Windows AutoPilot: What is zero-touch device deployment?

For any business, streamlining the new device setup process with faster and smarter automation is never an unwelcome capability.

With its ease-of-use and intuitive management tools, it’s no surprise Windows AutoPilot is rapidly gaining popularity among businesses looking to set up devices for new employees faster - and its ‘zero-touch’ provisioning promise for even easier new device deployment will be officially released in the next few months. In this article, we break down the best upcoming features presently in preview, what’s already out and how AutoPilot can help your business now.

 

Windows AutoPilot: New zero-touch deployment capabilities

Zero-touch deployment and reset are the new buzzwords being thrown around Windows AutoPilot circles, and for good reason. These two new features are set to change AutoPilot dramatically when they’re officially released later this year - and they’re currently available to test if you’re on Windows 10 Insider Preview Build 17672 or later.

 

What is Windows AutoPilot self-deploying mode?

Self-deploying mode is the most compelling new ‘zero-touch’ feature of Windows AutoPilot and a big reason you should start registering devices with the program. With this capability, any new Windows 10 device will be user-ready without any manual IT setup. The idea behind self-deploying mode is achieved in three simple steps:

  1. The user powers on the Windows 10 device
  2. They connect the device to the Internet
  3. They watch as Windows AutoPilot automates the new device setup process

The current version of Windows AutoPilot still requires new users to specify basic settings during the new device setup process, like language, keyboard and region, but self-deploying mode allows system admins to pre-configure them for an AutoPilot profile so it automatically performs these steps for every registered device under that profile.

The biggest benefit of self-deploying mode is that it doesn’t matter if the Windows 10 device is existing hardware or brand new and sent directly from your vendor - it will self-deploy regardless and perform the following steps without system admins needing to do anything:

  • Join your company’s Azure AD tenant
  • Use Microsoft Intune to enrol using automatic MDM enrolment
  • Provision all applications, certificates, policies and profiles automatically

As with all new features there are some prerequisites. You need to go through the Windows 10 OOBE and connect the device to the Internet to allow self-deploying mode to activate, and also select self-deploying mode for the AutoPilot profile in Microsoft Intune for devices assigned to that profile to use it correctly upon setup.

Self-deploying mode is a big game-changer for organisations with tons of new Windows 10 devices to manage. If you’re searching for greater efficiency when it comes to new device setup, it's an essential feature to leverage when it launches.

 

What is Remote Windows AutoPilot Reset?

Windows AutoPilot Reset is the second upcoming ‘zero-touch’ feature and aims to make the reset and re-deployment process significantly easier for businesses, especially those who regularly need to re-purpose existing Windows 10 devices for new employees or customers.

Imagine a school that has to hand out devices to students every year, or a business that has malfunctioning devices. IT admins would have to reset them all manually, as well as configure policies and apps, in a time-consuming process.

AutoPilot Reset aims to consolidate all of this with a single setting in Microsoft Intune and remove the need to physically access a device and reset it. You fully retain the following settings configured prior to the latest reset:

  • Language, keyboard and region settings
  • Existing network credentials for faster connection to Internet
  • Azure AD Join and Microsoft Intune enrolment

All you need to do is make sure the device’s enrolment status is configured to trigger AutoPilot Reset in Microsoft Intune, and from there the device can be business-ready upon setup. While still in preview, AutoPilot Reset is another great feature that can help you manage and streamline the new device setup process across the organisation.

 

Windows AutoPilot: Version 1803 latest features


 

The two zero-touch features are set to be game-changers, but there are already several new benefits to using AutoPilot in your business presently available.

Automatic device registration with OEM and hardware vendors

AutoPilot once required all businesses to pre-register their Windows 10 devices with the Windows Autopilot Deployment Program to enable it properly. You had to acquire device IDs from hardware vendors and upload them into your Azure Active Directory (AAD) tenant to claim ownership, or email Microsoft to permit the OEM to do it for you.

Thankfully, the latest release has streamlined things further and now hardware vendors and OEMs have fully integrated their systems with Windows AutoPilot programmatically.

Now, your vendor automatically registers your devices into the program for you as part of your order fulfilment, and your IT team does not need to manually enrol devices to get started.

Presently, Lenovo and Surface are two of the biggest vendors to automate the Windows AutoPilot registration process for their customers, but other companies like Dell and HP will reportedly follow suit later this year.

 

Pre-configure policies faster with enrolment status

Windows AutoPilot presently has a new feature in preview called enrolment status, which allows businesses to prevent new users from accessing the desktop on a Windows 10 device before applications and profiles are installed and all configurations and IT policies are set.

Enrolment status gives device managers an easy way to check the status of the device’s configuration in the Windows 10 Out of Box Experience (OOBE) and ensures IT admins don’t have to rush the configuration process when new employees join and require hardware fast.

Device managers can currently access enrolment status with Microsoft Intune, by heading over to its dedicated page under the Windows AutoPilot enrolment sub-section. You can select each new user profile to configure options specific to that profile, including:

  • Prevent the user from leaving the device’s Windows 10 OOBE until all apps and profiles are installed
  • Write a custom message to appear in OOBE if any errors occur during device setup
  • Select which actions users can perform if errors happen
  • Set how long the device waits for enrolment status before alerting the user to errors

While you can only configure enrolment status for new users as one unified group, upcoming Microsoft Intune upgrades will support the capability to create new separate groups, so you can change configurations and policies for certain users more flexibly.

 

Easier Windows AutoPilot profile assignment

Microsoft has now integrated Azure Active Directory (AAD) groups with Windows AutoPilot profile assignment through Microsoft Intune. Earlier versions required admins to manually select new devices registered with the AutoPilot program and assign them a profile, but now you can assign profiles through the same AAD groups you use to assign other Intune policies, applications and configurations.

In summary, each Windows AutoPilot registered device can be automatically assigned whichever profile you specify. Microsoft handles this by tagging every registered device with the tag ‘ZTDID’, and all you have to do is create an AAD group with a dynamic membership rule looking for this tag and assign your desired AutoPilot profile to that particular group.
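The dynamic group described above can be created from PowerShell. This is an added example, not taken from the original article or from Microsoft's own scripts: it assumes the Microsoft Graph PowerShell SDK is installed, the group name and mail nickname are hypothetical, and the rule uses Azure AD dynamic-membership syntax, which the article does not quote.

```powershell
# Added example. Assumes the Microsoft.Graph.Groups module is installed and
# the signed-in admin may create groups. Names below are hypothetical.
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

$groupName = 'Autopilot-Registered-Devices'   # hypothetical display name
$nickname  = 'autopilot-registered-devices'   # hypothetical mail nickname

# Dynamic membership rule: match any device object whose physical IDs
# include the ZTDID tag added when the device is registered with AutoPilot.
$rule = '(device.devicePhysicalIDs -any (_ -contains "[ZTDId]"))'

# Create the group only if it does not exist yet, so the script can be re-run.
$group = Get-MgGroup -Filter "displayName eq '$groupName'" `
            -Property Id, DisplayName, MembershipRule |
         Select-Object -First 1

if (-not $group) {
    $group = New-MgGroup -DisplayName $groupName `
        -Description 'All devices registered with Windows AutoPilot' `
        -MailEnabled:$false `
        -MailNickname $nickname `
        -SecurityEnabled `
        -GroupTypes 'DynamicMembership' `
        -MembershipRule $rule `
        -MembershipRuleProcessingState 'On'
    Write-Output "Created dynamic group '$groupName' ($($group.Id))."
}
elseif ($group.MembershipRule -ne $rule) {
    # An existing group with a different rule would pull in other devices;
    # report it instead of silently changing who receives the profile.
    Write-Warning "Group '$groupName' exists with a different rule: $($group.MembershipRule)"
}

# Membership is evaluated asynchronously, so a new group may be empty at first.
$members = @(Get-MgGroupMember -GroupId $group.Id -All)
Write-Output "'$groupName' currently has $($members.Count) member device(s)."
```

Assign the AutoPilot profile to this group in Intune afterwards; every device that later registers with the ZTDID tag joins the group, and receives the profile, without further admin action.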

Every AutoPilot profile automatically enables the following options for faster new device setup:

  • Skip OEM registration
  • Skip OneDrive configuration
  • Skip user authentication in OOBE
  • Skip Work or Home usage selection

Later this year, Microsoft plan to allow users to create custom tags when devices are ordered from vendors, giving greater control over AutoPilot profile assignment.

 

Windows AutoPilot device deletion with Microsoft Intune

The original release of Windows AutoPilot was a little less streamlined when it came to deleting devices from the program. Thankfully, the latest updates have included easier device deletion using Microsoft Intune, which displays the serial number, model, deployment group, profile status and purchase order of each device in one place for quick reference.

To delete your registered devices, you must first remove them from the Azure AD portal. Then in Intune, tick the devices you want to delete under the ‘Windows AutoPilot devices’ blade. If it wasn’t already easy enough, the whole process will apparently be further simplified in the next planned AutoPilot update in the coming months.

 

BitLocker encryption is now pre-installed

The release of Windows 10 (1803) has introduced automatic BitLocker encryption for all new devices enrolled with the Windows AutoPilot program. Microsoft’s neat full disk encryption feature provides an extra layer of security that isn’t exactly an unwelcome freebie.

 

How do I get Windows AutoPilot?

Ready to find out how to get your devices on the Windows AutoPilot program?

Find out more about how Xello can help you assess your readiness for AutoPilot with a detailed discovery and roadmap showing you how to get your organisation using AutoPilot for easier and more efficient device deployment.