Windows Autopilot: What it is and how it works

[Music]

Hello and welcome to Microsoft Mechanics Live! Today we're going to take a look at Windows AutoPilot deployment service, a new cloud service that Microsoft provides for your organization's IT to completely do hands-free, zero-touch deployment, deploying Windows 10 devices. We're gonna show you how Windows AutoPilot enables IT to accelerate deployment of new Windows 10 devices on PCs as you transition to modern management. And my partner in crime today for this show is Sidd Mantri, the genesis of the idea for doing Windows AutoPilot deployment service. Welcome.

Thank you, great to be here, Jeremy.

All right, so since it was your idea, what is Windows AutoPilot all about?

So when you think about refreshing a computer or upgrading the OS, from an end user's point of view or from an IT point of view it can be a fairly challenging experience. What we're trying to do with Windows AutoPilot is simplify that experience. You know, we're all gadget enthusiasts. I love the idea of getting a brand-new shrink-wrapped machine, I love that plasticky smell as soon as I open the box, and we want to be able to extend and amplify that experience to every user so that getting a new computer can be this delightful experience. You know, there's something refreshing and magical about opening a brand-new computer, powering it on, and the computer just knowing who you are and what you need to do and getting you up and running within just a few clicks. This is exactly what Windows AutoPilot does. It brings together Windows 10, Azure AD, Intune and Office into a seamless, cohesive experience, and in many ways Windows AutoPilot truly embodies the essence of Microsoft 365.

Now, we've had lots of ways in the past to deploy Windows, hydrate all the different apps and drivers and things we want to do. How is AutoPilot different from what we've been doing?

So today when IT needs to get new devices deployed, typically they'll set up a device, get all of their settings, policies, drivers, applications, and create what we call a custom
golden image, and then after that, every time a new device needs to be deployed, they wipe and reload the Windows that comes pre-installed on the device with this golden custom image. This process is fairly complicated, it's expensive, it costs time as well as money, and Windows AutoPilot essentially makes all of this process get streamlined, wherein you don't need a golden custom image anymore.

Right, I bet everybody here is familiar with this. I was doing Windows deployments even before I started at Microsoft and I always thought that some of the automated stuff was super cool, but we can make it different, so we can make it even better. So how is Windows AutoPilot different than what we're doing today, even if we're heavily automating stuff?

Well, with Windows AutoPilot there's no need to reimage the device. When we built Windows 10, it was built ground up in a way where it's highly malleable and ductile, and so you can easily morph the Windows that comes pre-installed on an OEM machine into your organizational settings and policies, so that it's compliant with what you need for your organizational users to be productive and get working. IT doesn't have to intercept the machine, they don't have to touch the device, they don't have to wipe and replace it, they don't have to manually provision the device before they hand it out to users.

They have to use Sysprep, like this guy's got here on the screen. So how does it work then? What's involved in terms of getting all of this up and running?

It's a fairly simple process. Effectively, AutoPilot involves three primary entities: the first one is your device vendor, the second one is your IT admin, and the third one's your user. The process involves just three simple steps. When you purchase your new devices, your hardware vendor will automatically register the devices you purchase into the AutoPilot service. We'll make it possible for the hardware vendors and OEMs to automatically register these devices. Once that's done, your organization has claimed
ownership of the device. Then the IT admin can go to the AutoPilot service portal and configure what deployment configuration you want and what setup experience you want, and customize that. Once you've done that and assigned that profile to the devices that your organization owns, then all you have to do is just get that device directly shipped to you, and the user just unboxes the machine, powers it on, connects it to the network, and they get set up in an extremely easy fashion with just a few clicks.

Now what happens when the user actually receives the device and it arrives at their home or in their office?

Yeah, all they need to do once the user gets the machine is power it on, connect to the network, and then enter their Azure AD credentials, and everything else goes into autopilot mode.

And Azure AD credentials, you just mean their email address, and kind of on any network, right?

