deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-16 10:53:43 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'public' into patch-1

Browse Source
This commit is contained in:
Greg Lindsay
2020-01-08 09:50:07 -08:00
committed by GitHub
parent ca2babbc5a 63df4e77b0
commit 2c2e06a709
671 changed files with 6989 additions and 6788 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
windows/deployment/windows-autopilot/TOC.md
View File

@ -20,6 +20,7 @@
## [Enrollment Status Page](enrollment-status.md)
## [BitLocker encryption](bitlocker.md)
## [DFCI management](dfci-management.md)
## [Windows Autopilot update](autopilot-update.md)
## [Troubleshooting](troubleshooting.md)
## [Known issues](known-issues.md)

3
windows/deployment/windows-autopilot/add-devices.md
View File

@ -63,6 +63,9 @@ Note that the hardware hash also contains details about when it was generated, s
Starting with System Center Configuration Manager current branch version 1802, the hardware hashes for existing Windows 10 version 1703 and higher devices are automatically collected by Configuration Manager. See the [Whats new in version 1802](https://docs.microsoft.com/sccm/core/plan-design/changes/whats-new-in-version-1802#report-on-windows-autopilot-device-information) documentation for more details. The hash information can be extracted from Configuration Manager into a CSV file.
> [!Note]
> Before uploading the CSV file on Intune, please make sure that the first row contains the device serial number, Windows product ID, hardware hash, group tag, and assigned user. If there is header information on the top of CSV file, please delete that header information. See details at [Enroll Windows devices in Intune](https://docs.microsoft.com/intune/enrollment/enrollment-autopilot).
### Collecting the hardware ID from existing devices using PowerShell
The hardware ID, or hardware hash, for an existing device is available through Windows Management Instrumentation (WMI), as long as that device is running Windows 10 version 1703 or later. To help gather this information, as well as the serial number of the device (useful to see at a glance the machine to which it belongs), a PowerShell script called [Get-WindowsAutoPilotInfo.ps1 has been published to the PowerShell Gallery website](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo).

2
windows/deployment/windows-autopilot/autopilot-device-guidelines.md
View File

@ -2,7 +2,7 @@
title: Windows Autopilot device guidelines
ms.reviewer:
manager: laurawi
description: Windows Autopilot deployment
description: Learn all about hardware, firmware, and software best practices for Windows Autopilot deployment.
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy

109
windows/deployment/windows-autopilot/autopilot-faq.md
View File

@ -1,6 +1,6 @@
---
title: Windows Autopilot FAQ
ms.reviewer: This topic provides OEMs, partners, administrators, and end-users with answers to some frequently asked questions about deploying Windows 10 with Windows Autopilot.
ms.reviewer: This topic provides OEMs, partners, administrators, and end users with answers to some frequently asked questions about deploying Windows 10 with Windows Autopilot.
manager: laurawi
description: Support information for Windows Autopilot
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
@ -21,35 +21,36 @@ ms.topic: article
**Applies to: Windows 10**
This topic provides OEMs, partners, administrators, and end-users with answers to some frequently asked questions about deploying Windows 10 with Windows Autopilot.
This article provides OEMs, partners, administrators, and end users with answers to some frequently asked questions about deploying Windows 10 with Windows Autopilot.
A [glossary](#glossary) of abbreviations used in this topic is provided at the end.
A [glossary](#glossary) of abbreviations used in this article is provided at the end.
## Microsoft Partner Center
| Question | Answer |
| --- | --- |
| In the Partner Center, does the Tenant ID need to be provided with every device file upload? Is this needed to allow the business customer to access their devices in MSfB? | No. Providing the Tenant ID is a one-time entry in the Partner Center that can be re-used with future device uploads. |
| How does the customer or tenant know that their devices are ready to be claimed in MSfB? | After the device file upload is completed in the Partner Center, the tenant can see the devices available for Windows Autopilot setup in MSfB. The OEM would need to advise the tenant to access MSfB. Auto-notification from MSfB to the tenant is being developed. |
| How does a customer authorize an OEM or Channel Partner to register Autopilot devices on the customers behalf? | Before an OEM or Channel Partner can register a device for Autopilot on behalf of a customer, the customer must first give them consent. The consent process begins with the OEM or Channel Partner sending a link to the customer, which directs the customer to a consent page in Microsoft Store for Business. The steps explaining this process are [here](registration-auth.md). |
| Are there any restrictions if a business customer has registered devices in MSfB and later wants those devices to be managed by a CSP via the Partner Center? | The devices will need to be deleted in MSfB by the business customer before the CSP can upload and manage them in the Partner Center. |
| Does Windows Autopilot support removing the option to enable a local administrator account? | Windows Autopilot doesnt support removing the local admin account. However, it does support restricting the user performing AAD domain join in OOBE to a standard account (versus admin account by default).|
| How can I test the Windows Autopilot CSV file in the Partner Center? | Only CSP Partners have access to the Partner Center portal. If you are a CSP, you can create a Sales agent user account which has access to “Devices for testing the file. This can be done today in the Partner Center. <br><br>Go [here](https://msdn.microsoft.com/partner-center/create-user-accounts-and-set-permissions) for more information. |
