Using Microsoft AutoPilot to easily deploy and re-deploy laptops saves money and time.
Did you know you can prepare your laptops for takeoff with AutoPilot? Imagine opening up your new laptop and it already knows what you do and how you do it.
If your nonprofit uses Microsoft Office 365, this can happen.
Using Microsoft AutoPilot, you can turn hours of configuring into minutes. You can even deploy the process to old laptops and reset laptops for new users. If you are responsible for new IT acquisitions, you’ll want to do this for your organization. If you are responsible for using your org’s funds wisely, you’ll want this done. Join us to learn how it works and how to ask for it.
As the nonprofit workforce becomes increasingly remote and dispersed, laptop management (purchasing and configuring new laptops for staff, transitioning laptops from departing staff, and providing computers to new hires) is becoming a logistical nightmare for IT and Operations teams.
For nonprofits using Microsoft 365 there is a better way! Microsoft Autopilot allows organizations to create customized, automated installation profiles linked to the hardware itself. These profiles can be selected when purchasing the laptop directly from the manufacturer. Equipment can be shipped directly to staff, ready to use. And if the computer is reset or reinstalled for new staff, it will always revert back to the organization’s installation profile.
Community IT has been using AutoPilot to configure laptops since summer 2020 and we estimate in this case study that AutoPilot saves 80% of the installation and configuration time up front, in addition to saving time when laptops are re-deployed. That’s time your IT tech can be spending addressing your other IT needs. You can learn more about the cost savings of AutoPilot in this case study of a 100% remote work implementation at a large faith-based client.
In this free video, Community IT CEO Johan Hammerstrom talks with Steve Longenecker, Director of IT, and Phil Oswald Christano, Senior Engineer, about how to save money and time with Microsoft AutoPilot.
As with all our webinars, this presentation is appropriate for an audience of varied IT experience.
Community IT is proudly vendor-agnostic and our webinars cover a range of topics and discussions. This conversation features a realistic look at the benefits of AutoPilot – but also discusses the options for your nonprofit if you don’t have the Microsoft Office 365 package. Webinars are never a sales pitch, always a way to share our knowledge with our community.
Presenters:
As Director of IT Consulting, Steve Longenecker divides his time at Community IT primarily between managing the company’s Projects Team and consulting with clients on IT planning. Steve’s appreciation for working at Community IT Innovators is rooted in respect for the company’s dream and vision, and for the excellent colleagues that that dream and vision attract.
Before coming to Community IT in September 2004, Steve was an 8th grade science teacher at Takoma Park Middle School, and – though that was a long time ago now – he still draws on lessons learned in that first career. Steve is MCSE certified. He has a B.A. in Biology from Earlham College in Richmond, IN and a Masters in the Art of Teaching from Tufts University in Massachusetts.
Steve is always excited to talk about technology, but especially when it saves nonprofit time and money. He’s looking forward to sharing ways you can prepare your laptops for takeoff using AutoPilot.
Originally from Indonesia, Phil Oswald Christano joined Community IT Innovators in January 2000. In addition to providing support to his assigned clients, as a senior engineer he also provides escalation support for the network admins and engineers, performs project QAs, and conducts network audits. With a passion for staff and human development, he holds the unofficial title of coach and mentor.
Prior to Community IT, Phil lived in Goshen, Indiana where he went to college and gained 4 years of Information Technology (IT) experience as an IT Consultant to small businesses, and later as a Systems Administrator in a manufacturing company. Phil holds a Bachelor of Arts degree in Computer Systems with concentration in Information Systems from Goshen College. He is a VMware Certified Professional (VCP5).
CEO Johan Hammerstrom has always been interested in using technology as a force for good that can improve our world. In college, he pursued this interest through science, first studying Chemistry, Physics and Biology at Stanford University, graduating with Honors with a BS in Chemistry. He then studied Biophysics at Johns Hopkins University and received a Masters Degree.
The time spent in Baltimore convinced Johan that there were more pressing and immediate problems that technology could and should be used to address. He pursued a career in Information Technology, with the express goal of improving our communities and our world. He started at Community IT in 1999 as a Network Administrator. Since that time, Johan has been a Network Engineer, a Team Lead, the Director of Services, Vice President of Services, Chief Operating Officer, and, beginning July 2015, President and CEO. Working directly with over 200 nonprofit organizations to help them plan around and use technology to accomplish their missions has been one of the most positive and rewarding experiences of his life.
Transcript
Johan: Hello, and welcome to the July 2021 Community IT Innovators webinar. Thank you for joining us today for our webinar on Preparing Your Laptops for Takeoff. And today we’re going to be discussing a set of tools that we’ve started using at Community IT to efficiently provision new laptops and re-provision existing laptops in a way that has really helped make the process more efficient.
I don’t think it’s an exaggeration to say that these new methods that we’ve started to use have saved our clients a lot of time and money and have made the provisioning process a lot easier and a lot smoother.
My name is Johan Hammerstrom. I’m the CEO of Community IT and the moderator for this webinar series. The slides and recording for today’s webinar will be available on our website and YouTube channel later this week. If you’re watching the recording on YouTube right now, please consider subscribing to our channel to continue to receive automatic updates when we post new webinar recordings.
You can use the chat feature provided by Zoom throughout the webinar today to ask questions and we’ll do our best to answer those questions as they come in.
