One of the biggest challenges that we run into with customers who want to adopt Windows Autopilot for deploying new devices is the variety of network setups. This can be broken down into a few high-level categories:

- Challenges for devices that need to make an initial connection to the corporate network, due to network security mechanisms such as 802.1x, which often leverage either computer or user certificates to grant access. Sometimes these mechanisms only apply to Wi-Fi networks (meaning wired connections are fine), but they can apply to wired network connections as well.
- Challenges for devices that need connectivity to the internet, which may require access through a proxy server or a firewall. This can be especially problematic in cases where user authentication is needed (whether using AD/AAD credentials, certs, or other mechanisms), but there are also discovery issues (i.e. how does the client discover that it needs to use a proxy server).
- Challenges for devices that need connectivity from the internet to the corporate network, which may require access via VPN, typically needed for Active Directory-based scenarios.

Generally, these can all be considered "bootstrapping" problems. In the past, when customers used traditional image-based deployment mechanisms, they built mechanisms to work around these, often solving the issues before the device was ever delivered to the end user. When shifting to Windows Autopilot, those mechanisms may no longer work (depending on the specifics).

Our general guidance for Windows Autopilot networking focuses on outbound connections, i.e. what internet-based services the device needs to talk to in order to complete the Windows Autopilot provisioning process. But it doesn't really talk about the items I mentioned above.

There are some general solutions that can be applied to the challenges above. It's useful to talk about those before getting into the scenarios that benefit the most from them.

- WPAD. This is a mechanism that allows a device to discover which proxy auto-configuration script (PAC) it should use to communicate with the internet. (Note that many network teams don't like WPAD because it is considered a security risk: devices in public spaces could be directed, via spoofed discovery answers, to a proxy server that monitors network traffic without the user's knowledge. Also, proxy servers that perform SSL inspection will likely break Windows Autopilot and other services that validate the SSL server certs, because the client sees the inspecting proxy's certificate rather than the expected one.)
- Whitelisting. This is a mechanism that is used in multiple situations:
  - With a firewall, to allow access through the firewall to a list of internet addresses (IP or DNS names).
  - With a firewall, to allow certain machines to connect to a list of internet addresses through a pre-authorization process (e.g. registering their MAC addresses in advance).
  - With a proxy, to allow access through the proxy server to a list of internet addresses (IP or DNS names), without any user or device authentication.
- Limited networks. Devices can connect to a limited network (e.g. one allowing only internet access, perhaps with a captive portal to authenticate users).
- Certificates. To access the corporate network (e.g. using 802.1x), the device or user may need a cert. Deploying from a different network (guest, or directly on the internet) may make it possible to get those certificates enrolled so that the device can later access the corporate network. Intune uses SCEP to talk to a certificate enrollment service (e.g. an Active Directory Certificate Services NDES server) to issue the needed certs.
- VPN. If the device can't directly access the corporate network, but can access the internet or a separate guest network, it may be able to then make a VPN connection. (If the VPN connection needs a cert, then certificate enrollment may still apply.)
- Temporary access. The user can be given a mechanism to connect to the corporate network without certificates for a period of time (hours). That could be the normal Wi-Fi network, or a separate restricted network. Generally this would require a helpdesk call.
- Pre-provisioning by technicians. Technicians can set up devices on a separate network (OEM, partner, or customer network) to get device configuration in place before the device is given to the user.
- Custom OEM images. The OEM can load a custom image that has the needed device configuration pre-loaded in the image. (To keep the customer out of the imaging business, one of the main Windows Autopilot goals, it would be best to just provide the "tweaks" to the OEM and let them make those tweaks in the image.)

Now, let's talk about the different Windows Autopilot scenarios.
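Before moving on to the scenarios, here is an added example (not from the original post) of the proxy whitelisting and PAC discovery items above: a proxy auto-configuration script that sends the endpoints a device needs during provisioning through a proxy that requires no user or device authentication, keeps internal names direct, and routes everything else through the normal authenticating proxy. A PAC file is plain JavaScript evaluated by the Windows proxy engine, so the same code can be exercised under Node with a small shim for the PAC helper functions. The proxy names (`proxy-noauth.corp.example`, `proxy-auth.corp.example`), the internal domain `.corp.example`, and the endpoint list are assumptions for illustration; the list is only a subset and the current Microsoft documentation should be used as the authoritative source.

```javascript
// Illustrative PAC file for Autopilot provisioning through a whitelisting proxy.
// Written with var/function syntax on purpose: the Windows PAC engine does not
// accept modern ES syntax. Hostnames and proxy names below are assumptions.

// Shims for the PAC helper functions so this file runs under Node for testing.
// In a real proxy engine these helpers already exist and the shims are skipped.
if (typeof shExpMatch === "undefined") {
  globalThis.shExpMatch = function (str, shexp) {
    // Shell-style glob: '*' matches any run, '?' matches one character.
    var re = "^" + shexp
      .replace(/[.+^${}()|[\]\\]/g, "\\$&")
      .replace(/\*/g, ".*")
      .replace(/\?/g, ".") + "$";
    return new RegExp(re).test(str);
  };
}
if (typeof dnsDomainIs === "undefined") {
  globalThis.dnsDomainIs = function (host, domain) {
    return host.toLowerCase().endsWith(domain.toLowerCase());
  };
}
if (typeof isPlainHostName === "undefined") {
  globalThis.isPlainHostName = function (host) {
    return host.indexOf(".") === -1;
  };
}

// Internet endpoints the device must reach before any user or device
// credential exists. Illustrative subset (assumption): check Microsoft's
// current Autopilot/Intune endpoint documentation for the full list.
var PROVISIONING_HOSTS = [
  "ztd.dds.microsoft.com",              // Autopilot deployment service
  "cs.dds.microsoft.com",               // Autopilot deployment service
  "login.microsoftonline.com",          // Azure AD sign-in
  "enterpriseregistration.windows.net", // Azure AD device registration
  "*.manage.microsoft.com"              // Intune enrollment and management
];

// Assumed proxy names. The no-auth proxy must also be excluded from SSL
// inspection for these hosts, or certificate validation on the client fails.
var UNAUTH_PROXY = "PROXY proxy-noauth.corp.example:8080";
var AUTH_PROXY   = "PROXY proxy-auth.corp.example:8080";
var INTERNAL_DOMAIN = ".corp.example"; // assumed internal DNS suffix

function isProvisioningHost(host) {
  host = host.toLowerCase();
  for (var i = 0; i < PROVISIONING_HOSTS.length; i++) {
    // Anchored glob match: "*.manage.microsoft.com" cannot be satisfied by
    // "manage.microsoft.com.attacker.test".
    if (shExpMatch(host, PROVISIONING_HOSTS[i])) return true;
  }
  return false;
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Internal names never leave the corporate network.
  if (isPlainHostName(host) || dnsDomainIs(host, INTERNAL_DOMAIN)) return "DIRECT";
  // Whitelisted provisioning endpoints: proxy with no authentication.
  if (isProvisioningHost(host)) return UNAUTH_PROXY;
  // Everything else: the normal authenticating proxy.
  return AUTH_PROXY;
}
```

The whitelist is matched on the host only, not the URL, so it does not depend on anything that would only be visible after TLS termination; that is what lets the no-auth proxy pass the provisioning traffic through without inspecting it.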