I recently had an opportunity to complete a semi-production deployment using Factory Provisioning to drop-ship Windows 10 devices directly to a few early registered Custom Advisory Board members. Going through this process was eye-opening, and I felt like I was able to relate more to admins and what they go through when using our product. I gained a new perspective and additional insights on configuring Workspace ONE UEM, Workspace ONE Access, Workspace ONE Hub Services, Azure Active Directory for authentication as my source of truth, and for the Out-of-Box-Experience (OOBE) enrollment integration along with using Windows Autopilot. In this blog, I will provide an overview of this project, along with some lessons learned.
Are you interested in seeing the unboxing experience from an end user’s perspective? Be sure to check out Drop-Shipping Windows Devices for VMware’s Virtual Customer Advisory Board: The User Experience!
Project Overview & Requirements
The purpose of this project was to provide a drop-ship provisioning unboxing experience to a few customers who registered early for the Customer Advisory Board, which happened virtually this year. We initially wanted to have the OEM provision the devices. However, due to tight timelines and the prolonged shipping times due to the current pandemic, we opted to do the provisioning in-house, which ended up being my favorite part of this project! If you are also on a tight timeline or prefer to do provisioning in-house, this blog will show you how. I also did not want to have to manage any server infrastructure over the year. Thus, I implemented everything with a zero-server footprint for this project. This decision did bring up some caveats; however, for this use-case, the pros outweighed the cons.
My goal through this blog is to show how a modern deployment set up, such as what I used, can make a seemingly daunting task low touch and save significant time in provisioning devices. Below are the tasks I configured for myself in JIRA.
- Request new tenants for Workspace ONE UEM and Workspace ONE Access
- Request Azure AD Tenant (Microsoft 365 E3)
- Azure AD Premium, Windows 10 Enterprise (removing consumer apps), and Office 365 were provisioned for this use-case.
- Procure Devices from Dell (Shipped to me)
- Dell Latitude 9510 with 10th Generation Intel® Core™ i5-10310U (4 core, 6M cache, base 1.7 GHz, up to 4.4 GHz, vPro Capable), 16 GB RAM, and 256 GB PCIe NVMe Class 35 Solid State Drive, were procured for this use-case. The devices came with Windows 10 Pro 64-bit, but Windows 10 Enterprise 64-bit was applied by providing the Product Key (KMS Client Setup Key) in the Provisioning Configuration Package in the Workspace ONE UEM console.
- Prepping Workspace ONE
- Integrate Workspace ONE UEM with Access using Wizards
- Create Profiles (BitLocker, Updates, Personalization, AV, Default Apps, Office 365 Install, Chrome ADMX Settings, Native Mail, Restrictions, SSO SCEP Certificate)
- Enable Privacy Settings (Disable Collecting Personal Info/Apps Data, No GPS Data, etc.)
- Add Windows Apps to Workspace ONE UEM
- Add SaaS Apps to Workspace ONE Access
- Steps for Drop-Ship Provisioning
- Hands-on with the Devices
- Provision Devices using the VMware Provisioning Tool for Windows and Obtain Autopilot Info
- Ship the Devices to End Users
- Day 2 Operations
Steps for Drop-Ship Provisioning
Factory Provisioning for Workspace ONE allows Windows Device OEMs and VMware administrators to provide a virtually zero IT touch and virtually zero user downtime experience. Configurations, settings, and applications are preloaded at the factory or before handing off to the end-user. Now, instead of waiting for apps and settings to download and apply, you can have a ready-to-work experience on the first boot of the device.
Configuration for Factory Provisioning for Workspace ONE is straightforward: leverage a wizard to export applications from Workspace ONE UEM as a provisioning package (.ppkg) and to generate a configuration file (unattend.xml).
Factory Provisioning does not require the Azure Active Directory (AAD) Premium license, but since we already had this license, we also decided to configure devices to use Windows Autopilot. Windows Autopilot is a capability from Microsoft that allows pre-configuration for Windows 10 devices in conjunction with the Out-Of-Box-Enrollment (OOBE) experience. Factory Provisioning and Windows Autopilot can be used independently or together. One of the most significant capabilities with Factory Provisioning is that you can directly ship an end-user a pre-configured Windows 10 device, and as soon as it is powered on, it shows the user a customized login screen during OOBE requesting the user to enter their credentials. After successful authentication, the device is joined to Azure AD, automatically enrolled into Workspace ONE, and all the user’s apps and configurations are automatically installed.
In our case, we decided to use Factory Provisioning to have the apps preloaded, and Windows Autopilot to further simplify the OOBE process by skipping Cortana, OneDrive, and OEM registration setup pages. Both Autopilot and Factory Provisioning allow for skipping EULA and privacy settings screens during OOBE.
One of the requirements to use Autopilot is that you have to request your OEM to pre-register devices with Microsoft. You also have the option of manually registering new devices or devices that are already deployed to end-users, which will allow future resets to undergo the Autopilot process. Since I had the devices shipped directly to me, we will explore all of the manual steps of provisioning devices with Factory Provisioning and registering these devices for Windows Autopilot.
Hands-on with the Devices
Below are the steps I followed to provision the devices with Factory Provisioning for Workspace ONE and Windows Autopilot. The actual hands-on provisioning was rather quick and only took a few minutes. I learned quickly that most of the time was spent physically unboxing and repackaging the devices.
- Prepare the USB drive.
- Download your Provisioning Files: PPKG and Unattend XML from the Workspace ONE UEM console.
- Download the latest VMware Workspace ONE Provisioning Tool for Windows.
- Download the Get-WindowsAutoPilotInfo.ps1 file. There are many ways to use can this fantastic script authored by Michael Niehaus, but for this use-case, I opted to do everything without connecting the device online.