That's right, just their email address and password, and the beauty is you can do this on any network. So let me show you what this looks like. This is a standard Windows 10 out-of-box experience. I'm just gonna connect to a network. Now, as soon as I connect to a network, and you can be anywhere in the world, you could be sitting in Starbucks, you could be in your office, you could be at home, the device connects to the AutoPilot service and automatically recognizes the fact that this device is registered to your organization, and gives you this highly customized and personalized sign-on experience where you see the logo of your organization, you see the name of your organization, and that way the users are sure of the fact that clearly you're on the right path. You can't be going wrong when the device is magically telling you, oh, you're supposed to be this organization's machine. Now all I need to do over here is just enter my email address and password, and once I've authenticated, the device is going to automatically go register in Azure AD, it is going to enroll into Intune, Intune is gonna push my line of
business apps, it's going to install my Office apps, and the device is ready for productivity.

And it works on any network, even captive networks you could have signed in with if you're at Starbucks or somewhere else, it all works?

That's right. As of the Creators Update, that's the 1703 release of Windows 10, we support captive portals in the out-of-box setup experience.

Very cool. So what about organizations that don't want their employees to be admins? Because normally when you go through the out-of-box experience, or OOBE, the first account is a local admin account.

That's right. Now, most organizations don't want their users to have admin privileges on corporate-owned machines, so using Windows AutoPilot you can actually configure that profile so that the user doesn't have admin privileges. So you look at this device: Anna is not an admin, otherwise it would say admin right over there, and if you look at the Iranian role meant you'll see that text in red which clearly says that she's not an administrator, although she was the first person to have ever set up this machine. This is the only way you can go through the setup experience, which is out-of-box with Windows 10, and end up with a user who's not an administrator on the device.

So we've been live with the service now for a couple of months. Which hardware vendors and organizations are on board with using this process?

So we've been working with most of the OEM customers and the OEM partners across the ecosystem, and we're really happy to announce at Ignite that Lenovo, HP, Panasonic, Toshiba, as well as Fujitsu, in addition to Microsoft Surface, have announced the plans for integrating into Windows AutoPilot, and they expect to bring this alive in early 2018.

Very cool. So anybody using any of these hardware vendors, all right, not bad. So this will make it really easy then in terms of getting this up and running and making sure they can actually register those devices for ownership of the organizations that are purchasing in bulk, for example.

That's
right, and what we're seeing really is that Windows AutoPilot has become the catalyst which is not only triggering the hardware refresh into Windows 10, but it's also becoming the trigger for organizations deploying and upgrading to Windows 10, as well as modernizing their management and moving to the cloud for cloud-based management.

Right, so this stuff's all starting early next year, but what if I want to get my hands on it now and start kind of configuring devices that I already own so that they can recognize the Windows AutoPilot deployment service, and we can start testing the service and the MDM auto-enrollment and everything else?

Yeah, we make this really easy. So if you have a device that's running Windows 10 Creators Update, so 1703 or higher, we have a PowerShell script that you can run on this machine and it'll extract that hardware hash, or what we refer to as the device ID. You can take those device IDs, go to the Microsoft Store for Business portal that hosts the AutoPilot experience, and upload these device IDs that you extract using the PowerShell and claim ownership of those devices, and from there onwards you can start configuring your AutoPilot profile. And actually all you need to do is just reset the machine and you will get the AutoPilot experience from there onwards. This also works in virtual machines, so it's very easy to try out. We have hundreds of customers already piloting it.

And one tip that I found while I was testing all of this out is, if you run the command to compute your hardware hash, you can do that via PowerShell, but it's going to return something that's four thousand plus characters, 'cause you want to make sure it's a unique hardware ID and hardware hash for that device. So if you do a copy-paste out of the PowerShell and try to insert that into a CSV, it doesn't work. So use the CSV output switch, effectively, as part of that PowerShell script, which is all documented here in the site that Sidd's got on the screen, and then that way you make sure
that it's gonna work. It's a very, very long string that we're calculating as that hash.

That's right. There's a couple of options for running the script and extracting your hardware hashes. You can run the script remotely, 'cause we have a WMI API that spits out the hardware hash of the device. This is built inside Windows, and you can stitch together a CSV file that contains the hardware hashes of all of your devices and then use the Store for Business portal to upload those devices and claim ownership of those devices.

Very cool, and you can start building deployment profiles and those types of things in the Windows, or sorry, the Store for Business as well, right?

That's right.

