
Modern Work Week
FY21/Q4
https://aka.ms/modernworkweekjuni

Modern Deployment - deep dive
Jens Grabow, Simon Taylor, Sebastian Meiforth
Traditional Windows deployment // The old way
(Image labels: Office & apps, drivers, policies, settings)
• Build a custom image, gathering everything else that’s necessary to deploy
• Deploy the image to a new computer, overwriting what was originally on it
• Time means money, making this an expensive proposition
Modern Windows deployment // The new way
• Un-box and turn on an off-the-shelf Windows PC
• Transform with minimal user interaction
• Device is ready for productive use

Deploying a Windows device should be as simple as getting a new phone.


The deployment process // Transforming the device
OEM-optimized Windows 10 + Software + Settings + Updates + Features + User data -> Ready for productive use

The deployment process // Transforming the device
• Office 365 ProPlus
• Single-file MSIs (LOB apps)
• Intune Management Extensions
• Security Baselines
• Administrative Templates
• Software Update rings
• OneDrive for Business
• Kiosk templates
• Device Firmware Configuration Interface (DFCI)
Windows Autopilot overview
Diagram: the hardware vendor registers device IDs with the Windows Autopilot deployment service and ships the device direct to the employee; the IT admin configures the Windows Autopilot profile in Intune, which syncs with the deployment service (device sync, Autopilot profile sync); the employee unboxes the device, it downloads its profile and self-deploys.
Windows Autopilot // One-time preparation tasks

Azure Active Directory:
✓ Configure automatic MDM enrollment.
✓ Configure company branding.
✓ Enable Windows Subscription Activation if desired.
✓ Ensure users can join devices to Azure AD (for user-driven mode).

Intune:
✓ Enable the enrollment status page
✓ Ensure users can enroll devices in Intune
✓ Assign licenses to users
✓ (Optional) Set up enrollment restrictions so only Autopilot-registered devices can enroll

See https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-requirements for more information
Demo
Autopilot Preparation Tasks
Simon Taylor
Three simple steps
• Register devices
• Assign a profile
• Deploy

Three simple steps // Register devices
• Have devices registered automatically
  • Request clean images, choice of Windows 10 version at the same time (if available)
  • Specify group tag to help segment devices by purpose
  • Devices are automatically tagged with the purchase order ID
• Register devices yourself via Intune for testing and evaluation using the Get-WindowsAutopilotInfo PowerShell script
• Register (harvest) existing Intune-managed devices automatically
Registering existing devices manually

To register existing devices:
• Use the PowerShell script available at https://www.powershellgallery.com/packages/Get-WindowsAutopilotInfo
• Run for each device (requires Windows 10 1703 or higher); new option to upload directly to Intune
• Upload resulting (modified) CSV file via Intune portal
• See https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/add-devices#collecting-the-hardware-id-from-existing-devices-using-powershell for more information
• No DFCI support at this time if the customer loads HW hashes themselves.

Great for testing and validation with existing devices and virtual machines
Get Device Hardware ID via PowerShell
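An added example, not the Get-WindowsAutopilotInfo script itself, showing what that script reads from the device (serial number, hardware hash, optionally OEM manufacturer and model) and the CSV layout the Intune upload expects; it assumes an elevated Windows PowerShell session on Windows 10 1703 or later, and the group tag and output path below are constructed.

```powershell
# Added example (not the PowerShell Gallery script). Collects the Autopilot identifiers
# from the local device and writes the CSV that the Intune portal (or Partner Center,
# with -Partner) imports. Run elevated: the MDM bridge WMI class needs an admin session.
function Get-AutopilotDeviceRow {
    [CmdletBinding()]
    param(
        # Optional group tag, written as the fourth column of the Intune layout
        [string]$GroupTag = '',
        # Partner Center layout: add the OEM manufacturer and model columns instead
        [switch]$Partner
    )
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem

    # The hardware hash is exposed through the MDM bridge provider (same source the
    # Microsoft script uses); it is absent on pre-1703 builds and in non-elevated sessions.
    $dev = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' -ClassName 'MDM_DevDetail_Ext01' `
               -Filter "InstanceID='Ext' AND ParentID='./DevDetail'" -ErrorAction SilentlyContinue
    if (-not $dev -or -not $dev.DeviceHardwareData) {
        throw 'Hardware hash not available: run elevated on Windows 10 1703 or later.'
    }

    # Intune expects exactly these headers in this order.
    $row = [ordered]@{
        'Device Serial Number' = $bios.SerialNumber.Trim()
        'Windows Product ID'   = ''   # the PKID is normally only known to the OEM; the hash suffices
        'Hardware Hash'        = $dev.DeviceHardwareData
    }
    if ($Partner) {
        $row['Manufacturer name'] = $cs.Manufacturer.Trim()
        $row['Device model']      = $cs.Model.Trim()
    }
    elseif ($GroupTag) {
        $row['Group Tag'] = $GroupTag
    }
    [pscustomobject]$row
}

function Export-AutopilotCsv {
    param(
        [Parameter(Mandatory, ValueFromPipeline)][pscustomobject]$Row,
        [Parameter(Mandatory)][string]$Path
    )
    process {
        # The Intune importer does not accept quoted fields, so strip the quotes that
        # ConvertTo-Csv adds. The header row is only written when the file is new, so
        # several devices can append to one upload file.
        $lines = $Row | ConvertTo-Csv -NoTypeInformation | ForEach-Object { $_ -replace '"', '' }
        if (Test-Path $Path) { $lines | Select-Object -Skip 1 | Add-Content -Path $Path }
        else                 { $lines | Set-Content -Path $Path }
    }
}

# Usage on the target device (group tag and path are constructed values):
Get-AutopilotDeviceRow -GroupTag 'Kiosk' | Export-AutopilotCsv -Path "$env:USERPROFILE\Autopilot.csv"
```

The resulting file is the one uploaded under Windows Autopilot devices in the Intune portal; treat it as sensitive, since the hash is the device's registration credential.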
Registering existing devices automatically

If you have existing Windows 10 devices:
• Enable the new Windows Autopilot profile setting for all targeted devices
• Ensure the Windows Autopilot profile is assigned to a group containing the existing Windows 10 devices

If your existing Windows 10 devices are not yet Intune-managed:
• Enable co-management with Endpoint Configuration Manager via the “Automatic enrollment into Intune” setting. (See https://docs.microsoft.com/en-us/sccm/core/clients/manage/co-management-overview#enable-co-management)
• Ensure all new Intune-enrolled Windows 10 devices are part of a group with an assigned Windows Autopilot profile
Registering new devices
Supply chain integration

OEMs, distributors, and resellers make the process easy:
• Automatically add new devices to the Azure tenant at time of shipment
• Associate devices to the customer’s purchase order for easy device grouping
• Tag devices with a customer-specified label
• Provide a preinstalled image that is ready for configuration*

For a list of those supporting Windows Autopilot supply chain integration please visit: https://aka.ms/WindowsAutopilot
Registering devices // Summary
Registration paths: OEM API, Partner Center, Microsoft Intune
Windows Autopilot // Registration requirements
1. Partner (recommended), via Partner Center:
• Product Key ID only
-or-
• Serial number
• Manufacturer name
• Model name
Partners can generate the information by scanning the barcodes on the packaging or from the order placed with the distributor.

2. End customer / enterprise, via Endpoint Manager / M365 Admin Portal:
• Hardware hash
• Serial number
Someone has to open CMD/PS and run a PowerShell script to obtain the hardware hash.
Windows Autopilot registration methods
Table (columns: Device serial number, Windows product ID, Hardware hash, Manufacturer name, Device model):
End customer: one row, supplying two identifiers (serial number and hardware hash, as on the previous slide).
Partner: three rows, supplying two, two and three identifiers respectively (the Partner Center combinations described on the following slides).
Demo
Device Registration
Jens Grabow
Windows Autopilot // License requirements
Azure Active Directory provisioning (automatic MDM enrollment and company branding) and MDM functionality require one of the following licenses:
• Microsoft 365 Business Premium subscriptions
• Microsoft 365 F1 or F3 subscriptions
• Microsoft 365 Academic A1, A3 or A5 subscriptions
• Microsoft 365 Enterprise E3 or E5 subscriptions
• Enterprise Mobility + Security E3 or E5 subscriptions, which include all needed Azure AD and Intune features
• Intune for Education, which includes all needed Azure AD and Intune features
• Azure Active Directory Premium P1 or P2 and Intune subscriptions (or an alternative MDM service)

See Windows Autopilot licensing requirements | Microsoft Docs for more information
Partner Center CSV Option 1: PKID only
The Microsoft Product Key ID (PKID) is now printed on the product box for:
• Surface Pro 7
• Surface Pro X
• Surface Laptop 3

Partner Center CSV Option 2: Serial Number + PKID
Note: We recommend adding the serial number to identify the devices in Partner Center and Intune.

Partner Center CSV Option 3: Serial Number + Manufacturer + Model
For all Surface devices manufactured after January 2018, the following three known elements can simply be used:
- Serial number
- Manufacturer name
- Device model

Tip: the device’s manufacturing date can be read from the serial number, e.g. 002123683853: Week 38, Year 2018
Surface device model names
Name -> Device name in CSV format
Surface Studio -> Surface Studio
Surface Book 3 -> Surface Book 3
Surface Laptop 4 -> Surface Laptop 4
Surface Go 2 -> Surface Go 2
Surface Pro (5th gen) -> Surface Pro
Surface Pro (5th gen) with LTE Advanced -> Surface Pro
Surface Studio 2 -> Surface Studio 2
Surface Laptop 2 -> Surface Laptop 2
Surface Pro 6 -> Surface Pro 6
Surface Pro 7 -> Surface Pro 7
Surface Pro 7+ -> Surface Pro 7+
Surface Laptop 3 -> Surface Laptop 3
Surface Pro X -> Surface Pro X

Surface was designed to support Windows Autopilot. The UEFI manufacturer name and model designation are consistent across all devices.
Other OEM devices must be evaluated carefully to ensure that the entered value matches the device’s BIOS/UEFI settings exactly.
See Surface System SKU reference - Surface | Microsoft Docs
Partner Center CSV – Further options
There are many valid combinations, depending on the OEM:
• Hardware Hash + PKID
• Hardware Hash + Serial Number
• Hardware Hash + PKID + Serial Number
• Hardware Hash only
• PKID only
• Serial Number + OEM Manufacturer Name + OEM Model Name
Surface and Windows Autopilot
Surface and Microsoft sales/support are designed to support the use of Windows Autopilot:
• Surface ships with the Microsoft Signature image, with Microsoft 365 apps preinstalled, for a seamless Windows Autopilot deployment
• The Microsoft Cloud Solution Provider (CSP) network can register Surface devices via automated APIs or with simplified CSV files in Partner Center (High Trust).
• Devices returned to Microsoft under warranty are automatically removed and updated
• Surface devices are designed to register quickly in customer tenants and to support firmware management via DFCI.
Windows Autopilot – Top Facts (Surface)

From Chip-to-Cloud Security: Advanced security functions when Surface devices boot via Windows Autopilot. Interfaces:
• DFCI
• TPM 2.0
• Windows Update
• Windows on ARM

Easy Access & Approach:
• From “No-Touch” to a “Zero-Touch Deployment”
• Microsoft Surface devices are registered in the so-called “Trusted Devices” database

Comprehensive Toolset:
• The focus is on cloud-only infrastructures
• Tools are needed for use in hybrid or on-premises architectures. Interfaces:
  • Data Eraser
  • Recovery Images

Support: Assistance from Microsoft Support with the various device registration scenarios
Surface registration support for Windows Autopilot

Offer: Simplified procedure for registering Surface devices for Windows Autopilot deployment through Microsoft Support

Addressees: Customers and Microsoft Cloud Solution Providers (LSP) can submit requests to Support (starting September 2020)

Windows Autopilot scenarios:
# Autopilot registration for Surface devices
Request to register Surface devices in Windows Autopilot through Support

# Hardware hash request for Surface devices
Request to Microsoft Support to provide hardware hashes

# Autopilot deregistration for Surface devices
Request to delete devices from Windows Autopilot (end of the “device lifecycle”)

https://support.microsoft.com/de-de/supportrequestform/0d8bf192-cab7-6d39-143d-5a17840b9f5f
Three simple steps // Assign a profile
• Use Intune:
  • Select profile scenario (user-driven, self-deploying)
  • Configure needed settings
  • Assign to an Azure AD group so Intune will automatically assign to all devices in the group
• Use a dynamic Azure AD group to automate this step
• Consider a static Azure AD group for exceptions
Creating an Autopilot profile
Configure important details:
• Deployment mode
• Specific settings required for the deployment mode
• New! BitLocker encryption even for non-admin users (requires Windows 10 1809)
• Out-of-box experience (OOBE) settings
• New! Hide change account options (requires Windows 10 1809)
• New! Device naming pattern, supporting variable substitution (requires Windows 10 1809):
  • %SERIAL%
  • %RAND:x% (where x is the number of digits)
Assigning an Autopilot profile
Automated using groups

If you have existing Windows 10 devices:
• An Azure AD device object is automatically created for each imported Autopilot device
• Create one or more Azure AD groups
• Assign an Autopilot profile to the Azure AD group
• Intune will automatically assign the profile to all members of the assigned group

Options for grouping:
• Dynamic group with all Autopilot devices
• Dynamic group based on purchase order ID
• Dynamic group based on device tag (orderID)
• Manual
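The three dynamic-grouping options above, written out as an added PowerShell example (not from the deck): it assumes the AzureAD module and an existing Connect-AzureAD session, and the group names and purchase-order value are constructed placeholders.

```powershell
# Added example (not part of the deck). Creates the dynamic Azure AD device groups the
# slide lists, so that one profile assignment per group covers every matching device.
# Assumes the AzureAD module and an existing Connect-AzureAD session; display names and
# the purchase-order value below are constructed placeholders.
function New-AutopilotDynamicGroup {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$MembershipRule
    )
    # MailNickname must be unique and alphanumeric even for a security group.
    $nick = $DisplayName -replace '[^A-Za-z0-9]', ''
    New-AzureADMSGroup -DisplayName $DisplayName -MailNickname $nick `
        -MailEnabled $false -SecurityEnabled $true `
        -GroupTypes 'DynamicMembership' `
        -MembershipRule $MembershipRule -MembershipRuleProcessingState 'On'
}

# Every registered Autopilot device carries a [ZTDId] entry in devicePhysicalIds.
New-AutopilotDynamicGroup -DisplayName 'Autopilot - All devices' `
    -MembershipRule '(device.devicePhysicalIds -any (_ -contains "[ZTDId]"))'

# Devices from one purchase order (value set by the OEM/reseller at registration).
New-AutopilotDynamicGroup -DisplayName 'Autopilot - PO 1234567' `
    -MembershipRule '(device.devicePhysicalIds -any (_ -eq "[PurchaseOrderId]:1234567"))'

# Devices with one group tag; Intune stores the tag in the [OrderID] attribute.
New-AutopilotDynamicGroup -DisplayName 'Autopilot - Kiosk' `
    -MembershipRule '(device.devicePhysicalIds -any (_ -eq "[OrderID]:Kiosk"))'
```

Membership evaluation is asynchronous, so a newly imported device may take several minutes to appear in the group and receive its profile.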
Demo
Deployment Profile Creation
Simon Taylor
Registering devices // Procedure
Three simple steps // Deploy
• Boot up each device
• Connect to network (Wi-Fi, Ethernet)
• Enter credentials (if required)
Windows Autopilot // Deployment Scenarios
• User-driven mode with Azure AD Join (AVAILABLE in 1703): Join device to Azure AD, enroll in Intune/MDM
• User-driven mode with Hybrid Azure AD join (AVAILABLE in 1809): Join device to AD, enroll in Intune/MDM. Deploy over VPN (available since 2004 & backported to 1903 & 1909)
• Pre-provisioned Deployment (AVAILABLE in 1903): PPD partners or IT staff can pre-provision a Windows 10 PC to be fully configured and business-ready for an org or user. New! Hybrid Azure AD Join support
• Self-deploying mode (preview) (AVAILABLE in 1903): No need to provide credentials, automatically joins Azure AD. General availability targeting CY21
• Windows Autopilot for existing devices (AVAILABLE in 1809): Windows 7/8.1 to Windows 10 ConfigMgr task sequence, followed by Windows Autopilot user-driven mode
Windows Autopilot
User-Driven Azure AD join

User-Driven Azure AD Join
• Connect to a network
• Authenticate to Azure AD
  • Password-less with phone sign-in
  • Coming soon! Authenticate with FIDO2
• Enroll in Intune
• Track progress with the Enrollment Status Page
  • Policies
  • Apps (Win32, MSI, UWP)
  • Certificates
  • Network, VPN connections
• Coming soon! Integration with ConfigMgr task sequences (H1CY20)
Windows Autopilot
User-Driven Hybrid Azure AD join

Windows Autopilot // User-Driven deployment with Hybrid Azure AD
Diagram (components: Windows Autopilot Deployment Service, Intune, Offline Domain Join Connector, DC, IT Admin, Employee): the IT admin registers the hardware ID and assigns the Autopilot profile; the device receives its Autopilot profile, performs MDM enrollment, receives the ODJ (offline domain join) blob via the connector, pings the DC to establish connectivity, and the employee, who unboxes and self-deploys the device, signs in using domain credentials.

Windows Autopilot // User-Driven deployment with Hybrid Azure AD
Same diagram with the “Ping DC to establish connectivity” step crossed out (the connectivity check is skipped).
Windows Autopilot Hybrid Azure AD Join (VPN)
Windows Autopilot Hybrid Azure AD Join // The process
• Use supported Windows 10 version:
  • Windows 10 1903 + September 26th Cumulative update + Autopilot Update
  • Windows 10 1909 + Autopilot Update
  • Windows 2004
• Specify to skip connectivity checks in the Windows Autopilot Hybrid Azure AD Join profile
• Apply needed configuration during the device ESP phase
  • VPN client (Win32 app)
  • Per-machine VPN profiles
  • Machine certificates, if required
• Make the VPN connection automatically, or manually from the Windows logon screen
  • “Pre-logon authentication module” (PLAP)
Windows Autopilot Hybrid Azure AD Join // The process
Windows Autopilot Hybrid Azure AD Join // VPN clients
Expected to work:
• Cisco AnyConnect (Win32 client)
• Pulse Secure (Win32 client)
• GlobalProtect (Win32 client)
• Checkpoint (Win32 client)
• Citrix NetScaler (Win32 client)
• SonicWall (Win32 client)
• In-box Windows VPN client

Not expected to work:
• UWP-based VPN plug-ins (can’t be used prior to user sign-in)
• Anything that requires a user cert (chicken-and-egg problem)
• DirectAccess (no way to provision)

Anything else? Unsure, but if it can either make an automatic connection or integrate via pre-logon authentication module (PLAP) hooks, it should work.
Windows Autopilot Hybrid Azure AD Join // VPN clients
Expected to work:
• Cisco AnyConnect (Win32 client): “Start before logon”
• Pulse Secure (Win32 client): “Credential provider”
• GlobalProtect (Win32 client): “Pre-logon”
• Checkpoint (Win32 client): “Auto Connect / Always Connected”
• Citrix NetScaler (Win32 client): “Always On”
• SonicWall (Win32 client): “NetExtender On Startup”
• In-box Windows VPN client: a per-machine profile created with one command (-AllUserConnection is a switch and takes no argument):
  Add-VpnConnection -Name "Contoso" -ServerAddress contoso-vpn.guest.corp.microsoft.com -TunnelType Automatic -AllUserConnection -Force -AuthenticationMethod MSChapv2 -EncryptionLevel Optional
Windows Autopilot // Hybrid Azure AD join process
Diagram: the AD-joined computer talks to the DC; AAD Connect sync carries the device to Azure Active Directory; the device registration certificate is exchanged between the device and Azure Active Directory.

User-Driven Hybrid AAD Join
• Connect to a network
• Authenticate to Azure AD
  • Password-less with phone sign-in
  • Authenticate with FIDO2
• Enroll in Intune
• Perform offline domain join
  • VPN support (implemented in 2004, backported to 1903+)
• Track progress with the Enrollment Status Page
  • Policies
  • Apps (Win32, MSI, UWP)
  • Certificates
  • Network, VPN connections
Windows Autopilot
Self-deploying mode (preview)
How would you use Autopilot to deploy…
• Multi app kiosk
• Shared PC
• Digital signage
• Single app kiosk
• VDI clients

Self-Deploying Mode (preview)
• TPM attestation to authenticate to Azure AD
• Enroll in Intune
• Track progress with the Enrollment Status Page
  • Policies, including Kiosk profiles
  • Apps (Win32, MSI, UWP)
  • Certificates
  • Network, VPN connections

General availability in CY21
Windows Autopilot
for existing devices

Windows Autopilot for Existing Devices
• Support for Hybrid Azure AD Join
• ConfigMgr task sequence to deploy Windows 10
  • No state migration
  • Data is already in the cloud with OneDrive for Business
  • Reformat drive, apply image, inject drivers
  • Drop in AutopilotConfigurationFile.json
• Standard user-driven process once booted into Windows 10
Windows Autopilot
Pre-provisioned Deployment (PPD) (aka White Glove)

Windows Autopilot // Today
Windows image and drivers -> Apply apps, settings, policies

Windows Autopilot // Pre-provisioned Deployment (PPD) (> W10 1903)
Windows image and drivers -> Device apps, settings, policies -> User settings, policies; User apps

First, the technician does the pre-provisioning work
PPD technician flow
• Press Windows key five times to start
• Choose Windows Autopilot provisioning option
• Confirm settings
  • Configure user with companion app, refresh
  • Configure group tag, computer name with companion app
• Click provision to start
• Reseal when done
  • Green screen for success, red screen for failure
Pre-provisioned Deployment
Once you click Windows Autopilot provisioning, a QR code appears
• Download the Windows Autopilot Companion app from GitHub and scan the QR code
• Only needed if you want to track externally or make changes to the device configuration
Pre-provisioned Deployment
Device-targeted apps and policies are being applied
• Depending on the number of Win32 apps targeted to the device, this could take a while
• This will change from Getting things ready…

Pre-provisioned Deployment
User-targeted apps and policies (if applicable) are being applied
• Depending on the number of Win32 apps targeted to the device, this could take a while
• This will change from Getting things ready…
• To Working on it...
• To Still working on it…
• And then to Complete
Pre-provisioned Deployment
White glove provisioning is complete
• Reseal the device and ship to the end-user

Now the device (with all apps, updates, and policies applied) can be shipped to the user…
Then, the user quickly finishes the process
PPD user flow
• Standard user-driven process
  • For Azure AD Join: Enter credentials, go through device and user ESP
  • For Hybrid Azure AD Join: Enter AD credentials to sign in, go through user ESP
Windows Autopilot // Cross-scenario features
• Enrollment status page (AVAILABLE in 1803+): Track progress of policies, certificates, Win32, MSI and UWP apps, Office. Coming soon! Improved performance; disable for Nth users; options for skipping user ESP, targeting users and computers
• Device lifecycle management (AVAILABLE in Intune): Register and de-register devices; edit group tags; assign computer names. Coming soon! Integration with ConfigMgr
• Reporting and monitoring (AVAILABLE in Intune): See information about Windows Autopilot deployments. New! Windows Autopilot deployment report. Coming soon! Windows Autopilot log collection
• Windows and device config (ONGOING): Make it easier to set up Windows 10 defaults, features, firmware configuration, etc. New! DFCI firmware configuration. Planned! Remove list of in-box apps; add language packs and features
• Delivery optimization (ONGOING): Cache content so it doesn’t need to be downloaded repeatedly from the server; Microsoft 365 Apps for Enterprise install support; Connected Cache
• Windows Autopilot update (AVAILABLE in 1903+): Automatically install the latest Windows Autopilot features and updates; Windows 10 1903 (September KB4517211+) or later. Planned! Automatic discover for Preprovisioned Deployment
Windows Autopilot // Deployment report
New Windows Autopilot deployment report showing results, duration
Resources
Solution website: aka.ms/endpointmanager
Zero-Trust overview (includes eBook): aka.ms/zero-trust
How-To documentation #MSIntune: aka.ms/device-security-docs
Co-management of Windows 10: aka.ms/comanagement
Zero-Trust device mgmt. overview: aka.ms/zero-trust-device

© Copyright Microsoft Corporation. All rights reserved.
