Why pre-provision Windows devices?
Recently I was asked again: “Why do you pre-provision devices?”
I, or actually we, got that question several times last year. Also, in conversations with Microsoft this question pops up regularly.
So, why do we pre-provision (a.k.a. White Glove) devices?
There are two main reasons to do this:
- Security
- Employee Experience
Security
Looking at security, by pre-provisioning devices we make sure we block things like Shift-F10, the Recovery Command prompt, etc., and have the security policies applied before we hand the device over to the employee.
Employee Experience
Pre-provisioning devices will limit the time the employee needs to enroll the device to around 15 minutes, with all applications installed on the device when the employee gets the desktop.
As part of the pre-provisioning process, we make sure:
- The drivers and firmware are updated to the latest version before pre-provisioning.
- All core applications are installed as part of pre-provisioning. Depending on the country there will be between 30 and 45 applications installed.
Costs
Not the main driver, but also worth mentioning, are the costs we save by pre-provisioning devices before they are handed out to employees. Of course, this will depend on the size of your company, the line of business you are in, and the configuration of the devices.
Let's take a company with 60.000 Windows devices. If we replace them after 5 years, we must hand out 12000 new devices per year. Next, we have new employees joining the company, which also means about 4000 to 6000 device handouts. And, if we add the break-fix handling, we end up with around 20000 devices being handed out yearly!
So, let’s do a simple calculation:
Engineers in the larger countries will pre-provision about 40 to 50 devices per day; in smaller countries the volumes are lower. So, let’s take an average of 25 per engineer per day. This means:
- 20000 devices / 25 per engineer per day = 800 days = 6400 hour/year
- 20000 devices * 1,25 hours = 25000 hour/year
- 25000 – 6400 = 18.400 * 80 euros = 1.488.000 euro/year we save!
### Summary: Why Pre-Provision Windows Devices?
**Key Reasons for Pre-Provisioning Devices:**
1. **Security**: Ensures security measures (e.g., blocking Shift-F10, Recovery Command Prompt) are in place before employees receive devices, along with pre-applied security policies.
2. **Employee Experience**: Reduces enrollment time to ~15 minutes. Devices come fully updated with drivers, firmware, and essential applications (30-45 apps, depending on the region). This approach avoids issues with poor internet or interruptions during installations.
**Additional Consideration - Cost Savings**:
- Pre-provisioning saves significant time and money compared to enrolling devices directly with employees.
- Example:
  - For a company with 60,000 devices, replacing ~20,000 devices annually, pre-provisioning saves an estimated **€1.488M/year** compared to direct handouts.
  - Engineers can pre-provision ~25 devices/day, saving 18,400 hours annually when compared to employees enrolling devices themselves (1.5 hours/device).
**Conclusion**: Pre-provisioning leads to safer devices, better employee satisfaction, and substantial cost savings for large enterprises.
**Subject:** Feedback on Your Blog: Pre-Provisioning Windows Devices
Dear Mr. Peter,
Thank you for sharing your detailed and insightful blog on pre-provisioning Windows devices. It was an excellent read, and I appreciate the effort you put into explaining the rationale, benefits, and cost implications of this approach.
That said, I have a few observations and suggestions I'd like to share:
1. **Device Volume Context**:
While the calculations you provided make a compelling case for cost savings in large enterprises, it's worth noting that many organizations don't operate on the same scale as your example. Few companies replace 20,000 devices annually, though I recognize that such cases do exist. Your illustration effectively demonstrates the potential savings but may come across as an edge case for most readers.
2. **Alternative Approach Using TAP**:
If pre-provisioning is already part of the process, why not consider driving the entire setup via Autopilot and leveraging the **Temporary Access Password (TAP)** for the primary user? This method could eliminate some intermediate steps and streamline the process directly to the desktop, making the deployment even more efficient.
3. **Flexibility of Pre-Provisioning**:
As you noted, pre-provisioning has clear benefits in terms of security, employee experience, and cost. However, it's worth acknowledging that it isn't always mandatory. Exploring alternate workflows, like direct-to-user provisioning using TAP, could offer additional value for companies that may not require pre-provisioning as rigorously.
Overall, I agree with your points about enhanced security, reduced enrollment time, and substantial savings, particularly for large enterprises. However, introducing more flexible provisioning options could make the process even more adaptable for diverse organizational needs.
Thank you once again for your thoughtful article. If you'd like to discuss these ideas further or have any questions, please feel free to reach out.
Best regards,
Abdullah Ollivierre