Choose an imaging and/or provisioning strategy – Deploy Windows client


When deploying Windows 11 in your organization, it is important to understand the different ways Windows can be deployed. You have seen the various methods for deploying and configuring Windows for the scenarios you face. You need to evaluate those scenarios, understand each deployment method's capabilities and limitations, and decide which is most appropriate for your organization.

The key benefit of an image-based method is that the deployment is completed in one action: the Windows image, configuration settings, apps, and files are all deployed to the device together. The device then runs the out-of-box experience (OOBE) and can be enrolled into management without further intervention. The key downside of this thick-image approach is that the image is only as current as the day it was built. Every subsequent deployment requires the image to be rebuilt, patched, and revalidated, and until that happens each newly imaged device starts life with whatever vulnerabilities have been fixed since the build. If several updates are outstanding, the maintenance effort can outweigh the speed benefit of imaging.

Using a provisioning package to transform a device can apply tailored settings and configurations to it, including:

  • Transform the edition of Windows that is in use.
  • Apply configuration and settings to the device, including:
      • Security settings
      • Device restrictions
      • Policies
      • Wi-Fi and VPN profiles
      • Certificates
  • Install apps, language packs, and Windows updates.
  • Enroll the device in a management solution such as Intune.

Once the device has been configured, it can then be managed via the management solution for further configuration and ongoing management. Because a provisioning package can carry Wi-Fi keys, certificates, and enrollment credentials, treat the .ppkg file itself as sensitive: control where it is stored, verify it before applying it, and do not leave copies behind on the device or on removable media.
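As an added example (not code from the original page), the following PowerShell applies a provisioning package the way a security-minded administrator would: it checks the package hash against the value recorded by the build pipeline, records the Windows edition before and after, applies the package silently with the built-in Provisioning module, lists the packages now registered on the device, and removes the staged copy. The package path, package name, and expected hash are assumptions for illustration; run it in an elevated PowerShell session on the target Windows 11 device.

```powershell
# Added example, not from the original page. Path, name and hash are assumed values.
# Requires an elevated session; Install-ProvisioningPackage and Get-ProvisioningPackage
# come from the built-in Provisioning module, Get-WindowsEdition from the DISM module.

$PackagePath  = 'D:\Provisioning\Contoso-Win11-Baseline.ppkg'   # assumed staging path
$ExpectedHash = '<SHA-256 recorded when the package was built>'   # assumed; paste the real value

# 1. Integrity check. A .ppkg can contain Wi-Fi keys, certificates and enrollment
#    secrets, so refuse to apply anything whose hash does not match the build record.
$actualHash = (Get-FileHash -Path $PackagePath -Algorithm SHA256).Hash
if ($actualHash -ne $ExpectedHash) {
    throw "Hash mismatch for $PackagePath (got $actualHash); refusing to apply."
}

# 2. Capture the edition beforehand so an edition transform is visible afterwards.
$editionBefore = (Get-WindowsEdition -Online).Edition

# 3. Apply silently. -ForceInstall reapplies even if a package with the same ID was
#    already seen, which is what you want when re-running a corrected build.
Install-ProvisioningPackage -PackagePath $PackagePath -QuietInstall -ForceInstall

# 4. Show what the device now considers installed and whether the edition changed.
Get-ProvisioningPackage -AllInstalledPackages | Format-List
$editionAfter = (Get-WindowsEdition -Online).Edition
Write-Output "Edition before: $editionBefore  after: $editionAfter"

# 5. Do not leave the package (and the secrets inside it) lying around.
Remove-Item -Path $PackagePath -Force
```

If the package enrolls the device in Intune, expect a reboot before management policies arrive; the edition change (step 4) may also require a restart to complete.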

Larger enterprises typically choose more robust and scalable tools, including one or more of the following:

  • Azure Active Directory join and automatic MDM enrollment
  • Windows Autopilot
  • Microsoft Deployment Toolkit (MDT)
  • Microsoft Endpoint Configuration Manager

We will summarize each of these later in this chapter and in later chapters. An entire chapter could be devoted to each solution, but you only need an overview of MDT and Configuration Manager for the MD-102 exam.

Azure AD Join with automatic MDM enrollment

You can dynamically provision Windows 11 devices using Azure AD together with a Mobile Device Management (MDM) solution such as Microsoft Intune. Once a device is enrolled into management, Intune can deploy compliance and corporate security policies to it. This is similar in purpose to how Group Policy objects configure computers in a domain-based environment, but it is not the same mechanism: MDM policies are delivered through the device's MDM client and configuration service providers rather than through Group Policy, and the set of settings that can be controlled is different.

MDM can be used to add or remove apps, restrict device features, and more. Intune evaluates the device against its compliance policies and reports the result to Azure AD, and Azure AD Conditional Access can then block or allow access to corporate resources or applications based on that compliance state.

To benefit from cloud-based dynamic provisioning, you need the following:

  • Windows 11 Pro or Windows 11 Enterprise
  • Azure AD for identity management
  • A mobile device management solution, such as Microsoft Intune
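As an added example (not code from the original page), the following PowerShell confirms that a device actually reached the state described above, Azure AD joined and enrolled in an MDM, by parsing the output of the built-in dsregcmd /status command. A device that is joined but reports no MDM URL has not completed automatic enrollment and will not receive compliance policy, which is the first thing to check when Conditional Access unexpectedly blocks it. The field names come from dsregcmd's own output; the function name is an assumption for illustration.

```powershell
# Added example, not from the original page. Parses dsregcmd /status, which prints
# "Key : Value" lines such as "AzureAdJoined : YES" and "MdmUrl : https://...".
function Get-DeviceJoinState {
    $lines = & dsregcmd.exe /status
    $state = @{}
    foreach ($line in $lines) {
        # Keep only single-token keys; values may themselves contain colons (URLs).
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]@{
        AzureAdJoined = ($state['AzureAdJoined'] -eq 'YES')
        DomainJoined  = ($state['DomainJoined']  -eq 'YES')
        TenantName    = $state['TenantName']
        DeviceId      = $state['DeviceId']
        MdmUrl        = $state['MdmUrl']
        # dsregcmd prints an empty MdmUrl when the device is not MDM enrolled.
        MdmEnrolled   = -not [string]::IsNullOrWhiteSpace($state['MdmUrl'])
    }
}

$joinState = Get-DeviceJoinState
if (-not $joinState.AzureAdJoined) {
    Write-Warning 'Device is not Azure AD joined; dynamic provisioning cannot apply.'
}
elseif (-not $joinState.MdmEnrolled) {
    Write-Warning 'Azure AD joined but no MDM URL reported; automatic MDM enrollment did not complete.'
}
$joinState
```

A device that is both DomainJoined and AzureAdJoined is hybrid joined; if you expected a pure Azure AD join (for example after Autopilot), that result points at a leftover on-premises join rather than a successful cloud-only provisioning.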