So can organizations then use traditional Active Directory when they're using AutoPilot? Does that work when you're not on Azure AD?

Yeah, that's a question that's very, very frequently asked. AutoPilot was really built and meant for modernizing the management of Windows 10 devices using the cloud, so with that in view we built AutoPilot to start with for supporting Azure AD joined devices. But we understand many organizations cannot move to Azure AD joined devices immediately because they have existing infrastructure and investments in local Active Directory domain joined devices. So we're gonna make it possible, we're working on this right now, we will make it possible very soon to take a brand new computer out of the shrink-wrap and actually use AutoPilot to get it deployed in a state where it is local Active Directory domain joined, managed by SCCM as well as co-managed by Intune, all of it together. In the history of Windows, this is the first time that you can use the out-of-box experience to automatically get the device local Active Directory domain joined.

Very cool.

Let me show you what that's gonna look like. So this is a world-first kind of prototype demo. I'm just gonna enter my Azure AD credentials. They could be your Active Directory credentials that have been federated and connected to Azure AD.
Now, if you've configured your device for doing what we call hybrid Azure AD join, which is local Active Directory domain join connected to Azure AD, you know, what's gonna happen right now is an offline domain join blob was already pre-generated for this machine. It's gonna land on the box right now through AutoPilot, and we're gonna apply that offline domain join blob. The second thing that's going to happen is the device is already enrolled in Intune, so Intune is gonna install a device VPN on the client so that it can connect to your corpnet and connect to your domain controller, which means you can be anywhere in the world. As long as you're connected to the Internet, you can get your device domain joined to your local Active Directory.

Now that's cool too.

And then, so that we can get the offline domain join blob applied, the device is gonna reboot. As soon as it finishes rebooting and it comes back, we're gonna connect to your corporate network and access your domain controller using the VPN that was installed by Intune prior to the reboot. As soon as that happens the domain join action is complete and the rest of the flow is just familiar: you can log in now with your domain credentials, with your local domain credentials. The other thing we're doing is, a lot of customers have given us feedback that they want to define a min set of policies and settings that they want to make sure land on the machine before the user can access the desktop.

Right, like your policy login scripts, kind of equivalent.

Yep, except these will not be as slow, or they will not impact performance, because they're coming from the cloud and use Intune and the MDM platform. So we'll give you the ability to define your minimum set of policy settings and app configuration, and until all of those land on the machine, the device is going to be in this state where it's showing the progress that Intune is making configuring your machine, but the user will not be able to get to the desktop unless all of those policies and
settings have applied.

Yeah, whereas in group policy login you might just have this login screen and the circle of hope going a long, long, long time, and then finally it logs in. But this gives you some indication what's happening.

That's exactly right, and it also guarantees that by the time your users get to the desktop they have everything they need available and they can get productive right away. So in this case what you're gonna notice is all of my Office applications as well as my line of business applications are installed before the user actually has access to the desktop.

So we just saw, I mean, that's what you just saw, you just saw offline domain join. How cool is that? Come on. So I know you've got some more secret kind of new stuff to show us, so what else are you working on?

Yeah, so the one thing I want to cover is this concept of co-management that we've introduced and launched and announced at Ignite. Effectively what it means is, this is kind of two islands we have as far as management goes. There's devices to the right side which are traditionally managed using SCCM, whereas you may have devices which are managed using Intune or using cloud management. With AutoPilot, what you can do is you can get a device which can be automatically, over the air, from anywhere in the world, deployed in the traditional state, but it will be co-managed, and so it's managed by both SCCM as well as Intune. And if that works for you, that's available. But if you want to go straight to the cloud, you can have your device just do Azure Active Directory domain join and Intune management. But additionally, what we'll also enable for such devices is, with the upcoming release of System Center Configuration Manager, you can have these Azure AD joined devices which are cloud managed also be ConfigMgr managed, and that way you have the flexibility to move your workloads from your on-prem Config Manager infrastructure into the cloud at your speed and at your pace, as and when you feel
you're ready for it.

Very cool. We just had a show on co-management with Brad Anderson we published to the Mechanics site that I was just showing, just this week, so if you want to get more information on co-management, check that out. So I know that you're doing even more stuff, so why don't you show us what else you're cooking up?

