Audio transcript:
Your Top Microsoft Autopilot Questions Answered
Published September 25, 2020
JOE
Hello and thank you for joining us for another Insight TechTalk. My name is Joe Flynn, director of technological and Connected Workforce Insight. I'm welcomed here by Mike Niehaus, principal program manager from Microsoft. Michael, thank you for coming out today for this conversation.
MICHAEL
Sure, thanks for having me.
JOE
Today's conversation is going to be geared around Autopilot, and when we talk to customers about Autopilot, we usually at least carry the conversation on going from legacy to modern, where legacy is imaging and modern is the provisioning method that Autopilot provides. And when we talk to customers, we try to make them understand that legacy is complex. It usually costs more because you're supporting images, you're supporting drivers. You have to maintain that going forward, and the infrastructure behind it. And now, in today's world, with many people being remote, legacy imaging is just not very user friendly when we talk about a remote worker.
So, and understanding where people are today, many people being home, still haven't really ventured back into the office and you find many customers, many people may not go back into the office. Where do you see the conversations with optimum autopilot going with customers today?
MICHAEL
I think a lot of customers have realized as part of this where they don't have people coming into the office all the time, that maybe the things that they thought were years away are now quite reasonable things to do by looking at things like Azure AD join and considering making a break from the way they've done things for the last 20 plus years. Moving to just a more modern way of thinking about it that doesn't have those tethers back to the corporate network.
JOE
No, I agree. And just at Insight, remember we're only one partner, we've seen probably a 300 or 400% increase in customers asking for Autopilot and being able to help them with Autopilot, at least get it set up, getting devices running on Autopilot. I think it's a big push. I think many customers wanted to go to Autopilot. They didn't feel the need today. And I think with the past few months being forced to work from home, I think they're feeling the need and being pushed in that direction.
MICHAEL
Yeah, makes sense.
JOE
Awesome. So, in recent Autopilot conversations that you have with customers, how do you drive the conversation? Right? Of moving from image provisioning? And then what do you find is the major roadblocks? And my customers just can't go, or shall I say customers are slow to go?
MICHAEL
Usually we get started on the conversation between Azure AD join and hybrid Azure AD join. Are you willing to make the break from the type of management that you've done in those devices for many years and move more to a kind of a cloud centric view of the device? Can you get away from group policy and use Intune? Can you shift away from configuration manager and move to Intune, or do you need to look at more hybrid scenarios where you're using active directory combined with Intune and config manager together to manage the devices? So, a lot of the initial work is really just understanding those options and understanding the pros and cons.
If you go down the hybrid route, you still have infrastructure requirements, you still have connectivity requirements back to the corporate network, which you may or may not be able to easily support in your environment. So, that can slow down the conversations as customers are really figuring out exactly what they need to do to get to that point. Autopilot really isn't something that you say, well, I want to be ready to do it in production 48 hours from now. For a lot of customers the prep work that they put into it to get ready for that can take a while. So, weeks, months wasn't unusual in the past. And now suddenly they're trying to compress that down into the shortest amount of time possible to solve the current business problem, and that can be a little challenging for them because they're learning very quickly exactly what it means to do Autopilot: what it means to start off with Intune at least, how to bootstrap into config manager, how to do the hybrid Azure AD join device registration, how to do the Active Directory join over the internet.
JOE
Now that's so good, because I think you've led into my next question. But that was great information. When we talk about hybrid, there's two hybrid conversations we talk about with customers. One is the SCCM co-management piece. The other is obviously the hybrid Active Directory join. I want to break these up into two questions for you. When you are talking about the SCCM co-management piece around Autopilot and managing your device, what is your preference? Everyone has a preference, and I know it's always based on what the need is from an organization, but is your conversation, look, let's get you to the cloud and leverage the hybrid SCCM in a limited fashion where need be, or do you drive more towards a hybrid model and shift as you need be?
MICHAEL
Generally, we try to be a little more practical about it. If you could shift entirely to the cloud, there's no good reason not to do that. But the real challenge is that a lot of companies have used config manager for many years and have essentially thousands of applications and task sequences and other things in there that represent a significant body of work. And picking that up and moving it into the cloud is not a small feat. So, rather than trying to lift and shift that entire pile, you might start off by saying, well, I can manage certain workloads from Intune and do the rest through config manager. So, you may look at it and say, well, software distribution? Yeah, config manager is pretty good at that. Maybe I'll keep using it, but that means management. I want to move away from GPO. I want to use Intune. Windows updates, maybe I don't really need config manager to manage those. Maybe I can let Intune and Windows Update manage those, since I really want to be able to pull that content from the cloud anyway. It's kind of silly for a device being patched to have to connect back to your config manager infrastructure on your network to download updates that came from the internet in the first place. Why can't you just have your devices pull those updates from the internet directly?