| Must I become a Cloud Solution Provider (CSP) to participate in Windows Autopilot? | Top volume OEMs do not, as they can use the OEM Direct API. All others who choose to use MPC to register devices must become CSPs in order to access MPC. |
| Do the different CSP levels have all the same capabilities when it comes to Windows Autopilot? | For purposes of Windows Autopilot, there are three different types of CSPs, each with different levels of authority an access: <br><br>1. <b>Direct CSP</b>: Gets direct authorization from the customer to register devices. <br><br>2. <b>Indirect CSP Provider</b>: Gets implicit permission to register devices through the relationship their CSP Reseller partner has with the customer. Indirect CSP Providers register devices through Microsoft Partner Center. <br><br>3. <b>Indirect CSP Reseller</b>: Gets direct authorization from the customer to register devices. At the same time, their indirect CSP Provider partner also gets authorization, which mean that either the Indirect Provider or the Indirect Reseller can register devices for the customer. However, the Indirect CSP Reseller must register devices through the MPC UI (manually uploading CSV file), whereas the Indirect CSP Provider has the option to register devices using the MPC APIs. |
| In the Partner Center, does the Tenant ID need to be provided with every device file upload? Is it needed to allow the business customer to access their devices in Microsoft Store for Business (MSfB)? | No. Providing the Tenant ID is a one-time entry in the Partner Center that can be reused with future device uploads. |
| How does the customer or tenant know that their devices are ready to be claimed in MSfB? | After the device file upload is completed in the Partner Center, the tenant can see the devices available for Windows Autopilot setup in MSfB. The OEM needs to advise the tenant to access MSfB. Autonotification from MSfB to the tenant is being developed. |
| How does a customer authorize an OEM or Channel Partner to register Autopilot devices on the customers behalf? | Before an OEM or Channel Partner can register a device for Autopilot on behalf of a customer, the customer must first give them consent. The consent process begins with the OEM or Channel Partner sending a link to the customer that directs the customer to a consent page in MSfB. For more information, see [Registration](registration-auth.md). |
| Are there any restrictions if a business customer has registered devices in MSfB and later wants those devices to be managed by a Cloud Solution Provider (CSP) using the Partner Center? | The devices will need to be deleted in MSfB by the business customer before the CSP can upload and manage them in the Partner Center. |
| Does Windows Autopilot support removing the option to enable a local administrator account? | Windows Autopilot doesnt support removing the local admin account. However, it does support restricting the user performing Azure Active Directory (Azure AD) domain join in OOBE to a standard account (versus an administrator account by default).|
| How can I test the Windows Autopilot CSV file in the Partner Center? | Only CSP Partners have access to the Partner Center portal. If you are a CSP, you can create a Sales agent user account that has access to devices for testing the file. This can be done today in the Partner Center. <br><br>For more information, see [Create user accounts and set permissions](https://msdn.microsoft.com/partner-center/create-user-accounts-and-set-permissions). |
| Must I become a CSP to participate in Windows Autopilot? | Top volume OEMs do not, as they can use the OEM Direct API. All others who choose to use MPC to register devices must become CSPs in order to access MPC. |
| Do the different CSP levels have all the same capabilities when it comes to Windows Autopilot? | For purposes of Windows Autopilot, there are three different types of CSPs, each with different levels of authority and access: <br><br>1. <b>Direct CSP</b>: Gets direct authorization from the customer to register devices. <br><br>2. <b>Indirect CSP Provider</b>: Gets implicit permission to register devices through the relationship their CSP Reseller partner has with the customer. Indirect CSP Providers register devices through Microsoft Partner Center. <br><br>3. <b>Indirect CSP Reseller</b>: Gets direct authorization from the customer to register devices. At the same time, their indirect CSP Provider partner also gets authorization, which means that either the Indirect Provider or the Indirect Reseller can register devices for the customer. However, the Indirect CSP Reseller must register devices through the MPC UI (manually uploading CSV file), whereas the Indirect CSP Provider has the option to register devices using the MPC APIs. |
## Manufacturing
| Question | Answer |
| --- | --- |
| What changes need to be made in the factory OS image for customer configuration settings? |No changes are required on the factory floor to enable Windows Autopilot deployment. |
| What version of the OA3 tool meets Windows Autopilot deployment requirements? | Windows Autopilot can work with any version of the OA3 tool. We recommend using Windows 10, version 1703 and above to generate the 4K Hardware Hash. |
| At the time of placing an order, do customers need to be state whether they want it with or without Windows Autopilot options? | Yes, if they want Windows Autopilot, they will want Windows 10, version 1703 or later versions. Also, they will want to receive the CSV file or have the file upload (i.e., registration) completed on their behalf. |
| What version of the OA3 tool meets Windows Autopilot deployment requirements? | Windows Autopilot can work with any version of the OA3 tool. We recommend using Windows 10, version 1703 and above to generate the 4K hardware hash. |
