
Microsoft's Windows Autopilot?

MEM stands for Microsoft Endpoint Manager. Microsoft Intune was its previous name. 

MEM is a SaaS-based device management solution for mobiles, tablets, desktops, and laptops. Using MEM, you can deploy applications, policies, certificates, scripts, and other device settings. MEM includes the Windows Autopilot program, which allows us to assign deployment profiles and have devices delivered directly to users from most OEMs.

What are the benefits of using Windows Autopilot?

Pre-Provision Mode Deployment, for example, allows the local IT staff to pre-provision a device for the user.

MECM stands for Microsoft Endpoint Configuration Manager. System Center Configuration Manager was its previous name. MECM is an on-premises solution for managing laptops, desktops, and servers. Typically used to distribute applications, patches, operating systems, and other software.

A laptop or desktop that is managed by MEM and MECM is referred to as a Co-managed Windows device.



In Scope

·       Device installed with operating system Windows 10 x64 version 20H2 and above

·       Windows devices with TPM chip version 2.0 and above.

·       Application installation during Device Enrollment from MEM.

·       Policies and Certificates deployment during Device Enrollment from MEM.

·       On-prem Group Policies applied on WinMD Build

·       Ability to build a WinMD Build over the internet.

·       User login for the first time over the internet

·       Install all Core Applications over the internet


Out of Scope

·       User Applications and Patches targeted from MECM

·       WinMD Image deployed via MECM

·       Functionality and behavioral issues within the installed applications

·       Low Network bandwidth scenarios

·       Device Ordering and Shipment procedures

·       OS and Office 365 language packs.

·       Everything apart from the above mentioned In Scope


Pre-requisites for the Device Enrollment

·       Device OS minimum requirement: Windows 10 x64 version 20H2

·       Users should be assigned with EMS License

·       User's phone number to be correctly uploaded in the Active Directory

·       Device ID file to be uploaded in MEM

·       Users should have an active user account with e-mail address.

·       ‘Office’ field for user to be updated in AD with correct Site Code.

·       Device should have < 40 mbps with unlimited internet bandwidth.
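
The device-side prerequisites above (Windows 10 x64 version 20H2 or later, TPM 2.0 or later) can be checked before a device is handed over for enrollment. The following is an added example, not part of the original post; the function name `Test-AutopilotReadiness` is hypothetical, and it assumes an elevated PowerShell session because reading `Win32_Tpm` requires administrator rights.

```powershell
# Added example (not from the original post): device-side readiness check
# for the OS and TPM prerequisites listed above.
function Test-AutopilotReadiness {
    [CmdletBinding()]
    param(
        # Windows 10 version 20H2 reports OS build 19042.
        [int]$MinimumBuild = 19042,
        [version]$MinimumTpmSpec = '2.0'
    )

    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    # SpecVersion is a comma-separated string such as "2.0, 0, 1.38";
    # the first field is the TPM specification version.
    $tpmSpec = $null
    if ($tpm -and $tpm.SpecVersion) {
        $first  = ($tpm.SpecVersion -split ',')[0].Trim()
        $parsed = $null
        if ([version]::TryParse($first, [ref]$parsed)) { $tpmSpec = $parsed }
    }

    $build  = [int]$os.BuildNumber
    $result = [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        OsCaption    = $os.Caption
        OsBuild      = $build
        OsBuildOk    = $build -ge $MinimumBuild
        Is64BitOs    = [Environment]::Is64BitOperatingSystem
        TpmPresent   = [bool]$tpm
        TpmSpec      = $tpmSpec
        TpmSpecOk    = ($null -ne $tpmSpec) -and ($tpmSpec -ge $MinimumTpmSpec)
    }

    # Ready only when every device-side prerequisite is met.
    $ready = $result.OsBuildOk -and $result.Is64BitOs -and $result.TpmSpecOk
    $result | Add-Member -NotePropertyName Ready -NotePropertyValue $ready -PassThru
}

Test-AutopilotReadiness | Format-List
```

A device with no TPM, or with a TPM 1.2 chip, reports `TpmSpecOk : False` and therefore `Ready : False`.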

A Deep Dive into Windows AutoPilot Functions and Configurations


In this part, we'll go over the configurations available in MEM and the Windows Autopilot Program for managing Windows Autopilot Devices in detail. 

It also explains the two ways of enrollment used by users and the EUS team, as well as the OEM Vendors' instructions for performing the Windows Device Enrollment through Autopilot Program.

Windows Enrollment

Windows Enrollment is the section where we discuss in detail the configuration of the modules listed below. Apart from the applications, policies, and certificates we deploy from MEM, this section matters most, because the configuration done in "Windows Enrollment" largely determines the resulting Windows Autopilot device. We will specifically be dealing with the following 5 modules within Windows Enrollment:

1.     Automatic Enrollment

2.     Enrollment Status Page

3.     Deployment Profiles

4.     Devices

5.     Intune Connector for Active Directory


Login to MEM Console

●   To get to the Windows Enrollment module in MEM, log in to the MEM console and navigate to Devices -> Windows -> Windows Enrollment. You will see the screen below.

MEM Enrollment Page

1. Automatic Enrollment

When Windows devices join Azure Active Directory, we set them up to enroll automatically. The devices enrolled via Windows Autopilot are Hybrid Azure AD joined devices. The setup is already pre-configured; however, the MDM User scope must be set to "All" so that all users can complete the Windows Autopilot enrollment when they receive new devices for enrollment or intend to reset their PC, etc.



2. Enrollment Status Page

During Device Setup, the Enrollment Status Page is customized to show the users' Apps, Certificates, and Policies installation status. For each Entity, three ESP profiles are built, each of which is targeted at the AAD group for which the Deployment Profiles are created and assigned. The ESP Profiles established for each entity are shown in the screenshot below.



The ESP profiles contain the settings for what users can view on the ESP page throughout the enrollment process. They also indicate which applications must be installed while the ESP page is displayed.
Applications, policies, certificates, and other items assigned to the Devices AAD group are installed during Device Setup. They are installed during User Setup if they are assigned to the Users AAD group. The settings for the {Organization}-{domain}-ESP page are shown in the screenshot below.



The ESP page that the user sees when completing the enrollment process is the screen shown below.




3. Deployment Profiles

Deployment Profiles are the foundation of the Autopilot Enrollment; they allow us to specify how the Autopilot Enrollment should take place when the user or the EUS team is executing the enrollment. These profiles are set up based on the three entities once more.



The deployment is set up to be user-driven, with White Glove (also known as Pre-Provision mode) turned on. At this time, we're displaying the License Agreement and privacy settings for users to accept. We mentioned in the previous sections that we are enrolling our devices with "Hybrid Azure AD joined," which allows our Autopilot devices to access both on-prem and cloud resources.

Because we don't want users to be administrators of their devices, the user account type will be "Standard."
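
Once a device has finished enrollment, the two outcomes of this deployment profile (Hybrid Azure AD join and a "Standard" user account) can be verified on the device itself. The following is an added example, not part of the original post; the function name `Test-AutopilotOutcome` is hypothetical, the sample input is constructed, and on a live device it must run in the signed-in user's own session so that `whoami` reports that user's groups.

```powershell
# Added example (not from the original post): post-enrollment check of the
# join state and the local privilege level of the signed-in user.
function Test-AutopilotOutcome {
    param(
        # Lines of `dsregcmd /status` output; defaults to the live device.
        [string[]]$DsregStatus = (dsregcmd.exe /status),
        # Lines of `whoami /groups /fo csv /nh` for the signed-in user.
        [string[]]$UserGroups  = (whoami.exe /groups /fo csv /nh)
    )

    $join = @{ AzureAdJoined = $false; DomainJoined = $false }
    foreach ($line in $DsregStatus) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined)\s*:\s*(YES|NO)\s*$') {
            $join[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }

    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators. It is
    # listed for administrators even in a non-elevated (UAC-filtered) session,
    # so its presence means the account is not a standard user.
    $isAdmin = [bool]($UserGroups -match '"S-1-5-32-544"')
    $hybrid  = $join.AzureAdJoined -and $join.DomainJoined

    [pscustomobject]@{
        HybridAzureAdJoined = $hybrid
        UserIsLocalAdmin    = $isAdmin
        MatchesProfile      = $hybrid -and -not $isAdmin
    }
}

# Constructed sample input, so the function can be tried off-device.
$sampleDsreg = @(
    '             AzureAdJoined : YES',
    '              DomainJoined : YES'
)
$sampleGroups = @(
    '"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"',
    '"BUILTIN\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"'
)
Test-AutopilotOutcome -DsregStatus $sampleDsreg -UserGroups $sampleGroups
```

With the constructed sample, the result is `HybridAzureAdJoined = True`, `UserIsLocalAdmin = False`, `MatchesProfile = True`; calling `Test-AutopilotOutcome` with no arguments checks the live device.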



Hold on tight, we are working on it...
