Is Windows Autopilot worth the effort?!

  • Published: 3 Aug 2024
  • In this video, Dean takes a look at whether Autopilot is worth the effort! We look at both Autopilot and Non-Autopilot devices, side-by-side.
    Use this link for an exclusive youtube discount on the full course:
    www.udemy.com/course/learn-au...
    Dean Ellerby is a Microsoft Enterprise Mobility MVP, Certified Trainer, Organiser at CloudManagement.Community, Contributor at Petri.com, Pluralsight Author and a Senior Cloud Security Architect. He's on Twitter @dean_ellerby. Any views or opinions expressed here are his own.

Comments • 38

  • @rometheis 2 years ago +9

    My 2 cents.. Autopilot aside from Azure AD join, as mentioned streamlining the user setup process, apply security policies, but for us the biggest part is the rolling out of apps and settings. Autopilot allows the easy deployment of systems without IT being at deskside.
    Business case.. we are moving an 80-people client to an Azure VDI multi-session setup and all their workstations are going to be wiped and turned into "thin-clients". We want Autopilot post OSDCloud setup to be able to log in and have core apps installed and users being given the appropriate access.. Autopilot is our champion :) to streamline simplicity of rollout at the endpoint level :)

  • @GregThomson 2 years ago +3

    Using AP with AAD join and love it. Great for redeploying the same device for a new remote staff member.

    • @GregThomson 1 year ago +2

      Also very good for asset management. AP guarantees the device stays in your inventory throughout the asset's lifecycle.

  • @xxjarrodxx2007 1 year ago +1

    Thank you as well!

  • @patrick__007 1 year ago +1

    Haha. I loved this video! Thanks

  • @jamesa4958 1 year ago +1

    Thank you very much

  • @danpowell7421 2 years ago +3

    Interesting video, great stuff :)
    Working for an MSP, Autopilot is more of a selling tool for us. We make a big song and dance about shifting a potential new client to the cloud and any new device just works out the box. For the client, it's quite cool.
    In my mind, there are only two real benefits of Autopilot
    Users won't have local Admin rights.
    The machine is enrolled into their tenant.
    Autopilot lost some of its magic, for the end user, when they got rid of the personalised experience

  • @alexfair 1 year ago +2

    Hello, thanks for the video. I think you missed one major area of Autopilot enrollment. Yes, you can adjust the user's enrollment like you mentioned, but there is the administration side of enrollment. Autopilot forces the administration task of logging, assigning a user, device groups… etc. If you are a business you want this. I call it chain of custody.

  • @leonidasperez93 1 year ago +1

    I work at a school and we re-image all the returned laptops, so Autopilot is a must for us since laptops already get the same policies we assigned to them.
    But if you are not gonna be re-imaging devices on a regular basis, I would not even bother.

  • @NazidKimmie 2 years ago +1

    I think in my situation half the battle is really getting the buy-in from our service techs who are so used to the 'relative ease' of the old PXE boot Task Sequence provisioning method. For new devices it's so much easier provisioning and getting it ready - otherwise any new hardware I have to get drivers etc... so socializing new hardware is a pain. Sure, at the moment our implementation for various reasons isn't much quicker than the PXE method, but with new models it does seem to be marginally quicker. Some techs have taken to it like a duck to water, others need a bit more persuasion - to improve it we need them to use it and we can iron out the issues... Great video and a pertinent question!

    • @theCMC 1 year ago

      “If you want to build a ship, don’t drum up the men to gather wood, divide the work and give orders. Instead, teach them to yearn for the vast and endless sea.” - Antoine de Saint-Exupéry :-)

  • @HANEEF95 2 years ago +2

    Thank you! Nice insight!
    So, how about if it's a laptop purchased from a local store with Windows 10/11 Home pre-installed... Will those devices be allowed to sign in to (Azure AD) (work/school account)?
    And once the user signs in, we apply policies on Intune for:
    Upgrade to Windows 10/11 Pro
    Join Hybrid AzureAD/AD
    Push apps
    Push policies
    EPP/BitLocker Encryption
    and etc..?

    • @theCMC 1 year ago

      Home Editions aren’t supported, but other than that - yes.

  • @summoner2100 2 years ago +3

    Haven't done a Windows 11 like the examples. But from my experience, Windows 10 gives you the option to set up as personal. So it will skip enrolment, which a user can do in non-Autopilot.

    • @breakinggames6356 5 months ago

      That's because this man in the video used Enterprise or Education, which doesn't have normal setup, but most PCs run Pro or Home, so this is more for Windows Pro devices so the setup is more automated like what can be seen in the video.

  • @maxpowers156 1 year ago

    How did you get the icon for your org to show up on the Autopilot device? My devices are Autopilot enabled and I don’t see it even though I have the icon set up in Azure?

    • @frankfix247 1 year ago

      Tenant Administration -> Custom Branding is probably what you're looking for.