JOE
Yeah, that was perfectly --
MICHAEL
It helps a lot of workload conversations.
JOE
No, I like your comment about the updates, right? Because they're already on the internet, or if they are on the internet, pulling down directly from the internet is correct. Why go back to an on-prem infrastructure? I think that's a very good statement in the conversations with a customer.
MICHAEL
Yeah, we've also run into a number of config manager customers who've said, great, I understand. I want to do co-management; I want to do hybrid Azure AD join. What do I need to do next? Well, do you have a cloud management gateway? No. Do you have a VPN solution? No. Well, there's the next steps. We need a VPN solution for these hybrid devices in order to be able to connect back to the corporate network. We need the cloud management gateway for all the times the VPN is not in place, so that it's easy to manage those devices regardless of whether they're sitting on the corporate network or in the cloud.
JOE
No, absolutely. Now, the second half of that question, if we talk about a hybrid Active Directory join. My conversation with customers is remove the dependency on on-prem Active Directory if you can. That's what I always try to push, because many customers sometimes just don't understand what a device is capable of when it is hybrid Active Directory joined. So, what is your conversation with customers around that? How do you tend to drive them? But then more importantly, what are the common issues you see customers still having when they do the hybrid AD join and have their machines joined to Active Directory?
MICHAEL
Yeah, usually the first thing is just educational. They need to understand that hybrid Azure AD join is just Active Directory join plus an additional registration in Azure AD, so that the user, when they sign into the device, not only gets a Kerberos ticket from Active Directory, but they also get an Azure AD user token that can be used to authenticate to Azure AD based services like OneDrive and Teams and Outlook and Intune and all these other services out there. So even if you weren't going down this path, hybrid Azure AD join is a good thing. Even if you're not looking at Autopilot or looking at Intune, you want that hybrid Azure AD join so that you can get single sign-on into all of those cloud-based services. Users don't like having to put in their ID and password all the time. So, this gives them that integrated sign-on into those services.
And it's really a minor change overall on the device. I think a lot of people are paralyzed with fear when they think about, oh, hey, I'm now connecting all of my devices to the cloud. But really, all hybrid Azure AD join does is cause the device in the background to register itself with Azure Active Directory, so that the user, when they sign in, can get a user token and participate in the rest of this world.
The next step beyond that, a lot of people will lump in, thinking that it's really the same thing, and that's co-management. Do I want to, after I've done the hybrid Azure AD join, automatically enroll in Intune, so that my device is now managed by both config manager and Intune? That's easy to do, you just flip the switch and it happens, but it's not a required step as part of that. Really, the first necessary step is getting the device hybrid Azure AD joined, getting it registered into Azure AD so that the user can get those credentials.
JOE
Okay. From an Autopilot perspective, let me steer the question more towards the hybrid AD join. What are the reasons you see customers going through Autopilot instead of simply just joining Azure AD, right? Keeping the device identity Azure AD centric. What do you see as the reasoning for them wanting to do hybrid AD join through Autopilot?
MICHAEL
Yeah, usually the conversation starts off with: well, we should do Azure AD join unless. So, the question then becomes, well, what are those unlesses?
JOE
Exactly.
MICHAEL
Generally, group policy is the first obstacle. Am I able to easily translate all of the existing Active Directory GPOs into Intune equivalents or config manager desired configuration items? If the answer's no, because, well, I don't know about all of these settings. They've been configured. They're not really documented. They've been there for years. The people that set them up are no longer around. That process in itself can be substantial. So, group policy generally is the first obstacle, and we've been working on more tools in Intune to try to make that simpler. Like, let's import your GPOs into Intune and analyze them to be able to tell you, these settings are easily represented in Intune; these other settings, you're going to need to do some additional work. So that becomes the first step.
The other normal concern is authentication to on-prem services. So, you've got your internal websites and file shares and apps that are used to authenticating with Active Directory. So, the fear then is that if you move to Azure AD, those apps won't be usable anymore. But generally, that's not the case, because when an Azure AD joined device connects to the corporate network it sees the domain controller. It knows to reach out to it and get a Kerberos ticket, so that, even though it's Azure AD joined, it can still authenticate to all of these Active Directory based resources. So, authentication, generally we can handle that objection. We can explain how that process works and make sure you understand that it will be able to authenticate 99% of the time. But the policy work generally is a bigger deal. We need to be able to figure all of that out and see, do we still need that link back to all of those GPOs?
JOE
Great. No, I mean, great conversation. And I want to thank you for your insights today. I'm sure we could talk about this all day, but obviously we do have a limited time. But thank you, Michael, for joining us today. And if you want to learn more about Autopilot and how it can benefit your IT organization, please visit insight.com/Microsoft. Thank you.