User-driven deployments – Deploy Windows client

Tulay Mcveigh

Most IT deployments are strictly controlled and managed centrally by the IT department. Deploying, managing, and maintaining remote devices can be challenging for organizations. With the modern provisioning method called Windows Autopilot, users can receive a new device directly from an OEM retailer (or central IT) and have the device configured automatically and ready for use.

Central IT configures device profiles, which are then deployed to the pre-registered devices when the user signs in to the device for the first time. Once the user is authenticated, Windows Autopilot sets up the device, adds it to Azure AD, and enrolls it with Microsoft Intune.

The user is responsible for initiating the Windows Autopilot process. The device will be fully configured and ready for use, typically within an hour. This is especially beneficial for devices used by a remote sales force, where users seldom visit the office. Other use cases include replacement devices shipped directly to the user following loss or damage.

Windows Autopilot deployment overview

We will cover Windows Autopilot in more detail later in this chapter, but it is useful to provide an overview of this new deployment solution here.

Devices deployed by Windows Autopilot can be traditional Windows computers or kiosk devices. Kiosk devices are regular devices dedicated to a specific task, such as a multi-app kiosk device like Surface Go that displays a messaging app or the Microsoft Edge browser in a corporate office lobby.

In addition to deploying devices, Autopilot allows you to remotely reset and repurpose devices. IT departments can therefore be further optimized and no longer need to process devices themselves; they can ship devices directly to the end user and allow the user to start the deployment configuration remotely. Because Autopilot runs as a cloud service, there’s no infrastructure to manage. Administrators can manage and configure devices remotely from the Microsoft Endpoint Manager portal.

Windows Autopilot allows administrators to customize the out-of-the-box experience and reduce the time IT spends deploying and managing devices. Because devices are shipped directly to the end user, rather than via IT, and then transformed “while you wait,” there is minimal delay in the deployment, and the user can be productive quickly.

All devices that are to be configured by Autopilot must first be known to the Windows Autopilot service. A hardware hash, or ID, is collected from each device – this can be done within your organization for devices your organization already owns, or your hardware vendor can upload these hardware hashes on your behalf. Windows Autopilot requires Azure AD to provide the cloud identity for the user, and the hardware hash is associated with the cloud device identity. The overview of the Windows Autopilot device provisioning process can be seen in Figure 1-3. The flow diagram shows Windows Autopilot used to configure AAD-joined devices supplied by the hardware vendor directly to the user.

 

FIGURE 1-3 Windows Autopilot overview
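
As an added example (not part of the original text), the PowerShell function below checks a hardware-hash CSV before it is uploaded to the Windows Autopilot service, flagging missing columns, hashes that are not valid Base64, and duplicate serial numbers or hashes. The column names assume the standard Autopilot CSV import format, the function name Test-AutopilotCsv is hypothetical, and the sample rows are constructed.

```powershell
# Added example: pre-upload check of an Autopilot hardware-hash CSV.
# Assumption: the file uses the standard Autopilot import columns named below.
function Test-AutopilotCsv {
    param([Parameter(Mandatory)][string[]]$CsvLines)

    $required = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
    $problems = [System.Collections.Generic.List[string]]::new()
    $rows = @($CsvLines | ConvertFrom-Csv)
    if ($rows.Count -eq 0) { $problems.Add('no device rows found'); return $problems }

    # Every required column must be present in the header row.
    $columns = $rows[0].PSObject.Properties.Name
    foreach ($name in $required) {
        if ($columns -notcontains $name) { $problems.Add("missing column: $name") }
    }
    if ($problems.Count -gt 0) { return $problems }

    # Case-sensitive lookup, because Base64 text is case-sensitive.
    $seen = [System.Collections.Generic.Dictionary[string,int]]::new()
    $line = 1   # line 1 is the header
    foreach ($row in $rows) {
        $line++
        $serial = "$($row.'Device Serial Number')".Trim()
        $hash   = "$($row.'Hardware Hash')".Trim()
        if (-not $serial) { $problems.Add("line ${line}: empty serial number") }
        try {
            # The hardware hash is a Base64 string; reject anything that does not decode.
            if ([Convert]::FromBase64String($hash).Length -eq 0) { throw 'empty hash' }
        } catch {
            $problems.Add("line ${line}: hardware hash is not valid Base64")
        }
        # A repeated serial or hash usually means a copy/paste or merge error.
        foreach ($key in @("serial:$serial", "hash:$hash")) {
            if ($seen.ContainsKey($key)) {
                $problems.Add("line ${line}: duplicates line $($seen[$key]) ($($key.Split(':')[0]))")
            } else { $seen[$key] = $line }
        }
    }
    return $problems
}

# Constructed sample rows; real hardware hashes are far longer.
$sample = @(
    'Device Serial Number,Windows Product ID,Hardware Hash'
    'SN-0001,,Q09OU1RSVUNURUQtMDAx'
    'SN-0002,,Q09OU1RSVUNURUQtMDAy'
    'SN-0002,,not-base64!!'
)
Test-AutopilotCsv -CsvLines $sample
```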
