'Autopilot in the Real World' is the topic of the second episode of 1E's Modern Endpoint webinar series. Amy Collins from 1E and my friend and fellow Microsoft MVP Petri Paavola hosted this 45-minute discussion about real-world Autopilot implementations.
Petri is an expert on this topic because he has been doing cloud-based Windows 10 management for years, and he also has long experience with traditional Windows management using on-prem technologies. Thus, he can compare the real pros and cons of traditional OSD and Autopilot with authority. Petri gives an excellent five-minute intro to the basics of the Autopilot process. The main idea is to make Windows deployment as easy as smartphone enrollment.
The key concept is that, with Autopilot, the enterprise trusts the Windows image the OEM provides. Thus, you need to get a "clean" image without additional trial software. The major OEMs provide the clean image either free of charge or for an additional price. At the same time, you trust the drivers and the BIOS versions and settings the OEM ships with the device.
Petri correctly emphasizes that you need to think about all device lifecycle states when moving from traditional OSD to Autopilot. The initial OS deployment is only part of the solution. You also need to figure out how to recover from PC hardware problems, as well as how to onboard new employees easily, even in remote locations.
While Microsoft is heavily marketing Autopilot, it is not suitable for all situations. Because Autopilot requires Azure AD, you cannot use it in on-prem AD-only environments. Autopilot supports Hybrid Azure AD Join (HAADJ), where the device is joined to on-prem AD and is also registered to Azure AD. Microsoft doesn’t recommend HAADJ with Autopilot, and HAADJ adds complexity to the Autopilot process.
From a security perspective, Petri points out the implications of opening a command prompt during the Autopilot process (F8 or Shift+F10, depending on which phase the process is in) and how you can disable that.
The non-technical aspects of Autopilot are also important. People normally like the things they are knowledgeable about, and many IT professionals have a deep understanding of current OSD. They might be hesitant to learn the new technologies and afraid of how it affects their careers. All IT professionals who work with Windows management should know the possibilities and limitations of cloud management, so that they can evaluate the scenarios in which cloud management is a better option than traditional on-prem management.
"If [current internal IT] don't do it, someone else will" - Petri Paavola
Petri's point here is very valid. Cloud management also affects ISVs like 1E, who need to have products that seamlessly work with cloud-managed environments to be relevant in the future.
Autopilot is only one piece of the puzzle. The main challenge is the rest of the management. If you move from on-prem AD/ConfigMgr OSD to AAD/Autopilot/Intune, you need to figure out how to implement all your GPO settings, including security settings, with Intune, how to deploy all the applications with Intune, and so on.
Co-management, where the same Windows 10 device is managed by both Intune and ConfigMgr, is one option. You can then deploy existing ConfigMgr applications to the devices without needing to re-create them in Intune. Intune doesn't have a great inventory, so ConfigMgr inventory and reporting add a lot of value. ConfigMgr collections, backed by that better inventory capability, provide a much more granular way to group devices when targeting policies and applications. This flexible targeting is one of the benefits ConfigMgr still offers in the modern world.
Testing Autopilot is a relatively easy and fast process if you have the necessary equipment available. For the basic operations, virtual machines are enough, but some features, like pre-provisioning/self-deploying mode, require physical hardware with TPM 2.0 and a wired network connection. Petri's estimate that you can test Autopilot within one working day is pretty accurate.
One Autopilot area that was not covered in the webinar is how Autopilot affects networking. Because Autopilot is a cloud service, it needs a fast internet connection. You also need to evaluate peer-caching technologies like Delivery Optimization to minimize the load on the internet connection.
Another aspect to remember when comparing OSD and Autopilot is the speed of the process. The Autopilot process is divided into two main phases:
When using Autopilot pre-provisioning (white glove), the machine-specific part is done in a separate process. Sometimes pre-provisioning is not possible; the user must then also wait for the machine-specific tasks, and Autopilot can easily take hours. If the device is pre-provisioned, the user experience is much faster. Traditional OSD might still be faster, because local network performance is usually much higher than that of the internet connection.
1E's Modern Endpoint Series contains interesting technical, not marketing, webinars for anyone doing endpoint management. 1E has done a great job finding the right experts for the series, like Petri Paavola for Autopilot.
Even though you cannot cover all the Autopilot-related gotchas in 45 minutes (hopefully there will be a sequel!), the webinar is highly recommended if you are planning to use Autopilot or are already using it.
If you're keen to see the webinar for yourself, you can watch it on-demand today! Be sure to keep your eyes peeled for the next blog in this series in the upcoming weeks, and check out the first in Panu's reviews, 'Modern Policy Management for Windows 10', here!