With so many organizations shifting to remote work, our teams are helping customers daily to understand how to provision new and existing PCs at home. The previous article in this series discussed some ideas to enable personal PCs and shared devices to help businesses implement remote work. In this article, we want to help you ship new business PCs to employees and provision them out of the box without manual setup or help from your technical support.
If, like many businesses we’re helping right now, you have never done this before, there are a few prerequisites you may need to set up. For instance, these recommendations require a secure identity control plane such as Azure Active Directory and device management tools such as Microsoft Endpoint Manager, a unified platform that includes Microsoft Intune and Configuration Manager. These tools are already available to you if you own Microsoft 365 E3 or EMS E3 and above licenses.
We realize that many of you are heads-down helping your users successfully work from home while maintaining your own health and that of your loved ones. Before we begin, we want you to know that you are not alone. Whether you have prior experience with enabling remote work or are stepping up to a new challenge, you can count on several Microsoft resources to help you succeed, including access to Microsoft FastTrack experts and 24/7 technical support at no additional cost with most Microsoft 365 and EMS licenses.
Send computers directly to staff and remotely provision them with Windows Autopilot
Many organizations are procuring devices for end users who may not have a business-ready device at home. Using Windows Autopilot, you can procure a new device from an OEM or reseller and have that device shipped directly to the user’s home, then automatically provision the right settings, apps, and resource access upon power-on and login.
The process involves using the Microsoft Endpoint Manager admin center to set up Windows Autopilot and ordering the PCs with instructions to send them right to employees’ homes. Windows Autopilot saves organizations the effort of having to maintain custom images and drivers for every model of device being used, transforming your existing Windows 10 installation to a “business-ready” state, applying settings and policies, installing apps and managing the devices from the cloud. The optimal guidance for businesses getting started with this is to use the user-driven Autopilot mode with automatic Intune enrollment after Azure AD join. If you have a different architecture, please visit product documentation or contact our specialists for guidance on supported capabilities and scenarios.
If you have the resources for your IT department to pre-provision the devices, you can use a feature known as Windows Autopilot for white glove deployment where the time-consuming portions are performed by IT, partners, or OEMs. The end user enters their credentials and within a few moments they can begin using their device. It's worth noting that white glove service may be an option to prepare Hybrid Azure AD joined devices, which currently requires physical access to the corporate network. As long as you deploy the needed VPN client and settings (e.g. a machine certificate and VPN profile) during the white glove process, the end user will be able to establish a VPN connection to the corporate network when they get the machine at home, and can then sign in to the device.
This Windows Autopilot deployment process poster may help visualize the process.
Additional use cases for modern provisioning of Windows devices
Before we move on, I’d like to quickly call out a couple of other scenarios in which Windows Autopilot may help you. These may not apply to all organizations, but are valuable time-savers if you need them.
If you are looking to quickly provision kiosks or digital signs, such as if you are setting up pop-up locations to help with the pandemic response, the self-deploying mode in Windows Autopilot enables a device with an Internet connection to be deployed with little to no user interaction. When setting up a kiosk, you can leverage the new Kiosk Browser, an app built on Microsoft Edge that can be used to create a tailored, MDM-managed browsing experience. If you need additional licenses for these devices, you can save costs by assigning the device-only subscription since these devices are not associated with any user identity.
Another scenario: if you have existing Windows 7 and 8.1 machines currently managed by Configuration Manager, you may be able to use Windows Autopilot to deploy the latest version of Windows 10 to your existing devices and manage them from the cloud. The initial deployment may require access to the corporate network and actions by IT staff, which may be a good option to get all devices on deck during the crisis and then manage them remotely. Once deployed, the apps end users need for work can be automatically installed and their work profile is synchronized so they can resume working right away. Check out this video for a quick overview of this process.
Automated zero-touch enrollment for Apple and Android devices
Businesses and schools are scrambling to use every available device to empower remote workers, given the impact on the global supply chain. In addition to Windows Autopilot, you can use Microsoft Endpoint Manager to pre-provision, deploy, and manage large numbers of Apple and Android devices without physically accessing them.
For instance, on iOS, iPadOS and macOS you can use Automated Device Enrollment with both Apple Business Manager and Apple School Manager. When the end user receives the device and turns it on, Setup Assistant, which includes the typical out-of-box experience for Apple products, runs with preconfigured settings and the device enrolls into management. Similarly, Intune supports large-scale Android enrollment methods in Android Enterprise such as NFC, tokens, QR code, zero-touch, and so on. Using Intune with Samsung devices and Knox Mobile Enrollment, you can enroll large numbers of company-owned Android devices using Bluetooth or NFC when using the Knox Deployment App.
Protecting data when staff are working outside of their normal office environment
In the first part of this article, we looked at application-level compliance, which does not require devices to be enrolled and can be deployed relatively quickly. Many organizations may require more granular device controls to meet their security policies using device enrollment, also known as mobile device management (MDM). Several national cybersecurity agencies (for example, NCSC in UK, CISA in US, and ASD in Australia) have recommended MDM tools to set up devices with a standard configuration, and also to remotely lock devices, erase data, or retrieve a backup. Depending on your needs, you may support both enrolled and non-enrolled devices in your organization.
With Microsoft Endpoint Manager, you can drive user adoption by directing users to enroll devices in MDM with a friendly message when they access email or other data from non-enrolled devices. Once they complete the process, you will have the ability to make sure devices encrypt data at rest and to protect data on the device if it is lost or stolen. Check out MDM enrollment options for different device types and device ownership scenarios.
Next steps: technical resources and communications planning
In our experience, successful adoption isn't just about distributing new, functional technology throughout your workforce. It is important to help employees understand the need for device management and enterprise mobility, and how in these difficult times it provides the necessary security benefits for both users and the organization. Without an explanation from you, some users might feel that you're infringing on their privacy. User concern for privacy increases when you deploy MDM tools for personal PCs and mobile devices.
Microsoft provides several tools and templates to assist you in educating end users.
- The Intune Adoption Kit includes email templates, an Intune Enrollment guide, and instructional videos to aid end users in easily enrolling their devices in Intune.
- If you are new to MDM and MAM roll-out, check out the tips and learning from previous experience in the end user education resources.
- The planning guide walks you through the process of developing a deployment plan, creating a design, onboarding Intune, and conducting a production rollout.
Many customers take their first steps with Microsoft FastTrack, a unique service designed with one goal in mind: helping you get the most value out of your Microsoft 365 investment. Use your FastTrack Center Benefits with eligible subscriptions to work with Microsoft specialists to assess, remediate, enable, and drive user satisfaction with your Intune roll-out. You can get help through the Microsoft 365 admin center or the FastTrack site.
These are unprecedented times and we are here to help and share guidance so you can keep your employees connected. We continue to update our Microsoft COVID-19 Response resources with guidance and learnings. Please check frequently for more ideas and information: https://news.microsoft.com/covid-19-response
Some other guidance in this series to help you rapidly enable secure remote work:
Helping businesses rapidly set up to work securely from personal PCs and mobile
Helping IT send and provision new business PCs to home users
Using Configuration Manager? Enable support for remote workers with co-management
Managing 'Patch Tuesday' with Configuration Manager when users are all remote
As always, we would love to hear your experiences with remote productivity while maintaining a healthy social distance. Join the conversation in our Remote Work Tech Community to share, engage and learn from experts.