| At the time of placing an order, do customers need to be state whether they want it with or without Windows Autopilot options? | Yes, if they want Windows Autopilot, they will want Windows 10, version 1703 or later versions. Also, they will want to receive the CSV file or have the file upload (that is, registration) completed on their behalf. |
| Does the OEM need to manage or collect any custom imaging files from customers and perform any image uploads to Microsoft? | No change, OEMs just send the CBRs as usual to Microsoft. No images are sent to Microsoft to enable Windows Autopilot. Windows Autopilot only customizes OOBE and allows policy configurations (disables admin account, for example). |
| Are there any customer impacts to upgrading from Windows 8 to Windows 10? | The devices must have Windows 10, version 1703 or later to enroll in Windows Autopilot deployment, otherwise no impacts. |
| Will there be any change to the existing CBR with 4k Hardware Hash? | No. |
| What new information needs to be sent from the OEM to Microsoft? | Nothing, unless the OEM opts to register the device on the customers behalf, in which case they would upload the device ID via a CSV file into Microsoft Partner Center, or use the OEM Direct API. |
| Are there any customer impacts to upgrading from Windows 8 to Windows 10? | The devices must have Windows 10, version 1703 or later to enroll in Windows Autopilot deployment. Otherwise, there are no impacts. |
| Will there be any change to the existing CBR with 4K hardware hash? | No. |
| What new information needs to be sent from the OEM to Microsoft? | Nothing, unless the OEM opts to register the device on the customers behalf, in which case they would upload the device ID using a CSV file into Microsoft Partner Center, or use the OEM Direct API. |
| Is there a contract or amendment for an OEM to participate in Windows Autopilot Deployment? | No. |
## CSV schema
@ -57,72 +58,72 @@ A [glossary](#glossary) of abbreviations used in this topic is provided at the e
| Question | Answer |
| --- | --- |
| Can a comma be used in the CSV file? | No. |
| What error messages can a user expect to see in the Partner Center or MSfB when uploading a file? | See the In Microsoft Store for Business section of this guide. |
| What error messages can a user expect to see in the Partner Center or MSfB when uploading a file? | See the In Microsoft Store for Business section of this guide. |
| Is there a limit to the number of devices that can be listed in the CSV file? | Yes, the CSV file can only contain 1,000 devices to apply to a single profile. If more than 1,000 devices need to be applied to a profile, the devices need to be uploaded through multiple CSV files. |
| Does Microsoft have any recommendations on how an OEM should provide the CSV file to their customers? | Microsoft recommends encrypting the CSV file when sending to the business customer to self-register their Windows Autopilot devices (either through MPC, MSfB, or Intune). |
| Does Microsoft have any recommendations on how an OEM should provide the CSV file to their customers? | We recommend encrypting the CSV file when sending to the business customer to self-register their Windows Autopilot devices (either through MPC, MSfB, or Intune). |
## Hardware hash
| Question | Answer |
| --- | --- |
| Must every Hardware Hash submitted by the OEM contain the SMBIOS UUID (universally unique identifier), MAC (media access control) address and unique disk serial number (if using Windows 10, version 1703 and above OEM Activation 3.0 tool)? | Yes. Since Windows Autopilot is based on the ability to uniquely identify devices applying for cloud configuration, it is critical to submit Hardware Hashes which meet the outlined requirement. |
| What is the reason for needing the SMBIOS UUID, MAC Address and Disk Serial Number in the Hardware Hash details? | For creating the Hardware Hash, these are the fields that are needed to identify a device, as parts of the device are added/removed. Since we dont have a unique identifier for Windows devices, this is the best logic to identify a device. |
| What is difference between OA3 Hardware Hash, 4K Hardware Hash, and Windows Autopilot Hardware Hash? | None. Theyre different names for the same thing. The Windows 10, 1703 version of the OA3 tool output is called the OA3 Hash, which is 4K in size, which is usable for the Windows Autopilot deployment scenario. Note: When using a non-1703 version OA3Tool, you get a different sized Hash, which may not be used for Windows Autopilot deployment. |
| What is the thought around parts replacement and/or repair for the NIC (network interface controller) and/or Disk? Will the Hardware Hash become invalid? | Yes. If you replace parts, you need to gather the new Hardware Hash, though it depends on what is replaced, and the characteristics of the parts. For example, if you replace the TPM or motherboard, its a new device you MUST have new Hardware Hash. If you replace one network card, its probably not a new device, and the device will function with the old Hardware Hash. However, as a best practice, you should assume the old Hardware Hash is invalid and get a new Hardware Hash after any hardware changes this is Microsofts strong recommendation any time you replace parts. |
| Must every hardware hash submitted by the OEM contain the SMBIOS UUID (universally unique identifier), MAC (media access control) address, and unique disk serial number (if using Windows 10, version 1703 and above OEM Activation 3.0 tool)? | Yes. Since Windows Autopilot is based on the ability to uniquely identify devices applying for cloud configuration, it is critical to submit hardware hashes that meet the outlined requirement. |
| What is the reason for needing the SMBIOS UUID, MAC Address, and Disk Serial Number in the hardware hash details? | For creating the hardware hash, these are the fields that are needed to identify a device, as parts of the device are added or removed. Since we dont have a unique identifier for Windows devices, this is the best logic to identify a device. |