Before we begin, I wanted to tell you a little bit more about our company, in case you’re not familiar with Community IT. We’re a 100% employee owned company and our team of almost 40 staff is dedicated to helping nonprofit organizations advance their missions through the effective use of technology. We’re technology experts. And we’ve been consistently named a top 501 managed services provider by Channel Futures. And I’m happy to report that we received that honor again, just found out, for 2021.
It’s my pleasure now to welcome my co-presenters: Steve and Phil, if you could each introduce yourselves.
Steve: I’ll go first. I’m Steve Longenecker, I’m the director of IT consulting at Community IT. I’ve been at Community IT for… I started a month after my son was born and he is turning 17 in August, so almost 17 years. It has been a great joy to work at Community IT and to help nonprofits with their IT decisions and IT implementations.
Phil: And I am Phil Oswald-Christano. I’m a senior engineer at Community IT and mostly working with various projects and escalations from my colleagues. I have been with Community IT for quite a while. I joined the company in January 2000. So that’s easy to remember; 21 years with the company and it’s been such a pleasure working with various nonprofit organizations in the DC metro area and throughout the US.
Johan: Great. Thank you both. It’s really a pleasure to have you here on the webinar today and I’m really looking forward to today’s webinar. It’s a topic that I think we’re all excited about which, we’re IT people, so we get excited about IT issues, but this is something that I think has been pretty transformational for the work that we do. And we’re excited to talk to you all about it today. And we’re going to dive right into it. We have a lot to cover, so we’re going to start right away.
Endpoint Reality
The problem that this new technology seeks to solve has to do with what we call the endpoint reality. And as much as information like email and files has moved into the cloud, at the end of the day, in order for nonprofit professionals to be effective, they still have an endpoint.
They still have a computer. Increasingly that computer is a laptop and that laptop needs to be set up. When you hire new staff, they need to get a laptop that’s ready for them to use. When you replace laptops you need to provision the new hardware for existing staff. When staff leave, their laptops need to be re-provisioned for their replacements.
So all of that creates a provisioning headache. And one of the big uses of time, one of the ways that we spend a lot of our time providing IT support, is in provisioning laptops.
And traditionally there’ve been three different ways of doing that.
- The first way is imaging. And with imaging, you basically get one laptop set up or desktop set up the way that you want it to be set up. And you take a snapshot of that laptop, and then you copy that snapshot onto other machines. So that in theory, they’re set up exactly the same way as what’s called the image machine. So that’s imaging.
- The second approach is scripted deployment and that’s where you have a server that you’re pulling files and software from. And you write a script to automate the process of setting up a new machine.
- And the third option is just manual install. You have a physical checklist, a printed out checklist, oftentimes of all the steps that you have to go through when setting up a new laptop, removing bloatware, tweaking the settings, installing the right software, getting it configured for the organization’s staff.

So that’s the third method. These are pretty much the three main methods that we’ve had over the years for provisioning hardware and each one of them has its shortcomings.
So I was wondering Phil, if you could talk a little bit about, what are some of the shortcomings? Let’s start with imaging Phil, and then Steve, if you could talk a little bit about why, the fact that there are three methods means none of them work very well or ideally.
So what are some of the challenges with imaging?
Phil: Yes. So with imaging, first of all, like what Johan was saying earlier, it’s based on a particular image. And of course in most organizations, we are working with multiple models of laptops and desktops. So in the traditional imaging, you have to deal with drivers, for example. So each hardware model would often have different drivers required, whether that’s for the video card, for the network card or audio card.
And, if there is a mismatch, sometimes it can cause the Blue Screen of Death or the Purple Screen of Death, you name it. And so oftentimes you have to take that into consideration.
And if it’s possible, preload the different variations into a single image so that the computer will be smart enough to pick whatever is needed.
But on top of that, there’s the application itself. Microsoft Office will change the version and then you have to update the image again. Windows updates continuously. The new one will come up and then you have to do that. Otherwise, when you run the image and you provision the new computer, then you still have to run Windows updates on top of that.
So that’s a big hassle. So the biggest thing really is the updates. But then, of course, in order to deploy the image, you need physical access to the computer and often when it’s done through the network, if it’s not handled carefully, it can slow down the network. And then suddenly everybody complains about access to files and access to the internet. So that is a major issue aside from just the fact that you have to be physically there; physically available, be with the hardware itself.
Steve: This method works great when you’re deploying 100s and 100s of laptops at once. It’s really efficient at that scale. You create the image on the hardware. Presumably when you’re doing 100s of laptops at once, you’re there, all of the laptops are ordered at once. They’re all the same hardware profile. So you need one set of drivers. You get that image just right, and then you can blast it out really quickly.
I remember days we’d never do 100s and 100s. We didn’t have clients that big, but we could have a room with 30 laptops, all being imaged at once off of a switch and from a network. So this is not a bad way to go when you’re operating at that kind of scale. Rarely are our clients operating at that kind of scale.
And so if you’re buying three laptops at a time, you buy the three laptops, you might have an image for it. And then, the next time you buy laptops, six months later, three more, Dell has updated that hardware. It’s the same model number, but it turns out that it’s a different network card in there, or a different video or just the drivers have updated, and so on. So that’s kind of the trade-offs that we’re making with imaging.
