New Windows Autopilot Deployment Options in Windows 10 1803 and Redstone 5
In this Ask the Admin, I’ll look at the new deployment options for Windows Autopilot in the current and next version of Windows 10.
Windows Autopilot was first introduced in the Windows 10 Fall Creators Update (Professional, Enterprise and Education SKUs, version 1703) and it allows IT departments to provision off-the-shelf PCs to users without having to create, maintain, and deploy custom Windows images. From a user’s standpoint, they can get their new PC up and running in a few simple clicks with no intervention from IT. Windows Autopilot requires Windows 10, Azure AD Premium, and Microsoft Intune or another Mobile Device Management (MDM) service. All users need to do when receiving their new PC is select a region, select a keyboard layout, and then enter the credentials associated with their Azure AD account.
Windows 10 April 2018 Update
Before getting on to what’s new in Redstone 5, there are several new Autopilot features in the April 2018 Update. The most prominent new capability is the enrollment status page. It’s an optional feature that IT can enable to show users the status of the device during and after enrollment. In the first release of Autopilot, users can log on to the desktop before the device is in a business-ready state; that is, not all applications, profiles, and certificates are fully installed by the time a user is enrolled. The enrollment status page shows the deployment status, so users can understand whether the device is fully configured before they start using it. IT can also prevent users from using devices until they are fully configured. For more information about setting up an enrollment status page, see Microsoft’s website here.
Windows Autopilot now integrates with Azure AD dynamic groups. Dynamic groups use advanced rules to assign users to groups based on AD account attributes, like givenName, department, and city. Automatic Windows Autopilot profile assignment can be based on dynamic group membership. Finally, device vendor supply chain integration means that when you purchase devices from your reseller, Autopilot integration with their supply chain and fulfillment systems allows devices to be registered to your organization. Both organizations and vendors get a completely zero-touch experience.
New in Redstone 5
Starting in Redstone 5, the next major release of Windows 10 that’s due in September 2018, Windows Autopilot will get a new feature called Self-Deploying mode that extends the zero-touch experience. The aim is to enable users to provision new devices by just powering them on. In this new mode, IT can choose to self-deploy devices as locked-down kiosks, as digital signage (for example, a digital sign or display created with Windows for Business Digital Signage Software Solutions), or as shared productivity devices. Self-Deploying mode only works with devices that have a TPM 2.0 chip.
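Because Self-Deploying mode depends on a TPM 2.0 chip, it is worth checking candidate hardware before assigning it to that mode. The following PowerShell is an added example, not code from the article or from Microsoft; the function name `Test-SelfDeployingTpmReadiness` is hypothetical, and it checks only the TPM requirement stated above, using the standard `Win32_Tpm` WMI class from an elevated session.

```powershell
# Added example: hypothetical helper, run from an elevated PowerShell session.
function Test-SelfDeployingTpmReadiness {
    [CmdletBinding()]
    param()

    # Win32_Tpm lives in its own WMI namespace and requires administrator rights.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName 'Win32_Tpm' -ErrorAction SilentlyContinue |
           Select-Object -First 1

    # No instance means no TPM, a TPM disabled in firmware, or a non-elevated session.
    if (-not $tpm) {
        return [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            TpmPresent   = $false
            SpecFamily   = $null
            Enabled      = $false
            Activated    = $false
            MeetsTpm20   = $false
        }
    }

    # SpecVersion is a comma-separated string; the first field is the
    # TPM specification family ("1.2" or "2.0").
    $family = ($tpm.SpecVersion -split ',')[0].Trim()

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        TpmPresent   = $true
        SpecFamily   = $family
        Enabled      = [bool]$tpm.IsEnabled_InitialValue
        Activated    = [bool]$tpm.IsActivated_InitialValue
        # Covers only the TPM 2.0 requirement named in the article.
        MeetsTpm20   = ($family -eq '2.0') -and
                       [bool]$tpm.IsEnabled_InitialValue -and
                       [bool]$tpm.IsActivated_InitialValue
    }
}

# Emit one result row for the local machine.
Test-SelfDeployingTpmReadiness | Format-List
```

A device that reports `SpecFamily` 1.2, or no TPM at all, should be kept out of any group targeted with a Self-Deploying profile.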
Windows Autopilot’s capabilities are being extended to deployment scenarios where IT needs to reset devices. Windows Autopilot reset will allow IT to reset devices, which are managed using Intune, to a business-ready state at the click of a button.
The Future of Windows Deployment
I haven’t had a chance to get hands-on with Autopilot yet but Microsoft is billing it as the future of Windows deployment. At this time, there appear to be several disadvantages. For example, if your vendor doesn’t support Autopilot, you’ll need to boot and manually register devices with Autopilot before users get their hands on them. MDM is the way you configure Windows 10 devices with Autopilot. But MDM doesn’t have the same comprehensive set of configuration options as Group Policy and System Center Configuration Manager (SCCM). Plus, any software installed by the vendor would have to be removed using a script during the provisioning process.
Despite these drawbacks, it’s still early days for Autopilot. Lenovo has already announced that it is testing Autopilot, so hopefully, more vendors and partners will come onboard in time. Microsoft is gradually expanding Windows 10’s MDM configuration capabilities, such as the introduction of MSIX installer technology. This promises to make it easier to install legacy applications from the Microsoft Store for Business and therefore MDM, even if organizations don’t have access to the application’s code.
For more information on MSIX, see MSIX Installer to Bring More Win32 Apps to Microsoft Store on Petri. For more information on the Microsoft Store for Business, see Windows Store for Business and App Management Using Microsoft Store for Business on Petri.
I hope to look at Autopilot in more detail over the next few months, so stay tuned!
Follow Russell on Twitter @smithrussell.