| What is difference between OA3 hardware hash, 4K hardware hash, and Windows Autopilot hardware hash? | None. Theyre different names for the same thing. The Windows 10, 1703 version of the OA3 tool output is called the OA3 Hash, which is 4K in size, which is usable for the Windows Autopilot deployment scenario. Note: When using a non-1703 version OA3Tool, you get a different sized Hash, which may not be used for Windows Autopilot deployment. |
| What is the thought around parts replacement and repair for the NIC (network interface controller) and Disk? Will the hardware hash become invalid? | Yes. If you replace parts, you need to gather the new hardware hash, though it depends on what is replaced, and the characteristics of the parts. For example, if you replace the TPM or motherboard, its a new device and you must have new hardware hash. If you replace one network card, its probably not a new device, and the device will function with the old hardware hash. However, as a best practice, you should assume the old hardware hash is invalid and get a new hardware hash after any hardware changes. This is recommended anytime you replace parts. |
## Motherboard replacement
| Question | Answer |
| --- | --- |
| How does Autopilot handle motherboard replacement scenarios? | Motherboard replacement is out for scope for Autopilot. Any device that is repaired or serviced in a way that alters the ability to identify the device for Windows Autopilot must go through the normal OOBE process, and manually select the right settings or apply a custom image - as is the case today. <br><br>To reuse the same device for Windows Autopilot after a motherboard replacement, the device would need to be de-registered from Autopilot, the motherboard replaced, a new 4K HH harvested, and then re-registered using the new 4K HH (or device ID). <br><br>**Note**: An OEM will not be able to use the OEM Direct API to re-register the device, since the OEM Direct API only accepts a tuple or PKID. In this case, the OEM would either have to send the new 4K HH info via a CSV file to customer, and let customer reregister the device via MSfB or Intune.|
| How does Autopilot handle motherboard replacement scenarios? | Motherboard replacement is out for scope for Autopilot. Any device that is repaired or serviced in a way that alters the ability to identify the device for Windows Autopilot must go through the normal OOBE process, and manually select the right settings or apply a custom image, as is the case today. <br><br>To reuse the same device for Windows Autopilot after a motherboard replacement, the device would need to be de-registered from Autopilot, the motherboard replaced, a new 4K HH harvested, and then re-registered using the new 4K hardware hash (or device ID). <br><br>**Note**: An OEM will not be able to use the OEM Direct API to re-register the device, since the OEM Direct API only accepts a tuple or PKID. In this case, the OEM would either have to send the new 4K hardware hash information using a CSV file to customer, and let customer reregister the device using MSfB or Intune.|
## SMBIOS
| Question | Answer |
| --- | --- |
| Any specific requirement to SMBIOS UUID? | It must be unique as specified in the Windows 10 hardware requirements. |
| What is the requirement on the SMBIOS table to meet the Windows Autopilot Hardware Hash need? | It must meet all the Windows 10 hardware requirements. Additional details may be found [here](https://msdn.microsoft.com/library/jj128256(v=vs.85).aspx). |
| If the SMBIOS supports UUID and Serial Number, is it enough for the OA3 tool to generate the Hardware Hash? | No. At a minimum, the following SMBIOS fields need to be populated with unique values: ProductKeyID SmbiosSystemManufacturer SmbiosSystemProductName SmbiosSystemSerialNumber SmbiosSkuNumber SmbiosSystemFamily MacAddress SmbiosUuid DiskSerialNumber TPM EkPub |
| What is the requirement on the SMBIOS table to meet the Windows Autopilot hardware hash need? | It must meet all the Windows 10 hardware requirements. Additional details may be found [here](https://msdn.microsoft.com/library/jj128256(v=vs.85).aspx). |
| If the SMBIOS supports UUID and Serial Number, is it enough for the OA3 tool to generate the hardware hash? | No. At a minimum, the following SMBIOS fields need to be populated with unique values: ProductKeyID SmbiosSystemManufacturer SmbiosSystemProductName SmbiosSystemSerialNumber SmbiosSkuNumber SmbiosSystemFamily MacAddress SmbiosUuid DiskSerialNumber TPM EkPub |
## Technical interface
| Question | Answer |
| --- | --- |
| What is the interface to get the MAC Address and Disk Serial Number? How does the OA tool get MAC and Disk Serial #? | Disk serial number is found from IOCTL_STORAGE_QUERY_PROPERTY with StorageDeviceProperty/PropertyStandardQuery. Network MAC address is IOCTL_NDIS_QUERY_GLOBAL_STATS from OID_802_3_PERMANENT_ADDRESS. However the exact mechanisms/”interface” for doing this operation varies depending on the exact scenario being discussed. |
| Follow up clarification: If we have 2-3 MACs on the system, how does OA Tool choose which MAC Address and Disk Serial Number on the system since there are multiple instances of each? If a platform has LAN And WLAN, which MAC is chosen? | In short, all available values are used. In detail, there may be extra specific usage rules. The System disk serial number is more important than any other disks available. Network interfaces that are removable should not be used if detected as they are removable. LAN vs WLAN should not matter, both will be used. |
| What is the interface to get the MAC Address and Disk Serial Number? How does the OA tool get MAC and Disk Serial #? | Disk serial number is found from IOCTL_STORAGE_QUERY_PROPERTY with StorageDeviceProperty/PropertyStandardQuery. Network MAC address is IOCTL_NDIS_QUERY_GLOBAL_STATS from OID_802_3_PERMANENT_ADDRESS. However the method for performing this operation varies depending on the scenario. |
