
Plan and implement Windows 10 by using Windows Autopilot – Deploy and upgrade operating systems

Skill 1.2: Plan and implement Windows 10 by using Windows Autopilot

Within a domain-based environment, deploying new devices to users has become increasingly complex. There are many “moving” parts and components, and each one needs to work precisely to ensure devices are compliant, secure, and usable. This is partly due to the granular nature of the tooling used to ensure that devices comply with strict organizational security requirements. Windows Autopilot is a solution that radically changes this approach while allowing IT administrators to deploy secure and compliant devices.

You must understand how to plan and implement Windows 10 within an organization using Windows Autopilot. This skill explores the planning, example scenarios, and requirements for using Windows Autopilot.

This skill covers how to:

Choose method based on requirements

Windows Autopilot offers a new method of provisioning Windows 10 within an enterprise. Of course, it is not the only deployment choice, and indeed, there will be scenarios in which using Autopilot would be folly.

You must explore each of the available deployment options. These options include technology such as MDT or Configuration Manager that may be currently used within your organization. Other methods, such as using Windows Autopilot or Microsoft Intune, may be worth employing to achieve your Windows 10 deployment goals.

Listed in Table 1-9 are many different methods that you can use to deploy and configure Windows 10. You need to understand when to use each deployment method.

TABLE 1-9 Methods for deploying and configuring Windows 10

Method | Description
Windows Autopilot | Transform an existing Windows 10 installation: join the device to Azure AD and enroll it in a Mobile Device Management (MDM) solution, which completes the configuration. With Windows Autopilot for existing devices, a Windows 7 or 8.1 device is first reimaged with Windows 10 (for example, by a Configuration Manager task sequence) and then provisioned through Autopilot.
Windows 10 Subscription Activation | Upgrade the Windows edition (for example, Pro to Enterprise) seamlessly, without user intervention or a reboot.
Azure AD / MDM | Cloud-based identity and management solution offering device, app, and security configuration.
Provisioning Packages | Small, distributable .ppkg files, built with Windows Configuration Designer, that apply settings, certificates, and apps to transform devices to meet organizational requirements.
In-place Upgrade | Upgrade an earlier version of Windows to Windows 10 while retaining all apps, user data, and settings.
Bare-metal | Deploy Windows 10 to newly built devices, or wipe existing devices and deploy fresh Windows 10 images to them.
Refresh (wipe and load) | Re-use existing devices. Retain the user state (user data, Windows, and app settings), wipe the devices, deploy Windows 10 images to them, and finally restore the user state.
Replace | Purchase new devices. Back up the user state from the current device, transform or wipe the pre-installed Windows 10 installation on the new device, and restore the user state.


Manage Windows Hello for Business with Intune

Windows Hello for Business can be deployed using a device configuration profile, which allows you to configure various settings on Windows 10.

With Intune device configuration profiles, you can permit or block the use of Windows Hello for Business, and you can configure the following settings:

  • Minimum PIN Length
  • Maximum PIN Length
  • Lowercase Letters In PIN
  • Uppercase Letters In PIN
  • Special Characters In PIN
  • PIN Expiration (Days)
  • Remember PIN History
  • Enable PIN Recovery
  • Use A Trusted Platform Module
  • Allow Biometric Authentication
  • Use Enhanced Anti-Spoofing When Available
  • Certificate For On-Premises Resources

You can also use Intune device enrollment policies to configure Windows Hello for Business settings during the initial device enrollment into management.

Configure PIN

To avoid signing in with passwords, Microsoft provides an authentication method that uses a PIN in association with Windows Hello. When you initially set up Windows Hello, you are first asked to create a PIN. The PIN lets you sign in when you cannot use your preferred biometric method, for example because of an injury, because the sensor is unavailable, or because the sensor is not working properly. The PIN provides the same level of protection as a Windows Hello biometric gesture: both only unlock a key that is bound to the device.

A Windows Hello PIN provides secure authentication without sending a password, or the PIN itself, to an authenticating authority such as Azure AD or an AD DS domain controller. The PIN is a local gesture that unlocks a private key held on the device; the device proves possession of that key by signing a challenge, so nothing replayable crosses the network. Windows Hello for Business aligns enterprises with the FIDO 2.0 (Fast Identity Online) framework for end-to-end multifactor authentication.

A PIN that is not backed by Windows Hello for Business is known as a convenience PIN; it protects a cached password rather than a device-bound key. On a domain-joined device, a convenience PIN is disabled unless an administrator explicitly enables it with the Turn On Convenience PIN Sign-In Group Policy setting, so within a domain environment a user cannot normally use a PIN on its own. You will see from the user interface displayed in Figure 1-20 that the PIN settings are within the Windows Hello section of the Sign-In Options. A user must first configure Windows Hello and be signed in using a local account, a domain account, a Microsoft account, or an Azure AD account. The user is then able to set up PIN authentication, which is associated with the credential for that account.

Figure 1-20 Configuring Windows sign-in options

After a user has completed the registration process, Windows Hello for Business performs the following operations to secure the credentials:

  1. Generates a new public-private key pair on the device, known as a protector key. The PIN or biometric gesture authorizes use of the private key; it is not itself a credential that leaves the device.
  2. If the device has a TPM, the TPM generates and stores the protector key, so the private key never leaves the hardware.
  3. If the device does not have a TPM, the Windows 10 operating system encrypts the protector key and stores it in the file system. This software-only fallback offers less protection against key extraction, which is why a TPM is recommended.
  4. Windows Hello for Business also generates an administrative key that is used to reset credentials if necessary.

Note Pairing of Credentials and Devices

Windows Hello for Business pairs a specific device and a user credential. Consequently, the PIN the user chooses is associated only with the signed-in account and that specific device. A user cannot sign in on another device with the same PIN unless he or she completes Windows Hello setup on that device as well.

The user now has a PIN gesture defined on the device and an associated protector key for that PIN gesture. The user can now securely sign in to their device using the PIN; also, the user can add support for a biometric gesture as an alternative for the PIN. The gesture can be facial recognition, iris scanning, or fingerprint recognition, depending on available hardware in the device. When a user adds a biometric gesture, it follows the same basic sequence as mentioned earlier. The user authenticates to the system by using the PIN and then registers the new biometric. Windows generates a unique key pair and only stores this on the device. There is no Windows Hello biometric data stored in the Microsoft Cloud.

You can create and implement policies for using Windows Hello for Business in your organization. For example, you can configure a policy that enables or disables the use of biometrics on devices affected by the policy. If allowed to use Windows Hello for Business, a user can then sign in using the PIN or a biometric gesture.

Need More Review? Windows Hello for Business

To review further details about Windows Hello for Business, refer to the Microsoft website at https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-identity-verification.

You can use MDM policies or GPOs to configure settings for Windows Hello for Business.

Note Enhancing the Security of a PIN

When we think of a PIN, we generally think of ATM cash machines and four-digit PINs. When securing Windows 10 with Windows Hello for Business, you can significantly increase the level of security by imposing rules on PINs. For example, a PIN can require or block special characters, uppercase characters, lowercase characters, and digits. A PIN such as t496A? could be a complex Windows Hello PIN. The maximum length that can be set is 127 characters. Unlike a password, a Windows Hello PIN is only ever verified on the device, and on TPM-backed devices the TPM's anti-hammering protection throttles repeated guesses, so even a numeric PIN is not exposed to offline cracking; complexity rules still matter against shoulder surfing and easily guessed PINs.

To configure PIN complexity with Windows 10 (with and without Windows Hello for Business), you can use the eight PIN Complexity Group Policy settings that allow you to control PIN creation and management.

These policy settings can be deployed to computers or to users. If you deploy Group Policy settings to both, then the user policy settings have precedence over computer policy settings, and GPO conflict resolution is based on the last applied policy. The policy settings included are as follows:

  • Require Digits
  • Require Lowercase Letters
  • Maximum PIN Length
  • Minimum PIN Length
  • Expiration
  • History
  • Require Special Characters
  • Require Uppercase Letters

In Windows 10, the PIN complexity Group Policy settings are located at Administrative Templates > System > PIN Complexity, under both the Computer and User Configuration nodes.
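The following PowerShell is an added example, not text or code from the book: it reads the PIN complexity policy from the registry keys that the PIN Complexity Group Policy settings write, applies the precedence rule described above (user settings override computer settings), and tests candidate PINs against the result. The registry paths, value names, and value semantics (0 = not allowed, 1 = required, 2 = allowed but not required, as in the PassportForWork CSP) are assumptions to verify on a test machine with a known GPO; the strict policy at the end is constructed so the script runs on a machine with no policy at all.

```powershell
# Added example (not from the book): audit the effective Windows Hello for Business
# PIN complexity policy and test candidate PINs against it.
# ASSUMPTIONS: registry paths/value names are those written by the PIN Complexity
# ADMX; value semantics follow the PassportForWork CSP (0 = not allowed,
# 1 = required, 2 = allowed but not required). Confirm on a test machine.

$PolicyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity',   # Computer Configuration
    'HKCU:\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity'    # User Configuration (read last, so it wins)
)

function Get-EffectivePinPolicy {
    # Unconfigured defaults: length 4..127, digits required, other classes allowed.
    $policy = @{
        MinimumPINLength = 4; MaximumPINLength = 127
        Digits = 1; LowercaseLetters = 2; UppercaseLetters = 2; SpecialCharacters = 2
        Expiration = 0; History = 0
    }
    foreach ($key in $PolicyKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($name in @($policy.Keys)) {      # snapshot the keys; the table is modified inside
            if ($null -ne $item.$name) { $policy[$name] = [int]$item.$name }
        }
    }
    return $policy
}

function Test-PinAgainstPolicy {
    param(
        [Parameter(Mandatory)][string]$Pin,
        [hashtable]$Policy = (Get-EffectivePinPolicy)
    )
    $problems = @()
    if ($Pin.Length -lt $Policy.MinimumPINLength) { $problems += "shorter than $($Policy.MinimumPINLength)" }
    if ($Pin.Length -gt $Policy.MaximumPINLength) { $problems += "longer than $($Policy.MaximumPINLength)" }

    # Character classes, matched case-sensitively so upper and lower case are distinct.
    $classes = @{
        Digits            = '[0-9]'
        LowercaseLetters  = '[a-z]'
        UppercaseLetters  = '[A-Z]'
        SpecialCharacters = '[^A-Za-z0-9]'
    }
    foreach ($class in $classes.GetEnumerator()) {
        $present = $Pin -cmatch $class.Value
        switch ($Policy[$class.Key]) {
            0 { if ($present)      { $problems += "$($class.Key) not allowed" } }
            1 { if (-not $present) { $problems += "$($class.Key) required" } }
        }
    }
    [pscustomobject]@{
        Pin       = $Pin
        Compliant = ($problems.Count -eq 0)
        Problems  = ($problems -join '; ')
    }
}

# Constructed policy requiring every class, so the example runs without a GPO applied;
# omit -Policy to evaluate against the live registry instead.
$strict = @{ MinimumPINLength = 6; MaximumPINLength = 127; Digits = 1; LowercaseLetters = 1
             UppercaseLetters = 1; SpecialCharacters = 1; Expiration = 0; History = 0 }
't496A?', '1234', 'Passw0rd!' | ForEach-Object { Test-PinAgainstPolicy -Pin $_ -Policy $strict }
```

Against the constructed strict policy, t496A? passes, 1234 fails on length and three missing classes, and Passw0rd! passes; run it without -Policy on a managed device to see which of the eight settings actually reached the machine.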


Configure Dynamic Lock

Users with smartphones can take advantage of a feature introduced with the Creators Update for Windows 10 Version 1703, which allows users to automatically lock their devices whenever they’re not using them. (At the time of this writing, iPhone devices do not support this feature.)

This feature relies on a Bluetooth link between your PC and paired smartphone.

To configure Windows 10 Dynamic Lock, use the following steps:

  1. Open the Settings app and select Accounts.
  2. Select Sign-in options and scroll to Dynamic lock.
  3. Select the Allow Windows to lock your device automatically when you’re away check box.
  4. Select the Bluetooth & other devices link.
  5. Add your smartphone using Bluetooth and pair it.
  6. Return to the Dynamic lock page, and you should see your connected phone.
  7. Windows locks the device automatically about 30 seconds after it detects that the Bluetooth signal from your paired smartphone has dropped, which typically means the phone has moved away from your desk.

You can configure Dynamic Lock functionality for your devices using the Configure Dynamic Lock Factors GPO setting. You can locate the policy setting at Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business.

Configure VPN client

In Windows 10, you can create a VPN connection that carries data through a secured, encrypted channel (known as a tunnel) over a public network, such as the internet, as displayed in Figure 1-21.

Figure 1-21 Using a VPN to connect locations securely over the internet

VPN protocols

Windows 10 supports four commonly used VPN protocols. Each protocol offers different characteristics:

  • Point-to-Point Tunneling Protocol (PPTP) The oldest and least secure of the supported protocols. Its MPPE session keys are derived from the MS-CHAP v2 exchange, and a captured MS-CHAP v2 handshake can be broken offline (the attack reduces to a single 56-bit DES key search), so a passive eavesdropper can recover the keys and decrypt the tunnel. It is easy to set up and still offers more protection than plain PPP over the internet, but it should be reserved for legacy, low-security scenarios. PPTP creates the tunnel and then can use several authentication methods, including the Microsoft Challenge Handshake Authentication Protocol versions 1 and 2 (MS-CHAP v1 and MS-CHAP v2), Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP). If EAP is used, certificates can be used with PPTP; otherwise, they are not necessary.
  • Layer 2 Tunneling Protocol (L2TP) This protocol tunnels PPP frames inside L2TP and protects the L2TP packets with IPsec. IPsec Encapsulating Security Payload (ESP) provides the encryption and integrity protection, historically with the Data Encryption Standard (DES) or Triple DES (3DES) algorithms and on current Windows builds with AES where the peer supports it; single DES should no longer be accepted. The encryption keys are negotiated by IPsec using Internet Key Exchange (IKE). L2TP/IPsec can use pre-shared keys or certificates for IKE authentication. A pre-shared key is useful during testing and evaluation but should be replaced with a certificate in production, because one key is shared by every client and is hard to rotate or revoke.
  • Secure Socket Tunneling Protocol (SSTP) This protocol encapsulates PPP traffic in a TLS session (historically SSL) over TCP port 443, the same port as HTTPS, so it passes through most firewalls and proxies. The server presents a certificate that the client validates, so clients must trust the issuing CA. Using the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication protocol together with client certificates makes SSTP a very versatile and widely used protocol.
  • Internet Key Exchange, Version 2 (IKEv2) IKEv2 is most useful for mobile users and is the protocol Windows 10 tries first when the connection type is set to Automatic. It supports IPv6 traffic and the IKEv2 Mobility and Multi-homing (MOBIKE) protocol through the Windows VPN Reconnect feature, which allows automatic reconnection if a VPN connection is lost. Authentication is provided by EAP methods (including PEAP, EAP-MSCHAPv2, and EAP-TLS with smart cards) or by a machine certificate. IKEv2 does not support the older, weak methods Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), or plain MS-CHAP v2 outside EAP, and Windows will not offer them.


Authenticating remote users

Windows users authenticate using Kerberos when accessing the local network, but Kerberos requires a reachable domain controller, which a remote client does not have until the VPN tunnel is up. The VPN therefore needs its own authentication protocol, one that withstands interception on the untrusted network in between. During the initial negotiation sequence (using PPP), when a client connects to the remote access server, the two parties agree on an authentication protocol that both support. By default, Windows 10 proposes the strongest protocol that both parties have in common.

In the Add A VPN Connection Wizard, Windows 10 offers three sign-in options when configuring a VPN, such as:

  • Username and password
  • Smart card
  • One-time password

In addition to these options, you can also configure Windows 10 to use the common authentication protocols:

  • EAP-MS-CHAPv2 This method runs MS-CHAP v2 inside the Extensible Authentication Protocol (EAP), which is the default and most flexible authentication option for Windows 10 clients. It is the strongest password-based mechanism on the client side; the server side authenticates with a certificate, and EAP can also negotiate certificate or smart card authentication. Because EAP is extensible, new methods can be added as technology advances, and Windows 10 uses this method for authentication where possible. IKEv2 connections must use an EAP method (EAP-MS-CHAPv2 is the usual password-based choice) or a machine certificate. Note that the inner MS-CHAP v2 exchange inherits the offline-cracking weakness of MS-CHAP v2; it is protected only because the IKEv2 or PEAP exchange encrypts it, so server certificate validation on the client must not be disabled.
  • MS-CHAP v2 Stronger than CHAP, with significantly improved security when partnered with EAP so that the exchange is encrypted. Used on its own, a captured MS-CHAP v2 handshake can be cracked offline to recover the password hash.
  • CHAP Retained for down-level client compatibility and surpassed by MS-CHAP v2. It is an MD5 challenge-response that uses the user's password as the shared secret, provides no encryption, and requires the server to store passwords using reversible encryption, which weakens the credential store itself.
  • PAP This is the least secure protocol because it sends the password in plaintext. It is not considered secure and should be disabled; if it must remain for a legacy device, allow it only inside a tunnel that is already encrypted.


Creating a VPN connection in Network and Sharing Center

To create a VPN in Windows 10, from the Network and Sharing Center, under Change your network settings, select Set up a new connection or network and then select Connect to a workplace.

To configure your VPN connection, in the Connect to a Workplace wizard, provide the following information:

  • How do you want to connect? You can connect by using an existing internet connection or by dialing directly to your workplace.
  • Internet address This is the name or IP address of the computer that you connect to at your workplace, as shown in Figure 1-22. Typically, this is an FQDN, such as remote.adatum.com.

Figure 1-22 The Connect to a Workplace wizard

  • Destination name This is the name of this VPN connection.

After you have created the VPN connection, from the Network And Sharing Center, select Change adapter settings, right-click your VPN connection, and select Properties. As shown in Figure 1-23, you can then configure additional options as required by your organization’s network infrastructure.

Figure 1-23 The Security tab of a VPN connection

These settings must match the remote access device that your device connects to, and includes the following options:

  • Type of VPN Point-to-Point Tunneling Protocol (PPTP), Layer Two Tunneling Protocol with IPsec (L2TP/IPsec), Secure Socket Tunneling Protocol (SSTP), or Internet Key Exchange version 2 (IKEv2).
  • Data encryption None, Optional, Required, or Maximum Strength.

In the Authentication section, you choose either Use Extensible Authentication Protocol (EAP) or Allow These Protocols. If you choose to use EAP, you then configure one of the following:

  • Microsoft: EAP-AKA (Encryption Enabled)
  • Microsoft: EAP-SIM (Encryption Enabled)
  • Microsoft: EAP-TTLS (Encryption Enabled)
  • Microsoft: Protected EAP (PEAP) (Encryption Enabled)
  • Microsoft: Secured Password (EAP-MSCHAP v2) (Encryption Enabled)
  • Microsoft: Smart Card Or Other Certificate (Encryption Enabled)

If you choose Allow These Protocols, you then configure the following options:

  • Unencrypted Password (PAP)
  • Challenge Handshake Authentication Protocol (CHAP)
  • Microsoft CHAP Version 2 (MS-CHAP v2)
  • Automatically Use My Windows Log-on Name And Password (And Domain, If Any)
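The following PowerShell is an added example, not code from the book: it defines the same kind of connection the wizard and Security tab produce, but from the command line, choosing IKEv2 with a machine certificate so that none of the password-based methods listed above is negotiable, pinning the IKE/IPsec proposals, and then auditing every connection on the machine for the weak choices this section describes (PPTP, PAP, CHAP, bare MS-CHAP v2, optional or no encryption). The connection name and the gateway FQDN are placeholders; the cmdlets are the built-in VpnClient module.

```powershell
# Added example (not from the book): hardened IKEv2 connection plus a weak-settings audit.
# Placeholders: connection name and gateway FQDN. Requires the VpnClient module (inbox).

$ConnectionName = 'Contoso IKEv2'
$ServerAddress  = 'remote.adatum.com'

# Make the script repeatable: drop an existing definition with the same name.
if (Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $ConnectionName -Force
}

# IKEv2 with a machine certificate: no password-based method is negotiable at all.
# (Use -AuthenticationMethod Eap with -EapConfigXmlStream for PEAP or EAP-TLS instead.)
Add-VpnConnection -Name $ConnectionName -ServerAddress $ServerAddress `
    -TunnelType Ikev2 -AuthenticationMethod MachineCertificate `
    -EncryptionLevel Required -SplitTunneling:$false -RememberCredential:$false -PassThru

# Pin the IKE/IPsec proposals; at the defaults the client accepts whatever the gateway
# prefers, including older DH groups and ciphers.
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName `
    -AuthenticationTransformConstants GCMAES256 -CipherTransformConstants GCMAES256 `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 -PfsGroup PFS2048 -Force -PassThru

function Get-WeakVpnConnection {
    # Flags the tunnel, authentication and encryption settings this section calls out as weak.
    $weakTunnels = @('Pptp')
    $weakAuth    = @('Pap', 'Chap', 'MSChapv2')
    $connections = @(Get-VpnConnection -ErrorAction SilentlyContinue) +
                   @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)
    foreach ($vpn in $connections) {
        $findings = @()
        if ($vpn.TunnelType -in $weakTunnels) { $findings += "tunnel type $($vpn.TunnelType)" }
        foreach ($method in @($vpn.AuthenticationMethod)) {
            if ($method -in $weakAuth) { $findings += "authentication $method" }
        }
        if ($vpn.EncryptionLevel -in @('NoEncryption', 'Optional')) {
            $findings += "encryption $($vpn.EncryptionLevel)"
        }
        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Name          = $vpn.Name
                ServerAddress = $vpn.ServerAddress
                Findings      = ($findings -join ', ')
            }
        }
    }
}

Get-WeakVpnConnection | Format-Table -AutoSize
```

The audit covers both the current user's connections and the all-users phone book, which is where connections pushed by Intune or Group Policy usually land; a clean run prints nothing.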


Enable VPN Reconnect

VPN Reconnect uses the IKEv2 protocol with the MOBIKE extension to automatically re-establish a lost VPN connection without user intervention. For mobile users, the prevalence of dropped WiFi or LTE connections can be frequent because of volatile signal strength. It is best to use and configure VPN Reconnect for your mobile users because this will reduce the frustration of having to reconnect manually, and it will also increase productivity.

The network outage time can be configured from five minutes up to an interruption of eight hours. To enable VPN Reconnect, follow these steps:

  1. On the taskbar, in the search box, enter VPN.
  2. Select VPN settings from the returned list.
  3. In the Settings app, select Change adapter options.
  4. Select the appropriate VPN adapter, and then select Change settings of this connection, as shown in Figure 1-24.

Figure 1-24 Configuring the Network Outage Time for VPN Reconnect

  5. Select the Security tab in the VPN Properties dialog box, and select Advanced Settings.
  6. In the Advanced Properties dialog box, check the Mobility option on the IKEv2 tab.
  7. Modify the Network outage time as necessary.
  8. Select OK twice.


Create, validate, and assign deployment profiles

You use Deployment Profiles to customize the OOBE for a device or group of devices when using Windows Autopilot. You can create a single default deployment profile of settings for your whole organization, or you can create additional deployment profiles and assign them to device groups.

New functionality has been added to Windows Autopilot with each release of Windows, and this is likely to continue. In Table 1-11, you can review how each version of Windows 10 since Version 1803 has introduced changes to how the Autopilot profile is downloaded.

TABLE 1-11 Windows Autopilot profile download

Windows 10 version | Profile download behavior
1803 | The Autopilot profile is downloaded as soon as possible. When using a wired connection, this is downloaded at the start of OOBE. If wireless, it is downloaded after the network connection page is displayed.
1809 | The Autopilot profile is downloaded as soon as possible, and it is downloaded again after each reboot.
1903 | White glove deployment added, enabling partners or IT support staff to pre-provision devices. Autopilot is now self-updating during OOBE. Sets the diagnostics data level to Full during OOBE.
1909 | No specific improvements to Autopilot.
2004 | Supports user-driven Hybrid Azure Active Directory join with VPN support (also made available for 1903 and 1909). If the device is connected to Ethernet, the language, locale, and keyboard pages are skipped in OOBE when configured in the profile.
20H1 | Support for HoloLens deployments and for co-management. (20H1 is the marketing name for version 2004, so this row and the previous one describe the same release.)
21H2 | Improvements to diagnostics collection and role-based access control for Autopilot administrators.

Note Force Autopilot Profile to Be Downloaded

If a device has not downloaded an Autopilot profile, you should reboot the device during OOBE to allow the device to retrieve the profile. You can press Shift-F10 to open a command prompt at the start of the OOBE and then enter shutdown /r /t 0 to restart the device immediately, or enter shutdown /s /t 0 to shut down immediately.

At the time of this writing, the available profile settings that you can configure within a Windows Autopilot deployment profile are shown in Table 1-12.

TABLE 1-12 Windows Autopilot deployment profile settings

Profile setting | Description
Convert All Targeted Devices To Autopilot | Registers all targeted devices with Autopilot if they are not already registered. The next time registered devices go through the OOBE, they follow the assigned Autopilot scenario.
Deployment Mode | User-driven devices are associated with the user enrolling the device. Self-Deploying (preview) devices have no user affinity; an example is a kiosk device. If Self-Deploying is chosen, the following settings are enabled: Skip Work Or Home Usage Selection; Skip OEM Registration And OneDrive Configuration; Skip User Authentication In OOBE.
Join To Azure AD As | Azure AD–joined = cloud only. Hybrid Azure AD–joined = cloud and on-premises Windows Server Active Directory.
Microsoft Software License Terms | The organization accepts the software license terms on behalf of its users.
Privacy Settings | The organization can choose not to ask users about Microsoft-related privacy settings during the OOBE process.
Hide Change Account Options | Removes the option for users to restart the OOBE process with a different account. (Requires Windows 10 1809 or later.)
User Account Type | By default, the first account created during OOBE is a local administrator. With Windows Autopilot you can choose a Standard or Administrator account type, so users need not be given administrator rights.
Allow White Glove OOBE | Enables a partner or IT pro to press the Windows key five times during OOBE to run without user authentication, enroll the device, and provision all system-context apps and settings.
Language (Region) | Selects the appropriate regional settings. The keyboard is chosen automatically from this selection unless you choose otherwise. Defaults to the operating system default.
Automatically Configure Keyboard | If Yes, uses the regional selection to choose the keyboard layout.
Apply Device Name Template | Specifies a naming convention used to name devices automatically. For example, Contoso-%RAND:3% generates a device name such as Contoso-565.

Note Company Branding is Required for Autopilot

You will notice that Autopilot profiles allow you to choose whether a user is presented with the company branding during OOBE. This setting is optional in each profile you create. Regardless of how you configure deployment profiles, you must configure Azure Active Directory Company Branding.

Use the following procedure to create a deployment profile using Microsoft Intune for a user-driven device that is to be joined to Azure AD:

  1. Open the Microsoft Endpoint Manager admin center and sign in as a global admin.
  2. Select Devices, select Enroll devices, and then select the Automatic Enrollment tile.
  3. Ensure the MDM user scope is not set to None.
  4. Go back to Enroll devices and select Deployment Profiles.
  5. Select Create profile and choose Windows PC.
  6. On the Create profile page, on the Basics tab, enter a profile name and optional description.
  7. Select Next, and then, on the Out-of-box experience (OOBE) tab, displayed in Figure 1-9, configure the values described in Table 1-12 and then select Next.

Figure 1-9 Creating an Autopilot profile

  8. On the Assignments page, choose the device groups you want to include or exclude, or choose Add all devices. Then select Next.
  9. On the Review + create tab, select Create.

After you’ve assigned the profile, devices are allocated to the profile during the Windows Autopilot process.


Deploy Windows 10

When you have imported all your devices, you are ready to deploy Windows 10 using Autopilot. Remember, though, that really you’re provisioning the devices rather than deploying Windows to them. Your users will start the process when you send them their new computers.

When a user turns on their new computer, it starts the OOBE. The user is prompted to connect the device to a wireless network if the device is not connected automatically.

If you chose to assign a specific device to a particular user, as displayed in Figure 1-10, the next prompt the user receives is to enter their password. If you didn’t assign the device to a particular user, the user is prompted for their username and their password.

Figure 1-10 The Account tab in the OOBE process for an Autopilot device

After they’ve entered the required credentials, the device is Azure AD joined and enrolled in MDM. Intune then applies the necessary device configuration profiles, compliance and conditional access policies, and any other configured settings.

Depending on settings, the user might be prompted for additional authentication for device verification. This might take the form of a text message with a one-time code, or else verifying the Azure AD join activity by using the Microsoft Authenticator app.

When the device has been provisioned, as displayed in Figure 1-11, the user desktop displays.

Figure 1-11 An Autopilot device is enrolled in Intune and provisioned

Note Enrollment Status Page

You can configure the enrollment status page for specific groups. During enrollment, while devices are provisioned, you can control what the user sees, and whether users can bypass the provisioning and gain early access to their desktop. Provisioning then continues while the user is signed in.


Troubleshoot deployment

Before you can resolve an issue with Windows Autopilot, you need to identify in which part of the overall process the problem is occurring. The Windows Autopilot process can be broken down into logical stages:

  • Network connectivity Establish an internet connection and connect to the Windows Autopilot service.
  • Deployment profile and OOBE A deployment profile will be delivered to the device to manage the OOBE. The OOBE will complete using the settings within the deployment profile.
  • Azure AD Has Azure AD been configured correctly? For user-driven deployments, users need to enter their Azure AD credentials to join the device to Azure AD.
  • MDM enrollment issues After being auto-enrolled into the MDM service, any policies, settings, and apps will be delivered to the device.

The whole process should result in the device being set up, configured, and ready for the user to be productive.

For a summary of possible troubleshooting areas within these stages, review Table 1-13.

TABLE 1-13 Windows Autopilot process flow

Process | Troubleshooting
Network connectivity | Ensure that the device can reach the Windows Autopilot services:
  • Windows Autopilot requires internet access.
  • Ensure that the specific network requirements are met, including firewall port settings and DNS name resolution.
Deployment profile and OOBE | Settings in the deployment profile configure the Out-Of-Box Experience. Focus your troubleshooting on whether:
  • The device has received its deployment profile.
  • A deployment profile has been assigned to the device.
  • The correct deployment profile type has been assigned to the device; for example, is the device a kiosk?
  • The assigned deployment profile settings are correct; for example, has the Administrator account type been configured by accident?
Azure AD | Azure AD needs to be configured before deploying devices with Windows Autopilot. Focus your troubleshooting on the following:
  • Ensure that MDM auto-enrollment in Azure AD is correctly configured.
  • Ensure that the MDM discovery URL is correctly configured, so devices can find the MDM service.
  • Ensure that Azure AD custom branding is in place.
  • Ensure that device hardware IDs have been successfully synchronized to the Windows Autopilot deployment service.
  • Ensure that the user has a valid Azure AD account.
  • Ensure that the user has not exceeded the maximum number of devices allowed to be joined to Azure AD.
  • If a third-party MDM solution is being used, make sure it has been correctly authorized in Azure AD.
MDM enrollment issues | In the final stage of the Windows Autopilot process, the device is enrolled into Mobile Device Management. If MDM enrollment fails, policies, settings, and apps are not deployed to the device. Focus your troubleshooting on the following:
  • The Enrollment Status Page is useful for troubleshooting MDM issues.
  • Has the user been assigned an Enterprise Mobility + Security license (or another license that includes Intune)?
  • Ensure that users have not exceeded their device enrollment limits.

Note Time

If you have ensured that the configuration is correct, then wait. Maybe go grab a coffee. Nearly all issues that I have experienced, such as the new device not being recognized by the Autopilot service, can be resolved by waiting 15 minutes and rebooting the device. Remember that Autopilot uses the cloud, and Azure AD group membership propagation or device ID synchronization can sometimes take a little longer to update.
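The following PowerShell is an added example, not code from the book: a first-pass triage script that walks the four stages in Table 1-13 from an elevated prompt on the device itself (Shift-F10 during OOBE opens a command prompt from which you can start powershell.exe). It checks TCP 443 reachability and name resolution for the Autopilot and enrollment endpoints, reads the CloudAssigned* values that a delivered profile writes under the Autopilot diagnostics registry key, parses the join state from dsregcmd /status, and pulls recent errors from the Autopilot and MDM enrollment event channels. The endpoint list is the commonly documented minimum and is an assumption you should extend for your tenant's proxy and firewall rules; the registry key and event channel names are the ones the built-in diagnostics use.

```powershell
# Added example (not from the book): on-device Autopilot triage for the stages in Table 1-13.
# ASSUMPTION: endpoint list is a minimum; extend it for your tenant's proxy/firewall rules.

$Endpoints = 'ztd.dds.microsoft.com', 'cs.dds.microsoft.com',
             'login.microsoftonline.com', 'enterpriseenrollment.manage.microsoft.com',
             'portal.manage.microsoft.com'

function Test-AutopilotConnectivity {
    # Stage 1: DNS resolution and TCP 443 to each service the device must reach.
    foreach ($h in $Endpoints) {
        $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $h; Resolved = [bool]$r.RemoteAddress; Tcp443 = $r.TcpTestSucceeded }
    }
}

function Get-AutopilotProfileState {
    # Stage 2: a downloaded profile populates CloudAssigned* values here. An empty or
    # missing key means no profile reached the device (hash not imported, not yet synced,
    # or no profile assigned to the device's group).
    $key = 'HKLM:\SOFTWARE\Microsoft\Provisioning\Diagnostics\AutoPilot'
    if (-not (Test-Path $key)) { return $null }
    Get-ItemProperty -Path $key | Select-Object CloudAssignedTenantDomain, CloudAssignedTenantId,
        CloudAssignedDeviceName, CloudAssignedOobeConfig, CloudAssignedDomainJoinMethod,
        CloudAssignedForcedEnrollment
}

function Get-AzureAdJoinState {
    # Stage 3: dsregcmd is the authoritative source for join state and the MDM URL.
    $fields = 'AzureAdJoined', 'DomainJoined', 'TenantName', 'MdmUrl', 'MdmTouUrl'
    $state  = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$' -and $Matches[1] -in $fields) {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]$state
}

function Get-EnrollmentErrors {
    # Stage 4: critical/error/warning events from the Autopilot and MDM enrollment channels.
    param([int]$Last = 20)
    $logs = 'Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot',
            'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    Get-WinEvent -FilterHashtable @{ LogName = $logs; Level = 1, 2, 3 } -MaxEvents $Last -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LogName, Id, Message
}

Test-AutopilotConnectivity | Format-Table -AutoSize
Get-AutopilotProfileState
Get-AzureAdJoinState
Get-EnrollmentErrors | Format-Table -Wrap

# For escalation, collect the full bundle with the built-in tool (Windows 10 1809 and later):
#   MDMDiagnosticsTool.exe -area 'Autopilot;DeviceEnrollment' -cab C:\Autopilot.cab
```

Read the output in stage order: if an endpoint fails, nothing later can succeed; if the profile key is empty, reboot as the note above describes and re-check before touching Azure AD or Intune settings; an MdmUrl in the dsregcmd output confirms that auto-enrollment discovery worked.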


Skill 1.3: Plan and implement Windows 10 using MDT

MDT is a deployment tool used by many organizations to provide Lite-Touch Installation (LTI) deployments in on-premises infrastructures; a technician starts the deployment and answers a few prompts. When combined with Endpoint Configuration Manager, you can implement Zero-Touch Installation (ZTI) deployments that require no interaction at the device. In this skill, you will learn what you need to know about when and how to use MDT to deploy Windows 10 in your organization.

This skill covers how to:

Choose configuration options based on requirements

Most enterprise organizations have used image-based deployment for many years. Both MDT and Configuration Manager rely on images. When working with images, you must determine whether you want to use a default image, or a custom image to deploy the Windows operating system:

  • Default image A default image is the result of performing a standard installation of Windows 10 on a computer using default values. A default image, install.wim (or install.esd on media built with the Media Creation Tool), is provided in the Sources folder on the Windows 10 product media. When using default images, remember that:
    • You don’t need to create the image.
    • You must apply settings and apps separately after deployment of the image.
    • Updates to applications don’t affect the image.
    • The same image can be used throughout the organization.
    • End-to-end deployment time is longer than with custom images because you must perform deployment tasks after image application.
  • Custom image A custom image is one that contains additional components, such as drivers and apps, and specific settings and customizations relevant for the organization. When using custom images, remember that:
    • You’ll need to create and maintain the image.
    • You can include all required apps and settings in the image.
    • You might need to maintain multiple images to manage the needs of your different departments.
    • Updates to applications require you to update the image.
    • End-to-end deployment time can be faster.

Note Thin Versus Thick

Images that contain only an operating system are often referred to as thin images, while those that contain many apps are called thick images. Most organizations use thin images because they require less ongoing maintenance.

MDT supports two types of images. These are:

  • Boot images These are used to start the deployment process. It’s fairly typical for computers targeted for deployment with MDT to have no installed operating system. This is known as bare-metal deployment. The boot image can be accessed from a USB thumb drive, a DVD or ISO file, or by using a Pre-Boot Execution Environment (PXE) server (such as Windows Deployment Services). When you deploy MDT, you’ll also install Windows ADK. This includes standard boot images for both x86 and x64 architectures.
  • Operating system images You’ll use the deployment workbench to create and manage your operating system images. As mentioned, you can use either a default or custom image, depending on your requirements.
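The following PowerShell is an added example, not code from the book: it inventories the editions in the default image on the installation media and then builds a minimal custom image of the "thin plus drivers" kind discussed above by servicing a copy of install.wim offline with the inbox DISM module, injecting only signed drivers and recording a hash of the result for the deployment share's change log. The media path, working folder, driver folder, and edition name are placeholders; run it elevated.

```powershell
# Added example (not from the book): inspect the default image, then create a
# driver-injected custom image offline. Placeholders: $Media, $Work, $DriverRoot.

$Media      = 'D:\'                 # mounted Windows 10 ISO or extracted media
$Work       = 'C:\ImageWork'
$DriverRoot = 'C:\Drivers\Surface'  # extracted OEM driver package (.inf files)

function Get-DefaultImageInventory {
    # Media from the Media Creation Tool ships install.esd rather than install.wim;
    # Get-WindowsImage reads either, but only a .wim can be mounted for servicing
    # (use Export-WindowsImage to convert an .esd index to a .wim first).
    $image = Get-ChildItem -Path (Join-Path $Media 'sources') -Filter 'install.*' |
             Where-Object { $_.Extension -in '.wim', '.esd' } | Select-Object -First 1
    Get-WindowsImage -ImagePath $image.FullName |
        Select-Object ImageIndex, ImageName, ImageSize
}

function New-DriverInjectedImage {
    param([string]$ImageName = 'Windows 10 Enterprise')
    $mount = Join-Path $Work 'mount'
    New-Item -ItemType Directory -Path $mount -Force | Out-Null
    $src = Join-Path $Media 'sources\install.wim'
    $dst = Join-Path $Work 'install-custom.wim'

    # Service a copy so the original media stays pristine and its published hash still matches.
    Copy-Item -Path $src -Destination $dst -Force
    Set-ItemProperty -Path $dst -Name IsReadOnly -Value $false

    $index = (Get-WindowsImage -ImagePath $dst | Where-Object ImageName -eq $ImageName).ImageIndex
    Mount-WindowsImage -ImagePath $dst -Index $index -Path $mount | Out-Null
    try {
        # Drivers only, no apps: the image stays thin and app updates never require a rebuild.
        # Add-WindowsDriver rejects unsigned drivers unless -ForceUnsigned is given; leave it off.
        Add-WindowsDriver -Path $mount -Driver $DriverRoot -Recurse | Out-Null
        Get-WindowsDriver -Path $mount | Select-Object Driver, ProviderName, ClassName, Version
    } finally {
        Dismount-WindowsImage -Path $mount -Save | Out-Null
    }
    # Record the hash alongside the image so the deployment share can detect tampering or drift.
    Get-FileHash -Path $dst -Algorithm SHA256
}

Get-DefaultImageInventory
New-DriverInjectedImage
```

Import the resulting install-custom.wim into the Deployment Workbench as an operating system image; the hash output is what you compare when the same file is later copied to a distribution point or a second deployment share.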