Microsoft Adds Windows 10 Provisioning Tools to AutoPilot
- By Kurt Mackie
- June 08, 2018
Microsoft's out-of-the-box PC-provisioning service is getting some new features to make it easier for end users to set up company-issued Windows 10 devices themselves.
The new features are now in preview for Windows AutoPilot, Microsoft announced this week. Launched about a year ago, Windows AutoPilot is an effort between Microsoft and participating original equipment manufacturers (OEMs) that allows for a new device to be shipped directly to the end user, who then initiates the self-provisioning process by logging in to the device with their Azure Active Directory credentials.
Windows AutoPilot works with Windows 10 version 1703 or later and requires a subscription to Azure AD Premium P1 or P2 plans. Organizations also need a subscription to Microsoft Intune or another mobile device management (MDM) service. Those details are described in this "Overview" document.
Current OEMs participating in the Windows AutoPilot program include Lenovo and Microsoft itself, with its Surface PC-tablets. Microsoft is currently working with "Dell, HP and other OEM partners" on adding Windows AutoPilot support, according to another Microsoft announcement on Windows AutoPilot.
Two of the new previews require using Windows 10 build 17672 or later as part of the Windows Insider Program. Other previews are based on using Windows 10 version 1803, the "April 2018 Update," which had a release date of April 30.
Self-Deploying and Reset Features
Participants in the Windows Insider Program can try the new "Self-Deploying" and "Reset" capabilities.
The Self-Deploying preview streamlines the new PC provisioning process for end users. Instead of making them specify details like keyboard, language and region during the setup process, they get more of a "zero-touch experience" and just have to power up the device to set it up, explained Brad Anderson, corporate vice president of Enterprise Mobility + Security, in Microsoft's announcement. A prerequisite for using the Self-Deploying mode preview is having a Trusted Platform Module 2.0 device installed in the PC.
Essentially, Self-Deploying mode turns a PC into an "intelligent device that knows how to deploy itself," explained Siddharth Mantri, principal program manager lead for Microsoft 365, in Microsoft's other announcement. The Self-Deploying mode for Windows 10 will "join your organization's Azure AD tenant, enroll the device into Microsoft Intune (using automatic MDM enrollment), and ensure that all policies, applications, certificates, and networking profiles are provisioned on the device (using the enrollment status page)," he added.
It's also possible to use Self-Deploying mode to turn a Windows 10 tablet device at power-up into a "kiosk" device or a handheld device that's used for specialized purposes. The steps needed to carry that out are outlined in this TechNet post by Michael Niehaus, a principal program manager on the modern deployment team at Microsoft.
Self-Deploying mode is apparently so automated that it doesn't even require credentials from end users.
"Because Self-Deploying mode doesn't require a user to enter their organization credentials, it is important that you physically secure possession of your devices before assigning a Windows Autopilot profile, and Self-Deploying mode, to the device," cautioned Mantri.
Another preview available to Windows Insider Program testers is a new Windows AutoPilot Reset capability. It's similar to Windows 10's Automatic Redeployment capability, except that it works with Intune to remotely reset a device.
"Windows Autopilot Reset removes personal files, apps, and settings, resetting Windows 10 while still maintaining Azure AD Join and Microsoft Intune enrollment," Mantri explained, adding that it also retains keyboard, language and region settings.
IT pros can use Windows AutoPilot Reset to automatically reset "hundreds of thousands of devices" into business-ready states using a single click in Intune, Mantri contended.
Enrollment Status and Other Previews
Other previews now available for Windows AutoPilot are enabled with Windows 10 version 1803, including Enrollment Status, Automatic Profile Assignment and Device Deletion features.
Enrollment Status adds better controls over the end user experience when a new PC hasn't been fully provisioned as specified by IT policies. IT pros can specify certain actions to take. They can block access, specify what end users can do in the event of a failure, specify when an error message should show, and also craft a particular message to display.
Another preview is the Automatic Windows AutoPilot Profile Assignment feature, which lets IT pros set up a profile that gets automatically applied to Windows AutoPilot-registered devices. It works by adding a "ZTDID" tag to registered devices. IT pros create an "Azure AD group with a dynamic membership rule looking for the ZTDID and assign a Windows AutoPilot profile to that group," Mantri explained. Microsoft is currently working on the ability to create custom tags that can be used when ordering devices from OEMs.
Lastly, Microsoft is previewing a Delete capability for removing devices from Windows AutoPilot. Delete is a two-step process right now. Windows AutoPilot devices enrolled using Intune must first be deleted from Azure AD. Next, they must be removed using the Windows AutoPilot Devices blade. Microsoft is working to simplify this process.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.