| Follow up clarification: If we have 2-3 MACs on the system, how does OA Tool choose which MAC Address and Disk Serial Number are on the system since there are multiple instances of each? If a platform has LAN And WLAN, which MAC is chosen? | In short, all available values are used. In detail, there may be specific usage rules. The system disk serial number is more important than the other disks available. Network interfaces that are removable should not be used if detected as they are removable. LAN vs WLAN should not matter, as both will be used. |
## The end user experience
## The end-user experience
|Question|Answer|
|----|-----|
|How do I know that I received Autopilot?|You can tell that you received Windows Autopilot (as in the device received a configuration but has not yet applied it) when you skip the selection page (as seen below), and are immediately taken to a generic or customized sign-in page.|
|Windows Autopilot didnt work, what do I do now?| Questions and actions to assist in troubleshooting: Did a screen not get skipped? Did a user end up as an admin when configured not to? Remember that AAD Admins will be local admins regardless of whether Windows Autopilot is configured to disable local admin Collection information run licensingdiag.exe and send the .cab (Cabinet file) file that is generated to AutopilotHelp@microsoft.com. If possible, collect an ETL from WPR. Often in these cases, users are not signing into the right AAD tenant, or are creating local user accounts. For a complete list of support options, refer to [Windows Autopilot support](autopilot-support.md). |
| If an Administrator makes changes to an existing profile, will the changes take effect on devices that have that profile assigned to them that have already been deployed? |No. Windows Autopilot profiles are not resident on the device. They are downloaded during OOBE, the settings defined at the time are applied. Then, the profile is discarded on the device. If the device is re-imaged or reset, the new profile settings will take effect the next time the device goes through OOBE.|
|What is the experience if a device isnt registered or if an IT Admin doesnt configure Windows Autopilot prior to an end user attempting to self-deploy? |If the device isnt registered, it will not receive the Windows Autopilot experience and the end user will go through normal OOBE. The Windows Autopilot configurations will NOT be applied until the user runs through OOBE again, after registration. If a device is started before an MDM profile is created, the device will go through standard OOBE experience. The IT Admin would then have to manually enroll that device into the MDM, after whichthe next time that device is reset”—it will go through the Windows Autopilot OOBE experience.|
|What may be a reason why I did not receive a customized sign-in screen during Autopilot? |Tenant branding must be configured in portal.azure.com to receive a customized sign-in experience.|
|What happens if a device is registered with Azure AD but does not have an Windows Autopilot profile assigned? |The regular AAD OOBE will occur since no Windows Autopilot profile was assigned to the device.|
|How can I collect logs on Autopilot?|The best way to collect logs on Windows Autopilot performance is to collect a Windows Performance Recorder (WPR) trace during OOBE. The XML file (WPRP extension) for this trace may be provided upon request.|
|Windows Autopilot didnt work, what do I do now?| Questions and actions to assist in troubleshooting: Did a screen not get skipped? Did a user end up as an admin when configured not to? Remember that Azure AD Admins will be local admins regardless of whether Windows Autopilot is configured to disable local admin Collection information: run licensingdiag.exe and send the .cab (Cabinet) file that is generated to AutopilotHelp@microsoft.com. If possible, collect an ETL from Windows Performance Recorder (WPR). Often in these cases, users are not signing into the right Azure AD tenant, or are creating local user accounts. For a complete list of support options, refer to [Windows Autopilot support](autopilot-support.md). |
| If an Administrator makes changes to an existing profile, will the changes take effect on devices that have that profile assigned to them that have already been deployed? |No. Windows Autopilot profiles are not resident on the device. They are downloaded during OOBE, the settings defined at the time are applied. Then, the profile is discarded on the device. If the device is reimaged or reset, the new profile settings will take effect the next time the device goes through OOBE.|
|What is the experience if a device isnt registered or if an IT Admin doesnt configure Windows Autopilot prior to an end user attempting to self-deploy? |If the device isnt registered, it will not receive the Windows Autopilot experience and the end user will go through normal OOBE. The Windows Autopilot configurations will not be applied until the user runs through OOBE again, after registration. If a device is started before an MDM profile is created, the device will go through standard OOBE experience. The IT Admin would then have to manually enroll that device into the MDM, after which the next time that device is reset, it will go through the Windows Autopilot OOBE experience.|
|Why didn't I receive a customized sign-in screen during Autopilot? |Tenant branding must be configured in portal.azure.com to receive a customized sign-in experience.|
|What happens if a device is registered with Azure AD but does not have a Windows Autopilot profile assigned? |The regular Azure AD OOBE will occur since no Windows Autopilot profile was assigned to the device.|
|How can I collect logs on Autopilot?|The best way to collect logs on Windows Autopilot performance is to collect a WPR trace during OOBE. The XML file (WPRP extension) for this trace may be provided upon request.|
## MDM
| Question | Answer |
| --- | --- |
| Must we use Intune for our MDM? | No. No, any MDM will work with Autopilot, but others probably wont have the same full suite of Windows Autopilot features as Intune. Youll get the best experience from Intune. |
