Hybrid Working - the new normal

If you are up with the latest modern workforce trends, it looks like remote (or hybrid) working is here to stay, with a sizeable percentage of workers electing to work from home and only coming to the office 1 or 2 days per week. The ability to quickly get your workforce up and running, and to support them at a sustainable cost, has never been more important. What makes it difficult for business, is that their employees are now working largely from home, which includes the IT team.

Zero Touch Deployment is an approach that allows your business to purchase new Windows devices, have them delivered directly to your employees (wherever they may be), and then after the employee logs into the device with their work credentials, the device is automatically configured over the air with work security/settings, apps, and access to data. It all takes about 30-45 minutes, and the IT team is not involved in the device setup. Users are truly empowered.

There are 2 components required to enable your business to enable Zero Touch Deployment – namely Windows Autopilot and Microsoft Intune.

• Windows Autopilot - is a cloud-based deployment technology which allows you to deploy and configure Windows 10/11 devices over the internet from any location, and with no IT specialist involvement required during the device setup process. Windows Autopilot is built on existing modern management technologies like Azure Active Directory (Azure AD) and Microsoft Intune to manage and configure devices by automatically enrolling in these solutions at their first bootup, right out of the box.

• Microsoft Intune - is a cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM). Intune integrates with Azure Active Directory (Azure AD) to control who has access and what they can access. It can be used with the Microsoft 365 suite of products. For example, you can deploy Microsoft Teams, OneNote, and other Microsoft 365 apps to devices. This feature enables people in your organisation to be productive on all their devices while keeping your organisation’s information protected with the policies you create which can be specific to each type of device (Windows, Mac, iOS, Android) or ownership type (Corporate or Personal).

Explore Digital offers Zero Touch Deployment setup services for each of the above services (Windows Autopilot and Microsoft Intune). Each are provided as independent offerings to provide flexibility in configuration, as some businesses may already have Intune deployed and wish to now support Windows Autopilot. Windows Autopilot setup does however require Intune to be in place. Licensing is also a requirement and can either be already in place (often bundled with your existing Office/Microsoft 365 E3 or Microsoft 356 Business Premium licenses), but again can be purchased separately as an additional part of the Zero Touch Deployment engagement.

Note

1. If you need help to establish an Azure tenant and procure the required licenses, or need to upgrade your existing licenses so that you have the required Intune licensing in place, we are an authorised Microsoft Cloud Solution Partner (CSP) and can help to confirm what you need up front and then provide a bespoke quotation for Azure tenant setup and/or the required licensing subscriptions. Please contact us if this is of interest.

2. If you already have an Azure tenant running up in the cloud, but perhaps your users have to use a different (cloud-only) userid and password to access these services as you haven’t yet linked your on-premises Active Directory Domain Services (AD DS) to Azure Active Directory (Azure AD) - referred to as a ‘hybrid-cloud deployment’ - then perhaps our ‘Azure AD Connect Initial Setup’ service may be of interest. This service helps you to provide a common user login to both on-premise and cloud services (such as Microsoft 365), and allows for the secure synchronisation of the user password up to the cloud as well (note - this capability previously required an extensive and expensive on-premise deployment of ADFS and is now built-into the Azure AD Connect Service which may be able to run on an existing on-premise Domain Controller instead). This hybrid-cloud deployment can start out as a simple pilot with a limited number of users to enable testing and build business confidence in the technology if that’s preferred, and we can expand the scope of the design over time. Please contact us if this is of interest.

See notes below regarding Microsoft’s licensing requirements for Intune and Autopilot.

Scope of Work (SOW) for this service:

The following items are included in the Scope of Work (SOW):

• Kick-off meeting (remote)

  • Identify goals and objectives for Microsoft Intune deployment

  • Identify use-cases and system requirements (Intune, Network, Devices, Cloud Services accounts etc)

  • Agree rollout and communication plan

• Create a project plan and schedule

• System architecture design (high-level)

• Provide advice to customer for preparing devices to be on the minimum required version of operating systems (Windows, iOS, Android)

• Confirm Intune requirements have been met for - in-scope devices, network connectivity, licensing

• Configure Intune domain, users, and groups

• License assignment (via groups)

• Configure automatic MDM (Intune) enrolment on existing Azure AD (if meets agreed design requirements)

• Configure company branding for use with Intune and related portals/apps (client to provide images of required dimensions, file size and format)

