From 2436f248fb05f7688fe8a511603a3e723dbc5c71 Mon Sep 17 00:00:00 2001 From: Matt Nelson Date: Tue, 20 Jun 2017 11:07:09 -0400 Subject: [PATCH 1/8] Updated to include fsiAnyCpu.exe Same as FSI.exe, has different fileName. --- .../device-guard/deploy-code-integrity-policies-steps.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md index df7aacb570..8f0f7d4c6f 100644 --- a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md +++ b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md @@ -38,6 +38,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you - csi.exe - dnx.exe - fsi.exe +- fsiAnyCpu.exe - kd.exe - lxssmanager.dll - msbuild.exe[1] @@ -110,6 +111,7 @@ Microsoft recommends that you block the following Microsoft-signed applications + @@ -175,6 +177,7 @@ Microsoft recommends that you block the following Microsoft-signed applications + From 34e135859f64a4c97e03b155c5ecfa8351d7dcce Mon Sep 17 00:00:00 2001 From: Matt Nelson Date: Tue, 20 Jun 2017 12:01:19 -0400 Subject: [PATCH 2/8] Updated to include Alex Ionescu credit Alex contributed to the bash.exe and lxssmanager.dll findings. Reference: https://twitter.com/aionescu/status/876226982534565889 --- .../device-guard/deploy-code-integrity-policies-steps.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md index 8f0f7d4c6f..5cbed02e22 100644 --- a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md +++ b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md 
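Review bot: in [PATCH 1/8] the two later hunks, `@@ -110,6 +111,7 @@` and `@@ -175,6 +177,7 @@`, each add only a bare `+` line with no content, so whatever the two "Microsoft recommends that you block the following Microsoft-signed applications" sections carry for the other binaries (fsi.exe, kd.exe, ...) is missing or was stripped for fsiAnyCpu.exe; please confirm the committed file actually contains the matching block-rule entries, otherwise the `- fsiAnyCpu.exe` bullet lists a binary the sample policy does not deny. The commit message's rationale ("Same as FSI.exe, has different fileName") is exactly why the rule is needed: a file-name based deny on fsi.exe does not cover fsiAnyCpu.exe.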
@@ -60,6 +60,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you |Matt Graeber | @mattifestation| |Matt Nelson | @enigma0x3| |Oddvar Moe |@Oddvarmoe| +|Alex Ionescu | @aionescu|
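Review bot: the new row `+|Alex Ionescu | @aionescu|` is appended below `|Oddvar Moe |@Oddvarmoe|`, while the visible rows (Matt Graeber, Matt Nelson, Oddvar Moe) are in alphabetical order; insert it where the ordering puts it rather than at the end. The reference for the bash.exe and lxssmanager.dll findings lives only in the commit message; if the page has somewhere to cite it, carry the link over so the attribution survives in the published topic.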
From d12d7affec2f517ea30d9f335565164c08307ddb Mon Sep 17 00:00:00 2001 From: Matt Nelson Date: Wed, 28 Jun 2017 11:18:18 -0700 Subject: [PATCH 3/8] added ntkd debugger kernel debugger, nearly identical to kd.exe --- .../device-guard/deploy-code-integrity-policies-steps.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md index 8f0f7d4c6f..6ee22448d8 100644 --- a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md +++ b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md @@ -40,6 +40,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you - fsi.exe - fsiAnyCpu.exe - kd.exe +- ntkd.exe - lxssmanager.dll - msbuild.exe[1] - mshta.exe @@ -102,6 +103,7 @@ Microsoft recommends that you block the following Microsoft-signed applications + @@ -168,6 +170,7 @@ Microsoft recommends that you block the following Microsoft-signed applications + From a1823d2e93a2c8b7e6dc6a44340c9e6638f9e5c5 Mon Sep 17 00:00:00 2001 From: arottem Date: Wed, 28 Jun 2017 12:51:01 -0700 Subject: [PATCH 4/8] Update enable-cloud-protection-windows-defender-antivirus.md --- .../enable-cloud-protection-windows-defender-antivirus.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md index d5f456a9fb..4057fe4655 100644 --- a/windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md @@ -18,7 +18,7 @@ author: iaanw **Applies to:** -- Windows 10, version 1703 +- Windows 10 **Audience** 
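Review bot: in [PATCH 3/8], `+- ntkd.exe` is inserted directly after `- kd.exe`, which breaks the alphabetical order of the list (`kd.exe`, `lxssmanager.dll`, `msbuild.exe[1]`, `mshta.exe`, ...); put it after `mshta.exe`, or if the intent is to keep the two kernel debuggers together, say so in the list. As in PATCH 1/8, the hunks at `@@ -102,6 +103,7 @@` and `@@ -168,6 +170,7 @@` show only a bare `+` line, so confirm the corresponding block-rule entries for ntkd.exe are present in the committed file. Note also that this patch's pre-image index `8f0f7d4c6f` is the post-image of PATCH 1/8, not of PATCH 2/8 (`5cbed02e22`), so it was not built on top of patch 2 and the two will need reconciling before the series applies cleanly.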
@@ -150,4 +150,4 @@ See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](http - [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) - [Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) - [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) \ No newline at end of file +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) From fe715f1b0b387134ea3405e1c3acf586c3d8052e Mon Sep 17 00:00:00 2001 From: intothedarkness Date: Wed, 28 Jun 2017 12:53:39 -0700 Subject: [PATCH 5/8] Update copying-the-mbam-25-group-policy-templates.md --- mdop/mbam-v25/copying-the-mbam-25-group-policy-templates.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/mdop/mbam-v25/copying-the-mbam-25-group-policy-templates.md b/mdop/mbam-v25/copying-the-mbam-25-group-policy-templates.md index 8991e9e68f..e76227cb88 100644 --- a/mdop/mbam-v25/copying-the-mbam-25-group-policy-templates.md +++ b/mdop/mbam-v25/copying-the-mbam-25-group-policy-templates.md 
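Review bot: in [PATCH 4/8], replacing `- Windows 10, version 1703` with `- Windows 10` widens the "Applies to" statement to every Windows 10 release, and the commit message gives no reason for it; if any setting described on the page is only available from version 1703, keep the qualifier or state the minimum version next to the affected setting. The trailing-newline fix on the last "Windows Defender Antivirus in Windows 10" link line is fine.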
@@ -16,14 +16,14 @@ ms.prod: w10 Before deploying the MBAM Client installation, you must download the MBAM Group Policy Templates, which contain Group Policy settings that define MBAM implementation settings for BitLocker Drive Encryption. After downloading the templates, you then set the Group Policy settings to implement across your enterprise. ## Downloading and deploying the MDOP Group Policy templates - - MDOP Group Policy templates are available for download in a self-extracting, compressed file, grouped by technology and version. **How to download and deploy the MDOP Group Policy templates** 1. Download the MDOP Group Policy templates from [Microsoft Desktop Optimization Pack Group Policy Administrative Templates -](https://www.microsoft.com/en-us/download/details.aspx?id=54957). +](https://www.microsoft.com/en-us/download/details.aspx?id=55531 + +). 2. Run the downloaded file to extract the template folders. From 3226727009ac757ff3a2018aafe04177c532c087 Mon Sep 17 00:00:00 2001 From: intothedarkness Date: Wed, 28 Jun 2017 12:57:58 -0700 Subject: [PATCH 6/8] Update copying-the-mbam-25-group-policy-templates.md update the AMDX template to new link --- mdop/mbam-v25/copying-the-mbam-25-group-policy-templates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mdop/mbam-v25/copying-the-mbam-25-group-policy-templates.md b/mdop/mbam-v25/copying-the-mbam-25-group-policy-templates.md index 8991e9e68f..dab054da3e 100644 --- a/mdop/mbam-v25/copying-the-mbam-25-group-policy-templates.md +++ b/mdop/mbam-v25/copying-the-mbam-25-group-policy-templates.md 
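Review bot: in [PATCH 5/8] the replacement link is broken: the URL line becomes `](https://www.microsoft.com/en-us/download/details.aspx?id=55531` followed by a blank line and then `).` on its own line, so the Markdown link no longer closes on the same line and the blank line splits the numbered step; the closing `).` must stay on the URL line. The hunk also deletes the two blank lines after the `## Downloading and deploying the MDOP Group Policy templates` heading, which is unrelated to the link update and not mentioned in the commit message.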
@@ -23,7 +23,7 @@ MDOP Group Policy templates are available for download in a self-extracting, com **How to download and deploy the MDOP Group Policy templates** 1. Download the MDOP Group Policy templates from [Microsoft Desktop Optimization Pack Group Policy Administrative Templates -](https://www.microsoft.com/en-us/download/details.aspx?id=54957). +](https://www.microsoft.com/en-us/download/details.aspx?id=55531). 2. Run the downloaded file to extract the template folders. From b3be0d2623f464a4cad2659b9ffc5f3909f75d00 Mon Sep 17 00:00:00 2001 From: intothedarkness Date: Wed, 28 Jun 2017 13:03:00 -0700 Subject: [PATCH 7/8] Revert "Update copying-the-mbam-25-group-policy-templates.md" --- mdop/mbam-v25/copying-the-mbam-25-group-policy-templates.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/mdop/mbam-v25/copying-the-mbam-25-group-policy-templates.md b/mdop/mbam-v25/copying-the-mbam-25-group-policy-templates.md index e76227cb88..8991e9e68f 100644 --- a/mdop/mbam-v25/copying-the-mbam-25-group-policy-templates.md +++ b/mdop/mbam-v25/copying-the-mbam-25-group-policy-templates.md 
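Review bot: [PATCH 6/8] is the correct form of the link change (`id=54957` to `id=55531` on a single line), but its pre-image index is `8991e9e68f`, the file as it was before PATCH 5/8, not `e76227cb88` as patch 5 left it, so in series order it does not apply on top of patch 5; given that PATCH 7/8 then reverts patch 5, the three should be squashed into one commit that only changes the download ID. Please also confirm in the commit message that download id=55531 is the current MDOP Group Policy Administrative Templates package, since "update the AMDX template to new link" does not say where the new ID comes from.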
@@ -16,14 +16,14 @@ ms.prod: w10 Before deploying the MBAM Client installation, you must download the MBAM Group Policy Templates, which contain Group Policy settings that define MBAM implementation settings for BitLocker Drive Encryption. After downloading the templates, you then set the Group Policy settings to implement across your enterprise. ## Downloading and deploying the MDOP Group Policy templates + + MDOP Group Policy templates are available for download in a self-extracting, compressed file, grouped by technology and version. **How to download and deploy the MDOP Group Policy templates** 1. Download the MDOP Group Policy templates from [Microsoft Desktop Optimization Pack Group Policy Administrative Templates -](https://www.microsoft.com/en-us/download/details.aspx?id=55531 - -). +](https://www.microsoft.com/en-us/download/details.aspx?id=54957). 2. Run the downloaded file to extract the template folders. From 85a1a568ca034c35f3bbc26803c947f59fcd73ad Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Wed, 28 Jun 2017 23:16:46 +0000 Subject: [PATCH 8/8] Merged PR 1994: Publishing a Windows AutoPilot (new topic) should go live tomorrow --- windows/deployment/windows-10-auto-pilot.md | 107 ++++++++++++++++++++ 1 file changed, 107 insertions(+) create mode 100644 windows/deployment/windows-10-auto-pilot.md diff --git a/windows/deployment/windows-10-auto-pilot.md b/windows/deployment/windows-10-auto-pilot.md new file mode 100644 index 0000000000..da64ff50b4 --- /dev/null +++ b/windows/deployment/windows-10-auto-pilot.md 
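Review bot: the revert leaves PATCH 5/8 and PATCH 7/8 as a no-op pair on this file (`id=54957` and the two blank lines are restored exactly), and the revert message carries no explanation; if PATCH 6/8 is the intended change, drop both 5 and 7 from the series instead of shipping a change-and-revert pair in the history.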
@@ -0,0 +1,107 @@ +--- +title: Overview of Windows AutoPilot +description: This topic goes over Auto-Pilot and how it helps setup OOBE Windows 10 devices. +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.prod: w10 +ms.mktglfcycl: deploy +localizationpriority: high +ms.sitesec: library +ms.pagetype: deploy +author: DaniHalfin +--- + +# Overview of Windows AutoPilot + +**Applies to** + +- Windows 10 + +Windows AutoPilot is a collection of technologies used to setup and pre-configure new devices, getting them ready for productive use. In addition, you can use Windows AutoPilot to reset, repurpose and recover devices.
+This solution enables the IT department to achieve the above with little to no infrastructure to manage, with a process that's easy and simple. + +## Benefits of Windows AutoPilot + +Traditionally, IT Pros spend a lot of time on building and customizing images that will later be deployed to devices with a perfectly good OS already installed on them. Windows AutoPilot introduces a new approach. + +From the users' perspective, it only takes a few simple operations to make their device ready to use. + +From the IT Pros' perspective, the only interaction required from the end-user, is to connect to a network and to verify their credentials. Everything past that is automated. + +Windows AutoPilot allows you to: +* Automatically join devices to Azure Active Directory +* Auto-enroll devices into MDM services, such as Intune ([*Requires an Azure AD Premium subscription*](#prerequisites)) +* Restrict the Administrator account creation +* Create and auto-assign devices to configuration groups based on the devices' profile +* Customize OOBE content specific to the organization + +### Prerequisites + +* [Devices must be registered to the organization](#registering-devices-to-your-organization) +* Devices have to be pre-installed with Windows 10, version 1703 or later +* Devices must have access to the internet +* [Azure AD premium P1 or P2](https://www.microsoft.com/cloud-platform/azure-active-directory-features) +* Microsoft Intune or other MDM services to manage your devices + +## Windows AutoPilot Scenarios + +### Cloud-Driven + +The Cloud-Driven scenario enables you to pre-register devices through the Windows AutoPilot Deployment Program. Your devices will be fully configured with no additional intervention required on the users' side. + +#### The Windows AutoPilot Deployment Program experience + +The end user unboxes and turns on a new device. 
What follows are a few simple configuration steps: +* Select a language and keyboard layout +* Connect to the network +* Provide email address (the email of the user's Azure Active Directory account) and password + +Multiple additional settings are skipped here, since the device automatically recognizes that [it belongs to an organization](#registering-devices-to-your-organization). Following this process the device is joined to Azure Active Directory, enrolled in Microsoft Intune (or any other MDM service). + +MDM enrollment ensures policies are applied, apps are installed and setting are configured on the device. Windows Update for Business applies the latest updates to ensure the device is up to date. + +
+ + +#### Registering devices to your organization + +In order to register devices, you will need to acquire their hardware ID and register it. We are actively working with various hardware vendors to enable them to provide the required information to you, or upload it on your behalf. + +If you would like to capture that information by yourself, the following PowerShell script will generate a text file with the device's hardware ID. + +```PowerShell +$wmi = Get-WMIObject -Namespace root/cimv2/mdm/dmmap -Class MDM_DevDetail_Ext01 -Filter "InstanceID='Ext' AND ParentID='./DevDetail'" +$wmi.DeviceHardwareData | Out-File "$($env:COMPUTERNAME).txt" +``` +>[!NOTE] +>This PowerShell script requires elevated permissions. The output format might not fit the upload method. Check out the [Microsoft Store for Business](/microsoft-store/add-profile-to-devices) or [Partner Center](https://msdn.microsoft.com/partner-center/autopilot) for additional guidance. + +By uploading this information to the Microsoft Store for Business or Partner Center admin portal, you'll be able to assign devices to your organization. +Additional options and customization is available through these portals to pre-configure the devices. + +Options available for Windows 10, Version 1703: +* Skipping Work or Home usage selection (*Automatic*) +* Skipping OEM registration, OneDrive and Cortana (*Automatic*) +* Skipping privacy settings +* Preventing the account used to set-up the device from getting local administrator permissions + +Additional options we are working on for the next Windows 10 release: +* Skipping EULA +* Personalizing the setup experience +* MDM Support + +To see additional details on how to customize the OOBE experience and how to follow this process, see guidance for [Microsoft Store for Business](/microsoft-store/add-profile-to-devices) or [Partner Center](https://msdn.microsoft.com/partner-center/autopilot). 
+ +### IT-Driven + +If you are planning to use to configure these devices with traditional on-premises or cloud-based solutions, the [Windows Configuration Designer](https://www.microsoft.com/store/p/windows-configuration-designer/9nblggh4tx22) can be used to help automate the process. This is more suited to scenarios in which you require a higher level of control over the provisioning process. For more information on creating provisioning packages with WCD, see [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package). + +### Teacher-Driven + +If you're an IT Pro or a technical staff member at a school, your scenario might be simpler. The [Set Up School PCs](http://www.microsoft.com/store/p/set-up-school-pcs/9nblggh4ls40) app can be used to quickly set up PCs for students and will get you to a productive state faster and simpler. Please see [Use the Set up School PCs app](https://docs.microsoft.com/education/windows/use-set-up-school-pcs-app) for all the details. + +## Ensuring your device can be auto-enrolled to MDM + +In order for your devices to be auto-enrolled into MDM management, MDM auto-enrollment needs to be configured in Azure AD. To do that with Intune, please follow [Enroll Windows devices for Microsoft Intune](https://docs.microsoft.com/intune/windows-enroll). For other MDM vendors, please consult your vendor for further details. + +>[!NOTE] +>MDM Auto-enrollment requires an Azure AD Premium P1 or P2 subscription. \ No newline at end of file
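Review bot: [PATCH 8/8] contradicts itself on MDM: the Cloud-Driven walkthrough says the device ends OOBE "enrolled in Microsoft Intune (or any other MDM service)" and that "MDM enrollment ensures policies are applied", yet "Additional options we are working on for the next Windows 10 release" lists `* MDM Support` as not yet available and the "Options available for Windows 10, Version 1703" list omits it; state plainly whether MDM auto-enrollment through AutoPilot works on 1703 or only on the next release. On the hardware-ID script, `$wmi.DeviceHardwareData | Out-File "$($env:COMPUTERNAME).txt"` writes only the hash, with no serial number or product ID, so the file cannot be matched to a physical device and, as the note already concedes, does not fit the portal upload format; consider writing `(Get-WmiObject Win32_BIOS).SerialNumber` alongside the hash, and check `$wmi` for `$null` before `Out-File` so a failed query (no elevation, or no `root/cimv2/mdm/dmmap` namespace) does not silently produce an empty file. Since the page says uploading this data is what lets you "assign devices to your organization", the text should also say the output file is to be handled as sensitive. Wording: the front matter `description:` says "Auto-Pilot" while the body uses "AutoPilot"; "setup" as a verb should be "set up" (in the description and in "used to setup and pre-configure"); "setting are configured" should be "settings are configured"; "Additional options and customization is available" should be "are available"; "If you are planning to use to configure these devices" is missing its object; "faster and simpler" should be "faster and more simply"; "set-up the device" should be "set up the device".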