| Must we use Intune for our MDM? | No, any MDM will work with Autopilot, but others probably wont have the same full suite of Windows Autopilot features as Intune. Youll get the best experience from Intune. |
| Can Intune support Win32 app preinstalls? | Yes. Starting with the Windows 10 October Update (version 1809), Intune supports Win32 apps using .msi (and .msix) wrappers. |
| What is co-management? | Co-management is when you use a combination of a cloud MDM tool (Intune) and an on-premises configuration tool like System Center Configuration Manager (SCCM). You only need to use SCCM if Intune cant support what you want to do with your profile. If you choose to co-manage using Intune + SCCM, you do it by including an SCCM agent in your Intune profile. When that profile is pushed to the device, the device will see the SCCM agent and go out to SCCM to pull down any additional profile settings. |
| Must we use System Center Configuration Manager (SCCM) for Windows Autopilot | No. Co-management (described above) is optional. |
| Must we use SCCM for Windows Autopilot | No. Co-management (described above) is optional. |
## Features
| Question | Answer |
| --- | --- |
| Self-deploying mode | A new version of Windows Autopilot where the user only turns on the device, and nothing else. Its useful for scenarios where a standard user account isnt needed (e.g., shared devices, or KIOSK devices). |
| Self-deploying mode | A new version of Windows Autopilot where the user only turns on the device, and nothing else. Its useful for scenarios where a standard user account isnt needed (for example, shared devices, or KIOSK devices). |
| Hybrid Azure Active Directory join | Allows Windows Autopilot devices to connect to an on-premises Active Directory domain controller (in addition to being Azure AD joined). |
| Windows Autopilot reset | Removes user apps and settings from a device, but maintains AAD domain join and MDM enrollment. Useful for when transferring a device from one user to another. |
| Personalization | Adds the following to the OOBE experience: A personalized welcome message can be created A username hint can be added Sign-in page text can be personalized The companys logo can be included |
| [Autopilot for existing devices](existing-devices.md) | Offers an upgrade path to Windows Autopilot for all existing Win 7/8 devices. |
| Windows Autopilot reset | Removes user apps and settings from a device, but maintains Azure AD domain join and MDM enrollment. Useful for when transferring a device from one user to another. |
| Personalization | Adds the following to the OOBE experience: A personalized welcome message can be created. A username hint can be added Sign-in page text can be personalized. The companys logo can be included |
| [Autopilot for existing devices](existing-devices.md) | Offers an upgrade path to Windows Autopilot for all existing Windows 7- and Windows 8-based devices. |
@ -131,20 +132,20 @@ A [glossary](#glossary) of abbreviations used in this topic is provided at the e
|Question|Answer
|------------------|-----------------|
|If I wipe the machine and restart, will I still receive Windows Autopilot?|Yes, if the device is still registered for Windows Autopilot and is running Windows 10, version 1703 7B and above releases, it will receive the Windows Autopilot experience.|
|Can I harvest the device fingerprint on existing machines?|Yes, if the device is running Windows 10, version 1703 and above, you can harvest device fingerprints for registration. There are no plans to backport the functionality to previous releases and no way to harvest them on pre-Windows 10 Windows 10, version 1703 devices that have not been updated to Windows 10, version 1703.|
|What is Windows 10, version 1703 7B and why does it matter?| Windows 10, version 1703 7B is a Windows 10, version 1703 image bundled with cumulative updates. To receive Autopilot, clients **must** run Windows 10, version 1703 7B or later. These cumulative updates contain a critical fix for Autopilot. Consider the following:<br><br><I>Windows Autopilot will not apply its profiles to the machine unless AAD credentials match the expected AAD tenant. For the Windows 10, version 1703 release, it was assumed that would be determined by the domain name, so the domain name used to register (for example contoso.com) should match the domain name used to sign in (for example user@contoso.com). But what happens if your tenant has multiple domains (for example us.contoso.com, or fr.contoso.com)? Since these domain names do not match, the device will not be configured for Autopilot. However, both domains are part of the same AAD tenant, and as such it was determined the matching scheme was not useful. This was improved upon by making use of the tenant ID. By using the tenant ID, we can determine that if the user signs into a domain with a tenant matching the one they registered with, we can safely consider this to be a match. The fix for this problem already exists in Windows 10, version 1709 and was backported into the Windows 10, version 1703 7B release.</I> <br><br>**Key takeaways**: When using pre-Windows 10, version 1703 7B clients the users domain **must** match the domain they registered with. This functionality is found in Windows 10 version 1709 clients using build >= 16215, and Windows 10, version 1703 clients >= 7B. |
|Can I harvest the device fingerprint on existing machines?|Yes, if the device is running Windows 10, version 1703 and above, you can harvest device fingerprints for registration. There are no plans to backport the functionality to previous releases and no way to harvest them on pre-Windows 10, version 1703 devices that have not been updated to Windows 10, version 1703.|
