
A few months back we announced Windows Autopilot for HoloLens 2 devices in a private preview with Windows Holographic ver. 2004 (Build 19041.1103 or later). Windows Autopilot for HoloLens 2 with Microsoft Endpoint Manager (MEM) delivers efficiency, simplifies deployment, and streamlines device security and endpoint management, which drives significant cost and time savings for your organization.

 

To ensure Windows Autopilot and Microsoft Endpoint Manager provide that streamlined device endpoint management capability, we are announcing two new Autopilot features, both currently available through the Windows Holographic Insider preview:

  1. Windows Autopilot Tenant lock for HoloLens 2 devices. This feature is currently available with Windows Holographic Insider Preview (Build 19041.1366 and above)
  2. Autopilot deployment using a Wi-Fi connection. This feature is currently available with Windows Holographic Insider Preview (Build 19041.1364 and above)

Windows Autopilot Tenant lock for HoloLens 2 

The Windows Autopilot Tenant lock capability allows your organization to enforce that the device is always bound to your Tenant and managed by your organization after initial enrollment. This feature ensures that your device is always deployed by Windows Autopilot and managed by Microsoft Endpoint Manager, whether after an OS update or after an accidental or intentional reset or wipe.
When your organization deploys HoloLens 2 devices with Windows Autopilot, you can set up a specific policy, deployed post enrollment, which enforces:

  1. A mandatory network connection during the device setup process and any subsequent device reset
  2. Autopilot deployment on every setup, requiring a deployment profile from the Autopilot service
  3. No local user creation during device setup
  4. No other escape hatches during the device setup process that could result in a non-managed state
  5. No device ownership during the device setup process other than by the organization Tenant the device is registered to with Windows Autopilot


Setup Tenant lock custom policy using Microsoft Endpoint Manager

The Windows Autopilot Tenant lock feature uses the TenantLockdown CSP behind the scenes, along with some OS-level changes, to enforce this behavior. Your organization can set up this policy through Microsoft Endpoint Manager device configuration by setting RequireNetworkInOOBE to True. Setting up this custom policy looks like this:

  1. Sign in to the Microsoft Endpoint Manager admin center
  2. From the navigation pane, select Devices > Configuration profiles > Create profile
  3. Enter the following properties and select Create
    • Platform: Windows 10 and later
    • Profile: Custom
  4. Enter the rest of the information
  5. In Configuration settings, enter the following
    • Name: pick a name for your custom setting
    • Description: provide a description of your custom setting
    • OMA-URI: ./Vendor/MSFT/TenantLockdown/RequireNetworkInOOBE
    • Data type: Boolean
    • Value: True
  6. Complete the rest of the setup steps for this custom OMA-URI
  7. Assign this device configuration profile to the HoloLens 2 device group that is being deployed with Autopilot

Learn more on custom configuration settings through MEM



Make sure your HoloLens 2 devices are members of this group and verify that the device configuration has been applied successfully. Once this device configuration is successfully applied on the HoloLens 2 devices during Autopilot deployment, TenantLockdown will be active and enforced on future device resets, wipes or reimages.

 

Unset Tenant lock custom policy using Microsoft Endpoint Manager

To remove Tenant lock enforcement, either remove the device from the device group to which the device configuration is assigned, or create a similar custom OMA-URI setting with RequireNetworkInOOBE set to False and assign it to the device group on which you do not want the lock enforced.
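As an added example (not from the article and not Microsoft's own tooling), the Python below builds the Microsoft Graph request bodies for the custom OMA-URI profile from the setup steps above and for its "unset" counterpart described here, then audits a set of profiles to show which device groups end up locked, unlocked, or receiving both values. The group ids and the unrelated OMA-URI are constructed placeholders, and the groupIds field is an assumed convenience filled from each profile's /assignments.

```python
# OMA-URI from the article: the TenantLockdown CSP node the custom profile sets.
TENANT_LOCK_URI = "./Vendor/MSFT/TenantLockdown/RequireNetworkInOOBE"


def tenant_lock_profile(name: str, enforce: bool) -> dict:
    """Body for POST https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations.
    enforce=True is the Tenant lock profile; enforce=False is the 'unset' profile."""
    return {
        "@odata.type": "#microsoft.graph.windows10CustomConfiguration",
        "displayName": name,
        "omaSettings": [{
            "@odata.type": "#microsoft.graph.omaSettingBoolean",
            "displayName": "RequireNetworkInOOBE",
            "omaUri": TENANT_LOCK_URI,
            "value": enforce,
        }],
    }


def group_assignment(group_id: str) -> dict:
    """Body for POST .../deviceConfigurations/{id}/assign (step 7 above)."""
    return {"assignments": [{"target": {
        "@odata.type": "#microsoft.graph.groupAssignmentTarget",
        "groupId": group_id}}]}


def audit_tenant_lock(profiles: list) -> dict:
    """Classify groups by the RequireNetworkInOOBE value their profiles deliver.
    Each profile is the Graph deviceConfiguration object plus a constructed
    'groupIds' list (assumed to be read from its /assignments). A group that gets
    both True and False is flagged so the admin can resolve it before retiring devices."""
    locked, unlocked = set(), set()
    for profile in profiles:
        for setting in profile.get("omaSettings", []):
            if setting.get("omaUri") != TENANT_LOCK_URI:
                continue  # some other custom setting, not the tenant lock
            bucket = locked if setting.get("value") is True else unlocked
            bucket.update(profile.get("groupIds", []))
    return {"locked": sorted(locked - unlocked),
            "unlocked": sorted(unlocked - locked),
            "conflict": sorted(locked & unlocked)}


def demo() -> dict:
    """Constructed sample: one lock profile, one unset profile, one unrelated profile."""
    lock = {**tenant_lock_profile("HoloLens 2 Tenant lock", True),
            "groupIds": ["grp-hololens-autopilot", "grp-hololens-pilot"]}
    unset = {**tenant_lock_profile("HoloLens 2 Tenant lock (unset)", False),
             "groupIds": ["grp-hololens-repair", "grp-hololens-pilot"]}
    other = {"omaSettings": [{"omaUri": "./Vendor/MSFT/PLACEHOLDER/OtherSetting",
                              "value": True}], "groupIds": ["grp-other"]}
    return audit_tenant_lock([lock, unset, other])
```

The bodies are sent with an Intune-scoped Graph token; the audit runs over whatever profiles and assignments you fetch, so a group listed under "conflict" is one to fix before a device from it is reset or shipped for repair.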

 

One important thing to remember: when you retire or recycle a device, or send it back for repair, you must un-enroll the device from the original tenant and unset the custom TenantLockdown policy.

 

HoloLens 2 device setup/OOBE experience

After this policy is enforced on the device, tenant lock will be active and enforced on future device resets or wipes. During the next device setup/OOBE experience, the device forces the user to connect to the internet and looks for an Autopilot profile. Without connectivity the end user cannot proceed through OOBE. Once connected, the device gets the Autopilot self-deploying profile and automatically completes device provisioning to the organization Tenant with close to zero touch.


 

Using Autopilot with Wi-Fi connection

As part of the Insider Preview (Build 19041.1364 or above), Windows Autopilot deployment for HoloLens 2 supports a Wi-Fi connection in addition to the Ethernet-based connection. In other words, you do not need an Ethernet to USB-C or Wi-Fi to USB-C adapter; instead you can connect the device to an available Wi-Fi network and deploy it with Windows Autopilot.

 

Learn more about the Insider Preview for Microsoft HoloLens and other available features.

 

We look forward to hearing your feedback on these two Insider preview features, and thank you in advance for your interest and participation!
