This post will be a bit different because I will show you the end result first. 🙂
What we want to achieve in the out of box enrollment experience. In real world this means you can ship the laptop directly to the employee or your employee can buy any device in the local store and after unpacking it will be automatically configured and he is able to work.
What we actually saw in that video?
- The device booted up and started the Windows standard setup procedure.
- The employee needs to answer a set of annoying questions (like keyboard, privacy, etc.).
- The employee is prompted to enter an email address (for a user that is in Azure AD) and his AD password.
- Windows Hello setup kicked in (SMS token + PIN entry).
- Workspace ONE manages the device.
- The employee is ready to go. Policies and apps and popping in.
In general, we have a lot of options how to enroll a Windows 10 devices into Workspace ONE, but I like to break them down into 5 main categories depending on if it’s an existing device or brand new (out of the box) and if we want to use Microsoft toolset or if it’s a Dell computer.
In this blog post, we will cover the third option – Microsoft toolbox – OOBE. Please do mind that in order for this to work (same applies to the Autopilot option) you will need an Azure Active Directory Premium P1 (or higher).
The general concept of OOBE is that the machines registers to AAD and then the registration is via integration transferred to Workspace ONE, which will then do the heavy lifting and push configuration and apps.
At this point, I am assuming that we have the local Active Directory integrated with Workspace ONE UEM (we cannot read users directly from AAD, yet) and also that your local Active Directory is synchronized with AAD Premium P1.
Since we are in the AAD grab a few things we will need later in the Workspace ONE console. The first one is the Tenant ID:
And the second one is the tenant name (domain).
Let’s switch to the Workspace ONE console and go to Groups and Settings > All Setting > System > Enterprise Integration > Directory Services. Enable the switch “Azure AD Integration”, paste the data collected in AAD. Also while you are here copy the MDM URLs on this page.
Switch back to the AAD console. Go to section “Mobility (MDM and MAM)” and add two new apps called “AirWatch by VMware” and “On-premises MDM application”.
Now we will need to configure both of them. Click on the “AirWatch by VMware” and fill in the details you got from the Workspace ONE UEM console. I scope everything to All users, but of course, you can limit that to a test group. Save it.
Move to the second app – “On-premises MDM application”. Do the same stuff here, but when you are done click on the link “On-premises MDM application settings”.
Go to the section “Expose an API” and change the Application ID URI to match your Device services server:
Save everything and you are done. You can now go and test your OOBE setup with your Windows 10 machine.
If you don’t have a brand new machine and you want to test this you can always Sysprep an exiting machine with a /oobe switch to get to that flow.
C:\Windows\System32\Sysprep\sysprep.exe /oobe /restart
I will cover the Autopilot option configuration in the next post.