|What is Windows 10, version 1703 7B and why does it matter?| Windows 10, version 1703 7B is a Windows 10, version 1703 image bundled with cumulative updates. To receive Autopilot, clients must run Windows 10, version 1703 7B or later. These cumulative updates contain a critical fix for Autopilot. Consider the following:<br><br><I>Windows Autopilot will not apply its profiles to the machine unless Azure AD credentials match the expected Azure AD tenant. For the Windows 10, version 1703 release, it was assumed that would be determined by the domain name, so the domain name used to register (for example contoso.com) should match the domain name used to sign in (for example user@contoso.com). But what happens if your tenant has multiple domains (for example us.contoso.com, or fr.contoso.com)? Since these domain names do not match, the device will not be configured for Autopilot. However, both domains are part of the same Azure AD tenant, and as such it was determined the matching scheme was not useful. This was improved upon by making use of the tenant ID. By using the tenant ID, you can determine that if the user signs into a domain with a tenant matching the one they registered with, you can safely consider this to be a match. The fix for this problem already exists in Windows 10, version 1709 and was backported into the Windows 10, version 1703 7B release.</I> <br><br>**Key takeaways**: When using pre-Windows 10, version 1703 7B clients the users domain must match the domain they registered with. This functionality is found in Windows 10 version 1709 clients using build >= 16215, and Windows 10, version 1703 clients >= 7B. |
|What is the impact of not updating to 7B?|See the detailed scenario described directly above.|
|Is Windows Autopilot supported on other SKUs, e.g. Surface Hub, HoloLens, Windows Mobile.|No, Windows Autopilot isnt supported on other SKUs.|
|Does Windows Autopilot work after MBR or image re-installation?|Yes.|
| Can machines that have reimaged a few times go through Autopilot? What does the error message "This user is not authorized to enroll" mean? Error code 801c0003. |There are limits to the number of devices a particular AAD user can enroll in AAD, as well as the number of devices that are supported per user in Intune. (These are somewhat configurable but not infinite.) Youll run into this frequently if you reuse the devices, or even if you roll back to previous virtual machine snapshots.|
|What happens if a device is registered to a malicious agent? |By design, Windows Autopilot does not apply a profile until the user signs in with the matching tenant for the configured profile via the AAD sign-in process. What occurs is illustrated below. If badguys.com registers a device owned by contoso.com, at worst, the user would be directed to sign into badguys.com. When the user enters their email/password, the sign-in information is redirected through AAD to the proper AAD authentication and the user is prompted to then sign into contoso.com. Since contoso.com does not match badguys.com as the tenant, the Windows Autopilot profile will not be applied and the regular AAD OOBE will occur.|
|Where is the Windows Autopilot data stored? |Windows Autopilot data is stored in the United States (US), not in a sovereign cloud, even when the AAD tenant is registered in a sovereign cloud. This is applicable to all Windows Autopilot data, regardless of the portal leveraged to deploy Autopilot.|
|Why is Windows Autopilot data stored in the US and not in a sovereign cloud?|It is not customer data that we store, but business data which enables Microsoft to provide a service, therefore it is okay for the data to reside in the US. Customers can stop subscribing to the service any time, and, in that event, the business data is removed by Microsoft.|
|How many ways are there to register a device for Windows Autopilot|There are six ways to register a device, depending on who is doing the registering: <br><br>1. OEM Direct API (only available to TVOs) <br>2. MPC via the MPC API (must be a CSP) <br>3. MPC via manual upload of CSV file in the UI (must be a CSP) <br>4. MSfB via CSV file upload <br>5. Intune via CSV file upload <br>6. Microsoft 365 Business portal via CSV file upload|
|How many ways are there to create a Windows Autopilot profile?|There are four ways to create & assign an Windows Autopilot profile: <br><br>1. Through MPC (must be a CSP) <br>2. Through MSfB <br>3. Through Intune (or another MDM) <br>4. Microsoft 365 Business portal <br><br>Microsoft recommends creation and assignment of profiles through Intune. |
| What are some common causes of registration failures? |1. Bad or missing Hardware hash entries can lead to faulty registration attempts <br>2. Hidden special characters in CSV files. <br><br>To avoid this issue, after creating your CSV file, open it in Notepad to look for hidden characters or trailing spaces or other corruptions.|
|Is Windows Autopilot supported on other SKUs, for example, Surface Hub, HoloLens, Windows Mobile.|No, Windows Autopilot isnt supported on other SKUs.|
|Does Windows Autopilot work after MBR or image reinstallation?|Yes.|
| Can machines that have reimaged a few times go through Autopilot? What does the error message "This user is not authorized to enroll" mean? Error code 801c0003. |There are limits to the number of devices a particular Azure AD user can enroll in Azure AD, as well as the number of devices that are supported per user in Intune. (These are configurable but not infinite.) Youll run into this frequently if you reuse the devices, or even if you roll back to previous virtual machine snapshots.|
|What happens if a device is registered to a malicious agent? |By design, Windows Autopilot does not apply a profile until the user signs in with the matching tenant for the configured profile using the Azure AD sign-in process. What occurs is illustrated below. If badguys.com registers a device owned by contoso.com, at worst, the user would be directed to sign into badguys.com. When the user enters their email/password, the sign-in information is redirected through Azure AD to the proper Azure AD authentication and the user is prompted to then sign into contoso.com. Since contoso.com does not match badguys.com as the tenant, the Windows Autopilot profile will not be applied and the regular Azure AD OOBE will occur.|