Phil: And also, I remember a time we avoided using the network for image deployment, by actually putting the image on USB drives. But those have their own hassle because every time we update the image, we have to update all the USB drives, and then there is a certain percentage of failure – plug in the USB drive and it’s not working. So then you have to find a different one and you still have to have somebody physically logging it in for each one of them.
Johan: Yeah. It ended up taking more time than it saved. And I don’t know what the magic number was in terms of how many computers you’d have to be buying in order to actually save time. But I do think it was in the dozens, if not closer to the 100s that Steve referenced.
Steve: Yeah. In my previous life, I was a teacher and I know that at school, like in Montgomery County, I worked for Montgomery County schools for a while, and they have thousands of students across the county, but they have lots and lots of computers.
And it made sense that every summer they’d make a new image. This was back in the day when it was all Apple products, but they’d have set models of Macs. And that was something they did in the summer. They just sent staff from the IT department out to different schools with this image. And they would image all the computers and it was nice, it refreshed everything and you can use it to not just deploy new computers, but to just sort of make old computers all the same again. But again, it takes scale for this to be efficient.
Johan: Yes. Not a bad solution, but not always a great fit.
That led a lot of us into going with the scripted deployment method. But that method had its own shortcomings. Do you want to say a little bit more about those Steve?
Steve: Sure. So scripted deployment, the imaging is the idea that you have like an image that fits a particular hardware profile. A scripted deployment is basically not doing that. It’s more or less doing what you do manually.
When you manually turn on a computer, you turn it on, you run Windows updates, you might update some drivers, you might install some software. You do all these things manually. A scripted deployment basically gets all of the media that you need into either a server or onto a USB stick, like Phil was mentioning before. And then a script runs and the script tells you things in order and says, okay, first do this, then do that. Then do this, then do that.
And it’s very nice that you can plug in a USB key to a laptop and go through a sort of wizard, if you like, that says things like, “What do you want to name the computer?” And a couple other things, like “What kind of Office are we going to install? Is it going to be Office 2016; is it going to be Office 2019?” All those different options are in the scripted stuff. And the scripted resources that are on that USB.
And then, you can walk away and come back an hour and a half later. And it’s all just so, because it’s all been mapped out with the script. It still needs regular refreshing, refreshing the drivers that are on that USB stick. And you can do it again, you can use it on a server.
But, if you get a new model of computer from Lenovo or from Dell, and now you need new drivers added to your set of resources that your scripts are using.
Phil mentioned, Office releasing new software will need to be accounted for. And so, all of those things still apply.
It is a little bit more flexible than the imaging solution because you are basically leveraging the flexibility of software installation. Software is designed to run on lots of different models. Since you’re basically scripting an installation, instead of installing an image, of the software that has to only work with this hardware profile, you are scripting installation of software and that software installation recognizes what kind of hardware you’re dealing with. So it’s a lot more flexible, but it still needs regular refreshing.
And, we still need to plug the USB drive into the computer to run it, or the computer needs to be turned on in the office where the server that does this is located. It still requires physical access to the computer by the technician.
Phil: Yes, it is definitely a better solution compared to imaging, because it’s modular. But there are still the same limitations as far as physical access.
Steve: And these weren’t necessarily viewed as limitations until the pandemic really made those limitations evident. Yeah.
Johan: And then the old fashioned –
Steve: That’s right.
Manual Install
Johan: Yeah, manual. If all else fails, give the computer to your IT department and have them solve it.
Steve: Really, it’s not, “When all else fails,” it’s when you don’t have any kind of scale at all. So it’s the only option that we had when we’re dealing with clients that had one computer a year, three computers a year, where it wasn’t worth setting those things up.
We did sort of have a scripted deployment for an image that we would use at Community IT across our clients. But even when you did a scripted deployment, there were still all these manual processes at the end that made the computer custom to the client that the computer belonged to.
So we had a generic scripted deployment that we would run on a computer and then at the end, well, we know this client needs this and they need this software and they have this special thing. And so we have to do all of that. And yeah, we have “unreliable” down there because we’re human beings. And even with the checklist, people make mistakes. And that is the limitation of doing these manually.
I edited this slide. So it says, “requires physical access or screen sharing.” So we started doing this shortly after the pandemic began, before we really got into the Autopilot and Intune stuff that we’re going to talk about later.
We were doing this manual install approach when clients were saying, “Can we make this more efficient? Can we just ship this computer directly to so-and-so? They’re in Kansas ‘cause they’ve gone home. ‘Cause there was no one at the office and they’ve gone home to live with their family.”
And, so we would ship stuff to them, but then we’re on the phone with them talking them through the initial setup. And then we have the screen share with them as soon as we can, as soon as we have the ability to do that. And then we’re sort of doing it with them remotely. So we’re not necessarily physically on the computer, but we’re still in a sense needing to be mediating the experience through a screen sharing type thing.
Johan: Yeah. And it just adds inefficiencies and even with the friendliest, most efficient IT department, it still creates frustrations and challenges.
Steve: If there were no better way we would live with it.
Johan: In summary, this whole question of provisioning is something that has been a perennial challenge for IT. As Steve referenced, it’s been made worse by the pandemic, with nonprofit staff working both in a remote capacity as well as dispersed: it’s not just that people are working remotely, but they’re working from a wide variety of locations.