- Create a PowerShell script or text file with the below commands. I wanted to have the Autopilot info save with the devices’ serial number as the filename, but this is not required. All that is needed is to set the execution policy and call the Get-WindowsAutoPilotInfo.ps1 script. I named this file Provision.ps1 on my USB drive.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted
$SN = Get-WMIObject Win32_bios -ComputerName $env:computername -ea SilentlyContinue
$SN = $SN.SerialNumber
D:\Get-WindowsAutoPilotInfo.ps1 -OutputFile D:\Autopilot\$SN.csv
- Unbox the devices, be sure to wear protective gear when handling the devices (gloves and mask). Be sure to charge the devices while you have them powered to ensure they do not ship with a dead battery to your users.
- Power the devices on, and once the device enters OOBE, get the system into Audit Mode by pressing Ctrl+Shift+Fn+F3 (or Ctrl+Shift+F3 on some machines). Don’t worry, you can take your time, once the device enters OOBE it’s waiting for user input, so you won’t need to time entering Audit Mode. This isn’t like the race to enter into your BIOS setup or boot options. You know that you have successfully entered Audit Mode when you see System Preparation Tool (Sysprep) running on the desktop.
- Open PowerShell with the Run as Administrator option selected. Open or copy the commands from your Provision.ps1 file. Press Enter to run the commands. Confirm the warning messages.
- Validate that you see a file with the device’s serial number under the Autopilot folder. This was the main reason I wanted the filename to be the device’s serial number. I could quickly and easily look on the side of the box or under the device to match this value with the one I saw in the folder.
- Right-click VMwareWS1ProvisioningTool.exe and select Run as Administrator.
- Select both your PPKG and Configuration File (XML) which are located on your USB drive.
- Switch the After Applying Sysprep option to Shutdown, then click Apply Full Process. You will see status updates on the right-hand side. The device will automatically apply Sysprep and shutdown.
- That’s all! Add in any additional documentation, then repackage the device, apply the shipping labels, and ship them out to your end-users. In this case, we had a tri-fold that provided high-level steps to follow along with how to contact support.
- Lastly, you will want to take the Autopilot files and upload them into the Microsoft Store for Business portal. Navigate to Manage > Devices > Add Devices. You can then assign an AutoPilot Deployment profile to the devices as well.
If you want to test a few devices before shipping them out like I did, you can follow the how to re-provision a Factory Provisioning for Workspace ONE device steps. As a reminder, these are the steps that OEMs would have taken when ordering the device via the Factory Provisioning service. Given the tight deadlines, we chose to replicate these exact steps at home.
Are you interested in seeing how I provisioned these devices at home? Check out the video below that I recorded to show my wife what I would be doing while she took our daughter to the water park for the day.
Day 2 Operations
Let’s not forget that we have to support our users after the unboxing experience. I added a few details to help our users during day-2 operations, after they have powered on and set up their device.
- The Workspace ONE Hub Services Virtual Assistant, named Hub Assistant, is a digital chatbot you can deploy to offer employee self-service tools. The Hub Assistant chatbot provides employees with an engaging, conversational experience to complete common workflows and to get answers to frequently asked company questions. When Hub Assistant is enabled in the Hub Services console, users can access the virtual assistant from the Intelligent Hub app and from a web browser. In our case, users are able to submit tickets, view tickets, and even follow a workflow to order new devices. This required integration with ServiceNow. For details on how to complete this integration watch the VMware Hub Assistant: ServiceNow Integration - Feature Walk-through.
- Allowed users to perform actions such as syncing devices, install apps, profiles, and wiping devices all from a self-service portal. Users can also quickly, yet securely access their BitLocker recovery key when prompted by the OS during boot on special occasions. By default, all users have access to performing these self-service actions; however, you can disable this access for some or all users depending on your use-case.
- VMware Workspace ONE Assist enables you to access remotely and troubleshoot devices in real-time. Workspace ONE Assist is privacy-friendly. End users can accept, pause, and end a remote session at any time for privacy reasons.
After working on this project with the perspective of an admin, I have a few key lessons learned.
- When provisioning the devices, your bottleneck will be the number of USB drives that you have on hand. I noticed that the provisioning process was rapid! I started with just one USB drive, but after the first device, I created a second USB drive. The provisioning process for me took on average 6 minutes per device, and I provisioned devices two at a time. It ended up taking just over 50 minutes to provision 11 devices, where most of that time was spent unboxing and repackaging the devices.
- Testing on a Virtual Machine (VM) is a great start, but to truly experience what the end-user sees, you must test on a physical machine. For example, security policies (biometrics) may not apply to your VM, and the OOBE experience takes much longer on a VM. When using a VM, be sure to take a snapshot before provisioning and after provisioning. This way, you can save time and by quickly making console-side configuration changes and immediately seeing how it changes the end-user experience.
- Think about your end-to-end architecture, mainly your directory type and if you will be using Workspace ONE UEM or Access as your primary authentication source. Trying to implement this use-case with zero connectors or any on-premises components proved to be challenging and not recommended for production environments, so please follow our best practices using the VMware Workspace ONE and VMware Horizon Reference Architecture tutorial.
Lastly, be sure to register for my upcoming VMworld session on Exploring Windows 10 Onboarding: Drop-Ship Provisioning!
- Factory Provisioning: VMware Workspace ONE Operational Tutorial
- Enrolling Windows 10 Devices Using Azure AD: VMware Workspace ONE UEM Operational Tutorial
- Understanding Windows 10 Management
- Planning Your Windows 10 Deployment: VMware Workspace ONE Operational Tutorial
- VMware Workspace ONE and VMware Horizon Reference Architecture
- Business Continuity with VMware Workspace ONE