Workspace ONE has long been referred to as the "Switzerland of MDMs", in the sense that it supports a variety of device types, ownership types, and directories. Workspace ONE does not require on-premises Active Directory, Entra ID, Okta, PingOne, or any other particular identity provider; it can manage and onboard devices regardless of the IdP in use. In this article, I am going to describe how you can zero-touch or light-touch provision Windows machines without any on-premises Active Directory or Entra ID managing user identity on the computer.
To accomplish this, we are going to leverage Drop Ship Provisioning Offline (Omnissa Documentation Link), which I'll abbreviate going forward as DSP Offline. We can use this to create a provisioning package and an unattend.xml file that customize the Windows out-of-box experience (OOBE) and pre-install certain applications on the device, in addition to staging the device with Intelligent Hub. This is a big value add: as soon as the device is opened and OOBE is completed, applications are already installed and the user can be immediately productive. Any deltas (additional applications and profiles) are resolved once the user signs into Hub. For this specific use case, we want DSP Offline because the user will still go through the Windows out-of-box experience to create their user account. While we will not synchronize that account with an authoritative IdP (as we would with Entra ID or on-prem AD), we can still manage the length, complexity, and history of the password with a passcode profile from UEM.
A note on the password profile from Workspace ONE UEM: you can use it to make sure the local user account on a device complies with specified requirements. There is also the ability to trigger a password change for the local user from Workspace ONE UEM, but this is only available for basic users in UEM. That is, any users provisioned by an IdP, SAML or otherwise, are not eligible for this functionality. For more detail, please see this Omnissa Doc.
In this example, I will be using a SaaS tenant of Workspace ONE UEM. I will assume that you already have applications uploaded into the console, profiles assigned to the device, and user accounts already synchronized with Workspace ONE UEM.
Note: Which IdP you are using, and how it is configured, can make a difference here. For instance, any SCIM 2.0 IdP is supported with Omnissa Identity Services, but this requires password grant flows to be enabled (a feature flag you need to contact support to have enabled, and in tech preview at the time of writing). If you are using SAML with JIT provisioning, ensure that the required attributes are specified as well. I will keep this article fairly generic since there is a lot of variation in identity configurations. But please note that if there is an attribute issue (e.g., ExternalId not present), the device may enroll but will not show Hub Services, or will give you an error once enrolled.
First, make sure that all applications that you would like to put into the provisioning package (to be pre-installed on the device) are already assigned to the smart group/OG in which the device is to be enrolled, and are assigned to be automatically installed.
Next, we need to create a staging account. In your UEM console, go to Accounts - Users - Add - Add user. Fill in all asterisked fields. Then, under the advanced tab, scroll down and expand "Staging". Enable staging, and enable single user devices. Then click save. We will need the staging user credential later on.
Next, you want to push a passcode profile to the smart group / OG that the device will enroll into. This will make sure the user account has a password meeting the desired history, complexity, and length requirements. You can create this under Resources - Profiles - Add, Windows, using the Password payload.
Next, we are going to actually create the provisioning package and unattend.xml file in the UEM console. Go to Devices - Staging - Desktop Staging (the exact wording and location may depend on the version of the console you are using). You're in the right place if your screen looks like this:
Note: There is also a setting in the UEM console labeled "Drop Ship Provisioning". That is for DSP Online, which, while also a very powerful provisioning tool for Windows, we will not be leveraging in this article.
Click "New". Give the provisioning package a name and description (how it will be identified in the UEM console by other administrators). Next it will ask whether you want to create "Drop Ship Provisioning - Offline" or "Encrypted Package".
Drop Ship Provisioning - Offline: This will output two files: the provisioning package file and an unattend.xml to customize the Windows OOBE. You can use the Workspace ONE Provisioning Tool with these two inputs, while Windows is in Audit Mode, to provision a Windows computer. You can also use these files with other software to provision Windows machines.
Encrypted Package: This will also output the same two files, but bundled in a single file encrypted with the specified password. You can use this package either by simply double-clicking it in Windows in Audit Mode (which launches the provisioning tool automatically) or by putting it on a USB drive and plugging it in on the first Windows OOBE screen.
In this example, we will proceed with the encrypted package. I'll input a password and click next.
Next we need to specify the workgroup join information, whether you want to show the EULA / privacy pages, what workgroup name you prefer, a Windows Activation key if desired, and so on. Note that you can also specify the Windows activation key using a profile later on. A lot of these settings are just that: preferences that can be adjusted. I will select to hide all pages. Further down, it will ask if you want to create a local user and/or an administrator account. In this example, I will elect not to create a local user account (as I want the user to do this as part of OOBE), but I will create the Administrator account with a specified password (in case "IT" needs to access the computer). Finally, at the bottom, I am going to input my staging information for Workspace ONE. Note that your enrollment server will be your console URL with "cn" replaced by "ds". So instead of "cn1784.awmdm.com" it will be "ds1784.awmdm.com". I will also input my Group ID (not the OG name) for enrollment, and the staging credentials I created earlier. Then I will click Next.
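A mistyped enrollment server is the most common reason a staged device never checks in, so a quick pre-flight helps. The following PowerShell is an added example and is not the article's or Omnissa's code; it assumes the SaaS naming convention described above (a cnNNNN console host maps to a dsNNNN Device Services host) and only derives the host and confirms it resolves and answers on 443.

```powershell
# Added example (not from the article): derive the Device Services host from the
# UEM console URL and confirm it is reachable before generating the package.
# Assumes the SaaS naming convention the article describes (cnNNNN -> dsNNNN).
function Get-DeviceServicesHost {
    param([Parameter(Mandatory)][string]$ConsoleUrl)

    # Accept either a bare host name or a full URL; keep only the host part.
    $consoleHost = ([uri]("https://" + ($ConsoleUrl -replace '^https?://', ''))).Host

    if ($consoleHost -notmatch '^cn(\d+)\.(.+)$') {
        throw "Console host '$consoleHost' does not match the expected cnNNNN.<domain> pattern."
    }
    # Same environment number and domain, Device Services prefix instead of console prefix.
    return "ds$($Matches[1]).$($Matches[2])"
}

function Test-DeviceServicesHost {
    param([Parameter(Mandatory)][string]$DsHost)

    # Name resolution first: a typo surfaces here as a DNS failure rather than as an
    # enrollment error on the device much later.
    try { $null = Resolve-DnsName -Name $DsHost -ErrorAction Stop }
    catch { return [pscustomobject]@{ Host = $DsHost; Resolves = $false; Port443 = $false } }

    # HTTPS reachability; the device must reach this host when the user signs into Hub.
    $tcp = Test-NetConnection -ComputerName $DsHost -Port 443 -WarningAction SilentlyContinue
    return [pscustomobject]@{ Host = $DsHost; Resolves = $true; Port443 = $tcp.TcpTestSucceeded }
}

# Usage with the article's example console host:
$ds = Get-DeviceServicesHost -ConsoleUrl 'https://cn1784.awmdm.com'   # -> ds1784.awmdm.com
Test-DeviceServicesHost -DsHost $ds | Format-List
```

Run it from the network the devices will enroll from; a host that resolves but fails on 443 usually points at an egress or proxy rule rather than at the console configuration.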
Next, it will show all applications available in the OG. I will select the applications I want to pre-install as part of staging, and click next.
Note: You don't need to select all applications, just the important ones. These will be available as soon as the user reaches the desktop, and any updates, any assigned applications you did not check, and any profiles will land over the air automatically once the user signs into Hub.
Finally, you will see a summary page to review all of your configurations. If everything looks good, click "Save and Export". The process to generate the package will take a few minutes; you will be emailed when it is available for download from the console.
Now that you have the package downloaded, put it on a USB drive as we'll need it in a little bit.
Turn on your computer and make sure you are on the country selection screen.
At this point, disconnect the computer from the internet. The "Offline" in DSP Offline refers to the fact that applications are staged offline, which helps ensure applications don't try to phone home or update in the middle of staging.
On the computer, press Control + Shift + F3 to go into Audit Mode. Once at the desktop, insert the USB drive with the encrypted PPKG on it. Double click the provisioning package. Accept any prompts and enter the encryption password when prompted.
The Workspace ONE Provisioning Tool will run and stage the device. When it is complete, the computer will run through sysprep automatically and restart.
Note: Once provisioning is complete (sysprep finishes and the computer shuts down or restarts), the computer can be "shipped to the user" (or rather, the user-facing part of the experience begins). With the above method, the default behavior is to restart the computer. This can be customized by downloading the ppkg and unattend.xml files from the console (using the "Drop Ship Provisioning - Offline" option in the UEM console and downloading the Provisioning Tool from Customer Connect) and setting the "After Applying Sysprep" option to Shutdown instead of Restart. The encrypted PPKG option is good for validating this process and is a little easier to use (one file instead of three), but manually using the provisioning tool offers additional flexibility. See more information on the Workspace ONE Provisioning Tool here.
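When you use the manual Provisioning Tool flow, you have a window in Audit Mode after staging and before sysprep in which to confirm the device is in the state you expect to ship. The following PowerShell is an added example, not the article's or Omnissa's code. It assumes the pre-installed applications register under the standard uninstall registry keys, and the display-name patterns in it are placeholders you should replace with what your console shows.

```powershell
# Added example (not the article's code): run in Audit Mode after the Provisioning Tool
# has staged the device and before sysprep. Confirms the machine is still offline and that
# Hub and the applications you selected are present. Patterns are assumptions/placeholders.
$ExpectedAppPatterns = @(
    '*Intelligent Hub*',            # assumed: matches the Hub installer's display name
    '*Example Line-of-Business*'    # placeholder: one of the applications you checked
)

function Get-InstalledDisplayNames {
    # Per-machine uninstall entries, 64-bit and 32-bit hives (no user profile exists yet).
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object -ExpandProperty DisplayName
}

function Test-StagingState {
    param([string[]]$Patterns = $ExpectedAppPatterns)

    $installed = @(Get-InstalledDisplayNames)

    # Every expected pattern must match at least one installed display name.
    $missing = @($Patterns | Where-Object {
        $pattern = $_
        -not ($installed | Where-Object { $_ -like $pattern })
    })

    # "Offline" staging: no adapter should be up, so nothing can phone home mid-staging.
    $upAdapters = @(Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -ExpandProperty Name)

    [pscustomobject]@{
        InstalledCount = $installed.Count
        MissingApps    = $missing
        UpAdapters     = $upAdapters
        ReadyForSysprep = ($missing.Count -eq 0) -and ($upAdapters.Count -eq 0)
    }
}

Test-StagingState | Format-List
```

If `MissingApps` is non-empty, the application was either not assigned with automatic install to the staging OG (see the first step above) or was not checked in the package; fix that in the console and regenerate rather than installing by hand, or the delta will not be tracked by UEM.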
Once the computer restarts, it should end up at a screen to input the username. At this point, we'll switch to the perspective of the user.
Now, we are going to go through the out of box experience for Windows, following the prompts.
Windows may also perform updates at this time, depending on how recently the Windows installation media on the computer was generated. This can be mitigated by re-downloading updated Windows installation media.
Once the out-of-box experience completes, I'll be at a login screen where the user can sign in to Windows.
Once they reach the desktop, Hub will open and ask them to sign in to complete device enrollment. They will be met with the Hub enrollment workflow, but note that the applications that we selected earlier were already installed, and Hub shows them as such instead of waiting to be downloaded.
Once the user clicks "Get Started", they can go to their desktop and see any SaaS/Horizon desktop entitlements through Intelligent Hub.
Now that we are finished, this device is fully managed by Workspace ONE UEM without leaning on any Active Directory. Note that with the password policy in place, the user may be prompted to change the password on the local machine at the next sign-in, but once that is done, the password will be compliant with policy.
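Because no directory is enforcing the password rules here, it is worth verifying on the enrolled device that the Password payload pushed earlier actually landed on the local account policy. The following PowerShell is an added example and not the article's or Omnissa's code; it assumes an English-language Windows build (it parses `net accounts` output), assumes the payload is reflected in the values `net accounts` reports, and the expected numbers are placeholders for whatever you configured in the profile.

```powershell
# Added example (not the article's code): confirm that the UEM Password payload is
# reflected in the local account policy and on the OOBE-created local user.
# Expected values are placeholders; Op says which direction counts as compliant.
$ExpectedPolicy = @(
    @{ Setting = 'Minimum password length';               Op = 'ge'; Value = 8  }   # placeholder
    @{ Setting = 'Length of password history maintained'; Op = 'ge'; Value = 5  }   # placeholder
    @{ Setting = 'Maximum password age (days)';           Op = 'le'; Value = 90 }   # placeholder
)

function Get-LocalAccountPolicy {
    # Parse the "Setting:   value" lines of `net accounts` (assumes English output).
    # Numeric values become [int]; words such as "Never", "None" or "Unlimited" stay strings.
    $policy = @{}
    foreach ($line in (net accounts)) {
        if ($line -match '^(.+?):\s+(.+)$') {
            $key = $Matches[1].Trim()
            $val = $Matches[2].Trim()
            $policy[$key] = if ($val -match '^\d+$') { [int]$val } else { $val }
        }
    }
    return $policy
}

function Test-LocalPasswordPolicy {
    param([object[]]$Rules = $ExpectedPolicy)
    $actual = Get-LocalAccountPolicy
    foreach ($rule in $Rules) {
        $actualVal = $actual[$rule.Setting]
        # A non-numeric value (e.g. "Unlimited" for max age, "None" for history) is never compliant.
        $ok = ($actualVal -is [int]) -and $(
            if ($rule.Op -eq 'ge') { $actualVal -ge $rule.Value } else { $actualVal -le $rule.Value }
        )
        [pscustomobject]@{ Setting = $rule.Setting; Expected = "$($rule.Op) $($rule.Value)"; Actual = $actualVal; Compliant = $ok }
    }
}

function Test-LocalUserPassword {
    # The account OOBE created must require a password and must not be set to never expire.
    param([Parameter(Mandatory)][string]$UserName)
    $u = Get-LocalUser -Name $UserName
    [pscustomobject]@{
        User             = $u.Name
        PasswordRequired = $u.PasswordRequired
        PasswordExpires  = $u.PasswordExpires          # $null means "never expires"
        Compliant        = $u.PasswordRequired -and ($null -ne $u.PasswordExpires)
    }
}

Test-LocalPasswordPolicy | Format-Table -AutoSize
Test-LocalUserPassword -UserName $env:USERNAME | Format-List
```

Run this as the signed-in user after Hub has finished enrollment; if the policy rows are non-compliant, check that the Password profile is assigned to the same smart group / OG the staging Group ID points at, since the device otherwise enrolls fine but never receives the payload.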