
Digital Workspace Deployment

(Previously known as Zero-Touch Laptop Provisioning)

Note: This is a recording of a live event.

You Asked, We Answered!

There were some great questions asked during the live presentation. Below we've summarized the Q&A portion of the webinar.

Still have a question? No worries! You can always reach out with your questions here: Ask Team Ascend


Does Zero-Touch also encrypt drives? Where are the BitLocker keys stored?
Traditionally, there is a lot of struggle around getting encryption to work and getting the recovery keys uploaded to a location that people can reach reliably and consistently. With our Zero-Touch Laptop Provisioning solution, BitLocker encryption is enforced through our Intune configuration profiles, and the devices automatically store their recovery keys in Azure. So, if a user needs help, a technician can simply log into the Azure portal, look up the device, and read the recovery key right there.
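As an added example (not Ascend's tooling or anything shown in the webinar), the following PowerShell audits the state the answer above relies on: that every BitLocker volume is protected, has a recovery password protector, and has had that protector escrowed to Azure AD. It assumes an Azure AD joined Windows 10/11 device with the built-in BitLocker module, and it assumes that event 845 in the BitLocker Management log (written on a successful Azure AD backup) carries the key protector ID in its message, which is how the check correlates the two.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from Ascend or the webinar.
# Audits BitLocker recovery-key escrow to Azure AD and, with -Remediate, re-pushes any
# recovery password protector that has no backup event on record.

function Test-RecoveryKeyEscrowed {
    param([Parameter(Mandatory)][string]$KeyProtectorId)
    # Assumption: event 845 ("recovery information was backed up successfully to your
    # Azure AD") names the protector; braces are stripped so the match is tolerant.
    $id = $KeyProtectorId.Trim('{}')
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
        Id        = 845
        StartTime = (Get-Date).AddDays(-90)
    } -ErrorAction SilentlyContinue
    return [bool]($events | Where-Object { $_.Message -like "*$id*" })
}

function Invoke-BitLockerEscrowAudit {
    param([switch]$Remediate)
    $volumes = Get-BitLockerVolume | Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' }
    foreach ($vol in $volumes) {
        $recoveryProtectors = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
        $row = [ordered]@{
            MountPoint        = $vol.MountPoint
            ProtectionStatus  = $vol.ProtectionStatus      # On means the drive is actually locked down
            EncryptionPercent = $vol.EncryptionPercentage
            HasRecoveryPwd    = $recoveryProtectors.Count -gt 0
            Escrowed          = $false
            Note              = ''
        }
        foreach ($kp in $recoveryProtectors) {
            if (Test-RecoveryKeyEscrowed -KeyProtectorId $kp.KeyProtectorId) {
                $row.Escrowed = $true
                continue
            }
            if ($Remediate) {
                try {
                    # Pushes the protector to the device object in Azure AD, where the
                    # portal shows it under the device's BitLocker keys.
                    BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
                    $row.Escrowed = Test-RecoveryKeyEscrowed -KeyProtectorId $kp.KeyProtectorId
                } catch {
                    $row.Note = "Backup failed: $($_.Exception.Message)"
                }
            }
        }
        if (-not $row.HasRecoveryPwd) { $row.Note = 'No recovery password protector; nothing to escrow' }
        [pscustomobject]$row
    }
}

# Usage: report first, then remediate once the report has been reviewed.
Invoke-BitLockerEscrowAudit | Format-Table -AutoSize
Invoke-BitLockerEscrowAudit -Remediate | Format-Table -AutoSize
```

A volume that reports `ProtectionStatus` of `Off` with `EncryptionPercent` at 100 is encrypted but not protected (protectors suspended), which is the state to watch for after firmware or TPM work; the escrow check alone will not flag it, which is why both columns are in the report.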

What happens to a device if the motherboard must be replaced or if the TPM chip is replaced? Will this device still communicate with Azure and retain reporting functionality?
The Azure connection is part of Windows, so as long as the operating system is still intact and working, you will keep your connectivity. But, referring back to the BitLocker recovery we just talked about, you may have to go through that recovery process if the TPM is changed in any way.
Suppose something even more catastrophic happens and a laptop is unusable or requires significant repairs. In that case, we recommend additional solutions such as desktop folder backups, so that you can simply initiate another Autopilot deployment for the end user. They receive their laptop the same or the next day, log in, and all their data seamlessly copies back to their profile as if nothing ever happened.

What are the savings relative to the cost, and what does that come to on an annual basis?
In our own experience, we have saved 75% by adopting this new method of laptop provisioning internally for all of our users, who are remote-enabled. Of course, the cost savings will vary between organizations, but that is something our team can quantify with you in a consultation.

Does the hardware vendor have to prep the machine with Intune before shipping?
Typically this is handled through the hardware vendor. For example, we use CDW for our hardware orders, and when ordering a device there is a standard order and an Autopilot option, so all we have to do is select the Autopilot option when making the purchase. Then, when we (Ascend) work with the vendor, we permit them to enroll devices in our Azure tenant. This is a function that comes with Azure and takes a couple of minutes to set up. From then on, the vendor can populate that device information into your tenant, so when the device comes online and the user logs in, it is automatically enrolled and knows exactly where to go and what to do.

Do you need an enterprise license for Windows?
You'll need a license assigned to the user that includes Azure and Intune. That is required for the device to be enrolled in and managed by Intune.
Here is a breakdown of the different services included with each license:
https://docs.microsoft.com/en-us/office365/servicedescriptions/office-365-platform-service-description/office-365-plan-options

Does this solution work on desktops? Or is it laptops only?
This works on any Windows device. For people who will be receiving a new device, whether for a refresh or as a new hire, the new laptop is sent right to them and the process is the same. There is an extra step for hardware issues or device re-provisioning, where we take an existing computer and redeploy it to somebody else, but it is still relatively simple.
This service can be used as long as the device is running a modern version of Windows 10. First, we export the hardware information from the computer and import it into the Azure tenant so that the tenant knows about that device. Then we initiate a device reset, which removes all software and settings from the device and reaches out to Azure to enroll. So the enrollment is straightforward, following almost the same process as if it were a new device.
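The "export the hardware information" step described above, as an added example that is not Ascend's code: it harvests the Autopilot hardware hash from an existing Windows 10/11 machine with the publicly published Get-WindowsAutopilotInfo script and then sanity-checks the resulting CSV before it is imported into the tenant. It assumes the machine can reach the PowerShell Gallery and that the script is run elevated; the column names are those of the standard Autopilot import CSV, and the minimum hash length is a constructed heuristic for catching truncated files.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from Ascend or the webinar.
# Step 1: collect the hardware hash into a CSV (one row per machine).
# Step 2: validate the CSV locally before uploading it in the Intune admin center.

$csvPath = Join-Path $env:TEMP 'AutopilotHWID.csv'

# Install-Script places the script under the Scripts folder, which may not be on PATH yet.
$env:Path += ';C:\Program Files\WindowsPowerShell\Scripts'
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force
Install-Script -Name Get-WindowsAutopilotInfo -Force
Get-WindowsAutopilotInfo -OutputFile $csvPath

function Test-AutopilotCsv {
    param([Parameter(Mandatory)][string]$Path)
    $expected = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
    $rows = @(Import-Csv -Path $Path)
    if ($rows.Count -eq 0) { throw "No rows in $Path" }

    $actual  = ($rows[0] | Get-Member -MemberType NoteProperty).Name
    $missing = @($expected | Where-Object { $_ -notin $actual })
    if ($missing.Count -gt 0) { throw "CSV is missing columns: $($missing -join ', ')" }

    foreach ($r in $rows) {
        if ([string]::IsNullOrWhiteSpace($r.'Device Serial Number')) {
            throw 'A row has an empty serial number'
        }
        # Constructed heuristic: a real hash is several kilobytes of base64; anything
        # much shorter is almost certainly a truncated or hand-edited file.
        if ($r.'Hardware Hash'.Length -lt 1000) {
            throw "Hardware hash for serial $($r.'Device Serial Number') looks truncated"
        }
    }
    # Duplicate serials in one file cause import errors, so flag them here.
    $dupes = $rows | Group-Object 'Device Serial Number' | Where-Object { $_.Count -gt 1 }
    if ($dupes) { throw "Duplicate serial numbers: $($dupes.Name -join ', ')" }
    return $rows.Count
}

$count = Test-AutopilotCsv -Path $csvPath
Write-Output "$csvPath is ready to import ($count device(s))"
```

The CSV is then imported under Devices > Windows > Windows enrollment > Devices in the Intune admin center; once the device shows up there, the reset described above re-enrolls it through Autopilot like a new machine.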

What is the estimated setup time when a user powers up the device for the first time?
It varies depending on what is being put on the device, but it generally takes 15-20 minutes. When a user powers up a device for the first time, they are prompted to log in, their profile is created, and a handful of applications are installed. We've prioritized what we call "Hands-on Keyboard" to get the user booted up and working as quickly as possible, so much of the installation process happens in the background. While that is happening, the user can be productive in other ways, such as setting up their email client or getting right to work.

How do you ensure that software changes as a user's role changes?
Controlling which apps a user can see, and how that shifts as roles change, is done through groups in Azure Active Directory. For example, if a person is hired as an HR manager, they are added to an HR group or an HR distribution list in Azure. If that person moves to the marketing team, they are removed from the HR group and added to the marketing group. Because we deploy applications based on those same groups, the change updates their account automatically: as they transition from one role to the next, what they see in the app store and the Company Portal reflects their current position.

Can Intune be used to monitor the software installed on a device?
Yes, you can see an inventory of all the installed applications for every device. That also means there are ways of enforcing software. Suppose your goal is not necessarily to audit what's installed but to enforce that certain things are installed. In that case, there are methods to proactively query the system at regular intervals. If it finds something missing on a device, it installs it. Or, if it finds something that should not be installed on a device, it can uninstall it.
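As an added example (not code from the webinar or from Ascend), here is a detection/remediation pair of the kind Intune runs on a schedule to enforce an application baseline like the one described above. Detection exits 0 when the device is compliant and 1 when it is not, which is what tells Intune to run the remediation. The required and unapproved app names are constructed placeholders, the inventory is read from the same Uninstall registry keys Intune's app inventory reports, and the `-Mode` parameter exists only so both halves fit in one file; in Intune each half is uploaded as its own script.

```powershell
# Added example, not code from Ascend or the webinar.
# Save the file twice (or split it) and upload one copy as the detection script
# and one as the remediation script; Intune runs them without arguments.
param([ValidateSet('Detect', 'Remediate')][string]$Mode = 'Detect')

# Constructed placeholders: wildcard patterns matched against DisplayName.
$RequiredApps  = @('Microsoft 365 Apps for enterprise*')
$ForbiddenApps = @('Example Unapproved Tool*')

function Get-InstalledApps {
    # Uninstall keys are what the Apps inventory reflects. Win32_Product is avoided
    # because querying it triggers an MSI consistency check on every product.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, UninstallString, PSChildName
}

function Test-AppCompliance {
    param([object[]]$Installed = (Get-InstalledApps))
    $names = @($Installed.DisplayName)
    [pscustomobject]@{
        Missing    = @($RequiredApps  | Where-Object { @($names -like $_).Count -eq 0 })
        Unapproved = @($Installed | Where-Object { $app = $_; $ForbiddenApps | Where-Object { $app.DisplayName -like $_ } })
    }
}

function Invoke-AppRemediation {
    param([Parameter(Mandatory)]$State)
    foreach ($app in $State.Unapproved) {
        # Only silently remove MSI-based products, whose key name is the product code;
        # EXE uninstallers vary and are left for a targeted package instead.
        if ($app.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$') {
            Write-Output "Removing $($app.DisplayName) $($app.DisplayVersion)"
            Start-Process -FilePath 'msiexec.exe' -ArgumentList "/x $($app.PSChildName) /qn /norestart" -Wait
        } else {
            Write-Output "Skipping $($app.DisplayName): non-MSI uninstaller"
        }
    }
    foreach ($pattern in $State.Missing) {
        # Installation itself is left to the assigned Win32 app; reporting the gap here
        # makes it visible in the remediation output until that assignment lands.
        Write-Output "Required app not present: $pattern"
    }
}

$state = Test-AppCompliance
if ($Mode -eq 'Remediate') {
    Invoke-AppRemediation -State $state
    $state = Test-AppCompliance
}
if ($state.Missing.Count -eq 0 -and $state.Unapproved.Count -eq 0) {
    Write-Output 'Compliant'
    exit 0
}
Write-Output "Missing: $($state.Missing -join ', '); Unapproved: $($state.Unapproved.DisplayName -join ', ')"
exit 1
```

The output written before the exit code is what shows up in the remediation report per device, so it is worth keeping it short and specific: it is the first thing a technician sees when a device keeps failing detection.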

Are local admin credentials required?
They are not required for users. Using a company app store personalized to your organization, users can install applications without entering admin credentials or seeking out someone who has them. The app store performs the installation with elevated permissions on the user's behalf.

Why did you (Ascend) have to change your E5 licensing?
The licensing we had previously was Office 365 E5, which does not include device management. We transitioned to a combination of Microsoft 365 E3 and E5 licenses for our users. You could also add Intune as an à la carte option if you are not interested in changing your licensing; we can help you evaluate your options in a consultation.

See the difference between Office 365 E5 and Microsoft 365 E5 here:

https://www.microsoft.com/en-us/microsoft-365/enterprise/compare-microsoft-365-and-office-365

Is our IT team still able to remote in and install one-off pieces of software with individual licenses?
Yes. With our service desk offering, we deploy an agent to help monitor and manage devices. Our team can access the device and interact with the user session, including installing applications and using elevated permissions. Generally, when software with an individual license needs to be installed, we find a way to automate that and make it part of the company app store experience.

Is this service worthwhile for environments where users don't need a lot of apps?
Regardless of the application load, imaging a device and deploying it to a user manually takes a lot of time. Your IT team would need to receive the device, unbox it, power it up, install the necessary systems and applications, configure it, and then validate it. It's a very manual process that has to be repeated for every single device. With our Zero-Touch approach, much of that work is either eliminated or automated. It also ensures a consistent and secure result on every device.

How are hardware redeployments handled?
With hardware redeployments, we generally have to reset the device. The device is handed off and patched, then Windows is reset, which can take around 45 minutes. Once that finishes, the user is prompted to log in and goes through the same process as if it were a new device.