I think a lot of organizations are starting to bring on staff from other parts of the country. And the challenges of the traditional provisioning methods just exacerbate some of those challenges.
There is a new endpoint reality that we’re happy to share with you today and it’s being delivered by a new solution. And that new solution is cloud managed deployment.
Actually, one of the misconceptions or misnomers is that this is Microsoft Autopilot.
I was probably one of the last people at Community IT to really understand how all this worked. And I thought, oh, it’s all Autopilot. Just use Autopilot. And actually it’s a little more complicated than that. The logic of it makes sense once you understand it.
And that’s one of the things that we really want to explain today in this webinar.
Cloud-managed Deployment
Microsoft basically provides integration between these three different utilities or systems in Microsoft 365:
- Microsoft Autopilot,
- Microsoft Intune and
- Azure Active Directory.
And by using these three systems together in a very specific way, it allows IT departments to deploy laptops and provision them in a cloud managed way from a centralized cloud managed location.
So we’re going to go into more detail. Steve, do you mind walking us through this diagram?
Steve: First of all, this is dependent on the fact that the hegemony Microsoft wants to have over the world is impressive. Sometimes, I think people view it as scary and maybe appropriately. But it’s also super-duper convenient, particularly for non-profits with which Microsoft has been exceedingly generous over the years in terms of their pricing.
Everything here is provided by Microsoft and in IT we talk about the “Microsoft stack” and there are other stacks that other large vendors might provide. It’s important to think about these different layers, and the fact that Microsoft is providing all of them means they have opportunities for integrations that just can’t be beat. And in fact, one of the things that’s not on this diagram, but it’s not trivial at all, is the fact that the Windows operating system is also a Microsoft product.
The Hardware Hash
It all depends on the fact that they’ve built these hooks into Windows 10. This is something that came out with Windows 10. So with Windows 10, Microsoft has made it possible for this program called Autopilot in which manufacturers, as part of sort of spec-ing and building the machine, get what’s called a “hardware hash” from the particular laptop (https://docs.microsoft.com/en-us/mem/autopilot/add-devices). And this can be done with desktops as well, but we really focus on laptops in this presentation because that’s the form factor that really makes the most sense. But it works fine with desktops.
A laptop has a hardware hash depending on a lot of different things. I think Phil, you’re the engineer here, but I believe that if you make a radical change to a laptop, replacing the motherboard certainly, but even some of the other hardware, that hash might change. The hash is unique to that machine.
Dell is the vendor we work with the most, but all the big players: Lenovo, HP, they would all be part of this program.
Let’s just use Dell as our example. You need to make Dell your partner and I’m sorry if I’m stealing from the next slide, but Dell basically says, “All right, this laptop is tied to this Azure Active Directory,” and they do that before they even ship the laptop as part of the shipping process.
That enrolls the hardware in your Azure Active Directory. Azure Active Directory then is where all the user accounts and computer accounts are kept track of as part of Azure Active Directory. Azure Active Directory is part of Microsoft 365.
So again, we’re part of that stack. Microsoft 365 has added to their Azure suite of services, or 365 suite of services, depending on which frame of reference you want to use, a device management platform.
This device management platform doesn’t have to only manage Windows devices. They want it to be able to manage iOS and Android devices as well, but it’s obviously very good at managing Windows devices.
And so:
- Autopilot enrolls you in Azure Active Directory.
- Azure Active Directory then says, you are part of this group of policies and you should get this device.
- These policies should be applied to your device.
Phil: Just a quick addition.
Steve: Yep.
Phil: The policies really are managed by Intune.
Steve: Right. That’s the name of the platform that is the actual set of policies. Yeah. Thank you for that clarification.
There are no policies in a fresh 365 tenant. The policies are created. There’s a bunch of policies that are generic that you can add yourself. Microsoft has a bunch of templates, but there are none to start with. Someone has to add those policies. That would be the role of Community IT for our clients.
Johan: And we’ll get into that. We’re going to go into each one of these in a lot more detail. So we’ll talk in a few minutes about policies we recommend, what we recommend configuring, the kinds of things you can do with Intune policies.
Azure Active Directory
But I think the place to start is with Azure Active Directory, to clarify a little bit more because the centerpiece of this whole system is the Azure Active Directory. Having a better understanding of what that is and how it works is really important to understanding this whole provisioning method.
Azure Active Directory is the cloud-based version of Microsoft’s Active Directory, which is basically a system that runs on servers. For many years, most small, medium, and large organizations had a server in their office. Those of you who are in IT would know it as a domain controller.
You may have heard that term, or DC, and that server hosts the Active Directory, which is basically a list of all the users, user accounts and all the computers. And it’s the thing that you authenticate against when you log into your laptop.
Back in the old days, you had a desktop. You’d come into the office, you put in your username and password, it would verify your username and password with the Active Directory. And if it matched, you’re able to log into your computer. At that point, you were logging on to what was known as the domain. And once you were logged into the domain, you could get to your mailbox on a Microsoft Exchange server; you could get to files that you had access to on your file server. You could print things to printers that you had access to. So the on-premises Active Directory was really that record of identity that gave you access to different resources.
