During my engagements I have the chance to see many different environments and learn how customers transform to a modern workplace. In this series I will share the top 5 questions which arise. In this blog I will answer:
What is the best method to enroll Windows devices?
Modern projects always focus on Windows Autopilot. The general idea is to let the end-user enroll the device, saving time within the IT department and providing flexibility. The problem is that most companies do not realize that not all users are capable of and willing to do such an enrollment. Therefore management support and good communication are crucial.
Autopilot provides high flexibility regarding which hardware models can be used within an environment, because driver engineering and staging are no longer required. This also means that the IT department can save plenty of effort and cost. Additionally, devices can be reset and enrolled anywhere in the world with just an internet connection.
So, it seems clear we will try it. We all have enough to do… but soon after a rollout has started, the following questions arise:
I have seen customers collect the end-users' passwords to do the rollout, or the rollout technician using his personal account to enroll devices. Both are definitely a NO GO. Sometimes I also get the question regarding white glove/pre-provisioned deployment.
Windows Autopilot for pre-provisioned deployment
Pre-provisioning is an option to install apps and settings before handing a device out to an end-user. The end-user still needs to do the Autopilot enrollment by himself, but now a little bit faster (depending on the number of apps).
My personal opinion is to not leverage this option in most cases. But why?
With Autopilot we try to optimize a process and allow shipping the device directly to the end-user to save the time IT has to invest. With pre-provisioning we lose all these benefits, as IT still has to touch each device and connect it to the network. In most cases I would assume that just doing a PXE boot and executing a MEMCM task sequence could be faster, more reliable and allow more customization. The only drawback is the driver engineering which needs to be done. But this is a one-time task per model, and the most time-consuming IT tasks (unpacking, connecting, shipping to the end-user) are still required.
Device Enrollment Manager (DEM)
In MEM it’s possible to define some users as Device Enrollment Managers, who are then allowed to enroll more devices than a standard user, with the benefit that the user is not associated with the device. Enrolling a device without an assigned user has some drawbacks, but they are not as big as they were a few years ago. As you can see in the Docs, since Windows 10 version 1709 Conditional Access also works with this enrollment type. So this could be an option, but I recommend testing it well, as some features are not working.
Autopilot Self-enrollment mode
The self-enrollment mode is great for kiosk or shared devices. But as with a DEM there are drawbacks regarding BitLocker and Conditional Access. Interestingly, Microsoft uses “may” in the warning note:
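The practices above (collected passwords or a technician's personal account as a NO GO, dedicated DEM accounts instead, and userless enrollments needing extra review) leave traces in the Intune device inventory that an admin can audit. The following is an added example, not code from the original post: a small Python audit over an export of managed-device records. The field names mirror the Microsoft Graph managedDevice resource (userPrincipalName, deviceEnrollmentType, enrolledDateTime), but the device names, accounts, timestamps, the DEM account list and the review threshold are all constructed assumptions for this example.

```python
from collections import Counter

# Constructed sample of Intune managed-device records (values invented for
# this example; field names follow the Graph managedDevice resource).
SAMPLE_DEVICES = [
    {"deviceName": "LT-0001", "userPrincipalName": "dem-rollout@contoso.example",
     "deviceEnrollmentType": "deviceEnrollmentManager", "enrolledDateTime": "2023-03-01T09:12:00Z"},
    {"deviceName": "LT-0002", "userPrincipalName": "dem-rollout@contoso.example",
     "deviceEnrollmentType": "deviceEnrollmentManager", "enrolledDateTime": "2023-03-01T09:40:00Z"},
    {"deviceName": "LT-0003", "userPrincipalName": "alice@contoso.example",
     "deviceEnrollmentType": "windowsAzureADJoin", "enrolledDateTime": "2023-03-02T08:05:00Z"},
    {"deviceName": "LT-0004", "userPrincipalName": "bob@contoso.example",
     "deviceEnrollmentType": "windowsAzureADJoin", "enrolledDateTime": "2023-03-02T10:15:00Z"},
    # One ordinary account as primary user on many devices within a short window
    # is the trace left when a technician enrolls with a personal account.
    {"deviceName": "LT-0005", "userPrincipalName": "tech.jane@contoso.example",
     "deviceEnrollmentType": "windowsAzureADJoin", "enrolledDateTime": "2023-03-03T09:00:00Z"},
    {"deviceName": "LT-0006", "userPrincipalName": "tech.jane@contoso.example",
     "deviceEnrollmentType": "windowsAzureADJoin", "enrolledDateTime": "2023-03-03T09:20:00Z"},
    {"deviceName": "LT-0007", "userPrincipalName": "tech.jane@contoso.example",
     "deviceEnrollmentType": "windowsAzureADJoin", "enrolledDateTime": "2023-03-03T09:45:00Z"},
    {"deviceName": "LT-0008", "userPrincipalName": "tech.jane@contoso.example",
     "deviceEnrollmentType": "windowsAzureADJoin", "enrolledDateTime": "2023-03-03T10:10:00Z"},
    {"deviceName": "LT-0009", "userPrincipalName": "dem-rollout@contoso.example",
     "deviceEnrollmentType": "deviceEnrollmentManager", "enrolledDateTime": "2023-03-03T11:00:00Z"},
    {"deviceName": "LT-0010", "userPrincipalName": "dem-rollout@contoso.example",
     "deviceEnrollmentType": "deviceEnrollmentManager", "enrolledDateTime": "2023-03-03T11:30:00Z"},
    # Userless enrollment (kiosk/shared device) - allowed, but flagged for the
    # BitLocker / Conditional Access review the post mentions.
    {"deviceName": "KIOSK-01", "userPrincipalName": "",
     "deviceEnrollmentType": "windowsBulkUserless", "enrolledDateTime": "2023-03-04T07:30:00Z"},
]

# Assumed: the set of accounts the Intune admins have designated as DEM.
DEM_ACCOUNTS = {"dem-rollout@contoso.example"}
# Assumed: how many devices an ordinary (non-DEM) account may appear on before review.
PER_USER_LIMIT = 3


def enrollment_counts(devices):
    """Count devices per primary user (case-insensitive UPN).

    Userless enrollments are grouped under the key '<none>'.
    """
    counts = Counter()
    for d in devices:
        upn = (d.get("userPrincipalName") or "").strip().lower() or "<none>"
        counts[upn] += 1
    return counts


def audit_enrollments(devices, dem_accounts=DEM_ACCOUNTS, per_user_limit=PER_USER_LIMIT):
    """Return review findings for an export of managed-device records.

    over_limit: ordinary accounts that are primary user on more than per_user_limit
                devices (DEM accounts are exempt, since enrolling many devices is their job).
    userless:   devices with no primary user, to be checked against the CA/BitLocker
                expectations for that device class.
    """
    dem = {a.lower() for a in dem_accounts}
    findings = {"over_limit": {}, "userless": []}

    for upn, n in enrollment_counts(devices).items():
        if upn != "<none>" and upn not in dem and n > per_user_limit:
            findings["over_limit"][upn] = n

    for d in devices:
        if not (d.get("userPrincipalName") or "").strip():
            findings["userless"].append(d["deviceName"])

    return findings


def print_report(findings):
    """Human-readable summary for the rollout team."""
    for upn, n in sorted(findings["over_limit"].items()):
        print(f"REVIEW  {upn} is primary user on {n} devices (limit {PER_USER_LIMIT}); "
              "use a DEM account for rollouts instead of a personal account")
    for name in findings["userless"]:
        print(f"CHECK   {name} enrolled without a user; verify BitLocker and CA behaviour")


if __name__ == "__main__":
    print_report(audit_enrollments(SAMPLE_DEVICES))
```

In a real tenant the record list would come from a Graph query or an Intune export rather than the constructed sample; the checks themselves do not change.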
As you can see there are multiple options, but only one brings the expected benefits of modern management. Therefore it is crucial that you educate your users, work on the company culture and communicate well, especially the Windows Autopilot benefits, which Thomas Marcussen explains well in his TOP 10 list.
An additional tip is to provide the users with a nicely designed setup manual with step-by-step instructions and some tips and tricks adjusted to the tools you use. When I was attending a rollout you couldn’t imagine how happy the users were when I could show them flags/to-dos in Outlook or how they can use OneNote.