At Microsoft, we want to ensure that we are providing our customers with features that help to increase productivity and securely protect organizations. To improve the baseline security for Windows Autopilot, we recently made a few changes that affect new Windows Autopilot deployments:
- Users enter their credentials at initial sign-in during enrollment. We no longer allow pre-population of the Azure Active Directory (Azure AD) User Principal Name (UPN).
- For deployments where the profile is set to self-deploying mode (Public Preview) or pre-provisioning mode (formerly known as white glove, also in Public Preview), you cannot automatically re-enroll a device through Autopilot after an initial deployment in either of these modes. Instead, delete the device record in Microsoft Intune All Devices blade before re-deploying a device.
The intent of this post is to provide more context on why we made the changes and to provide links to documentation to help you be successful with your Autopilot experience.
Why did the Windows Autopilot team make these changes?
This was the biggest question we’ve received so far from customers. You liked, for example, giving a teacher a set of computers and using the welcome screen so the teacher could know which student to assign each device to. It’s a cool user experience when you assign a device, ship the device, and then the user opens that PC, and it welcomes them.
We loved the experience too! However, we made the changes because the reuse of hardware components, such as motherboards, or the refurbishment of devices without deregistration could potentially cause an issue if the device identifier can still be linked to a previous company. Hardware is being reused at record levels, partly due to the pandemic’s effect on global supply chains. While this reuse helps meet corporate sustainability goals, we had to remove that possibility and ensure no issues were caused. To date, we have found no evidence that anyone has used this to their advantage.
What’s next?
We are in the early design stages of an experience that customizes Autopilot enrollment. Using best practices from other enrollment workflows, we're looking at alternative solutions to reinstate this feature securely. Our goal is to improve your productivity and delight your users with what we bring back to the enrollment experience.
Additional Information:
- Getting Started with Autopilot deployments
- Troubleshooting Autopilot deployments, including guidance on how to resolve error code 0x80180014.
- MC288489 and MC289488 both address these changes. See this post for more information on staying up to date on Intune new features, service changes, and service health notices.
- The change to device re-enrollment only impacts users with reset or reused devices, and only for devices using self-deploying mode or pre-provisioned deployment. This change will not impact users with devices in user-driven mode. There is also no impact to current users whose devices were provisioned for the first time in self-deploying mode or pre-provisioning mode (no existing device record in these modes). We don’t anticipate additional changes to user-driven mode. This experience is different between user-driven mode and self-deploying mode or pre-provisioned deployment because of the enrollment mode used.
- To redeploy a previously provisioned device through Windows Autopilot (in self-deploying mode or pre-provisioning mode), first delete the device record from the All Devices blade in Microsoft Endpoint Manager. Be sure to not delete it from the Autopilot devices blade as that deregisters the device.
- For more on motherboard replacements, see Windows Autopilot motherboard replacement | Microsoft Docs.
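The redeployment step above (delete the record from All Devices, never from Autopilot devices) can be made less error-prone by scripting it against Microsoft Graph, so that the Autopilot registration is checked before and after the deletion. The following is an added example, not code from the original post or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account holds the listed scopes, and the serial number passed in is a constructed placeholder.

```powershell
# Added example (not from the original post): remove only the Intune
# managed-device record for a previously provisioned Autopilot device so it
# can be redeployed in self-deploying or pre-provisioning mode, while leaving
# the Autopilot device identity (the registration) untouched.
# Assumes the Microsoft.Graph PowerShell SDK; $SerialNumber is a placeholder.
param(
    [Parameter(Mandatory)] [string] $SerialNumber,
    [switch] $WhatIf
)

Connect-MgGraph -Scopes "DeviceManagementManagedDevices.ReadWrite.All",
                        "DeviceManagementServiceConfig.Read.All"

# 1. Confirm the Autopilot registration exists. This is the record that must
#    stay: deleting it deregisters the device instead of allowing redeployment.
$apIdentity = Get-MgDeviceManagementWindowsAutopilotDeviceIdentity -All |
    Where-Object { $_.SerialNumber -eq $SerialNumber }
if (-not $apIdentity) {
    throw "No Autopilot registration found for serial '$SerialNumber'."
}

# 2. Locate the Intune managed-device record(s) shown in the All Devices blade.
$managed = Get-MgDeviceManagementManagedDevice -All |
    Where-Object { $_.SerialNumber -eq $SerialNumber }
if (-not $managed) {
    Write-Host "No Intune device record for '$SerialNumber'; nothing to delete."
    return
}

# 3. Delete only the Intune record(s). -WhatIf lets an admin review first.
foreach ($dev in $managed) {
    if ($WhatIf) {
        Write-Host "Would delete Intune record $($dev.Id) ($($dev.DeviceName))"
    } else {
        Remove-MgDeviceManagementManagedDevice -ManagedDeviceId $dev.Id
        Write-Host "Deleted Intune record $($dev.Id) ($($dev.DeviceName))"
    }
}

# 4. Verify the outcome: Intune record gone, Autopilot registration still present.
$stillManaged = Get-MgDeviceManagementManagedDevice -All |
    Where-Object { $_.SerialNumber -eq $SerialNumber }
$stillRegistered = Get-MgDeviceManagementWindowsAutopilotDeviceIdentity -All |
    Where-Object { $_.SerialNumber -eq $SerialNumber }
if (-not $WhatIf -and $stillManaged) { throw "Intune record still present." }
if (-not $stillRegistered) { throw "Autopilot registration is missing!" }
Write-Host "Device '$SerialNumber' is ready to be redeployed through Autopilot."
```

Run with `-WhatIf` first to list what would be removed; the final check fails loudly if the Autopilot registration is ever missing, which is the mistake the post warns against.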
If you have questions or comments for the Intune team, reply to this post or reach out to @IntuneSuppTeam on Twitter.
Posted at https://sl.advdat.com/30uR7HJ