Azure Active Directory is the version of that that lives in the cloud. So for those of you who have Office 365 for your email, you’re logging into Outlook either on the web or you’re connecting to Office 365 from your desktop Outlook. The username and password that you type in to connect to those resources is stored in the Azure Active Directory. So it’s a cloud hosted directory used for Office 365. And one of the things that has been added recently, I don’t know, maybe it’s not recent, but we’ve been using more and more is, adding device identities as well as user account identities.
Phil: Yeah. In the same manner that Azure Active Directory is paired with Intune to handle policies, the local Active Directory actually has policies also that often are used, whether that’s the net drives or printers, default software and setting different restrictions, and the local Active Directory is past those kinds of policy capability also.
Steve: And, it’s a little more mature. We’d have to admit, it’s been around forever. It’s been around since the 90s certainly. Microsoft can basically take all of their knowledge about Active Directory, the local version, and quickly reverse engineer it into Azure Active Directory.
So the level of maturity that Azure Active Directory is at now, considering its relative age, is far, far further along than Active Directory was at a similar age because Microsoft has so much knowledge from the on-premises experience. And basically you can just port whole swaths of control points right over into the cloud version. They’re not the same. We have plenty of clients that have Active Directory in their on-premises domain and they have Azure Active Directory because they’re Microsoft 365 customers. Azure Active Directory is where you have credentials for logging into your Microsoft 365 email or your Microsoft 365 SharePoint, all that’s hosted.
Microsoft once again has integrations between their different parts of their stack that can be very easily synched. They can actually be more than synched, but in all of the cases of our clients and probably anybody on this webinar, to have them be synched is reasonable.
To have them actually be the same database takes a level of scale. You need at least tens of thousands of seats. At that point, you need to have a lot of fail-over, too. You risk downtime if any server fails, but directory synchronization happens. Be aware those are actually different directories. They’re just being synched.
So I have a username and password and I have a matching username and password. I have one in an Active Directory. I have another one in Azure Active Directory. They’re the same username, they’re the same password, but they’re actually different accounts in different databases. And it is just that those databases talk to each other because Microsoft has built that integration for us.
Johan: So if you’re listening today and your email is in Office 365, you have an account in Azure Active Directory with what’s known as your tenant, that’s your organization’s tenant.
Is it fair to say that Azure Active Directory is really the way of the future for Microsoft and they’re building all these things around Azure Active Directory?
Steve: I’d say so. Yeah, I think it’s going to take a long time for the really big players to completely move away from Active Directory entirely, because they have such huge on-premises infrastructures, but I think that’s the future.
Yes. I just think it’s happening. It’s just Microsoft’s getting better and better at making it easy.
I have on my list to write a blog post about the serverless office. We used to say go serverless if you had five or fewer seats. And now, we’re advising some of our clients that have 100 seats. So yeah, you should still go serverless. You can’t just turn off the servers, you have to work your way to that point. Microsoft really has impressive points of integration between all of these local devices and the cloud. It makes it possible.
Johan: If there’s one key takeaway at all from this webinar today, it’s that not only do your staff have an identity in Azure Active Directory through their user account, but now your hardware has an identity, as well.
You have a record of all of your user accounts as an organization in Azure Active Directory, and you can add all of your Windows devices. That’s an important note.
There’s a question about Macs that we’ll come back to at the end of the webinar in the Q and A section. All your Windows devices can be added to Azure Active Directory as well.
Autopilot
That leads us into Microsoft Autopilot. We talked a little bit about it earlier. Let’s go into some more depth. Phil, could you tell us a little bit more about what Microsoft Autopilot is?
Phil: Sure. As Steve was saying previously, with Autopilot, Microsoft gives hardware vendors the capability to essentially marry the hardware and the tenant. As Johan mentioned earlier, you have Azure Active Directory and the Microsoft tenant, which is identified by the organization and carries the organization’s identity.
With this binding between the hardware and the Microsoft tenant, for one thing, it creates a layer of security. At this point, if the hardware is purchased with Autopilot enabled and the vendor (Dell, Lenovo, HP) has already put the hardware hash into Autopilot, then in order for a person to use that computer, that person will have to actually use the organization’s credential: a username and password that belong to the organization. So, for example, if an organization does this whole setup and I somehow get hold of the laptop and log in using a Community IT credential or my personal credential, it will not let me do that.
So that’s one thing about Autopilot. But also, once you set up Autopilot correctly, the first time the user opens the laptop, and this doesn’t have to be an IT person, they could be just anyone in the organization. After connecting it to the internet, it’s just part of the usual, out of the box experience. Once you connect it to the internet and you log in using the organizational credentials, it will automatically join the hardware into Azure Active Directory.
Now, this is analogous to what Steve was saying earlier, Johan, how a computer in your organization traditionally on premises is joined to the domain of the organization on premises. In the same way, these computers would be joined to the Azure Active Directory. And with that also again, if it’s configured correctly, that device will automatically enroll into Intune.
So again: on-prem Active Directory and Azure Active Directory, on-prem group policy and Intune. They all go hand in hand.
Of course, there are requirements like licenses that need to be met, and making sure that all of the assignments and the linking up of security groups are done properly before this can happen. But again, going back to the flow of things: once somebody logs in, the computer is joined to Azure Active Directory and enrolled into Intune, and from there it’s all about Intune doing the rest of the work, applying policy or software, whatever we want to set up.
