When Microsoft AutoPilot saves you time, that saves your nonprofit money.
The rates at which new technologies are adopted by our nonprofit clients vary significantly. Organizations have to consider the benefits of something new, the cost of changing, and the cost of staying with the status quo. Nonprofits have to take into account their business culture and the leadership bandwidth available to shepherd a new technology through from selection process to full adoption by staff. It’s not always an obvious choice, as we detail in our download, Building the Foundation for IT Innovation.
Therefore, when a new technology is a smash success and we can deliver a new solution that everyone appreciates and that saves time and money, we sometimes will do a little happy dance. That’s what the Windows Autopilot/Endpoint Manager combination for configuring and deploying laptops has been like at Community IT over the last year. Microsoft AutoPilot saves time, saves in-person contact, and saves hassles.
A majority of our nonprofit clients already are Microsoft Office 365 users. For these clients, Autopilot is a welcome addition to our toolbox for deploying laptops remotely and efficiently.
Windows Autopilot, coupled with Endpoint Manager, is the way we have been deploying new computers at many of our clients. This method enrolls and configures Windows computers into Endpoint Manager directly from the manufacturer. Endpoint Manager is the Device Management System included by Microsoft in many Office 365 bundles.
Laptop configuration before Autopilot
There were various ways we deployed computers previously. We used imaging solutions (like Ghost). More recently, Microsoft Deployment Toolkit (MDT) offered a method to do scripted deployments. The fallback was, and is, performing a plain, vanilla manual setup (with checklists to reduce human error and generate some consistency). All of it works, but manual setup doesn’t scale well. The first two options require a lot of setup work on the front end, and follow-up work with every software and hardware update. This takes IT time from a Community IT technician. Importantly, all of these methods are efficient only when we have physical access to the computer before handing it off to the end user.
Laptop configuration after Autopilot
Autopilot leverages tools provided by Microsoft through Windows and its Microsoft 365 cloud of services to make deployment of Windows computers relatively easy. Bottom line, Microsoft AutoPilot saves time, as shown in this case study on remote configuration at a charter school. If you are interested and an IT geek, here are the basic steps.
- Computers are enrolled in Autopilot, associated with the specific Microsoft 365 tenant, by the computer manufacturer (whether Dell, Lenovo, HP etc) before they even ship. This association is based on the computer’s “hardware hash” that is unique to each Windows device.
- The computer is shipped directly to the end user.
- The end user unboxes the new computer, plugs it in, turns it on, connects it to the Internet, and is prompted to enter their email address and Microsoft 365 password. This process is called the out-of-box experience (and like so much in IT gets an acronym: OOBE).
OOBE happens for any Windows computer and is familiar to anyone who has set up a Windows 10 machine, but the Autopilot enrollment adjusts the process. Certain steps can be modified (for example, the end user agreement can be skipped), and the computer will only accept an email address associated with the organization’s Microsoft 365 tenant.
- The computer is joined to the organization’s Microsoft 365 tenant and the organization’s Intune policies begin applying, generally completing within 4-8 hours. Our baseline configuration includes:
- Rename the computer with a client-specific short prefix and then computer service tag.
- Enable BitLocker full hard drive encryption, and store the encryption key in Azure Active Directory.
- Disable Windows Hello.
- Install Community IT’s remote monitoring and management (RMM) agent.
- Sync end user’s OneDrive, if OneDrive is in use. Possibly sync an “all staff” SharePoint Library.
- Activate the end user’s subscription license for the Office Desktop Suite. In general, the trialware of the software is preinstalled by the manufacturer – only activation is required.
- Install third-party applications: Chrome and Firefox, 7-zip, Acrobat Reader, Zoom, etc.
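Because these policies apply over several hours with no technician present, it is worth confirming on the device that the security-relevant parts of the baseline actually landed. The script below is an added example, not Community IT's own tooling; the `ACME-` prefix and the exact `<prefix><service tag>` naming pattern are assumptions, and it must be run from an elevated PowerShell prompt on the enrolled laptop.

```powershell
#Requires -RunAsAdministrator
# Added example: spot-check the Autopilot/Intune baseline on the local device.
param(
    # Hypothetical client prefix; the <prefix><service tag> pattern is an assumption.
    [string]$Prefix = 'ACME-'
)

$results = [ordered]@{}

# 1. Azure AD join state, read from the built-in dsregcmd tool.
$dsreg = dsregcmd /status
$results['AzureAdJoined'] = [bool]($dsreg -match '^\s*AzureAdJoined\s*:\s*YES')

# 2. BitLocker on the OS volume: protection on, disk fully encrypted,
#    and a recovery password protector present. Whether that recovery key
#    was escrowed to Azure AD has to be confirmed on the device record in
#    the tenant; this local check cannot prove it.
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$results['BitLockerProtectionOn'] = ($vol.ProtectionStatus -eq 'On')
$results['FullyEncrypted']        = ($vol.VolumeStatus -eq 'FullyEncrypted')
$results['RecoveryPasswordSet']   = [bool]($vol.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword')

# 3. Computer name: prefix followed by the manufacturer's service tag,
#    which Windows exposes as the BIOS serial number. Windows computer
#    names are limited to 15 characters, so compare the truncated form.
$tag      = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber.Trim()
$expected = "$Prefix$tag"
if ($expected.Length -gt 15) { $expected = $expected.Substring(0, 15) }
$results['NameMatchesPattern'] = ($env:COMPUTERNAME -eq $expected)

# Report each check and return a non-zero exit code if any failed,
# so the script can be wrapped by an RMM or compliance job.
$results.GetEnumerator() | ForEach-Object { '{0,-24} {1}' -f $_.Key, $_.Value }
if ($results.Values -contains $false) { exit 1 }
```

A device that reports `FullyEncrypted` as `False` shortly after enrollment may simply still be encrypting, so re-run the check after the 4-8 hour policy window before treating it as a failure.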
Endpoint Manager policy application requires each end user to have an Intune license assigned to them (it is included with the “Microsoft 365 Business Premium” subscription bundle that costs only $5/month at nonprofit pricing). The computer manufacturer needs to be added as a “partner” in the Microsoft 365 tenant – this only has to be done once and it only takes a minute. The computer purchased needs to include the Autopilot specification, for which the manufacturer needs to be told the “tenant ID” and domain name they are associating with the computer. There are plenty of steps, but it’s not a big lift in terms of labor or complexity.
Such a baseline of policies takes us roughly 3-4 hours to set up per organization, then takes approximately 15-20 minutes per laptop in setup time. Laptop setup previously could take up to 1-2 hours per laptop.
So now, the setup time per laptop has been reduced by 80-90% right off the top. This saves precious IT technician time – time that can be re-allocated to addressing pressing IT projects and regular maintenance.
Autopilot helps when workers are remote.
You can see why this remote solution has been so popular, especially during the Covid-19 pandemic. Microsoft AutoPilot really saves time. Without it, in a worst-case scenario, a new laptop was delivered to the home of a client staff member who lived relatively near the client’s (empty) office and who was willing to manage these logistics. They would bring the computer to their empty office, meeting one of our technicians who would do the basic laptop setup/configuration. The computer would then be boxed up again and re-shipped to the end user. This approach was necessary when we were joining computers to on-premises domains and allowing domain Group Policy to map office printers and file shares.
Of course, office printers are not useful if you are not working in the office. Indeed, having a computer be domain-joined if it’s being used away from domain controllers can actually create difficulties. Password resets in particular can create a lot of hassles. Given these circumstances, a shift away from joining computers to on-premises domains made a lot of sense over the past year.
Investing in Autopilot and Endpoint Manager for remote or hybrid workers is a game-changer.
Autopilot works when remote staff return to the office.
For clients with a relatively large on-premises server infrastructure (and with directory synchronization between their network domain and Microsoft 365), AzureAD-joined computers do okay when they are in the office or when connected to the office via a VPN. Most importantly, AzureAD credentials are passed through and accepted for access to network file shares.
The biggest concern we have about staff returning to their offices with AzureAD-joined/Autopilot/Intune laptops is that they won’t see the aforementioned domain-mapped printers. We address printer issues using a third-party service called PrinterLogic, which can be installed by Endpoint Manager. With that concern addressed, we’re confident these computers will do well in domain environments after pandemic restrictions are lifted. And for clients who are entirely serverless already (or getting there soon), Microsoft 365 device management is a welcome addition to the array of cloud services that support their information technology.
Microsoft wants to provide an entire “technology stack” to its customers. They can provide the computers’ Operating System (Windows), its primary software “getting things done” (Microsoft Office), a cloud service for email (Exchange Online) and files (OneDrive and SharePoint), an improving collaboration platform (Teams) and a widely utilized single sign-on identity platform (AzureAD). They wrap it all up with deep integration between the different pieces and add an overlay of robust security tools.
For most of our clients, having everything in one place with the integrations built-in, and with significant pricing discounts for nonprofits, is a very attractive approach. Autopilot and Endpoint Manager are yet another layer of this stack and our clients are benefitting. It’s a solution that’s been our most popular implementation offering these last 12-18 months and it’s easy to see why, when Microsoft AutoPilot saves nonprofits and IT managers so much time.
Ready to explore Autopilot in your Office 365 environment?
At Community IT, our process is based on 25 years of exclusively serving nonprofits. Our technicians have certifications across all major platforms, and we constantly research and evaluate new solutions to ensure that you get cutting-edge solutions that are tailored to the needs of your organization.
We regularly present webinars at Community IT about nonprofit technology issues, and we work hard to keep our nonprofit technology community informed and engaged in best practices, including our IT support for nonprofits guide.
If your organization needs an assessment of whether Autopilot and Endpoint Manager are right for your laptop deployment needs or could be better utilized at your organization, needs implementation support to help move to Autopilot and remote deployment, or has other Office 365 needs or questions, let’s talk.