Enrollment Status Page Improvements

Windows Autopilot White-Glove

What is the biggest challenge in adopting Autopilot today? Yes, it's apps.

When employees start the enrollment process, they have to wait a long time for it to complete, mainly because of application downloads.

Bandwidth constraints and other issues can make the download of large applications like Office ProPlus slow.

Microsoft came up with a new option: your OEM or partner can pre-provision the device, including the app downloads, in their factory.

This is done as part of the onboarding process, before the device reaches the employee. Microsoft expects this to give a better end-user experience during the Autopilot enrollment process.

The code name for this process is White Glove.


[Figure: Windows Autopilot Deployment – white glove]

Cortana

You will be able to disable Cortana during Windows Autopilot deployments.

Enrollment Status Page

The Enrollment Status Page can be targeted to specific Azure AD groups.

The Enrollment Status Page will give you a more granular option to track, or skip, the status of the configurations (and perhaps applications) you want to follow.

You will be able to skip configurations that are not important to track during enrollment.

The Enrollment Status Page will be able to track configurations from other sources. What does this mean? Will you be able to track security baseline policies, Win32 apps, and PowerShell script deployments?


7 thoughts on “Windows Autopilot Deployment Scenarios – On-Prem Hybrid Domain Join”

  1. Great article, thanks Anoop! I am a Microsoft Solutions Architect for my company and am looking for any more detail specifically for the Offline Domain Join Connector. Is it a feature built in to Win10 1809, a new feature for a new version of the Azure AD Connect tool or just Intune/Autopilot itself?

    Reply
  2. I did watch the Ignite sessions and scanned the videos and .pptx decks for both of the sessions at Ignite and found that although they described how the technology works, I was unable to find any of the details or infrastructure requirements outside of simply selecting the ‘Hybrid AD Joined’ option in the properties of the Intune profile itself. I guess I’m questioning if it will just be that simple to implement or is there more, like having to upgrade the current version of Azure AD Connect or similar?

    Reply
    • If I understand correctly, this is not released yet. It was in private preview. I think that could be the reason that there is no documentation on the prerequisites. I heard there is one component that needs to be enabled on your DC (I could be wrong).

      Reply