Johan: So another scenario that comes to mind is oftentimes organizations will donate or even sell old computers to staff to use as their own personal laptop. And if any organizations are doing that, they need to explicitly go in and remove the Autopilot association, because basically once a laptop is enrolled in Autopilot, you can do the Windows reset.
The very first screens you come to, once you connect to the internet, require you to log in with an organization user account. And then you’re off to the races with the laptop, basically being joined to the organization’s Active Directory. Once it’s enrolled in Autopilot, you simply cannot set the laptop up to any other organization or to a personal account. Is that right? Is that accurate?
Steve: Just thinking out loud about that bit about the hardware hash: maybe if you swapped out some fundamental piece of hardware, you would mess up that membership. So I’m not saying that it’s impossible to work your way around it, but that laptop, as it is configured from the manufacturer, is associated with your tenant.
The out-of-the-box experience, you can Google it, OOBE, is the experience that the user goes through. For anybody that’s set up a new laptop, it looks basically the same. It’s like, “Is English the language you want? Is this a US keyboard? Do you want to connect to the internet? Choose your wireless network.”
And at that point, instead of saying, “log in with a Microsoft ID or your work or school account,” very generic, it says, “log in with your Community IT account,” because it’s Autopilot bound to Community IT, using Community IT as the organization.
It’s great. And it’s great that you can basically ship it directly to someone’s house, tell them to turn it on and walk through it. We have a little guide that we provide as a link in our documentation, but you really almost don’t need that. It just runs. Yep.
Phil: I do want to add one thing with Autopilot, also. One nice feature is, if a person in the organization using a laptop that has been configured for Autopilot leaves the organization, and we want to reassign this laptop to another user, there is a nice feature with Autopilot called Autopilot Reset.
You can just do that from the Azure Active Directory console or the Intune console. When the computer is connected to the internet somewhere, it will reset on its own and the next person can use it, fresh. That’s the out-of-the-box experience again, without you having to do much work, really.
When we reassign a laptop to a user, we either have to re-image it or at least clean up the current Windows profile before reassigning it. If we don’t, even though it’s working, we run the risk of running out of hardware space because of all of these files just filling up the hardware.
Johan: Yeah. Thank you for that. That’s a great point.
Steve: I should clarify too, that if you want to give this five-year-old laptop to a staff person to take home for their personal use, it’s not like unenrolling it from Autopilot is difficult. All of this is done through the admin portal, which is a web-based portal. It’s basically the Microsoft 365 admin portal. And it’s very fast to reset. Autopilot reset, a couple of clicks. It takes the laptop longer to do that, but it doesn’t take that long. And similarly, removing it from Autopilot so that someone can take it home and not have to be bound to your tenant is also just a couple of clicks.
Johan: Yeah. And you can enroll existing hardware. Obviously one of the great things is: you buy five new laptops from Dell, let’s say, and one’s going to Kansas and one’s going to California and one’s going to North Carolina. If they’re enrolled in Autopilot, they basically show up ready to be logged into the organization’s domain.
If you have a staff person who’s leaving, you can, on their last day, have them connect to the internet and run the Autopilot reset. They can ship the laptop directly to somebody else in the organization, or they can ship it back to the main office.
So there’s a lot of flexibility to doing all of this remotely and really automatically.
Intune
So that all sounds great. But of course, once you log in with the laptop account and you have your fresh installation of Windows, there’s a piece missing, and that’s configuring the laptop with all of the settings and the software and everything.
That’s all done through Microsoft Intune. So let’s talk a little bit about Microsoft Intune, what it is and how it works. Phil, do you want to, or Steve, do you want to go first?
Phil: Yeah. So one thing I do want to add with Autopilot that’s on the previous slide: one thing we can do as part of the Autopilot enrollment is set it up so that when that user logs in, we can set the computer name, the host name. That way, it’s all uniform.
Typically, we do an abbreviation of the organization name, a dash, and the tag number or the serial number. That way, it’s not a completely random name that Microsoft assigns. And the other thing is you can set it up so that the user will either have local administrator privilege or just be a standard user without local admin privilege.
Now jumping into Intune here: as I mentioned earlier, Intune is almost analogous to group policy for on-premises. So with that you can create various policies. For example, as a standard deployment, we set up this encryption standard and then have it install various standard applications. And we can run various PowerShell scripts. And again, what’s really nice about this is you manage it in the cloud. And as long as there’s internet connectivity, those changes will be applied automatically.
In terms of the experience for the user, once they’re logged in and go through this enrollment, Intune will just take over and start installing applications and applying policies without any user interaction. Yeah. So that really, really minimizes the work for IT staff, and it minimizes work on the user’s end, also.
Johan: And in your experience, Phil, it’s possible to pretty much do everything you need to do from a configuration standpoint. And we’ll have some examples in, I think, two slides from now.
I think one of the other great things about Intune is that it’s being applied to all of the Azure AD joined hardware. So, let’s say you’re rolling out a new desktop software that everyone in the organization needs. You would add that into the Intune policy for the entire organization. It would get rolled out in real time, and you don’t have to remember to add it to a checklist or to your scripted deployment, because if Autopilot is pulling from Intune, it’s pulling the latest configuration as it’s constantly being updated for the work.