Yeah, there's a lot of innovation coming in to AutoPilot over the next year or so. I'm going to talk about three big ones that we're really child about. The first one is, some of the highest amount of feedback we've received is to have the ability to use AutoPilot to set a device name schema so that the devices have a predefined naming convention, so we're going to bring that capability to AutoPilot over the next year or so. The second thing that we're really excited about is this thing we call Windows AutoPilot plug and forget. So imagine you're a retail store who wants to deploy a kiosk; your customers want to access this kiosk and, you know, scan barcodes or whatever.

Okay.

Deploying such devices can be a pretty big headache because some IT expert has got to go to that retail store and get it all set up.

Right.

We try to simplify this process using AutoPilot by implementing what we call plug and forget, and it's really simple. All you've got to do is plug in an Ethernet cable or connect your device to a network and power on the machine. That's it, like, there's nothing else required. So let me show you what that's gonna look like. So I power on the machine, just assume for now the Ethernet cable's plugged in. AutoPilot is gonna recognize the fact that, oh, this device is configured for plug and forget, so it's gonna prompt you, saying, hey, Contoso is gonna configure this machine. All I have to do is click Next. As soon as I do that, the device is gonna go register in Azure AD, it's gonna get enrolled into Intune, Intune is gonna push all the policies, all the security policies as well as applications, and the device is gonna just launch itself
as a kiosk. There is no need for any technical body to come to the retail store and enter their credentials.

Like, the device did not ask for... I didn't have to go and hit F12 and PXE boot it and get an image on. You just were actually booting into the OS and it detected there was something that it needed to do.

And this can be done by anybody in the store. Like, that person doesn't even need any Azure AD credentials, doesn't have to be on the corporate payroll, doesn't have to have a corporate account, and what this means is our devices have now become what we call self-configuring machines. They just configure themselves.

Right, so you've done some more work, because now that you've got that capability and you can actually imprint, kind of, and brand that device with your hash that belongs to your organization, maybe Contoso, you can do other things with it.

Right. Now imagine this kiosk has been set up, and maybe it's a tablet device, maybe it's a portable device. One of the challenges we've had, especially with devices that are shared or communal, is those devices can very easily disappear. So the next feature we're really excited about is what we call tenant lockdown, wherein once this device has been deployed by your organization you can opt it into tenant lockdown. Once that's done, if this device disappears, either accidentally or intentionally, and someone's gonna try and reset the machine or install Windows all over again, when Windows comes back after you do a fresh installation or you reset, it's gonna require that you connect to a network. Let's assume the device is connected to a network. As soon as that happens, it recognizes it's locked to a particular tenant and the device is just gonna self-enroll itself into that tenant, into its management, and just come back as a kiosk. So it's not easily possible for a user to take this machine, if it's tenant locked, and use it for any kind of personal use. You can't set up a personal account, you can't do anything else. This machine is bound to
your organization. It's gonna do exactly what the organization wants it to do until the organization explicitly deprovisions it.

So you can release it if you do want to recycle it, or if you want to give it to some other organization that's going to maybe use it further or whatever.

That's exactly right.

Right, so very, very cool. So it's great to see a tour of all the different Windows AutoPilot deployment options, the whole program for IT, and even some stuff that's coming in the future. But where can people go to learn more?

It's very easy, you can go to aka.ms/autopilot we're and all the innovation we're doing with Windows AutoPilot.

Very cool, great to see. Of course, check out that link to learn more information. That's all the time we have for this episode of Microsoft Mechanics. We'll be keeping track of all the updates for Windows AutoPilot deployment and more, and we'll see you next time.

[Music]
Info
Channel: Microsoft Mechanics
Views: 96,324
Keywords: windows autopilot, windows 10, Cloud-based deployment, deployment, cloud, pc configuration, Microsoft, Microsoft Mechanics, demo, demos, demonstration, latest microsoft technology, latest microsoft tech, product review Microsoft Ignite, Microsoft Ignite 2017, Microsoft Ignite Orlando, AutoPilot, Windows 10, Co-management, OOBE, microsoft autopilot, niehaus, sidd mantri
Id: F6q2aYhbeu8
Length: 20min 19sec (1219 seconds)
Published: Tue Oct 03 2017