How we have always done it

At its core, imaging is a process where one installs the OS, drivers and applications and configures the settings on a system to meet an organization's specific requirements. Then, that configuration is copied onto other devices to ensure proper functionality and consistency throughout the environment. 

Initially, 20+ years ago, we did this by making a complete copy of a hard drive from a physical system and duplicating it onto another device. This was a manual, slow and oftentimes difficult process requiring a separate image for each unique model in an environment. 

Over the years, we have seen many improvements in the process: we can now create a single device-agnostic image and inject drivers (usually provided by the OEM in a single driver pack) during deployment; the image creation and deployment processes can be completely automated; apps and settings can be applied or updated on the fly; and we can use mass deployment tools to do this at significant scale and efficiency. These are all great improvements, and we have gotten REALLY good at it, but ultimately, the methodology itself is inherently inefficient.

When devices are initially procured, the OEMs have already gone through the effort of installing the operating system, providing and installing the right drivers, and, in some cases, even installing desired applications, all before they even leave the factory floor. So, it really makes no sense for every major organization to dismiss all of the work that the OEM did, only to then do it again themselves. Does it? OK, to be fair, until recently we really did not have a better option, but I still assert it was dumb.


We have better ways now

Enter Windows 10. Microsoft made a small but impactful change with Windows 10 (which carries over to Windows 11) that, for the first time, made it a true mobile operating system. As part of the out-of-the-box experience (OOBE), Windows now checks in with Microsoft before the initial system setup is complete. This is what Windows Autopilot is all about. It enables a device to be pre-registered to an organization and have a modern device management platform assigned to manage it before delivery. Then, as part of the OOBE, that management platform can inject security settings, applications and even OS edition upgrades into the setup process before a user even sees a sign-on screen.

Administrators set up security policies, deployment profiles, and mandatory application installs to ensure that the devices are configured correctly without ever having to touch the physical device. They can also leverage the work done by the OEMs to gather the right drivers, install the operating system, etc. This process can also be user driven, meaning that the device is not required to be pre-registered by the OEM. In this case, all the assigned configurations happen as soon as a user signs into a device with their corporate account. 
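Pre-registration, as described above, rests on one piece of device-identifying data: the Autopilot hardware hash. The following PowerShell is an added example, not code from the article or from Microsoft; it collects that hash through the MDM WMI bridge and writes the CSV layout the Intune admin center's Autopilot device import accepts. It assumes an elevated session on a supported Windows 10/11 edition, and the output path is a placeholder.

```powershell
# Added example (not from the original article): gather the Windows Autopilot
# hardware hash that pre-registration depends on and write it to CSV.
# Assumptions: run as Administrator; the MDM WMI bridge namespace
# (root/cimv2/mdm/dmmap) exists, as it does on supported Windows editions.
param(
    [string] $OutputFile = 'C:\Temp\AutopilotHWID.csv'   # placeholder path
)

function Get-AutopilotRegistrationRecord {
    # Serial number as the OEM burned it into the BIOS
    $bios = Get-CimInstance -ClassName Win32_BIOS

    # The hardware hash is exposed by the DevDetail extension class of the MDM bridge
    $detail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' `
                              -ClassName 'MDM_DevDetail_Ext01' `
                              -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"

    # Fail loudly rather than uploading an empty row to the tenant
    if ([string]::IsNullOrWhiteSpace($detail.DeviceHardwareData)) {
        throw 'No hardware hash returned; run elevated on a supported Windows edition.'
    }

    # Column names match the Autopilot CSV import format
    [pscustomobject]@{
        'Device Serial Number' = $bios.SerialNumber
        'Windows Product ID'   = ''                        # optional column, left blank
        'Hardware Hash'        = $detail.DeviceHardwareData
    }
}

$record = Get-AutopilotRegistrationRecord
$record | Export-Csv -Path $OutputFile -NoTypeInformation -Encoding ASCII
Write-Host "Wrote record for serial $($record.'Device Serial Number') to $OutputFile"
```

Treat the resulting file as asset-inventory data: the hash uniquely ties the device to your tenant, so it should travel only to the admin who performs the import (or to the OEM/reseller doing it on your behalf) and not sit in a shared mailbox. In practice the OEM supplies this for new devices; the script is mainly useful for the user-driven and retail-purchase cases the article mentions, where no one has registered the device in advance.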

One could even go so far as to allow a user to purchase a device from a retail store and be confident knowing that the same policies would be applied, ensuring that the device will function securely in the corporate environment. To be clear, this is not something I would recommend as a standard procedure, but it is a possible course of action for extreme scenarios, such as assisting a high-profile user whose device was broken during travel, or providing emergency replacement devices in the wake of a cyber event. It is a possibility that does exist now.

All of these settings, policies and applications are not tied to the hardware, so the EUC administrators do not need to be concerned with the details around the drivers necessary for every model on every operating system; instead, they can focus on providing better and simplified experiences for their users. Further, in the event that the company decides to shift from one OEM to another, whether due to pricing changes, device availability, or the whims of the folks signing the check, the EUC team does not need to rush to ensure the imaging process contains the drivers required to work on the new hardware.


Why is this better?

So, what do we gain from this? Several things:

  • An improved user experience. Thirty years ago, we had to repackage applications in such a specific way that shortcuts had to be positioned in a precise spot on the desktop, or our users would freak out and not know how to do their jobs. Fortunately, that is no longer the case. Users are familiar with the Start Menu, they know how to search for an application, they understand the idea of an App store. These are things they have become accustomed to and, in fact, expect from their devices and want the same experience from their Windows device. When they get a new device, the experience of setting it up should be roughly the same regardless of the OS it is running. Giving them this experience will increase their satisfaction.
  • Added security. When the OOBE process checks in with Microsoft, it also ensures that all the latest operating system patches have been applied; by default, deploying an image does not do this. If your deployment methodology is robust and diligently updated, you can approximate this; however, it is very time consuming and high effort, all to achieve what is handled natively by Windows Autopilot.
  • Increased administrator productivity. At the highest levels, we want our EUC team to provide services that benefit the company. Expertise in finding appropriate storage and network drivers, so that we can boot a device after we destroy the OS and the drivers that were already on it, is not exactly utilizing our resources to their fullest potential.
  • Hardware future-proofing. Provisioning is hardware agnostic. We can change device models, resellers or even OEMs, and our provisioning process is still just as robust and reliable as it was before the change. With imaging, that is rarely the case. As devices change, our imaging solution needs to have appropriate network and storage drivers updated to ensure the new devices will function.
  • Reduced infrastructure maintenance costs. Modern device provisioning is hosted in the cloud. Microsoft Intune runs in Azure, Omnissa Workspace ONE lives in AWS, etc., but regardless of the management platform you choose, the underlying infrastructure does not need to be maintained by your organization. Additionally, this means that there is no hard requirement for devices to be on a corporate network to ensure that they are properly provisioned. Users can provision devices from their own home, or the local Starbucks for all we care, and it's still just as secure.
  • Reduction in time required to get a newly standardized model into production. You no longer need to acquire, test and deploy drivers for each new model as this is handled by your OEM. This makes up the majority of work required to move a new model from testing to production ready.


Do we lose out on anything?

As with every change, there are downsides, but in this instance, they are minimal.

  • There is some retraining, to be sure: application packaging, for instance, is different, but not too much. The resources that have been trained on the new methods can use these same skills to manage and provision non-Windows devices as well. Windows, iOS, Android, macOS and Linux (to some degree) can all be managed through the same tools that you are provisioning from, so your administrators are being cross-trained at the same time.
  • Cloud connectivity is required, so not all aspects of all businesses can take full advantage of this new methodology.
  • You may get pushback from some, saying, "We have been doing it this way for a long time; we have a good solution; if it's not broken—why fix it?" Ultimately, this is just short-sighted. The legacy methods of deployment via imaging will work for now, but that's not a good enough reason to not look at better ways of provisioning/managing your devices.


The bottom line

The shift from traditional imaging to modern device provisioning requires a mindset change in the way organizations deploy and manage their end-user devices. Leveraging the features provided by modern device provisioning and device management has numerous benefits. These benefits include enhanced user experience, better security by ensuring the OS is up to date before providing a user access to the OS, reduced infrastructure costs, and the ability to adopt new hardware rapidly with minimal disruption.

While provisioning requires cloud connectivity and may require some retraining for IT administrators, the trade-offs are outweighed by the gains in efficiency, scalability and future-proofing of IT operations. More importantly, the skills gained in this transition will be used to manage all the devices in your environment, increasing the versatility and value of IT professionals.

Embracing cloud-based provisioning is an important step in implementing a zero-trust security strategy. It empowers organizations to fully leverage the flexibility and efficiency gains offered by modern device management. Administrators can rest assured that, by the time devices are accessible to users, all security and compliance configurations have been applied — regardless of their connection to the corporate network. These same cloud-based management platforms continue to maintain compliance for these devices, irrespective of their corporate network connectivity.

Lastly, it's worth acknowledging that provisioning is not without its challenges. If your organization currently leverages Active Directory Group Policy Objects (GPOs) for applying device security and compliance settings, then there is some work to be done to move to Configuration Service Provider (CSP) files. Considering the advantages, modern device provisioning is a big step forward in achieving a more dynamic and robust EUC environment.
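To make the GPO-to-CSP work concrete, here is an added example that is not part of the article or of any Microsoft tooling. It expresses three settings that organizations commonly carry in GPOs as Policy CSP OMA-URIs and emits the JSON body of an Intune custom configuration profile (the Microsoft Graph `windows10CustomConfiguration` type). The three mappings are illustrative choices of mine and the profile name is a placeholder; confirm every URI and permitted value against the Policy CSP reference for your Windows build before assigning the profile.

```powershell
# Added example (not from the original article): map a few GPO-style device security
# settings to Policy CSP OMA-URIs and build an Intune custom configuration profile body.
# Assumptions: the mappings below are illustrative and must be verified against the
# Policy CSP documentation; the profile display name is a placeholder.

function New-CspSetting {
    param(
        [string] $DisplayName,
        [string] $OmaUri,
        [int]    $Value
    )
    # Every Policy CSP URI is a device- or user-scoped path under the MSFT vendor node;
    # reject anything else before it reaches the tenant.
    if ($OmaUri -notmatch '^\./(Device|User)/Vendor/MSFT/') {
        throw "Not a valid OMA-URI: $OmaUri"
    }
    [ordered]@{
        '@odata.type' = '#microsoft.graph.omaSettingInteger'
        displayName   = $DisplayName
        omaUri        = $OmaUri
        value         = $Value
    }
}

$settings = @(
    # GPO "Interactive logon: Do not display last user name" = Enabled
    New-CspSetting 'Hide last signed-in user' `
        './Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn' 1

    # GPO "Minimum password length" = 14 characters
    New-CspSetting 'Minimum device password length' `
        './Device/Vendor/MSFT/Policy/Config/DeviceLock/MinDevicePasswordLength' 14

    # GPO "Turn on real-time protection" for Microsoft Defender
    New-CspSetting 'Defender real-time monitoring' `
        './Device/Vendor/MSFT/Policy/Config/Defender/AllowRealtimeMonitoring' 1
)

# Body for POST /deviceManagement/deviceConfigurations (Microsoft Graph)
$customProfile = [ordered]@{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'Baseline security (migrated from GPO)'   # placeholder name
    omaSettings   = $settings
}

$customProfile | ConvertTo-Json -Depth 5
```

Two practical checks before doing this at scale: Intune's Group Policy analytics report tells you which settings in an exported GPO have an MDM equivalent and which do not, and most Policy CSP settings are also exposed through the Settings Catalog, which validates values for you; custom OMA-URI profiles are best kept for the handful of settings the catalog does not yet surface.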
