Windows AutoPilot Scenarios: Hybrid Approach (Part 2)
In part 1 of the Windows AutoPilot scenarios series, we covered the AutoPilot basics and what the service can do in its native form. We also looked at some exciting new features coming down the pipeline which will certainly flesh these services out even more. In the meantime, however, there are still quite a few missing pieces in AutoPilot which can inhibit you from using it for certain types of deployments.
In this blog, we’ll discuss some ways to extend the influence of AutoPilot by incorporating additional toolsets.
Augment AutoPilot with a Hybrid Approach
To overcome some of the limitations of Native AutoPilot, we can supplement it with a few tools to augment its capabilities, and thereby provide an even better end-user experience. We shall dub this approach “Hybrid AutoPilot.” Here are some ideas on how to hybridize.
The Windows Image Configuration Designer (WICD) standalone can be downloaded free from the Microsoft Store. It is also available as part of the Assessment and Deployment Toolkit (ADK).
This tool is used to generate Provisioning Packages (PPKGs). In just a few quick steps, one can define basic computer naming, Wi-Fi connectivity, manage the local administrator account, install a few simple applications, and import any required certificates.
This results in a much-improved starting position, but we’ll still need another tool to facilitate post-deployment management. More on that in a bit.
Once the PPKG is generated, there are several ways to invoke it. A simple double-click will do the job. Or, when you’re in OOBE, put it on a USB stick and press the Windows logo key five times. A more comprehensive approach involves baking the PPKG into the OS image and using PowerShell to call it once setup has completed.
By pre-staging the content into the image, the resulting PPKG can be much smaller, which means less network traffic, and results in faster installation for the end-user.
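The "bake it into the image and call it from PowerShell" approach described above, as an added example that is not code from the original post. It uses the built-in Provisioning module cmdlets; the staging path, log folder and pinned hash value are assumptions for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: apply a provisioning package that was baked into the OS image.
# Assumptions (not from the article): the staging path, log folder and pinned hash below.
[CmdletBinding()]
param(
    [string]$PackagePath    = 'C:\ProgramData\Provisioning\Corp-Baseline.ppkg',
    [string]$ExpectedSha256 = '<SHA256-OF-APPROVED-PPKG>',   # placeholder: record at image build time
    [string]$LogDirectory   = 'C:\Windows\Temp\PpkgInstall'
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $PackagePath -PathType Leaf)) {
    throw "Provisioning package not found: $PackagePath"
}

# A PPKG can carry the local administrator account, Wi-Fi profiles and certificates,
# so only apply the exact file that was approved when the image was built.
$actual = (Get-FileHash -LiteralPath $PackagePath -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256) {            # -ne on strings is case-insensitive
    throw "SHA-256 mismatch for $PackagePath (got $actual). Package not applied."
}

New-Item -ItemType Directory -Path $LogDirectory -Force | Out-Null

# Unattended install through the built-in Provisioning module.
Install-ProvisioningPackage -PackagePath $PackagePath -QuietInstall -ForceInstall -LogsDirectoryPath $LogDirectory

# Record what is now applied so the run can be audited later.
Get-ProvisioningPackage -AllInstalledPackages |
    Out-File -FilePath (Join-Path $LogDirectory 'installed-packages.txt') -Encoding utf8
```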
WICD can be a good way to fill some of the AutoPilot gaps and get extra software or settings onto the device from the get-go so that by the time the user hits their desktop for the first time, they are truly ready to get to work with productivity apps. Hopefully, we’ll see Microsoft provide more integration between WICD and AutoPilot in the future. If AutoPilot could download and launch the PPKG for you, that would be awesome!
One of the best features of Intune to be released in the past year is PowerShell script deployment capability. Though its release was long overdue, we can finally push scripts to Windows 10 endpoints using the MDM agent. If you can automate your workload this way, then you can take advantage of Intune and supplement AutoPilot to a significant degree. And now that PowerShell Core 6.0 is available on both Mac and Linux, there could be some very extensive cross-platform management opportunities on the horizon if Intune starts to support MDM on these types of desktops, as well as iOS and Android.
But Intune still can’t do everything. One limitation has been that Win32 EXEs cannot be pushed via the modern Intune MDM agent. Yes, the “legacy Intune agent” could do this to a degree, but that model is well on its way to being phased out and retired alongside the “Classic Intune” portal. As such, it’s no longer recommended to use that installation package.
The Project Centennial Desktop Bridge is Microsoft’s longer-term aim to enable classic Win32 EXEs to be repackaged and delivered via Microsoft Store. But there have been some challenges with enabling it and getting big-name software companies on board. This leaves another gap in our application deployment strategy. We want to use the cloud as much as possible, yet how do you get those LOB apps out when they can’t live in the cloud just yet?
This challenge has been mitigated beginning with SCCM v1710 plus the Fall Creators Update, which allows the SCCM client agent to install alongside Intune’s MDM for a best-of-both-worlds experience. This new approach is termed Co-Management. The latest release of SCCM 1802 coupled with the April 2018 Update continues down this track to extend Co-Management capabilities, and brings us to…
Another key advantage of deploying SCCM is having complete manageability over your corporate OS images. In contrast, Native AutoPilot is completely dependent on OEMs to provide clean OS images (something they haven’t been historically great at). Thus, if you want the most robust ability to Build-Your-Own-Image (BYOI), and manage the device post-deployment, then SCCM is your toolset. Add in an MDT Task Sequence (Microsoft Deployment Toolkit), and you’ve effectively become your own OEM.
Since a license for SCCM is already included in an Intune subscription, many organizations should already have the ability to incorporate its proven toolset. But if you only have Intune Standalone, the SQL Server license for SCCM isn’t included – for that you need to either purchase the full System Center Suite or procure an extra SQL Standard Edition license. And if you’re going down this road, you may want to take a look at Microsoft 365, to bundle both EMS and OMS with your OSD.
Benefits of Hybrid AutoPilot
The tradeoff for a hybrid approach is additional server setup and administrative overhead. But if the use case warrants it, the benefits can be quite numerous. For instance, the aforementioned Windows AutoPilot Device Information report can be used to collect device information that’s needed to create a Windows AutoPilot deployment profile in bulk on all your machines at once. That way, the next time you have a remote user with a crashed machine, you can mail out a replacement and have AutoPilot use your approved corporate image.
But if you have any Windows 7 or 8 still lingering around, forget it – hybrid is the path forward for you in the near-term. Use SCCM to get those systems upgraded with a Task Sequence. And use the built-in Servicing Plans to get earlier builds of Windows 10 up-to-date with 1803. Even if you’ve started to move to a Windows 10 OS platform, you still may not be ready or willing to cut the cord entirely on the traditional ways of managing things. For example, Intune can deploy UWP apps just fine, but a large percentage of organizations still rely on regular EXEs for Line-of-Business apps. Having the good-old SCCM agent around keeps that management and maintenance avenue open and accessible. You can leverage SCCM’s specialized abilities as needed while transitioning to Intune’s MDM/MAM for things like Endpoint Security, Compliance and Software Updates as able.
Hybrid AutoPilot Considerations
In summary, native AutoPilot works great and provides a seamless, easy experience for the end-user when unwrapping a new BYOD/CYOD computer. But at present, it only fits a limited set of scenarios by itself – and only for Windows 10. Provisioning Packages can be used to augment AutoPilot out-of-the-gate, but for true ongoing management capability, you really need an Intune subscription to keep tabs on the device and ensure it stays compliant with company security policies, post-deployment. If you are ready to embrace modern IT management paradigms, this can meet your needs.
Yet when it comes to advanced or complex use-cases, such as employing Win32 EXE applications or building your own images, Windows desktops still might need to be supported by the tried-and-true mechanisms of SCCM in Hybrid Mode. Co-Management enables a “best of both worlds” type of approach that facilitates the transition to the cloud while still providing the features to maintain devices on-premises. As such, when it comes to managing Windows desktops, SCCM Hybrid will remain a key component of Intune for some time yet to come.
If you need help with automating your OS deployments and transitioning to Windows 10, contact SWC to learn more about our service offerings and engage with our subject matter experts who have extensive experience with all of the tools and technologies mentioned herein.