From 681702055a9cab1ca99c8526ab5dae7ffaf2cf35 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 28 Nov 2017 11:40:58 -0800 Subject: [PATCH 1/7] added known issue fix for scheduled tasks --- .../credential-guard/credential-guard-known-issues.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/windows/access-protection/credential-guard/credential-guard-known-issues.md b/windows/access-protection/credential-guard/credential-guard-known-issues.md index 9e81fbf823..9bfda4e9da 100644 --- a/windows/access-protection/credential-guard/credential-guard-known-issues.md +++ b/windows/access-protection/credential-guard/credential-guard-known-issues.md @@ -17,6 +17,14 @@ author: brianlic-msft Windows Defender Credential Guard has certain application requirements. Windows Defender Credential Guard blocks specific authentication capabilities. Therefore applications that require such capabilities will not function when it is enabled. For further information, see [Application requirements](https://docs.microsoft.com/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements). +The following known issue has been fixed in the [Cumulative Security Update for November 2017](https://support.microsoft.com/help/4051033): + +- Scheduled tasks with stored credentials fail to run when Credential Guard is enabled. The task fails and reports event ID 104 with the following message:
+ "Task Scheduler failed to log on ‘\Test’ .
+ Failure occurred in ‘LogonUserExEx’ .
+ User Action: Ensure the credentials for the task are correctly specified.
+ Additional Data: Error Value: 2147943726. 2147943726 : ERROR\_LOGON\_FAILURE (The user name or password is incorrect)." + The following known issues have been fixed by servicing releases made available in the Cumulative Security Updates for April 2017: - [KB4015217 Windows Defender Credential Guard generates double bad password count on Active Directory domain-joined Windows 10 machines](https://support.microsoft.com/help/4015217/windows-10-update-kb4015217) From 468953d070bc53c8545242ff6bc3dcacca3da9ab Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 28 Nov 2017 11:58:17 -0800 Subject: [PATCH 2/7] added known issue fix for scheduled tasks --- .../credential-guard/credential-guard-known-issues.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/access-protection/credential-guard/credential-guard-known-issues.md b/windows/access-protection/credential-guard/credential-guard-known-issues.md index 9bfda4e9da..9da03bcc5e 100644 --- a/windows/access-protection/credential-guard/credential-guard-known-issues.md +++ b/windows/access-protection/credential-guard/credential-guard-known-issues.md @@ -19,7 +19,7 @@ Windows Defender Credential Guard has certain application requirements. Windows The following known issue has been fixed in the [Cumulative Security Update for November 2017](https://support.microsoft.com/help/4051033): -- Scheduled tasks with stored credentials fail to run when Credential Guard is enabled. The task fails and reports event ID 104 with the following message:
+- Scheduled tasks with stored credentials fail to run when Credential Guard is enabled. The task fails and reports Event ID 104 with the following message:
"Task Scheduler failed to log on ‘\Test’ .
Failure occurred in ‘LogonUserExEx’ .
User Action: Ensure the credentials for the task are correctly specified.
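Review bot: In the quoted Event ID 104 message, the task name `\Test` is left over from one particular repro and is wrapped in curly quotes (`‘\Test’ .`, `‘LogonUserExEx’ .`). Readers will paste this string into a log search, so please confirm the punctuation matches the logged text exactly, replace the task name with a placeholder, and consider setting the message as a code block. It would also help to name the event log that reports ID 104. This capitalization-only follow-up reuses the subject line of [PATCH 1/7] and could be squashed into it.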
From 01f741096029049ee16824d2fcb5df78d384fd15 Mon Sep 17 00:00:00 2001 From: "Michael C. Bazarewsky" Date: Thu, 7 Dec 2017 18:52:58 -0500 Subject: [PATCH 3/7] Missed a fix in the GP paths --- .../credential-guard/credential-guard-manage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/access-protection/credential-guard/credential-guard-manage.md b/windows/access-protection/credential-guard/credential-guard-manage.md index 619efaea4c..9307ef0ef1 100644 --- a/windows/access-protection/credential-guard/credential-guard-manage.md +++ b/windows/access-protection/credential-guard/credential-guard-manage.md @@ -142,7 +142,7 @@ For client machines that are running Windows 10 1703, LSAIso is running whenever If you have to disable Windows Defender Credential Guard on a PC, you can use the following set of procedures, or you can [use the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](#turn-off-with-hardware-readiness-tool). -1. If you used Group Policy, disable the Group Policy setting that you used to enable Windows Defender Credential Guard (**Computer Configuration** -> **Administrative Templates** -> **System** -> **Windows Defender Device Guard** -> **Turn on Virtualization Based Security**). +1. If you used Group Policy, disable the Group Policy setting that you used to enable Windows Defender Credential Guard (**Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard** -> **Turn on Virtualization Based Security**). 2. Delete the following registry settings: - HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA\LsaCfgFlags - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\EnableVirtualizationBasedSecurity From 83f2dfa675fc2ed3f9467e2819161e0e25d6d5b6 Mon Sep 17 00:00:00 2001 
From: Carol S Date: Mon, 11 Dec 2017 16:12:46 -0800 Subject: [PATCH 4/7] Change "the the" typo --- education/windows/use-set-up-school-pcs-app.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md index f475914bdb..d1aee6e024 100644 --- a/education/windows/use-set-up-school-pcs-app.md +++ b/education/windows/use-set-up-school-pcs-app.md @@ -195,7 +195,7 @@ The **Set up School PCs** app guides you through the configuration choices for t 2. Check the options whether to allow keyboard text suggestions to appear and to allow teachers to monitor online tests. 3. Enter the assessment URL. - You can leave the URL blank so that students can enter one later. This enables teachers to use the the Take a Test account for daily quizzes or tests by having students manually enter a URL. + You can leave the URL blank so that students can enter one later. This enables teachers to use the Take a Test account for daily quizzes or tests by having students manually enter a URL. **Figure 5** - Configure the Take a Test app From d099f238dbbd6269f706675ace5b809b0f8b7add Mon Sep 17 00:00:00 2001 From: arottem Date: Tue, 12 Dec 2017 13:45:08 -0800 Subject: [PATCH 5/7] Update maximum CPU language --- ...onfigure-advanced-scan-types-windows-defender-antivirus.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md index 4555e9324a..771d56a805 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md 
@@ -60,7 +60,7 @@ Scan files on the network | Scan > Scan network files | Disabled | `-DisableScan Scan packed executables | Scan > Scan packed executables | Enabled | Not available Scan removable drives during full scans only | Scan > Scan removable drives | Disabled | `-DisableRemovableDriveScanning` Specify the level of subfolders within an archive folder to scan | Scan > Specify the maximum depth to scan archive files | 0 | Not available - Specify the maximum CPU load (as a percentage) during a scan. This is a maximum - scans will not always use the maximum load defined here, but they will never exceed it | Scan > Specify the maximum percentage of CPU utilization during a scan | 50 | `-ScanAvgCPULoadFactor` + Specify the maximum CPU load (as a percentage) during a scan. Note: This is not a hard limit but rather a guidance for the scanning engine to not exceed this maximum on average. | Scan > Specify the maximum percentage of CPU utilization during a scan | 50 | `-ScanAvgCPULoadFactor` Specify the maximum size (in kilobytes) of archive files that should be scanned. The default, **0**, applies no limit | Scan > Specify the maximum size of archive files to be scanned | No limit | Not available **Use Configuration Manager to configure scanning options:** @@ -103,4 +103,4 @@ If Windows Defender Antivirus detects a threat inside an email, it will show you - [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) - [Configure and run on-demand Windows Defender AV scans](run-scan-windows-defender-antivirus.md) - [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md) -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) \ No newline at end of file +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) 
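Review bot: On [PATCH 3/7] (credential-guard-manage.md), step 2 directly below the corrected Group Policy path escapes its registry paths inconsistently: `Control\\LSA\LsaCfgFlags` has a single backslash before `LsaCfgFlags` while every other separator is doubled. This step tells administrators which values to delete when turning Credential Guard off, so consider putting both registry paths in inline code so they render unambiguously and need no escaping. Since the subject says a fix was missed, it is also worth searching the file for any remaining `Windows Defender Device Guard` node names in Group Policy paths.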
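Review bot: On [PATCH 5/7], the reworded `-ScanAvgCPULoadFactor` row now reads inconsistently: it still opens with "Specify the maximum CPU load" and the Group Policy column still says "maximum percentage", yet the new sentence says the value is not a hard limit. Suggest stating the behavior once in the opening sentence, in terms of an average that scans are guided not to exceed, and dropping the inline "Note:" label, which does not render as a callout inside a table cell. "A guidance" should be "guidance". The second hunk only adds the missing newline at end of file and needs no change.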
From 631fc0437b91691b11faedc382d9116182ac749b Mon Sep 17 00:00:00 2001 From: Nicholas Brower Date: Wed, 13 Dec 2017 20:58:04 +0000 Subject: [PATCH 6/7] Merged PR 4956: Auto-updating new MDM policies with scope info. --- .../mdm/policy-csp-authentication.md | 11 ++++- .../mdm/policy-csp-cellular.md | 44 ++++++++++++++++++- .../mdm/policy-csp-connectivity.md | 10 ++++- .../mdm/policy-csp-search.md | 21 ++++++++- .../client-management/mdm/policy-csp-start.md | 10 ++++- .../mdm/policy-csp-storage.md | 13 +++++- .../mdm/policy-csp-update.md | 10 ++++- .../mdm/policy-csp-wirelessdisplay.md | 18 +++++++- 8 files changed, 126 insertions(+), 11 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index b54669925f..f6f807675f 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 11/17/2017 +ms.date: 12/13/2017 --- # Policy CSP - Authentication @@ -203,6 +203,15 @@ ms.date: 11/17/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +

Preview release in Windows 10, version 1709. Supported in the next release. Specifies whether Fast Identity Online (FIDO) device can be used to sign on. This policy enables the Windows logon credential provider for FIDO 2.0 diff --git a/windows/client-management/mdm/policy-csp-cellular.md b/windows/client-management/mdm/policy-csp-cellular.md index 162361e9a8..86748d5dac 100644 --- a/windows/client-management/mdm/policy-csp-cellular.md +++ b/windows/client-management/mdm/policy-csp-cellular.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 11/17/2017 +ms.date: 12/13/2017 --- # Policy CSP - Cellular @@ -63,6 +63,15 @@ ms.date: 11/17/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +


+ + Added in Windows 10, version 1709. This policy setting specifies whether Windows apps can access cellular data. @@ -83,7 +92,7 @@ Suported values: - 0 - User is in control - 1 - Force Allow - 2 - Force Deny - +
@@ -113,8 +122,18 @@ Suported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Added in Windows 10, version 1709. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string. +
@@ -144,8 +163,18 @@ Added in Windows 10, version 1709. List of semi-colon delimited Package Family N + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Added in Windows 10, version 1709. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string. +
@@ -175,8 +204,18 @@ Added in Windows 10, version 1709. List of semi-colon delimited Package Family N + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Added in Windows 10, version 1709. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string. +
@@ -226,6 +265,7 @@ Supported values: - 0 - Hide - 1 - Show + > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md index 3f8c6af012..c297a932b7 100644 --- a/windows/client-management/mdm/policy-csp-connectivity.md +++ b/windows/client-management/mdm/policy-csp-connectivity.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 11/20/2017 +ms.date: 12/13/2017 --- # Policy CSP - Connectivity @@ -662,7 +662,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): +> [!div class = "checklist"] +> * Device + +
+ + Added in Windows 10, version 1703. Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftconnecttest.com/connecttest.txt to determine if the device can communicate with the Internet. This policy disables the NCSI active probe, preventing network connectivity to www.msftconnecttest.com. diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md index 43345e1b02..b9792695ad 100644 --- a/windows/client-management/mdm/policy-csp-search.md +++ b/windows/client-management/mdm/policy-csp-search.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 11/13/2017 +ms.date: 12/13/2017 --- # Policy CSP - Search @@ -207,6 +207,15 @@ ms.date: 11/13/2017 **Search/AllowStoringImagesFromVisionSearch** + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +

This policy has been deprecated. @@ -287,10 +296,18 @@ ms.date: 11/13/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +


+ +

Allow Windows indexer. Value type is integer. -


diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md index 1d6cc70973..9223235010 100644 --- a/windows/client-management/mdm/policy-csp-start.md +++ b/windows/client-management/mdm/policy-csp-start.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 11/17/2017 +ms.date: 12/13/2017 --- # Policy CSP - Start @@ -933,7 +933,15 @@ ms.date: 11/17/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): +> [!div class = "checklist"] +> * User + +
+ +

Added in Windows 10, version 1709. Enabling this policy removes the people icon from the taskbar as well as the corresponding settings toggle. It also prevents users from pinning people to the taskbar. diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md index 3c30db9054..57e64d4e9f 100644 --- a/windows/client-management/mdm/policy-csp-storage.md +++ b/windows/client-management/mdm/policy-csp-storage.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 11/13/2017 +ms.date: 12/13/2017 --- # Policy CSP - Storage @@ -19,7 +19,7 @@ ms.date: 11/13/2017 ## Storage policies

-
+
Storage/AllowDiskHealthModelUpdates
@@ -54,6 +54,15 @@ ms.date: 11/13/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +

Added in Windows 10, version 1709. Allows disk health model updates. diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 1432ed2327..764bb97294 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 11/13/2017 +ms.date: 12/13/2017 --- # Policy CSP - Update @@ -1485,7 +1485,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): +> [!div class = "checklist"] +> * Device + +


+ +

Added in Windows 10, version 1709. Used to manage Windows 10 Insider Preview builds. Value type is integer. diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md index 5b9fe8f804..1d647c60c2 100644 --- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md +++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 11/13/2017 +ms.date: 12/13/2017 --- # Policy CSP - WirelessDisplay @@ -72,7 +72,15 @@ ms.date: 11/13/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): +> [!div class = "checklist"] +> * Device + +


+ +

Added in Windows 10, version 1709. This policy setting allows you to turn off the Wireless Display multicast DNS service advertisement from a Wireless Display receiver. If the network administrator is concerned about network congestion, they may set this policy to 0, disabling mDNS advertisement. @@ -108,7 +116,15 @@ ms.date: 11/13/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): +> [!div class = "checklist"] +> * Device + +


+ +

Added in Windows 10, version 1709. This policy setting allows you to turn off discovering the display service advertised over multicast DNS by a Wireless Display receiver. If the network administrator is concerned about network congestion, they may set this policy to 0, disabling mDNS discovery. From 75f1bb14f40a5d9491133cf33db15569c1ddcf77 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Wed, 13 Dec 2017 23:24:29 +0000 Subject: [PATCH 7/7] Merged PR 4961: Change file name auto-pilot to autopilot and set redirect It was bugging me --- .openpublishing.redirection.json | 5 + windows/deployment/TOC.md | 2 +- windows/deployment/index.md | 4 +- ...-auto-pilot.md => windows-10-autopilot.md} | 292 +++++++++--------- 4 files changed, 154 insertions(+), 149 deletions(-) rename windows/deployment/{windows-10-auto-pilot.md => windows-10-autopilot.md} (98%) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 64b57d5103..8050f6b985 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -8399,6 +8399,11 @@ "source_path": "windows/deployment/windows-10-enterprise-activation-subscription.md", "redirect_url": "/windows/deployment/windows-10-enterprise-subscription-activation", "redirect_document_id": true +}, +{ +"source_path": "windows/deployment/windows-10-auto-pilot.md", +"redirect_url": "/windows/deployment/windows-10-autopilot", +"redirect_document_id": true } ] } \ No newline at end of file diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md index 4b6e85ba51..e91d215f05 100644 --- a/windows/deployment/TOC.md +++ b/windows/deployment/TOC.md 
@@ -10,7 +10,7 @@ ## [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) ## [Deploy Windows 10](deploy.md) -### [Overview of Windows AutoPilot](windows-10-auto-pilot.md) +### [Overview of Windows AutoPilot](windows-10-autopilot.md) ### [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) ### [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) ### [Windows 10 volume license media](windows-10-media.md) diff --git a/windows/deployment/index.md b/windows/deployment/index.md index 6650d26235..dbf9d10e91 100644 --- a/windows/deployment/index.md +++ b/windows/deployment/index.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: high -ms.date: 10/20/2017 +ms.date: 12/13/2017 author: greg-lindsay --- @@ -28,7 +28,7 @@ Windows 10 upgrade options are discussed and information is provided about plann |Topic |Description | |------|------------| -|[Overview of Windows AutoPilot](windows-10-auto-pilot.md) |Windows AutoPilot deployment is a new cloud service from Microsoft that provides a zero touch experience for deploying Windows 10 devices. | +|[Overview of Windows AutoPilot](windows-10-autopilot.md) |Windows AutoPilot deployment is a new cloud service from Microsoft that provides a zero touch experience for deploying Windows 10 devices. | |[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) |This topic provides information about support for upgrading directly to Windows 10 from a previous operating system. | |[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) |This topic provides information about support for upgrading from one edition of Windows 10 to another. | |[Windows 10 volume license media](windows-10-media.md) |This topic provides information about media available in the Microsoft Volume Licensing Service Center. | 
diff --git a/windows/deployment/windows-10-auto-pilot.md b/windows/deployment/windows-10-autopilot.md similarity index 98% rename from windows/deployment/windows-10-auto-pilot.md rename to windows/deployment/windows-10-autopilot.md index 1526ab85ba..2f0c290c8a 100644 --- a/windows/deployment/windows-10-auto-pilot.md +++ b/windows/deployment/windows-10-autopilot.md @@ -1,146 +1,146 @@ ---- -title: Overview of Windows AutoPilot -description: This topic goes over Windows AutoPilot and how it helps setup OOBE Windows 10 devices. -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: high -ms.sitesec: library -ms.pagetype: deploy -author: DaniHalfin -ms.author: daniha -ms.date: 11/30/2017 ---- - -# Overview of Windows AutoPilot - -**Applies to** - -- Windows 10 - -Windows AutoPilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. In addition, you can use Windows AutoPilot to reset, repurpose and recover devices.
-This solution enables an IT department to achieve the above with little to no infrastructure to manage, with a process that's easy and simple. - -## Benefits of Windows AutoPilot - -Traditionally, IT pros spend a lot of time on building and customizing images that will later be deployed to devices with a perfectly good OS already installed on them. Windows AutoPilot introduces a new approach. - -From the users' perspective, it only takes a few simple operations to make their device ready to use. - -From the IT pros' perspective, the only interaction required from the end user, is to connect to a network and to verify their credentials. Everything past that is automated. - -Windows AutoPilot allows you to: -* Automatically join devices to Azure Active Directory (Azure AD) -* Auto-enroll devices into MDM services, such as Microsoft Intune ([*Requires an Azure AD Premium subscription*](#prerequisites)) -* Restrict the Administrator account creation -* Create and auto-assign devices to configuration groups based on a device's profile -* Customize OOBE content specific to the organization - -### Prerequisites - -* [Devices must be registered to the organization](#registering-devices-to-your-organization) -* [Company branding needs to be configured](#configure-company-branding-for-oobe) -* [Network connectivity to cloud services used by Windows AutoPilot](#network-connectivity-requirements) -* Devices have to be pre-installed with Windows 10 Professional, Enterprise or Education, of version 1703 or later -* Devices must have access to the internet -* [Azure AD Premium P1 or P2](https://www.microsoft.com/cloud-platform/azure-active-directory-features) -* [Users must be allowed to join devices into Azure AD](https://docs.microsoft.com/en-us/azure/active-directory/device-management-azure-portal) -* Microsoft Intune or other MDM services to manage your devices - -## Windows AutoPilot Scenarios - -### Cloud-Driven - -The Cloud-Driven scenario enables you to pre-register 
devices through the Windows AutoPilot Deployment Program. Your devices will be fully configured with no additional intervention required on the users' side. - -#### The Windows AutoPilot Deployment Program experience - -The end user unboxes and turns on a new device. What follows are a few simple configuration steps: -* Select a language and keyboard layout -* Connect to the network -* Provide email address (the email address of the user's Azure AD account) and password - -Multiple additional settings are skipped here, since the device automatically recognizes that [it belongs to an organization](#registering-devices-to-your-organization). Following this process the device is joined to Azure AD, enrolled in Microsoft Intune (or any other MDM service). - -MDM enrollment ensures policies are applied, apps are installed and setting are configured on the device. Windows Update for Business applies the latest updates to ensure the device is up to date. - -
- - -#### Registering devices to your organization - -In order to register devices, you will need to acquire their hardware ID and register it. We are actively working with various hardware vendors to enable them to provide the required information to you, or upload it on your behalf. - -If you would like to capture that information by yourself, you can use the [Get-WindowsAutoPilotInfo PowerShell script](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo), which will generate a .csv file with the device's hardware ID. - ->[!NOTE] ->This PowerShell script requires elevated permissions. - -By uploading this information to the Microsoft Store for Business or Partner Center admin portal, you'll be able to assign devices to your organization. -Additional options and customization is available through these portals to pre-configure the devices. - -For information on how to upload device information, see [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#add-devices-and-apply-autopilot-deployment-profile) or [Partner Center](https://msdn.microsoft.com/partner-center/autopilot) guidance. - -#### OOBE customization - -Deployment profiles are used to configure the Out-Of-the-Box-Experience (OOBE) on devices deployed through the Windows AutoPilot Deployment Program. - -These are the OOBE customization options available for Windows 10, starting with version 1703: -* Skipping Work or Home usage selection (*Automatic*) -* Skipping OEM registration, OneDrive and Cortana (*Automatic*) -* Skipping privacy settings -* Skipping EULA (*staring with Windows 10, version 1709*) -* Preventing the account used to set-up the device from getting local administrator permissions - -We are working to add additional options to further personalize and streamline the setup experience in future releases. 
- -To configure and apply deployment profiles, see guidance for the various available administration options: -* [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles) -* [Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot) -* [Microsoft 365 Business & Office 365 Admin](https://support.office.com/article/Create-and-edit-AutoPilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa) -* [Partner Center](https://msdn.microsoft.com/partner-center/autopilot) - -##### Configure company branding for OOBE - -In order for your company branding to appear during the OOBE, you'll need to configure it in Azure Active Directory first. - -See [Add company branding to your directory](https://docs.microsoft.com/azure/active-directory/customize-branding#add-company-branding-to-your-directory), to configure these settings. - -#### Network connectivity requirements - -The Windows AutoPilot Deployment Program uses a number of cloud services to get your devices to a productive state. This means those services need to be accessible from devices registered as Windows Autopilot devices. - -To manage devices behind firewalls and proxy servers, the following URLs need to be accessible: - -* https://go.microsoft.com -* https://login.microsoftonline.com -* https://login.live.com -* https://account.live.com -* https://signup.live.com -* https://licensing.mp.microsoft.com -* https://licensing.md.mp.microsoft.com -* ctldl.windowsupdate.com -* download.windowsupdate.com - ->[!NOTE] ->Where not explicitly specified, both HTTPS (443) and HTTP (80) need to be accessible. 
- ->[!TIP] ->If you're auto-enrolling your devices into Microsoft Intune, or deploying Microsoft Office, make sure you follow the networking guidlines for [Microsoft Intune](https://docs.microsoft.com/en-us/intune/network-bandwidth-use#network-communication-requirements) and [Office 365](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2). - -### IT-Driven - -If you are planning to configure devices with traditional on-premises or cloud-based solutions, the [Windows Configuration Designer](https://www.microsoft.com/store/p/windows-configuration-designer/9nblggh4tx22) can be used to help automate the process. This is more suited to scenarios in which you require a higher level of control over the provisioning process. For more information on creating provisioning packages with Windows Configuration Designer, see [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package). - -### Teacher-Driven - -If you're an IT pro or a technical staff member at a school, your scenario might be simpler. The [Set Up School PCs](http://www.microsoft.com/store/p/set-up-school-pcs/9nblggh4ls40) app can be used to quickly set up PCs for students and will get you to a productive state faster and simpler. Please see [Use the Set up School PCs app](https://docs.microsoft.com/education/windows/use-set-up-school-pcs-app) for all the details. - -## Ensuring your device can be auto-enrolled to MDM - -In order for your devices to be auto-enrolled into MDM management, MDM auto-enrollment needs to be configured in Azure AD. To do that with Intune, please see [Enroll Windows devices for Microsoft Intune](https://docs.microsoft.com/intune/windows-enroll). For other MDM vendors, please consult your vendor for further details. - ->[!NOTE] ->MDM auto-enrollment requires an Azure AD Premium P1 or P2 subscription. - -Not finding content you need? 
Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=windows-10-auto-pilot.md). +--- +title: Overview of Windows AutoPilot +description: This topic goes over Windows AutoPilot and how it helps setup OOBE Windows 10 devices. +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: high +ms.sitesec: library +ms.pagetype: deploy +author: DaniHalfin +ms.author: daniha +ms.date: 12/13/2017 +--- + +# Overview of Windows AutoPilot + +**Applies to** + +- Windows 10 + +Windows AutoPilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. In addition, you can use Windows AutoPilot to reset, repurpose and recover devices.
+This solution enables an IT department to achieve the above with little to no infrastructure to manage, with a process that's easy and simple. + +## Benefits of Windows AutoPilot + +Traditionally, IT pros spend a lot of time on building and customizing images that will later be deployed to devices with a perfectly good OS already installed on them. Windows AutoPilot introduces a new approach. + +From the users' perspective, it only takes a few simple operations to make their device ready to use. + +From the IT pros' perspective, the only interaction required from the end user, is to connect to a network and to verify their credentials. Everything past that is automated. + +Windows AutoPilot allows you to: +* Automatically join devices to Azure Active Directory (Azure AD) +* Auto-enroll devices into MDM services, such as Microsoft Intune ([*Requires an Azure AD Premium subscription*](#prerequisites)) +* Restrict the Administrator account creation +* Create and auto-assign devices to configuration groups based on a device's profile +* Customize OOBE content specific to the organization + +### Prerequisites + +* [Devices must be registered to the organization](#registering-devices-to-your-organization) +* [Company branding needs to be configured](#configure-company-branding-for-oobe) +* [Network connectivity to cloud services used by Windows AutoPilot](#network-connectivity-requirements) +* Devices have to be pre-installed with Windows 10 Professional, Enterprise or Education, of version 1703 or later +* Devices must have access to the internet +* [Azure AD Premium P1 or P2](https://www.microsoft.com/cloud-platform/azure-active-directory-features) +* [Users must be allowed to join devices into Azure AD](https://docs.microsoft.com/en-us/azure/active-directory/device-management-azure-portal) +* Microsoft Intune or other MDM services to manage your devices + +## Windows AutoPilot Scenarios + +### Cloud-Driven + +The Cloud-Driven scenario enables you to pre-register 
devices through the Windows AutoPilot Deployment Program. Your devices will be fully configured with no additional intervention required on the users' side. + +#### The Windows AutoPilot Deployment Program experience + +The end user unboxes and turns on a new device. What follows are a few simple configuration steps: +* Select a language and keyboard layout +* Connect to the network +* Provide email address (the email address of the user's Azure AD account) and password + +Multiple additional settings are skipped here, since the device automatically recognizes that [it belongs to an organization](#registering-devices-to-your-organization). Following this process the device is joined to Azure AD, enrolled in Microsoft Intune (or any other MDM service). + +MDM enrollment ensures policies are applied, apps are installed and setting are configured on the device. Windows Update for Business applies the latest updates to ensure the device is up to date. + +
+ + +#### Registering devices to your organization + +In order to register devices, you will need to acquire their hardware ID and register it. We are actively working with various hardware vendors to enable them to provide the required information to you, or upload it on your behalf. + +If you would like to capture that information by yourself, you can use the [Get-WindowsAutoPilotInfo PowerShell script](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo), which will generate a .csv file with the device's hardware ID. + +>[!NOTE] +>This PowerShell script requires elevated permissions. + +By uploading this information to the Microsoft Store for Business or Partner Center admin portal, you'll be able to assign devices to your organization. +Additional options and customization is available through these portals to pre-configure the devices. + +For information on how to upload device information, see [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#add-devices-and-apply-autopilot-deployment-profile) or [Partner Center](https://msdn.microsoft.com/partner-center/autopilot) guidance. + +#### OOBE customization + +Deployment profiles are used to configure the Out-Of-the-Box-Experience (OOBE) on devices deployed through the Windows AutoPilot Deployment Program. + +These are the OOBE customization options available for Windows 10, starting with version 1703: +* Skipping Work or Home usage selection (*Automatic*) +* Skipping OEM registration, OneDrive and Cortana (*Automatic*) +* Skipping privacy settings +* Skipping EULA (*staring with Windows 10, version 1709*) +* Preventing the account used to set-up the device from getting local administrator permissions + +We are working to add additional options to further personalize and streamline the setup experience in future releases. 
+ +To configure and apply deployment profiles, see guidance for the various available administration options: +* [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles) +* [Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot) +* [Microsoft 365 Business & Office 365 Admin](https://support.office.com/article/Create-and-edit-AutoPilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa) +* [Partner Center](https://msdn.microsoft.com/partner-center/autopilot) + +##### Configure company branding for OOBE + +In order for your company branding to appear during the OOBE, you'll need to configure it in Azure Active Directory first. + +See [Add company branding to your directory](https://docs.microsoft.com/azure/active-directory/customize-branding#add-company-branding-to-your-directory), to configure these settings. + +#### Network connectivity requirements + +The Windows AutoPilot Deployment Program uses a number of cloud services to get your devices to a productive state. This means those services need to be accessible from devices registered as Windows Autopilot devices. + +To manage devices behind firewalls and proxy servers, the following URLs need to be accessible: + +* https://go.microsoft.com +* https://login.microsoftonline.com +* https://login.live.com +* https://account.live.com +* https://signup.live.com +* https://licensing.mp.microsoft.com +* https://licensing.md.mp.microsoft.com +* ctldl.windowsupdate.com +* download.windowsupdate.com + +>[!NOTE] +>Where not explicitly specified, both HTTPS (443) and HTTP (80) need to be accessible. 
+ +>[!TIP] +>If you're auto-enrolling your devices into Microsoft Intune, or deploying Microsoft Office, make sure you follow the networking guidlines for [Microsoft Intune](https://docs.microsoft.com/en-us/intune/network-bandwidth-use#network-communication-requirements) and [Office 365](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2). + +### IT-Driven + +If you are planning to configure devices with traditional on-premises or cloud-based solutions, the [Windows Configuration Designer](https://www.microsoft.com/store/p/windows-configuration-designer/9nblggh4tx22) can be used to help automate the process. This is more suited to scenarios in which you require a higher level of control over the provisioning process. For more information on creating provisioning packages with Windows Configuration Designer, see [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package). + +### Teacher-Driven + +If you're an IT pro or a technical staff member at a school, your scenario might be simpler. The [Set Up School PCs](http://www.microsoft.com/store/p/set-up-school-pcs/9nblggh4ls40) app can be used to quickly set up PCs for students and will get you to a productive state faster and simpler. Please see [Use the Set up School PCs app](https://docs.microsoft.com/education/windows/use-set-up-school-pcs-app) for all the details. + +## Ensuring your device can be auto-enrolled to MDM + +In order for your devices to be auto-enrolled into MDM management, MDM auto-enrollment needs to be configured in Azure AD. To do that with Intune, please see [Enroll Windows devices for Microsoft Intune](https://docs.microsoft.com/intune/windows-enroll). For other MDM vendors, please consult your vendor for further details. + +>[!NOTE] +>MDM auto-enrollment requires an Azure AD Premium P1 or P2 subscription. + +Not finding content you need? 
Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=windows-10-auto-pilot.md).
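
Review bot: In the "Network connectivity requirements" list, seven entries carry an explicit `https://` scheme while `ctldl.windowsupdate.com` and `download.windowsupdate.com` carry none, and the note beneath it ("Where not explicitly specified, both HTTPS (443) and HTTP (80) need to be accessible") leaves the reader to infer that only those two hosts need port 80. This list will be copied into firewall and proxy allow-lists, so state the required port per entry or name the two hosts in the note; otherwise a reader may open HTTP to the sign-in endpoints or block it for the Windows Update hosts. Smaller points in the same added text: the Set Up School PCs link uses `http://www.microsoft.com/store/...` while the Windows Configuration Designer link uses `https://`; the typo "guidlines" in the TIP is carried over unchanged from the removed line; "staring with Windows 10, version 1709" should read "starting"; and "setting are configured" should read "settings are configured". The removed lines visible at the top of this hunk match the re-added lines at the bottom word for word, so if this is only a line-ending or whitespace rewrite, say so in the commit message so the content changes can be reviewed separately.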