With every new release of Windows 10, there are also new features in the area of Microsoft Autopilot. If you don’t know what Autopilot is, I recommend the article “What is Microsoft Autopilot“. Today we’re talking about new features that are possible with Windows 10 1903. As always with autopilot, this also requires an up-to-date Intune instance.
News about the Hybrid-AD Join
First of all, the Hybrid-AD Join, which unfortunately hasn’t gotten any better yet. Many had hoped that it would improve with 1903. Unfortunately, a direct connection to the on-premises Active Directory is still needed. In many projects this has already meant that Autopilot could not be used at all. In principle, some of this can be solved with ADFS or Windows Hello for Business, but most companies are not ready for that yet. The alternative is a deployment with a VPN box, a hardware solution that is transparent to the client.
White-Glove – or pre-installation by OEM, Partner or IT
One function that has been planned for some time to fix some of these flaws is “White Glove”. The name “White Glove” is an allusion to the cotton gloves worn by service personnel in earlier times.
This function adds another step to the existing process.
So far the OEM has installed the image and the drivers. This image could also be a custom one, but in reality that was usually not practical enough for various reasons. The installation of the applications was then done when the user logged in. Depending on the Internet connection and the size of the applications, this could take a few hours.
It is precisely this software installation and the application of the device-specific settings and guidelines that should now be taken over by the OEM, a partner or IT.
Experts disagree on whether it makes sense for IT to do this. Theoretically, I can install the system in the classical way, even without any interaction in between. It should, therefore, be the exception. It makes more sense if the OEM can do it directly. But this requires processes at the OEM in the factory or at a logistics hub, which is likely to pose problems for some smaller OEMs.
Both Azure-AD Join and Hybrid-AD Join are supported, the latter with the usual limitations.
Requirements for White-Glove
There are a few prerequisites for the whole thing to work. These are:
- Working autopilot (incl. Intune subscription)
- Windows 10 1903 Pro / Enterprise
- A physical device with TPM 2.0 (VMs are not supported!)
- Hardware support for Auto-Deployment with Autopilot (TPM 2.0 Attestation)
- Physical network connection, WLAN not supported
Preparing for White Glove
The first step is to create a new autopilot profile in Intune.
The name should be unique.
In the next step, the OOBE (Windows welcome page) can be adapted. Important is the option “Allow White Glove OOBE”. This is where White Glove hides.
Scope tags and group-based assignments will follow if you want to use them.
Summary at the end of profile creation.
This makes White Glove possible in principle. Now the profile and a user must be assigned.
The OEM starts the system as usual.
On the first OOBE screen, however, you do not click “Next” but press the Windows key 5 times. A new dialogue then appears.
Provisioning can be started here.
The profile is shown, and the barcode encodes the information about the system.
After that a normal autopilot process starts.
If no user is assigned, an error message is displayed. Unfortunately, the error message is not very meaningful. That this error is due to the missing user can only be recognized from the “Not assigned”. In general, I would like to have more information about the error diagnosis. The error also remains visible on the provisioning page for only about 2-3 seconds; unfortunately, only a video camera can help here.
But if everything went well, then the screen is green. (Screenshot follows as soon as I have found the error in my lab).
Update to the error (04.09.2019)
The error was the missing Device Attestation in the test device. You can check whether this function is supported with the PowerShell command:
Get-TpmSupportedFeatures -FeatureList "Key Attestation"
Without this TPM function, there is no White Glove. Under certain circumstances, a BIOS update can help here. Please contact your hardware manufacturer.
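The following script, added here as an example and not part of the original article, checks the White Glove prerequisites listed above (Windows 10 1903 Pro/Enterprise, physical device, TPM 2.0 with key attestation, wired network) on a candidate device before handing it to the OEM or partner. It assumes build 18362 for 1903, treats a hypervisor name in Win32_ComputerSystem as a VM indicator (a heuristic), and needs an elevated PowerShell because Get-Tpm requires administrator rights.

```powershell
# Added pre-flight check for the White Glove prerequisites (example, not article code).
# Run in an elevated PowerShell on the device to be provisioned.
function Test-WhiteGloveReadiness {
    $results = [ordered]@{}

    # Windows 10 1903 = build 18362; Pro or Enterprise edition required
    $build   = [System.Environment]::OSVersion.Version.Build
    $edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
    $results['Windows 10 1903 or later'] = ($build -ge 18362)
    $results['Pro/Enterprise edition']   = ($edition -match '^(Professional|Enterprise)')

    # Physical device: VMs are not supported. Heuristic (assumption): common
    # hypervisor strings in manufacturer/model indicate a virtual machine.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $results['Physical device (no VM)'] =
        -not ("$($cs.Manufacturer) $($cs.Model)" -match 'Virtual|VMware|VirtualBox|KVM|QEMU')

    # TPM present, ready and of spec version 2.0
    $tpm  = Get-Tpm -ErrorAction SilentlyContinue
    $spec = (Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion
    $results['TPM present and ready'] = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)
    $results['TPM 2.0']               = ("$spec" -match '^2\.0')

    # Key attestation support: the same check as in the article's update
    $features = Get-TpmSupportedFeatures -FeatureList 'Key Attestation' -ErrorAction SilentlyContinue
    $results['TPM key attestation'] = [bool]($features -match 'key attestation')

    # A wired (802.3) adapter that is up; WLAN is not supported for White Glove
    $wired = Get-NetAdapter -Physical | Where-Object {
        $_.Status -eq 'Up' -and $_.PhysicalMediaType -eq '802.3'
    }
    $results['Wired network connection'] = [bool]$wired

    foreach ($k in $results.Keys) {
        $state = if ($results[$k]) { 'OK  ' } else { 'FAIL' }
        Write-Host ("[{0}] {1}" -f $state, $k)
    }
    # Overall verdict: every check must pass for White Glove to work
    return ($results.Values -notcontains $false)
}

Test-WhiteGloveReadiness
```

A FAIL on the key attestation line is exactly the situation the update above describes; a failed TPM spec check on an otherwise current device usually means a firmware (BIOS) update is needed.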
After the White Glove at the end-user
Now the user starts the device. The steps are the same as for a normal autopilot. However, it is faster because some of the software is pre-installed.
The Azure-AD Hybrid Join is also available in the user part of Autopilot with White Glove. Otherwise, a VPN connection to the OEM or service provider could be a simple solution.
Further changes in 1903 and autopilot
Unfortunately, there is nothing new to report here, as White Glove was the only innovation on autopilot with 1903.
Note on transparency
Only my test device was made available to me by my employer, independent of this article.
This article first appeared on Infrastrukturhelden.de in German.