My org is taking on the challenge of delivering a modern workspace to our user community.
It will be good-bye to legacy Active Directory joined Windows devices and excessive Group Policy that makes the user experience, simply put, awful. Windows 10 is a modern operating system for a modern era, with Windows as a Service delivering new features on a six-monthly cadence that our user community should benefit from.
Also, it’s not 1997 anymore. The combination of smartphone and tablet devices, along with the injection of millennials into the workforce, means the user community is now far more competent with devices, and they demand that consumer experience at work.
One of my challenges recently has been to come up with a strategy to move our existing Windows devices to our new modern management platform. I wanted to take advantage of Windows Autopilot and the user-driven onboarding experience. I am using SCCM to transition to modern management with Autopilot, but SCCM will not be involved in the future management of these devices. There will not be any co-management – this is a digital transformation project.
Configuring Windows Autopilot seems very straightforward. Obtain the hardware hashes of all of your devices, upload them to Azure, assign the devices to an Autopilot Assignment and you’re basically done. Well, as long as you are only doing this with devices running Windows 10 v1703 and higher.
As proud as I am that over the past three years I have moved 65% of my org’s fleet to Windows 10 organically (i.e. no project), there still remain around 3500 Windows 7 devices in my org that will need to be transitioned to Windows 10 – and with this project, it needs to be with Autopilot.
My problem: How do I obtain the hardware hashes for these devices without disrupting the user?
As I said earlier, hardware hashes can only be obtained from Windows 10 v1703 or greater. For my devices running earlier versions of Windows 10 and my Windows 7 devices, I will need to figure out a way to achieve this.
Do I get my engineers to quickly grab the hardware hash on the fly while the device is being transitioned to modern management and manually upload it to Azure? How long will that take? What happens if something goes wrong? What if the instructions are not followed? How much delay to the user if they’re expecting their device back in a reasonable timeframe?
Whatever way I looked at it, it was going to be disruptive to my user community and to my engineers.
Step in Michael Niehaus and the session Modern Deployment with Windows Autopilot and Microsoft 365 at Microsoft Ignite. Michael also wrote a blog post with some extra details that I highly recommend reading.
And of course, the link to the official documentation.
This is an excellent bit of work from Microsoft. Being able to automate the transition from Windows 7 to a modern managed Windows 10 device is a huge benefit to the project I am currently working on.
My one small request for improvement: it would be great to have a process whereby, during the Autopilot process, the device’s hardware hash could be automatically uploaded to Azure and assigned to the same Autopilot assignment in the JSON file. If you use this method, remember to create a process to upload the hardware hash to Azure, because if the device requires resetting in the future, Autopilot will not work due to the missing device hardware hash.
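One way to collect the hardware hash once the device is running Windows 10, so it can be uploaded to Azure afterwards. This is an added example, not part of the original post or of Microsoft's scripts; the output path is hypothetical, and the WMI class and CSV column names are the ones the Autopilot import uses rather than anything stated on this page.

```powershell
# Added example: write this device's Autopilot hardware hash to an import CSV.
# $OutputFile is a hypothetical path. Run elevated on the deployed device.
param(
    [string]$OutputFile = "$env:SystemDrive\Temp\AutopilotHash.csv"
)
$ErrorActionPreference = 'Stop'

# The hash is only exposed on Windows 10 v1703 (build 15063) and later,
# so fail clearly on Windows 7 or older Windows 10 builds.
$build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
if ($build -lt 15063) {
    throw "Build $build is older than Windows 10 v1703; no hardware hash is available."
}

$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber

# MDM bridge WMI class that carries the hardware hash.
$detail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' `
    -ClassName 'MDM_DevDetail_Ext01' `
    -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"

if (-not $detail -or [string]::IsNullOrWhiteSpace($detail.DeviceHardwareData)) {
    throw 'MDM_DevDetail_Ext01 returned no DeviceHardwareData.'
}

$row = [pscustomobject]@{
    'Device Serial Number' = $serial
    'Windows Product ID'   = ''
    'Hardware Hash'        = $detail.DeviceHardwareData
}

# Create the output folder if it does not exist yet.
$dir = Split-Path -Parent $OutputFile
if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }

# Three-column CSV, quotes stripped, ASCII encoded, ready for upload.
$row | ConvertTo-Csv -NoTypeInformation |
    ForEach-Object { $_ -replace '"', '' } |
    Set-Content -Path $OutputFile -Encoding Ascii
```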
I thought I’d summarise my SCCM Task Sequence here also:
- USMT to capture user data. As part of our transformation, we will be moving users to OneDrive for Business, but Known Folder Move may not capture that one really important file saved in C:\Temp. This is more a safety net option as any data loss is very bad.
- Update & Configure BIOS – This is a good time to ensure that you’re standardising on BIOS versions and have the correct configuration (especially if you haven’t applied any of the recent Spectre/Meltdown updates).
- BIOS to UEFI – This is an absolute must-do for Windows 10 – the security and performance improvements alone make this a no-brainer! It’s also a good time if you upgraded Windows 7 devices to Windows 10 a few years ago when switching to UEFI wasn’t so easy.
- Install Windows 10 – This is the Microsoft ISO – No custom reference image is needed anymore.
- Remove the unattend.xml file from the Panther folder – if you don’t do this, the OOBE (and Autopilot) will be skipped.
- Apply Autopilot for existing device – this is essentially running the PowerShell script from Michael Niehaus’ blog that tweaks the JSON file and then drops it into the Autopilot provisioning folder.
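The last two steps as a single task sequence script that also refuses to stage a profile pointing at the wrong tenant. This is an added example, not the script from Michael Niehaus' blog or from my task sequence; the three parameters are hypothetical, and the folder paths, the `AutopilotConfigurationFile.json` name, the `CloudAssignedTenantId` key and the ASCII encoding come from Microsoft's Autopilot for existing devices documentation rather than from this page.

```powershell
# Added example: run after the "Install Windows 10" step, against the applied OS volume.
# All three parameters are hypothetical inputs supplied by the task sequence.
param(
    [Parameter(Mandatory)] [string]$ProfilePath,      # JSON shipped in the TS package
    [Parameter(Mandatory)] [string]$TargetWindows,    # e.g. "C:\Windows" on the new OS volume
    [Parameter(Mandatory)] [string]$ExpectedTenantId  # your Azure AD tenant GUID
)
$ErrorActionPreference = 'Stop'

# Fail the step if the profile is not valid JSON or names a different tenant,
# so a stale or altered package cannot enrol the device somewhere unexpected.
$autopilot = Get-Content -Path $ProfilePath -Raw | ConvertFrom-Json
if ($autopilot.CloudAssignedTenantId -ne $ExpectedTenantId) {
    throw "Profile tenant '$($autopilot.CloudAssignedTenantId)' does not match the expected tenant."
}

# Remove any leftover unattend.xml so OOBE (and Autopilot) is not skipped.
$panther = Join-Path $TargetWindows 'Panther'
Get-ChildItem -Path $panther -Filter 'unattend.xml' -Recurse -ErrorAction SilentlyContinue |
    Remove-Item -Force

# Drop the profile where OOBE looks for it, ASCII encoded.
$dest = Join-Path $TargetWindows 'Provisioning\Autopilot'
New-Item -ItemType Directory -Path $dest -Force | Out-Null
Get-Content -Path $ProfilePath -Raw |
    Set-Content -Path (Join-Path $dest 'AutopilotConfigurationFile.json') -Encoding Ascii
```

If the step runs in WinPE, the boot image needs the PowerShell optional component.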
Once the task sequence has finished, the device is ready for user onboarding via Windows Autopilot. From here, you can configure your Azure tenant to auto-enrol into your MDM of choice. Just make sure you have Azure AD P1 or P2 licensing.
I thought it would also be useful to list some questions to ask your hardware vendor/s:
- What is your process for giving me the hardware hashes of all the devices I’m buying from you?
- Are all the devices I’m buying on Windows 10 v1703 or higher (preferably higher)?
- Do you do signature images (the one without the bloatware)?