
Windows AutoPilot Deployment Q&A

Yesterday there was a webinar about Windows AutoPilot with a Q&A. Because it contains some good-to-know information, you can read the questions and answers below:

In which build of Windows 10 will AutoPilot be enabled and ready?
Windows 10 1703 (already released) includes the necessary support for Windows AutoPilot.

Can I use 3rd party MDM with AutoPilot?
Yes, any Windows supported MDM – AirWatch, MobileIron, etc. – are all supported by AutoPilot, in addition to Intune.

What happens if the Laptop WAS wiped by IT due to malware, will this AutoPilot still work, since the LT has no boot img?
Windows AutoPilot starts from the preinstalled OS that comes on the device. If the device needs to be rebuilt due to malware, typically you would recover it using OEM-provided media or recovery images.

How do I find out which OEMs support this?
Several OEMs are in the first wave of supporters, including HP, Dell, Lenovo, etc. We are working and hope all OEMs will support AutoPilot in the months ahead.

How do I get from my wireless to the corporate network?
Windows AutoPilot will join the device to Azure AD and enroll it in Intune or another MDM service. A VPN profile can be deployed to the device via MDM; that can connect to the corporate network.

What additional licenses/subscriptions are needed?
You need the following: Win 10 1703 build with 7b cumulative update, AAD Premium subscription, an MDM.

Is this only available with AD Azure or can a local AD use this feature?
Today this supports Azure AD only. We will add support for Active Directory in the Fall Creators Update.

Can more than one profile be assigned to a single device?
No, however a single profile can be assigned to a group of devices.

Is the AutoPilot program really meant for remote users and laptops, or do you see this as a way to deploy internal desktops as well?
It can be used with any device. The goal would be to move away from image-based deployment on all devices; if you do it for “all devices except desktops” you are still having to build images.

What if you already own your PCs or your reseller does not share info with MS, can the devices be pre-loaded with a wireless profile for the corporate wireless network, so that it’s able to connect to the corporate wireless network with knowing the wireless password?
Windows AutoPilot joins the device to Azure AD and enrolls it in an MDM service; that MDM service (e.g. Intune) can push a VPN connection profile to the device/user.

How does the PC know to go talk to the Autopilot?
If the PC has been registered and a profile assigned (either by IT admin, partner, or hardware vendor), then as soon as the PC is powered on and connects to the Internet, it will know to talk automatically to the AutoPilot service.

Which editions of Win 10 are supported?
Windows 10 Pro, Enterprise, and Education are supported. Windows 10 1703 is required; using the latest cumulative update (at least through July) is recommended.

Will the device be enrolled as a mobile device in Intune or will it receive the Intune client?
The device will be enrolled as a mobile device, using the in-box MDM components. The Intune Client is not recommended on Windows 10; it’s primarily to support Windows 7 clients that don’t have an in-box MDM agent.

What kind of information does the DeviceID contain when it registers it?
The device ID is a unique identifier that can identify the device over its life. It is a hardware hash generated by collecting hardware fingerprints and accounting for the fact that the device might have parts replaced, added, etc.

Is the profile something the end user could remove? With Apple’s DEP the profiles are not allowed to be removed by the end user.
If you are asking if the employee (end user) can remove the profile, no, the end user will not have privileges to register, create, assign or remove profiles. Only those employees with admin privileges will be able to do these tasks.

Can AutoPilot deliver a provisioning package?
No, all settings are deployed to the device using the MDM enrollment, e.g. Intune.

How are 3rd party applications installed? (i.e. Java, Adobe Reader, Flash, LOBs, QuickBooks, LiteShow3, etc.,)
Software installation is performed via the MDM service, e.g. Intune. This supports MSI, App-V, and UWP app installation.

Can the bits be downloaded from an SCCM distribution point?
Today, Windows AutoPilot supports Azure Active Directory and MDM services like Intune. The content will come from the cloud. We are looking at future scenarios that leverage Active Directory.

What alternative path do we have for Group Policy in AutoPilot?
Settings would be deployed to the device using the MDM service, e.g. Intune. With Windows 10 1703, we added support for pushing many group policy settings via MDM to the device, which simplifies this. The MMAT tool available on GitHub will analyze your GPOs to tell you the equivalent MDM setting.

Can Multiple Profiles be created?
Yes, a tenant/customer can create multiple profiles. A profile can then be assigned to one or more devices.

What kind of subscription do I need?
Windows AutoPilot joins the device to Azure AD, which triggers automatic MDM enrollment. That MDM auto-enrollment feature requires Azure Active Directory Premium. That’s the only subscription requirement, although we’d recommend Windows 10 Enterprise E3 or E5 subscriptions to get the additional Windows 10 Enterprise features.

For Public Sector with only O365 accounts (no Azure-AD) Is it possible to Autopilot a device, and then return it to our on-prem management (non SCCM) afterwards?
That’s a scenario that we’re looking at for the Windows 10 Fall Creators Update later this year. We will add Active Directory support.

MMAT tool available on GitHub, any link?
https://github.com/WindowsDeviceManagement/MMAT

What happens if the user doesn’t have Internet access when signing in?
The user will not get the AutoPilot customizations and policies. The device will get set up as if it isn’t registered with AutoPilot.

Two questions regarding Multiple User Profiles were asked, and 2 different answers were given: Q1. Can more than one profile be assigned to a single device? A1. No, however a single profile can be assigned to a group of devices. Q2. Can Multiple Profiles be created? A2. Yes, a tenant/customer can create multiple profiles. A profile can then be assigned to one or more devices. Can you please reconcile this contradiction?
Both are true. A customer/corp can create multiple profiles, one for their HR department, one for their sales department, etc. (A2) Then the HR profile can be assigned to all HR employee owned devices. (A1) No, a single device owned by Anna in HR cannot receive two profiles.

In a previous question regarding Intune, the following answer was given “The Intune Client is not recommended on Windows 10; it’s primarily to support Windows 7 clients that don’t have an in-box MDM agent.” – So regarding the answer to “How are 3rd Party applications installed?” which the answer was “Software installation is performed via the MDM service, e.g. Intune.” – These two answers seem to contradict each other.
The in-box MDM support in Windows 10 supports software installation using MSI, AppX/UWP, and App-V. So you can deploy software from Intune without the Intune agent. There are some limitations with this support (e.g. only single-file MSIs at this point); we are working with Intune and other MDM providers to address this.

What happens if the user doesn’t have Internet access when signing in?
The user will not get the AutoPilot customizations and policies. The device will get set up as if it isn’t registered with AutoPilot. Is there remediation after some time?
They can continue through OOBE and create a local account. Without an internet connection, they won’t be able to use Windows AutoPilot.

Is a restore partition required for this?
We recommend all Windows 10 devices have a recovery partition, but typically this partition just contains a boot image. The OS itself can be rebuilt from the files on the main Windows partition.

The disk layout partition remains the same before the autopilot process?
Windows AutoPilot uses the OS that’s already on the device. So no partition changes are made.

How do you get a MSfB account?
Go to http://businessstore.microsoft.com and sign in with your Azure AD tenant admin account.

I missed the last slide:( could you show it again or will this presentation be available later?
We’ll post a recap of the event, the Q&A, and the instructions on that last slide in a post on the Windows 10 management space on Microsoft Tech Community later today. https://techcommunity.microsoft.com/t5/Windows-10-management/bd-p/Windows10Management

Can we get a link of the PowerShell script?
https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo/1.0/DisplayScript

Is there an option to test Autopilot without a WSfB account? When will this be coming out of private preview so it can be tested by all?
It is really in public preview now 🙂

 
