Get Users Working Faster with Windows 10 Autopilot White Glove Provisioning

Screen Shot 2015 10 12 at 9.03.51 AM.png

Part of Microsoft’s modern management initiative for Windows 10, Windows Autopilot is a suite of technologies designed to simplify the setup process for new and existing devices. When combined with the Windows Autopilot Deployment Program, which enables OEMs and distributors/resellers to link devices to organizations’ Azure Active Directory (AAD) and Intune Mobile Device Management (MDM) services, a new device can be provisioned by the user out of the box rather than having IT do all the heavy lifting. This means that a device can be automatically enrolled in Intune, transformed to Windows 10 Enterprise, local settings/security applied, Office 365 ProPlus, and line-of-business apps installed all without intervention by IT.

Furthermore, if a machine does run into an issue with software corruption or a similar problem during its lifecycle, Autopilot Reset allows the machine to be reset to a known good configuration while maintaining the MDM management and AAD connection state. Autopilot’s main task is to enroll devices with Azure AD or Windows Server Active Directory using Hybrid Azure AD join, and then auto-enroll with an MDM service. MDM then takes over to configure the device as specified by the IT department.

Windows Autopilot Deployment Scenarios

There are several different ways that Autopilot can be used. User-driven mode transforms Windows 10 devices from their initial state to a ready-to-use business configuration without involvement by IT. Users turn on their new device, choose a language, locale, and keyboard; connect to either a wireless or wired network; and finally specify an organizational email address and password. Autopilot takes care of the rest. User-driven mode for hybrid Azure AD join is supported on devices running Windows 10 1809 or later.

Other deployment modes include Self-deploying mode, which is for AAD only and is intended for devices that will be shared, used as a kiosk or for digital signage. Autopilot Reset does what it says on the tin and redeploys devices in a business-ready state. And support for existing devices provisions Windows 10 1809, or later, on existing devices running Windows 7 and Windows 8.1 in user-driven mode.

Windows 10 1903 Introduces White Glove Deployment

Starting in Windows 10 version 1903, the May 2019 Update, organizations can use white glove deployment with Windows Autopilot. From the user’s perspective, white-glove deployment works the same as user-driven mode but there are three key differences:

  • WIFI connectivity isn’t supported. Devices must be connected to a wired network.
  • IT, partners, or OEMs must perform the pre-provisioning process before handing devices to users.
  • The end-user part of the provisioning process is faster so users can start working with their devices sooner.

White glove deployment splits the provisioning process so that the time-consuming parts are performed by IT, partners, or OEMs, and don’t happen during the user part of the process. Standard user-driven deployment provisions apps and device settings during the user part of the provisioning process.

Figure1 3
Windows Autopilot user-driven provisioning (Image Credit: Microsoft)

But white-glove deployment configures device apps, settings, policies, and user apps during the OEM/Partner/IT phase and leaves just user settings and policies to be deployed during the end-user phase.

Figure2 1
Windows Autopilot white glove deployment (Image Credit: Microsoft)

Windows Autopilot White Glove Prerequisites

Before you can use Windows Autopilot white-glove provisioning, there are some prerequisites to meet. Windows 10 1903 or later is required and an Intune subscription. Virtual machines are not supported, and physical devices must support TPM 2.0 and device attestation. And as previously mentioned, a wired network connection is required. White glove provisioning only works with user-driven scenarios and both Azure AD and hybrid Azure AD join are supported.

Windows Autopilot White Glove Pre-Provisioning

The white glove deployment pre-provisioning process applies all device-targeted policies from Intune, including certificates, security templates, settings, apps, and anything else targeting the device. Apps configured to install in the device context and targeted to the user that has been assigned to the device also get installed. During pre-provisioning, configuration changes can be made in Intune, like assigning a user and adding the device to groups for app and policy targeting. At the end of pre-provisioning, devices are resealed ready for shipping to users.

Pre-provisioning doesn’t require access to on-premise Windows Server Active Directory in a hybrid Azure AD joined deployment scenario. The device is resealed at the end of pre-provisioning before a reboot would normally occur. Only during the reboot phase is domain connectivity is required. But in a white glove provisioning scenario, the device is already in the user’s hands during the reboot phase.

Windows Autopilot white glove provisioning gives organizations another option when using modern management with Windows 10 and should be useful in scenarios where users demand access to new devices faster. For more information on white glove provisioning, check out Microsoft’s website here.