• Integration with Google Play Store (if required)

• Integration with Apple Business Manager (if required)

• Configure a selection of device configuration profiles with basic settings (allowing for maximum of 2 per operating system type)

• Configure a selection of Microsoft 365 Apps as per existing licensing (sample apps to validate app deployment works to a sample of devices - 2 per operating system type)

• Configuration of Conditional Access with Microsoft Intune compliance policies - basic policies only

• Within Endpoint Manager - Configure Update Rings, Feature updates and Quality updates for Windows 10 and later (Preview) - for a small pilot only, not production deployment

• Within Endpoint Manager - Configure up to 3 Windows 10/11 compliance policies (non-complex) - for a small pilot only, not production deployment

• Configure eSIM cellular profiles in Intune (public preview) - maximum of 3 (for proof of concept)

• Provide user reference material on self-setup of devices

• Post-implementation break-fix support for one (1) month - limited to devices and items scoped within this SOW)

• Project closure and acceptance

The following configuration is explicitly excluded from this engagement:

• Configuration of Azure AD Connect and identity synchronisation between Active Directory Domain Services (AD DS) and Azure Active Directory (Azure AD)

• Initial setup and/or configuration of Windows Autopilot (please refer to our separate, related service offering)

• Setup and.or configuration of Configuration Manager and/or co-management

• Configuration of Samsung Knox

• Deployment of certificates to devices using Intune and/or Certificate Connector for Microsoft Intune

• Configuration of Windows Store for Business (as this is scheduled for retirement)

• Kiosk setup within Intune

• Group Policy ADMX settings and related deployment and/or migration of any existing Group Policies

• Remote control of devices (e.g., Teamviewer, Splashtop etc)

• Configuration of Desktop Analytics

• Applications deployment through Microsoft Intune (other than the sample apps in the above scope)

• User training

• Device data protection configuration

• Thread protection configuration

• Device management after-service implementation

• All work will be delivered remotely - no onsite attendance

Client Responsibilities

• Coordinate Client resources and staff schedules

• Provide a single point of contact who is responsible for working with the Explore Digital team

• Coordinate any outside vendor resources and schedules

• Participate in the project discussion and provide all the information necessary to implement the solution

• Configure all network equipment, such as load balancers, routers, firewalls, and switches

• Assist users who must self-enroll their corporate mobile devices

• Setup of Google Play Store

• Setup of Apple Business Manager and/or Apple Device Enrollment Program (DEP)

• Users can self-enroll their own Windows PCs and mobile devices (BYO - as appropriate to your company policies)

• Review and approve engagement deliverables in a timely manner

Licensing requirements

Windows Autopilot depends on specific capabilities available in Windows client and Azure Active Directory (Azure AD). It also requires an MDM service such as Microsoft Intune. These capabilities can be obtained through various editions and subscription programs. To provide needed Azure Active Directory (automatic MDM enrollment and company branding features) and Intune MDM functionality, one of the following subscriptions is required:

• Microsoft 365 Business Premium subscription (** NOTE - This is the most common license we see with our SME clients and provides all you need for Windows Autopilot and Intune **)

• Microsoft 365 F1 or F3 subscription

• Microsoft 365 Academic A1, A3, or A5 subscription

• Microsoft 365 Enterprise E3 or E5 subscription - which include all Windows client, Microsoft 365, and EMS features (Azure AD and Intune).

• Enterprise Mobility + Security E3 or E5 subscription - which include all needed Azure AD and Intune features.

• Intune for Education subscription - which include all needed Azure AD and Intune features.

• Azure Active Directory Premium P1 or P2 and Microsoft Intune subscription.

The end user device must be running a supported version of Windows 10 or Windows 11 running the either of the following editions: Pro, Pro Education, Pro for Workstations, Enterprise, and Education.

NOTE

• Windows 10/11 Home is insufficient for use with Intune, Windows Autopilot, plus a bunch of other services typically required for business use.

• Always consider the benefits of buying the ‘Surface for Business’ line of products and not consumer-grade products from the big-box retailers - there’s a big difference!

• Explore Digital is an Microsoft-authorised business-only reseller - so please take a look on our ‘Explore Surface’ online store for your next business-related device purchase.

• For a list of OEMs that currently support Windows Autopilot, see the Participant device manufacturers section at Windows Autopilot

• All products, services, or combination of products and services supplied by Explore Digital Pty Ltd are covered by our warranties - detailed here.