Microsoft Intune Blog

Helping IT send and provision business PCs at home to work securely during COVID-19

Mayunk_Jain (Microsoft)
Mar 30, 2020

With so many organizations shifting to remote work, our teams are helping customers daily to understand how to provision new and existing PCs at home. The previous article in this series discussed some ideas to enable personal PCs and shared devices to help businesses implement remote work. In this article, we want to help you ship new business PCs to employees and provision them out of the box, without manual setup or intervention from your technical support staff.

 

If, like many businesses we're helping right now, you have never done this before, there are a few prerequisites you may need to set up. For instance, these recommendations require a secure identity control plane such as Azure Active Directory and device management tools such as Microsoft Endpoint Manager, a unified platform that includes Microsoft Intune and Configuration Manager. These tools are already available to you if you own Microsoft 365 E3 or EMS E3 and above licenses.

 

We realize that many of you are heads-down helping your users successfully work from home while maintaining your own health and that of your loved ones. Before we begin, we want you to know that you are not alone. Whether you have prior experience with enabling remote work or are stepping up to a new challenge, you can count on several Microsoft resources to help you succeed, including access to Microsoft FastTrack experts and 24/7 technical support at no additional cost with most Microsoft 365 and EMS licenses.

 

Send computers directly to staff and remotely provision them with Windows Autopilot

 

Many organizations are procuring devices for end users who may not have a business-ready device at home. Using Windows Autopilot, you can procure a new device from an OEM or reseller and have that device shipped directly to the user’s home, then automatically provision the right settings, apps, and resource access upon power-on and login.


The process consists of setting up Windows Autopilot in the Microsoft Endpoint Manager admin center and ordering the PCs with instructions to ship them directly to employees' homes. Windows Autopilot saves organizations the effort of maintaining custom images and drivers for every model of device in use: it transforms the existing Windows 10 installation into a "business-ready" state, applying settings and policies, installing apps, and managing the devices from the cloud. The recommended starting point for businesses new to this is the user-driven Autopilot mode with automatic Intune enrollment after Azure AD join. If you have a different architecture, please visit the product documentation or contact our specialists for guidance on supported capabilities and scenarios.

 

If your IT department has the resources to pre-provision devices, you can use a feature known as Windows Autopilot for white glove deployment, where the time-consuming portions are performed by IT, partners, or OEMs. The end user enters their credentials and within a few moments can begin using their device. It's worth noting that white glove may be an option for preparing Hybrid Azure AD joined devices, which currently requires physical access to the corporate network. As long as you deploy the needed VPN client and settings (e.g. a machine certificate and VPN profile) during the white glove process, the end user will be able to establish a VPN connection to the corporate network when they receive the machine at home, and can then sign in to the device.
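A constructed example of the kind of VPN profile this paragraph refers to, added here and not part of the original post: a Windows VPNv2 CSP ProfileXML describing an IKEv2 device tunnel authenticated with a machine certificate, so the tunnel is established before any user signs in and the domain controller is reachable for the first logon. The server name and the internal route are placeholders; the profile assumes the machine certificate is already installed and is applied in the device (SYSTEM) context, for instance by the same package that deploys the VPN client during the technician phase.

```xml
<!-- Constructed example: vpn.example.com and 10.0.0.0/8 are placeholders. -->
<VPNProfile>
  <NativeProfile>
    <!-- VPN gateway the device tunnel connects to -->
    <Servers>vpn.example.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <!-- Machine-certificate auth: no user interaction, works pre-logon -->
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <!-- Send only corporate prefixes through the tunnel -->
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
  <!-- Bring the tunnel up automatically and keep it up -->
  <AlwaysOn>true</AlwaysOn>
  <!-- Device tunnel: established by the OS before a user signs in -->
  <DeviceTunnel>true</DeviceTunnel>
  <!-- Register the device's address in internal DNS -->
  <RegisterDNS>true</RegisterDNS>
  <!-- Placeholder corporate range that must reach the domain controllers -->
  <Route>
    <Address>10.0.0.0</Address>
    <PrefixSize>8</PrefixSize>
  </Route>
</VPNProfile>
```

Limit the routed prefixes to what the device actually needs (domain controllers, CA, management endpoints) so that the always-on tunnel does not expose the whole internal network to a machine that has not yet had a user sign in.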

This Windows Autopilot deployment process poster may help visualize the process.

 

Additional use cases for modern provisioning of Windows devices

 

Before we move on, I’d like to quickly call out a couple of other scenarios in which Windows Autopilot may help you. These may not apply to all organizations, but are valuable time-savers if you need them.

If you are looking to quickly provision kiosks or digital signs, for example when setting up pop-up locations to help with the pandemic response, the self-deploying mode in Windows Autopilot enables a device with an Internet connection to be deployed with little to no user interaction. When setting up a kiosk, you can leverage the new Kiosk Browser, an app built on Microsoft Edge that can be used to create a tailored, MDM-managed browsing experience. If you need additional licenses for these devices, you can save costs by assigning the device-only subscription, since these devices are not associated with any user identity.

 

Another scenario: if you have existing Windows 7 and 8.1 machines currently managed by Configuration Manager, you may be able to use Windows Autopilot to deploy the latest version of Windows 10 to those devices and manage them from the cloud. The initial deployment may require access to the corporate network and actions by IT staff, which may be a good option to get all devices on deck during the crisis and then manage them remotely. Once deployed, the apps end users need for work can be installed automatically and their work profile is synchronized so they can resume working right away. Check out this video for a quick overview of the process.

 

Automated zero-touch enrollment for Apple and Android devices

 

Businesses and schools are scrambling to use every available device to empower remote workers, given the impact on the global supply chain. In addition to Windows Autopilot, you can use Microsoft Endpoint Manager to pre-provision, deploy, and manage large numbers of Apple and Android devices without physically accessing them.

 

For instance, on iOS, iPadOS and macOS you can use Automated Device Enrollment with both Apple Business Manager and Apple School Manager. When the end user receives the device and turns it on, Setup Assistant, which provides the typical out-of-box experience for Apple products, runs with preconfigured settings and the device enrolls into management. Similarly, Intune supports large-scale Android Enterprise enrollment methods such as NFC, tokens, QR codes, zero-touch, and so on. Using Intune with Samsung devices and Knox Mobile Enrollment, you can enroll large numbers of company-owned Android devices over Bluetooth or NFC with the Knox Deployment App.

 

Protecting data when staff are working outside of their normal office environment

 

In the first part of this article, we looked at application-level compliance, which does not require devices to be enrolled and can be deployed relatively quickly. Many organizations may require more granular device controls to meet their security policies using device enrollment, also known as mobile device management (MDM). Several national cybersecurity agencies (for example, the NCSC in the UK, CISA in the US, and the ASD in Australia) have recommended MDM tools to set up devices with a standard configuration, and also to remotely lock devices, erase data, or retrieve a backup. Depending on your needs, you may support both enrolled and non-enrolled devices in your organization.


With Microsoft Endpoint Manager, you can drive user adoption by directing users to enroll devices in MDM with a friendly message when they access email or other data from non-enrolled devices. Once they complete the process, you will have the ability to make sure devices encrypt data at rest and to protect data on the device if it is lost or stolen. Check out MDM enrollment options for different device types and device ownership scenarios.

 

Next steps: technical resources and communications planning

In our experience, successful adoption isn't just about distributing new, functional technology throughout your workforce. It is important to help employees understand the need for device management and enterprise mobility, and how in these difficult times it provides the necessary security benefits for both users and the organization. Without an explanation from you, some users might feel that you're infringing on their privacy. User concern for privacy increases when you deploy MDM tools for personal PCs and mobile devices.

 

Microsoft provides several tools and templates to assist you in educating end users.

  • The Intune Adoption Kit includes email templates, an Intune Enrollment guide, and instructional videos to aid end users in easily enrolling their devices in Intune.
  • If you are new to MDM and MAM roll-out, check out the tips and learning from previous experience in the end user education resources.
  • The planning guide walks you through the process of developing a deployment plan, creating a design, onboarding Intune, and conducting a production rollout.

 

Many customers take their first steps with Microsoft FastTrack, a unique service designed with one goal in mind: helping you get the most value out of your Microsoft 365 investment. Use your FastTrack Center Benefits with eligible subscriptions to work with Microsoft specialists to assess, remediate, enable, and drive user satisfaction with your Intune roll-out. You can get help through the Microsoft 365 admin center or the FastTrack site.

 

These are unprecedented times and we are here to help and share guidance so you can keep your employees connected. We continue to update our Microsoft COVID-19 Response resources with guidance and learnings, please check frequently for more ideas and information: https://news.microsoft.com/covid-19-response

 

Some other guidance in this series to help you rapidly enable secure remote work:

 

Helping businesses rapidly set up to work securely from personal PCs and mobile

Helping IT send and provision new business PCs to home users

Using Configuration Manager? Enable support for remote workers with co-management

Managing 'Patch Tuesday' with Configuration Manager when users are all remote

 

As always, we would love to hear your experiences with remote productivity while maintaining a healthy social distance. Join the conversation in our Remote Work Tech Community to share, engage and learn from experts.

 

Follow @MSIntune on Twitter

Updated Mar 31, 2020
Version 2.0
  • Mayunk_Jain yes, great write-up. To add to Jeffrey Allen's comment on Autopilot, it would also be great if you could Hybrid-Join the devices into the corp on-premises AD domain so devices that would be connecting into the office via VPN would be able to access resources.

     

    Currently, Hybrid-Join does not work via a VPN; the process requires direct line of sight to the DC, so unless I am missing something, if you ship the device to the end user at home it will not be able to access any internal resources via VPN.

  • N30nV (Copper Contributor)

    Can we get some more information in regards to provisioning Hybrid Azure AD Join devices using White Glove or Autopilot over VPN? If I remember correctly from real-world experience, the device requires communication with the on-premises DC twice: once during the technician flow and secondly during the user flow. If that is the case, then at what time could the VPN information be injected, and how? Secondly, if I understand this correctly, you are talking about a Windows-based VPN profile managed by Intune, not any 3rd party VPN solution?

     

    Please elaborate and confirm.

  • The technician phase of white glove does not require connectivity to the on-prem domain controller. This is only needed for the user phase, so that the user can sign in (as their credentials need to be validated by a DC). That could be done via a VPN connection today, as long as that VPN client and configuration (and device cert, if needed) is deployed to the device during the technician phase (e.g. as a Win32 app).

     

    In a non-white glove scenario, we're working on removing connectivity checks during the process so you can achieve the same result: join over the internet (already supported today), push the VPN client and configuration, make a VPN connection, then sign in.

  • Hi Michael Niehaus,

     

    With regards to the technician phase of a "White Glove" deployment, in a hybrid deployment scenario, wouldn't the technician be adding the device into the on-premises domain as part of the technician white glove process?

     

    My understanding and experience with WG is that you set up the machine as required with all applications and connections and then reseal the machine for deployment to the end users. The re-sealing of the machine effectively puts the machine into a semi-OOBE state for the next startup and logon; however, the previous WG install and setup settings are retained. Would this not include the domain join as well as the hybrid join?

     

    Also, with regards to the VPN configuration policy with Intune: as a tech that supports many SMEs that use Cisco Meraki devices for VPN connectivity, there does not appear to be an option in the Intune VPN profiles for L2TP/IPsec with preshared keys.

     

    Are you able to advise on how this can be done in Intune? I have reviewed several CSP documents for URI paths and keys but have not been able to locate any information on this type of VPN connection profile.

  • The technician phase will add the device to AD, but that entire process happens over the internet: the Intune connector creates the object in AD, sends that to the client device, the client installs that and reboots. After that, it's 100% joined to AD.

     

    You will need to use a Win32 "fat" VPN client to do the configuration, where the VPN profile is embedded into the VPN client installer. The Intune profiles are for the UWP-based VPN "plug-ins" that can't install until the user is signed in (which would be a problem if the user needs to make a VPN connection before they sign in).