Microsoft Endpoint Manager's July 2207 service release includes two key security and user-experience improvements: the return of several Windows Autopilot capabilities and support for enhanced security options for Automated Device Enrollment (ADE). I hope you appreciate these enhancements, and the behind-the-scenes stories, as deployment wraps up for the month. I look forward to your feedback. Please comment on this post or connect with me on LinkedIn.
Return of key functionality for Windows Autopilot sign-in and deployment experience
Last year, we made some changes to the Autopilot sign-in experience that impacted how you deploy Autopilot devices. Because hardware components have historically been reused across devices, we had to remove existing functionality and re-engineer the experience to ensure the security of the Windows Autopilot platform. Now you can once again pre-populate the welcome username screen prior to device enrollment. Returning this "cool factor" has been a big priority and a practical component, particularly in school districts, where it ensures the correct student has their assigned device before enrollment. We brought the experience back securely, knowing that hardware components are still frequently reused. Starting with the 2207 service release, admins will be able to:
Pre-populate the Azure Active Directory (Azure AD) User Principal Name (UPN) on the pre-provisioning landing page and the Azure AD sign-in page. Note: This is limited based on the manufacturer. Please contact your OEM to confirm whether this functionality is enabled.
Automatically re-enroll a device through Autopilot, without deleting the device record, where the profile is set to self-deploying or pre-provisioning mode. Note: This is limited based on the manufacturer. Please contact your OEM to confirm whether this functionality is enabled.
Automatically re-enroll devices whose hardware components may have been replaced, using Autopilot auto-remediation, provided the OS has not been reset.
Securely and remotely access your corporate resources during Setup Assistant with modern authentication
Apple's Automated Device Enrollment (ADE) Setup Assistant with modern authentication for iOS/iPadOS is frequently used to let admins enroll large numbers of purpose-driven devices without manually touching each one. Some customers that use ADE, such as those in the government and financial sectors, often require additional security during enrollment. Azure AD supports certificate-based authentication via sign-in from another device. In 2207, Setup Assistant with modern authentication also supports certificate-based authentication.
With this new capability, users can choose to sign in from another device during a new flow embedded in Setup Assistant while enrolling. This lets the user sign in on a trusted device, for example with derived credentials from a smart card or another form of certificate-based authentication, to confirm the user's identity for scenarios such as enrollment and user access, Wi-Fi, VPN, email, native mail app authentication, and S/MIME signing and encryption. It grants users remote access to work resources while preventing unauthorized users from accessing sensitive information.
You can see more of this new sign-in-from-another-device experience in the video:
Let us know what you think
Please share your comments, questions, and feedback, so we can continue to improve the endpoint user experience and simplify IT administration. Simply comment on this post or connect with me on LinkedIn.