Mobile Jon's Blog

Getting Ready for Dropship to Home Provisioning with Workspace ONE


Recently, our friends at VMware announced the new features in Workspace ONE UEM 2102. One of the many that jumped out at me is Autopilot Integration. This is a new way to enhance Workspace ONE Dropship Provisioning for our remote workforce that I am calling “Dropship to Home Provisioning”, which will let you connect your PC to your company from the privacy of your own home. We know that’s hitting the forefront of our priorities in the UEM space. Today, we’re going to cover the first two prerequisites (Configuring Autopilot and Building the Delegate Account).

Windows Autopilot

First, let’s quickly cover what Autopilot is. Windows Autopilot is a broad name for a collection of technologies that are used to set up and pre-configure, reset, repurpose, and recover new devices. The power of Autopilot is the minimal infrastructure needed.

I have often referenced Dropship Provisioning as the next evolution of Autopilot which is not far from the truth. Autopilot can apply settings and policies, install apps, and upgrade the Windows 10 version. Autopilot enables several services for your devices like Intune, Windows Update for Business, and Microsoft Endpoint Configuration Manager to name a few.

A few of the features that Autopilot gives you are:

  • Automatic Azure Active Directory (AD) Join or Hybrid Azure AD Join via AD.
  • Automatic Enrollment into MDM with Azure AD Premium Licensing
  • Restricting Admin Account Creation
  • Creating and automatic device assignment to configuration groups based on the device profile
  • Org-Specific Out of Box Experience Customization

Now, let’s discuss the steps for setting up Autopilot!

Creating Device Groups

Before we create groups, let’s discuss some of the options for creating your device groups.

You can build a device group with one of these options:

  • Capture ALL Autopilot devices
  • Match OrderIds
  • Device Groups that match a PurchaseOrderId
  • Potentially other options exist, which I will be doing some testing on

You will click “New Group”

You create a basic group as seen below and click “Add Dynamic Query”:

The rule below would put all of your Dell machines into the Device Group:

The code specifically is:

(device.devicePhysicalIDs -any _ -eq "[HWID]:h:6896142646470038")

It’s a very simple example, but we can tie into anything that the device has as a property. I suggest using the Graph Explorer and running the device API: https://graph.microsoft.com/v1.0/devices so you can take a good look at one of your devices to figure out how you want to build your groups.

You can see all of the physical IDs of this device as an example there:

Building and Assigning Windows Autopilot Deployment Profiles

Now that you have your groups in place, you can create and assign the deployment profiles to pull devices into Windows Autopilot. You can do that here.

First, you set the basics: (You can see that I set it to convert all targeted devices to Autopilot)

Next, we configure the OOBE Settings:

I typically skip scope tags, which matter more in production. Now I add my new group to the assignments section as you can see:

Once done, you click create. The main thing to be aware of is that it can take up to 48 hours for devices to be converted to Autopilot, but otherwise you are good to go!

Developing a Strategy for Autopilot Registration

We have a few different ways of registering devices for Autopilot.

For existing devices, you can create a profile and deploy it, which we covered previously; this converts those devices to Autopilot. Un-enrolled devices have two different options: manual registration or OEM registration, which is our next topic!

Manual Device Registration

Manual device registration can be a bit challenging, but you can use Workspace ONE UEM in creative ways to make it happen. I turned the code for the hardware ID into a sensor for Workspace ONE so you can dump them out of WS1 Intelligence and CSV Import. This is in the testing phase, but I am currently pushing down the module install separately with this code:

Install-Script -Name Get-WindowsAutoPilotInfo   

The sensor itself I am working on is:

$hardwarehash = Get-WindowsAutoPilotInfo.ps1 | Select-Object @{N= 'hardwareid'; E={$_."Hardware Hash"}}
echo $hardwarehash.hardwareid

Once you have your collection of Hardware Hashes, you build a CSV with this header and line format:

Device Serial Number,Windows Product ID,Hardware Hash,Group Tag,Assigned User
<serialNumber>,<ProductID>,<hardwareHash>,<optionalGroupTag>,<optionalAssignedUser>

You can then import them using the import button on this page.
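Before importing, it helps to check the file against the header and line format above. The following is an added example, not code from the original post: the function name `Test-AutopilotCsv`, the serial numbers and the hash values are all constructed for illustration. It flags a wrong header, missing or repeated serial numbers, and hardware hashes that do not decode as base64.

```powershell
# Added example; serial numbers and hash values below are constructed.
$ExpectedHeader = 'Device Serial Number,Windows Product ID,Hardware Hash,Group Tag,Assigned User'

function Test-AutopilotCsv {
    param([string[]]$Lines)

    # The first line must be the import header, exactly.
    if ($Lines[0].Trim() -ne $ExpectedHeader) {
        throw "Unexpected header: $($Lines[0])"
    }

    $seen = @{}      # serial number -> first row it appeared on
    $rowNumber = 1   # row 1 is the header
    foreach ($row in ($Lines | ConvertFrom-Csv)) {
        $rowNumber++
        $problems = @()
        $serial = $row.'Device Serial Number'
        $hash = $row.'Hardware Hash'

        if ([string]::IsNullOrWhiteSpace($serial)) {
            $problems += 'missing serial number'
        } elseif ($seen.ContainsKey($serial)) {
            $problems += "duplicate of row $($seen[$serial])"
        } else {
            $seen[$serial] = $rowNumber
        }

        # The hardware hash is a base64 string; a value cut off mid-copy or
        # containing stray characters usually fails to decode.
        if ([string]::IsNullOrWhiteSpace($hash)) {
            $problems += 'missing hardware hash'
        } else {
            try { [void][Convert]::FromBase64String($hash) }
            catch { $problems += 'hardware hash is not valid base64' }
        }

        [pscustomobject]@{ Row = $rowNumber; Serial = $serial; Problems = $problems -join '; ' }
    }
}

# Constructed stand-in for a real hardware hash.
$goodHash = [Convert]::ToBase64String([byte[]](1..300 | ForEach-Object { $_ % 256 }))
$sample = @(
    $ExpectedHeader
    "SN-CONSTRUCTED-001,,$goodHash,,"
    "SN-CONSTRUCTED-002,,$($goodHash.Substring(0, 101)),,"   # truncated hash
    "SN-CONSTRUCTED-001,,$goodHash,,"                        # repeated serial
)
Test-AutopilotCsv -Lines $sample | Where-Object Problems | Format-Table -AutoSize
```

For a real file, pass `(Get-Content .\hashes.csv)` as `-Lines`; the file name here is a placeholder.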

OEM Device Registration

The preferred way of doing things will be via OEM device registration. You can find the partners that support it below:

Creating your Delegate Account for the Cloud Connector

The last thing we will cover is setting up your delegate account. We will walk through the entire setup in this video below, which will show you how to set things up for when you upgrade to 2102.

Final Thoughts

Let’s remember that to use Autopilot, we will still need Intune licenses, but otherwise it’s a nice advancement on Dropship Provisioning. In our new onboarding from home, we have to adapt and shift quickly. The new functionality in WS1 UEM 2102 will enable this, which we will discuss very soon. After following the steps I outlined, you will be 100% ready when it releases shortly. Dropship Provisioning extended a horrendous imaging process to the modern world and now we extend that to people’s homes!


5 thoughts on “Getting Ready for Dropship to Home Provisioning with Workspace ONE”

  1. Pingback: Service – Week 10-2021 Workspace ONE Updates – Julius Lienemann

  2. Pingback: Dropship to Home Provisioning has FINALLY Arrived - Mobile Jon's Blog

  3. Hi Jon, did you find any success with the sensor for the Hardware Hash? I tried the one you shared and it works locally on the devices but fails when run from WS1. I can’t seem to get it to work with any type of variation I’ve tried and was wondering if it was working for you? Thanks for the article and your time! Cheers.

  4. Hi Jon, I was able to get further in my troubleshooting of the Sensor for the autopilot hardware hash. I was able to get the sensor to fully report the hash in an error message in the troubleshooting logs of the device in WS1. When I search the awprocesscommands.log I see an error message that states “the output length is greater than 1KB length.” The hash is 4k characters and I can see the whole hash in the error message in WS1 troubleshooting but it is still not something I can report on. Did you happen to find any success? I have not been able to find any way around the 1KB limit. Thanks again for the article.

    1. Sorry it took so long to reply as I’m getting my presentation ready for VMware Explore. I’ll look more into this. I’m guessing it’s a limitation for intelligence that you could store so much in a database row.