Phil: Correct. And I just saw a question flashing earlier about whether Microsoft software is the only software that can be deployed with Intune. The answer is we can deploy most software. Some are not as friendly with Intune.
To pick on Adobe, for example: with Adobe Pro these days, when you run the install, you actually have to log in, asking the user to grab the license. You obviously can’t automate logging in and asking the user for that credential. So for that type of software, we can’t automate that. We have found some workarounds, which involve the user doing more work.
Johan: My sense is that it’s early days with Intune and that Microsoft is going to continue to develop the platform. And some of those issues that we’ve run into will hopefully get resolved over time.
One of the questions put it really well: This is Microsoft, so what is all this going to cost?
Thank you to the person who asked that question. And because it’s Microsoft, it’s not a simple answer. Anyone who’s dealt with a Microsoft 365 licensing knows that it’s kind of an endless journey.
Licensing Requirements
But Steve, I was hoping you could walk us through this table. So basically using Intune and all the automated installation features that Phil was talking about does require you to have an Intune license and that can be purchased in a variety of different ways.
Steve: Correct. Thank you for that accurate introduction. Yeah. So what you’re looking for is Intune. Autopilot is essentially just there; it doesn’t really have any policy ability. So you can do Autopilot with no license, but then you don’t really get anything, except for them being Azure AD joined. You could get the naming convention set up, but to get the actual policy configurations that really drive it forward as a real benefit, you need to have an Intune license.
And that’s what you’re looking for. So that can be purchased by itself for $1.50 per user per month. There is something called Intune for Device, and all we have to say about that right now is that it’s really for kiosk computers. It’s not really appropriate for computers that are assigned to a particular person.
So for most situations Intune for Device is not appropriate, but you can buy Microsoft Intune as a separate SKU if you look in the subscription list.
All these prices are quoting nonprofit pricing. So we’re assuming that you’re a qualified 501(c)(3) for these prices.
All of these things can be purchased at commercial rates, but then of course, it’s generally on the order of three to four times more expensive. The license bundle that we recommend to the average client that doesn’t have a lot of special needs, is the Microsoft 365 business premium license. It includes a subscription to the Office desktop suite: Word, Excel, PowerPoint, and so forth. And of course, email and SharePoint and OneDrive, the cloud services. And it includes Intune.
It’s not like if you look at a chart that has every single thing that is in Intune, every line has a check mark. But all the lines that matter to us and to our clients are checked.
So buy the Business Premium one, you get everything, and there are 10 free to all qualified nonprofits. So, particularly for small nonprofits that are 25 people, you get 10 free, and then you’re spending five times 15 for the remaining to get to your 25 head count, and that includes Intune.
Office 365 E3, which is $4.50 a month, does not include the Intune license. Microsoft 365 E3 is a different SKU that almost none of our clients use, but it includes a Windows license. That’s a lot more expensive.
A lot of our clients that have been with us for a long time have 50 Enterprise Mobility and Security E3 licenses. That’s because up until about three years ago, Microsoft was making 50 free to nonprofits. You could just sign up for 50 and you got 50. And that was that. And so clients that were with us at that time, a lot of them anyway, have it.
And then one day suddenly Microsoft turned that tap off and it was no longer available. But if you were one of those people that was lucky enough to sign up for those 50 free licenses, you signed up for a max of 50, you were grandfathered in and those continue to be available to you.
I have a client that I work with a lot who has 50 Enterprise Mobility and Security bundles, and they don’t have to pay anything for those. If you buy them now they’re $2.20 a month. Those include Intune and some other features as well.
So the way we would do it for our general client: buy the Business Premium license, you get the Office desktop suite, you get the email, SharePoint, OneDrive, all the cloud services, you get your Intune license, and that pretty much covers most of the things that you need.
You get the conditional access for multifactor authentication. You get pretty much what we think a typical nonprofit would need.
If you’re already tied into E3 licensing and you really want to stick with that, there are some things in E3 that aren’t included in Business Premium. Then you could add the Enterprise Mobility and Security suite for $2.20 a month, and you get a nice bundle of things including Intune.
We have a question I just came across here: Does Intune come with Microsoft 365 Business Standard or just Premium? I think it’s just Premium. Yeah. You need the Premium license to get Intune. I’m pretty sure of that.
It’s a great deal because of nonprofit pricing; this stuff is great. So we shouldn’t give Microsoft a hard time about this.
Johan: And they eventually get to the right answer on most things. So we are running low on time. We have about five minutes left in the webinar.
We do want to talk briefly about some of the things that you can do with Intune. I think we’ve talked about this at length, so we don’t need to go through this procurement slide.
But what are some of our standard recommendations, Phil? What do we recommend configuring Intune to do out of the box when a new laptop is being set up?
Phil: Yeah. This goes hand in hand with planning. Planning is always important.
There was a question: How much time will all this take?
With the proper planning, essentially with the standard applications and similar configurations such as what you see on the screen right now, you can get this up and running in two to three hours, including testing, if you have the hardware ready to go for testing.
And so yes, the recommendations:
- BitLocker is a standard recommendation, as security is becoming more and more important.
- A naming convention for computers. Absolutely.
- If you work with Community IT, we typically install our management agent; some large nonprofit organizations might have their own management agent.
- Install any browser: Chrome, Firefox.
