SIA 929 - Autopilot and Configuration Service

We require professional services to deliver a Microsoft Autopilot user driven implementation within our tenancy to an agreed specification which has been outlined within the following section Autopilot Implementation Customer Requirements The solution must utilise Windows Autopilot for Microsoft Entra joined devices for provisioning and enrolment of new Windows devices to Microsoft Intune. The solution must align Windows 11 device security to the National Cyber Security Center (NCSC) Device Security framework where applicable. The solution must use Win32 application deployment for EXE and MSI installs. Existing line-of-business application deployment must be reviewed and aligned with recommendations for application deployment, managing a list of applications centrally using the Microsoft Company Portal app. The solution must support Windows Autopilot devices connecting to the existing Azure User Tunnel. The solution must centrally manage Windows Defender Antivirus and Firewall settings. The solution must automatically assign a primary user to devices when enrolling to Microsoft Intune. The solution must use Compliance policies to evaluate device health for key security settings such as device encryption, operating system version, and antivirus protection. The solution should remove reliance on PowerShell scripts for security settings and application management. The solution must allow access to on-premises network shares and network printers Microsoft Entra joined devices when connect to the Azure VPN. The solution should provide a means to deploy printer drivers and print queues to Microsoft Entra joined devices. The existing BitLocker Encryption policies should be reviewed and migrated to Endpoint security-backed policies. Autopilot Implementation Technical Requirements The solution must configure Windows Autopilot profiles to use User-Driven mode for Microsoft Entra joined devices. The solution must enable and configure Windows LAPS in Microsoft Entra ID to support managing and rotating local administrator passwords on devices. The solution must use BitLocker settings in Microsoft Intune to silently encrypt Windows Autopilot devices and escrow keys to Microsoft Entra ID. The solution must configure Compliance policies and actions for non-compliance rules based upon agreed configuration and requirements for access. The solution must enable Windows Hello for Business (WHfB) for Windows Autopilot devices to replace username and passwords with Biometrics or a PIN. The solution must introduce Cloud Kerberos trust to support WHfB credentials being used to access on-premises services e.g., file shares. The solution must provide users with the ability to select a wireless network at the login screen. The solution must deploy a set of core applications via Microsoft Intune prior to users being able to access the desktop. Windows devices could receive CIS benchmark configuration, for areas not covered by NCSC Device Security.