  • @MrMarcLaflamme 2 years ago +3

    Doesn't AP also let you have machines be flagged as corporate and not personal, in case you have conditional access configured for both types?

    • @theCMC 2 years ago

      Yes, correct. Although you can set that manually in the portal once enrolled.

    • @MrMarcLaflamme 2 years ago +2

      @theCMC There has to be more to it than this! I spent all that time getting it working and now am wondering the same as the person who asked the question.

  • @420isMySweetHoney 1 year ago +2

    Isn't a large selling point of Autopilot... Autopilot reset?

  • @jgould30 1 year ago

    Idk, I run a hybrid AAD environment and so I've never had an experience where someone was ever an Admin. Also Autopilot and hybrid AAD definitely work fine if you want it.

  • @CGRealStudios 1 year ago +1

    I work for Microsoft as an Intune SME and the biggest reason companies leverage Autopilot is for zero touch deployment, the ability to let the machine install configurations and Apps during the provisioning state

    • @theCMC 1 year ago +2

      Hmm… but my point in the video was that, even without Autopilot, those things still happen. Config and Apps still install during first login.

  • @alistairfreedom2456 1 year ago +1

    Autopilot allows an admin to pre-approve/auth the hardware to become 'corporate' owned. This is great when you want to limit any computer hardware being AAD joined.

  • @marquisdavis9861 2 years ago +1

    So are you saying just add the machine hash into Intune and then once it’s added, as long as the user has an AAD account, the user can log in while also allowing the Intune admin to manage the device? I guess if the company is 100% cloud it may work 🤔

    • @TaiwaneseEvelynn 2 years ago

      You can also HAADJ during Autopilot, on-prem and over VPN. HAADJ Autopilot takes longer in my experience, due to waiting for ADConnect sync, but you can add a skip device ESP URI (I've heard this causes issues down the road so I largely skip this).

    • @theCMC 2 years ago +2

      I was suggesting (on the left VM) that most of the stuff people love about AP is actually AADJoin + ESP + MDM (Intune).
      You don’t need to add the device to Autopilot for the Azure AD join to work, nor for Intune to automatically manage the device, or even for Intune Admins to manage and have local admin on the device.

    • @sieffy91 2 years ago +1

      @TaiwaneseEvelynn Agreed, you should really stay away from hybrid Azure AD joining a device with Autopilot unless absolutely necessary.

    • @JLALALALA 2 years ago +2

      We’re a large global enterprise organization and we made the decision at the beginning of the pandemic to invest our time in Autopilot. But for complex reasons we needed to do this as hybrid AAD for now. Eventually we’ll go to AAD. We’ve spent more than a year on getting this process working right in our test environment and in our tenant in a limited scope. We’re just about ready to start real production testing. While it hasn’t been easy, I will say it has been worthwhile and so far every problem has been solvable.
      We aren’t expecting to simply hand a laptop to an end user and let them sign in wherever they are for the first time. We require the device to be joined to on-prem AD. We require the local admin account to have LAPS set and that the user account be a standard account. We require BitLocker running and the recovery key be uploaded automatically to the object. We require a lot of compliance and configuration policies that need to run and our security software be installed through the ESP before the end user ever touches this. And that’s ok. We have this working through Autopilot now in under 35 minutes including domain join and hybrid AAD registered.

    • @fbifido2 2 years ago

      @JLALALALA That sounds like something every company wants to do, but the fear of the cloud is ...... anyway please blog/article your experience and share it.

  • @strikesbac 2 years ago +4

    The main factors driving us to Autopilot were by default creating a standard user account. Theft or loss of equipment, Autopilot devices even if wiped will come back up to the enrolment page. Pre-provisioning apps, aka white glove. I will say MS has made a complete hash of Autopilot with hardware vendors, especially when you compare it to something like ABM/DEP.

    • @JLALALALA 2 years ago

      This is true, ABS/DEP is much more advanced. We’re at the point now of working with our vendors and our global purchasing department to get all future orders added automatically, but one big issue for us is getting existing on-the-shelf inventory into Intune and that’s a work in progress. We’ll probably be able to get our vendors to do it because we buy in such large quantities, but if we face any type of delays we risk having our techs start grabbing and using these products. It’s like trying to hit a moving target at 100 paces.

  • @JLALALALA 2 years ago +3

    I feel like Microsoft ought to rename autopilot. It’s kind of a meaningless word now, at least in the context of what their original intent was don’t you think? A better choice might be a word closer to what most of us are setting up our autopilot systems to do: OOBE, the Out of the Box Experience. OOBE is agnostic; it doesn’t matter if you select AAD or HAAD. It doesn’t matter what type of settings under each of these are selected. The OOBE is what drives everything.

    • @JLALALALA 2 years ago +1

      Of course I’m being semi-facetious. 🤣🤣🤣

    • @theCMC 2 years ago +2

      Agreed. Perhaps Defender for OOBE would be a good choice?

  • @derekbelanger7839 1 year ago +1

    looooooool!