- OneDrive sync. We usually set it up so that it will automatically log in and sync the desktop, documents and things like that.
- We typically set it up to install the Office desktop apps with shared licensing.
- Windows Hello is sort of an organizational preference. Some people like using Windows Hello, some don’t, so we can actually enable or disable Windows Hello.
Those are the most basic, but then we often also add basic utility software based on organizational preference.
Steve: There was a question about how much time, and I answered it in the chat. Three to four hours for the basics here. These standard recommendations would probably take Phil three to four hours to set up and maybe an hour to test and confirm everything, but it’s very reasonable.
We have had Autopilot and Intune setups, many projects, that take more on the order of 25 to 30, or even 50 hours, where there are a lot of very particular, specific needs and requirements that need to be met. And that’s fine. And that’s worked really well for those clients. And that’s great. I think it gives Phil a lot of interesting work. There’s no complaint about that.
My advice in general would be to keep it simple and not to make it overly involved. This is solving a big problem, which is that whole deployment thing, but there’s not really anything wrong with it.
I just answered another question to this effect: there’s not really anything wrong with having your generic, general set of policies for all the computers in the organization, so that you have 20 seats and everybody gets the same generic 20 things. But if you only want to install finance software for the finance department people, and that’s only two computers, it makes more sense to just handle those two people manually. Afterwards, they get the computer, they turn it on, they log in, Intune policies apply, everything’s perfect there. They have a generic computer, and then they call our help desk, and we help them set up the finance software.
So that’s the strategic way that I look at things. Again: we want a very secure VPN, and we want this applied in a certain way, and we need this and we need that, and when you open up your browser, we want it to go to the intranet first. The more that you add these things, the more it drives up the baseline cost. If that’s something that’s spread out over enough computers, you get a good return on investment. But if it’s 10 computers, because you only have 10 seats, at some point you need to pump the brakes on that.
Phil: I do want to address one question, which is: Can you deploy it to only certain groups? The answer is yes, because you can have the generic configuration across all Autopilot devices, but then you can have, for example, the executive team get this. It’s all similar to group policy. It’s all driven by groups. So you can specify different user groups.
Steve: So there’s tremendous granular control. I guess what I was cautioning is that, strategically, how much control you want to exercise and how much complexity you want to build into this depends on your scale. It’s probably not worth the extra effort if you’re talking about an exception that only applies to one or two computers. But that’s a decision that you can make for individual clients.
Johan: So we’re at time. We have one more slide that we can go through quickly.
Lessons Learned
And these are some of the lessons learned:
You want to plan this out carefully. It’s not something that you can just kind of whip up quickly. It requires careful planning.
You want to take an organized, methodical approach to getting it set up.
As we mentioned earlier, there are certain things that Intune does really well, and it’s important to focus on those. There are certain things, like Adobe, that Intune has difficulty handling, and it’s probably best to find workarounds in those situations.
It can take time for policies to deploy. So it’s not going to be instantaneous. It can take up to a few hours, or up to a day, for Intune policies to roll out.
And again, going back to the Adobe example, there is third-party support for software. It’s kind of uneven at the moment. And so that’s something that requires careful planning.
Phil: There is a question about uninstalling an application. The answer is yes. The way you uninstall an application is that you typically define the uninstall command. So again, using policy assignment, you can actually say I’m uninstalling for this person or this group of people. So yes, there is a way to do that.
Johan: Great. All right, well, I’m sorry to kind of abruptly end this. Oh boy. Well, we don’t have time to go through this, unfortunately. That’ll have to be for a future webinar. I think we might need a part two of this webinar.
All of these slides will be available after the webinar. If you have questions, if you want to set up a call with us to go into a deeper dive on Intune, how you could potentially use it at your organization, you can send an email to connect [at] communityit.com or you can click on this link which I will send out in the chat to schedule some time with us. We’d love to talk more about your specific situation.
And next month, this will be somewhat of a part two of this topic. Our webinar next month is going to be about Beyond the Office.
So I know a lot of organizations are planning a return to the office, but a lot of organizations are also considering a new way forward that involves less reliance on a central office and that has big implications for IT. And in some ways this whole webinar on Autopilot is just the tip of the iceberg. And there’s a lot more to discuss.
Steve alluded to some of that earlier with the serverless office and there’s some specific issues related to Autopilot in the Q&A today that we might work into next month’s webinar. So we encourage you to sign up for next month’s webinar. I think it’ll be a good companion to what we’ve been discussing today. And we look forward to seeing you there.
Thank you so much for joining us today. We love doing these webinars. Thank you for the great questions and to anyone whose question we didn’t get a chance to answer today, we’ll do our best to follow up with you after the webinar.
Steve, Phil, any closing thoughts?
Steve: It’s been really fun talking about this. I wish we had more time because I love talking about this stuff. And it’s really interesting. Yeah.
Phil: Yeah. It has really worked well for many of our clients that utilize Autopilot and Intune, even internationally, those clients having devices sent to Europe or other parts of the world, and it’s working well.
Johan: Right. If you’d like a part two or a deeper dive on some specific subtopics that came up for you today, go ahead and send that email to connect [at] communityit.com. And we’d be happy to put together an Autopilot part two for a webinar later this year. All right. Well, thank you very much. I hope you all have a great afternoon and thank you for joining us today.