Runtime Provisioning and AutoPilot - Bridging the Gaps

If you’ve done anything with Windows client deployments recently, you’ve probably heard about Microsoft’s AutoPilot solution. Introduced in 2017, AutoPilot lets you build on the OS already installed on the device, cutting down on user interruption and streamlining a corporate image. It’s a huge boon for the all-too-common nightmare scenario where a laptop gets lost or stolen while the user is remote, and IT has to decide whether to send the user a new machine or have them pick something up at the local big-box retail outlet. In corporate environments the latter option rarely works, though the reasons vary with company politics.

That means pulling a spare machine off the shelf, imaging it, and shipping it, by which time the user is just as likely to be done and back from the trip. I don’t know about you, but when my users are remote, I usually can’t just tell them they’ll be out of work for a few days, even if it’s self-inflicted. And honestly, going that route has a hint of “the way we’ve always done things” to it. There’s no doubt a better way. Some companies pay their computer providers big money to ship pre-imaged machines directly to the user. That can be a little quicker than doing it yourself, but one of the great things about the cloud is its ability to empower users.

With AutoPilot, the user goes to their preferred retailer, buys a new computer, provides some credentials, and (generally speaking) is off to the races. Job done! Relax and pat yourself on the back for being such a forward-thinking admin, and hey: you’ve taught the user a new trick!

Consider what it can do:

  • Automatically join the device to Azure AD

  • Auto-enroll in MDM

  • Restrict admin-account creation

  • Customize the out-of-box-experience

With Intune as one of those MDM options, Intune can take over the rest of the device configuration once AutoPilot is done. You can take a user from in-store to fully configured and ready for business without ever touching a VPN connection or needing any support from IT. And it really does work.

Except... sometimes AutoPilot isn’t quite the right answer. Specifically, support for Hybrid Azure Active Directory Join does not yet exist, and that means the whole concept falls apart if you have an existing on-premises Active Directory. And realistically, most companies fit into that major exception. Microsoft knows it’s a significant limitation, and documentation as recent as June of this year says support will likely be coming “in a future Windows 10 release.”

We were approached last year by an international organization that wanted to go cloud-only. Most of their systems were already running in native cloud solutions, but they still had a legacy Active Directory and a few systems that authenticated against it. They also had an aging deployment solution that had let them down on more than a few occasions.

Our first thought was this would be a fantastic opportunity to employ the nascent AutoPilot capabilities. In addition to the stuff listed above, it could be used to auto-enroll kiosk devices and all sorts of other cool things the client explicitly wanted. But there was that big Active Directory challenge, and at the time, that challenge wasn’t particularly well documented.

We went down the path of initial configurations, found some great success in a lab environment, and then hit a wall with production. An insurmountable one, in fact.

But that insurmountable wall led us to look at Runtime Provisioning, and while it’s nowhere near as sexy a solution as AutoPilot, it filled a critical gap that turned the project from a looming fiasco to an international success.

Runtime Provisioning is a little bit like AutoPilot Lite, but without the Hybrid AD issues. And you either have to do a little more work up front OR have physical access to the device. In our client’s case, physical access was typically not a problem.

This client also had an actual inventory of spare equipment, so they weren’t terribly interested in having their LAR (Large Account Reseller) image and ship new devices, and with an evolving set of local applications to install, the idea of constantly shipping new images did not hold much appeal—particularly as they had multiple languages to support.

And there was another problem: PEAP Wi-Fi. This one has caused a headache in more than a few environments, and the challenge is always the same: computer startup GPOs can’t reach a system whose network access depends on cached user credentials, and software can’t be installed through any other type of GPO. Also, until you’ve actually joined the domain and cached your Windows credentials, you can’t pass them to an authenticated Wi-Fi configuration to get on the network in the first place. It’s a great security option, but a nightmare for device configuration, and typically the only way around it is to give the user a physically wired network drop. I don’t know about your systems, but my new-for-2018 laptop doesn’t have a network port. Nightmare, 0 stars: do not recommend.

So what did they gain from Runtime Provisioning? The ability to grab a machine off the shelf, boot it with a USB stick, have a base package load, and then localize to language and facility with secondary RTP package files. And because they were running all of these packages off a USB stick in the NOC, they were able to solve the PEAP Wi-Fi first-use challenge. Runtime Provisioning joined the device to the domain and enabled the Help Desk to provide that critical first logon.

Runtime Provisioning also handled creating a local admin account, installing a universal set of applications, renaming the device to include the Service Tag, moving it to the proper OU, creating a default Start layout, and deploying Office Pro Plus in the specified language from the stick to avoid big product downloads.
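To make the off-the-shelf sequence above concrete, here is an added PowerShell example (not the client’s or this post’s own script) of the site-localization step a Help Desk tech might run from the USB stick in the NOC after the base package has applied: confirm the base package is present, apply the secondary language/facility package, build the device name from the BIOS service tag, check that a domain controller is reachable on the wired network, and join the device into the right OU. The stick drive letter, package names, domain, OU path and naming prefix are all placeholders; the `Install-ProvisioningPackage` and `Get-ProvisioningPackage` cmdlets come from the Provisioning module that ships with Windows 10 1703 and later.

```powershell
#Requires -RunAsAdministrator
# Added example, not the client's or the post's own script. Illustrates the
# secondary (site) provisioning step: verify the base package applied, apply the
# language/facility package, name the device after the service tag, confirm the
# domain is reachable, then join into the correct OU.
# Drive letter, package names, domain, OU and prefix are placeholders.
Import-Module Provisioning          # Windows 10 1703+; *-ProvisioningPackage cmdlets

$Stick   = 'E:'                                              # USB stick in the NOC
$SitePkg = Join-Path $Stick 'site\fr-FR_Paris.ppkg'          # constructed name
$Domain  = 'corp.example'                                    # placeholder
$OUPath  = 'OU=Workstations,OU=Paris,DC=corp,DC=example'     # placeholder
$LogDir  = 'C:\ProvisioningLogs'

function Test-BasePackageApplied {
    # Base package name as reported by Get-ProvisioningPackage (placeholder value)
    param([string]$BaseName = 'Base-Win10')
    $pkgs = Get-ProvisioningPackage -AllInstalledPackages
    return [bool]($pkgs | Where-Object PackageName -eq $BaseName)
}

function Install-SitePackage {
    param([string]$Path)
    if (-not (Test-Path $Path)) { throw "Site package not found: $Path" }
    New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
    # -QuietInstall suppresses the consent prompt; -ForceInstall re-applies a
    # package whose id is already present. Logs land in $LogDir for the Help Desk.
    Install-ProvisioningPackage -PackagePath $Path -QuietInstall -ForceInstall -LogsDirectoryPath $LogDir
}

function Get-ServiceTagName {
    # On Dell hardware Win32_BIOS.SerialNumber is the Service Tag.
    param([string]$Prefix = 'WS-')
    $tag  = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
    $tag  = ($tag -replace '[^A-Za-z0-9]', '').ToUpper()
    $name = $Prefix + $tag
    # NetBIOS computer names are limited to 15 characters
    if ($name.Length -gt 15) { $name = $name.Substring(0, 15) }
    return $name
}

function Test-DomainReachable {
    # A domain controller must be reachable on the wired NOC network before the
    # join; this is exactly the step that PEAP-only Wi-Fi would block.
    param([string]$DomainName)
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop
        return (($srv | Where-Object Type -eq 'SRV' | Measure-Object).Count -gt 0)
    } catch {
        return $false
    }
}

# --- main flow -----------------------------------------------------------------
if (-not (Test-BasePackageApplied)) {
    throw 'Base package has not been applied; run it from the stick first.'
}
Install-SitePackage -Path $SitePkg

if (-not (Test-DomainReachable -DomainName $Domain)) {
    throw "No domain controller for $Domain is reachable from this network."
}

$NewName = Get-ServiceTagName
# The join account is prompted for, never stored in the script or on the stick.
$JoinCred = Get-Credential -Message "Account permitted to join computers to $Domain"
Add-Computer -DomainName $Domain -OUPath $OUPath -NewName $NewName -Credential $JoinCred -Restart
```

Two points worth keeping in mind when a provisioning package does the join itself rather than a script like this: any domain-join account embedded in a .ppkg travels with the stick, so the stick needs the same physical control the post describes for the NOC, and the join account should be limited to creating computer objects in the target OU rather than being a general-purpose admin account. The `Get-ProvisioningPackage -AllInstalledPackages` check is also a quick way for the Help Desk to confirm which base and site packages a returned device actually received.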

Could another tool have done it? Sure, but at a cost, and at a change to the customer’s established methodology. RTP allowed them to preserve their processes and focus their expenditures on solutions to enable the business. Maybe one day in the not-too-distant future Windows 10 will support AutoPilot for Hybrid Azure AD, but until then, RTP is here to bridge that sizable gap.