|Where is the Windows Autopilot data stored? |Windows Autopilot data is stored in the United States (US), not in a sovereign cloud, even when the Azure AD tenant is registered in a sovereign cloud. This is applicable to all Windows Autopilot data, regardless of the portal leveraged to deploy Autopilot.|
|Why is Windows Autopilot data stored in the US and not in a sovereign cloud?|It is not customer data that we store, but business data that enables Microsoft to provide a service, therefore it is okay for the data to reside in the US. Customers can stop subscribing to the service at any time, and, in that event, the business data is removed by Microsoft.|
|How many ways are there to register a device for Windows Autopilot|There are six ways to register a device, depending on who is doing the registering: <br><br>1. OEM Direct API (only available to TVOs) <br>2. MPC using the MPC API (must be a CSP) <br>3. MPC using manual upload of CSV file in the UI (must be a CSP) <br>4. MSfB using CSV file upload <br>5. Intune using CSV file upload <br>6. Microsoft 365 Business portal using CSV file upload|
|How many ways are there to create a Windows Autopilot profile?|There are four ways to create and assign a Windows Autopilot profile: <br><br>1. Through MPC (must be a CSP) <br>2. Through MSfB <br>3. Through Intune (or another MDM) <br>4. Microsoft 365 Business portal <br><br>Microsoft recommends creation and assignment of profiles through Intune. |
| What are some common causes of registration failures? |1. Bad or missing hardware hash entries can lead to faulty registration attempts <br>2. Hidden special characters in CSV files. <br><br>To avoid this issue, after creating your CSV file, open it in Notepad to look for hidden characters or trailing spaces or other corruptions.|
| Is Autopilot supported on IoT devices? | Autopilot is not supported on IoT Core devices, and there are currently no plans to add this support. Autopilot is supported on Windows 10 IoT Enterprise SAC devices. Autopilot is supported on Windows 10 Enterprise LTSC 2019 and above; it is not supported on earlier versions of LTSC.|
| Is Autopilot supported in all regions/countries? | Autopilot only supports customers using public Azure. Public Azure does not include the three entities listed below:<br>- Azure Germany <br>- Azure China<br>- Azure Government<br>So, if a customer is set up in global Azure, there are no region restrictions. For example, if Contoso uses global Azure but has employees working in China, the Contoso employees working in China would be able to use Autopilot to deploy devices. If Contoso uses Azure China, the Contoso employees would not be able to use Autopilot.|
| Is Autopilot supported in all regions/countries? | Autopilot only supports customers using global Azure. Global Azure does not include the three entities listed below:<br>- Azure Germany <br>- Azure China 21Vianet<br>- Azure Government<br>So, if a customer is set up in global Azure, there are no region restrictions. For example, if Contoso uses global Azure but has employees working in China, the Contoso employees working in China would be able to use Autopilot to deploy devices. If Contoso uses Azure China 21Vianet, the Contoso employees would not be able to use Autopilot.|
## Glossary
@ -156,8 +157,8 @@ A [glossary](#glossary) of abbreviations used in this topic is provided at the e
| OEM | Original Equipment Manufacturer |
| CSP | Cloud Solution Provider |
| MSfB | Microsoft Store for Business |
| AAD | Azure Active Directory |
| 4K HH | 4K Hardware Hash |
| Azure AD | Azure Active Directory |
| 4K HH | 4K hardware hash |
| CBR | Computer Build Report |
| EC | Enterprise Commerce |
| DDS | Device Directory Service |

2
windows/deployment/windows-autopilot/autopilot-support.md
View File

@ -1,6 +1,6 @@
---
title: Windows Autopilot support
description: Support information for Windows Autopilot
description: Find out who to contact for help with your Windows Autopilot installation.
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy

48
windows/deployment/windows-autopilot/autopilot-update.md Normal file
View File

@ -0,0 +1,48 @@
---
title: Windows Autopilot update
ms.reviewer:
manager: laurawi
description: Windows Autopilot update
keywords: Autopilot, update, Windows 10
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
ms.localizationpriority: medium
audience: itpro
author: greg-lindsay
ms.author: greglin
ms.collection: M365-modern-desktop
ms.topic: article
---
# Windows Autopilot update
**Applies to**
- Windows 10, version 1903
Windows Autopilot update enables you to get the latest Autopilot features and critical issue fixes without the need to move to latest Windows OS version. With Autopilot update, organizations can keep their current OS version and still benefit from new Autopilot features and bug fixes.
During the Autopilot deployment process, Windows Autopilot update has been added as a new node after the critical [Windows Zero Day Patch (ZDP) update](https://docs.microsoft.com/windows-hardware/customize/desktop/windows-updates-during-oobe) check. During the update process, Windows Autopilot devices reach out to Windows Update to check for a new Autopilot update. If there is an Autopilot update available, the device will download and install the update, then restart automatically. See the following example.
![Autopilot update 1](images/update1.png)<br>
![Autopilot update 2](images/update2.png)<br>
![Autopilot update 3](images/update3.png)
The following diagram illustrates a typical Windows Autopilot deployment orchestration during the Out of Box Experience (OOBE) with the new Windows Autopilot update node.
![Autopilot update flow](images/update-flow.png)
## Release cadence
- When an Autopilot update is available, it is typically released on the 4th Tuesday of the month. The update could be released on a different week if there is an exception.
- A knowledge base (KB) article will also be published to document the changes that are included in the update.
For a list of released updates, see [Autopilot update history](windows-autopilot-whats-new.md#windows-autopilot-update-history).
## See also
[Windows Update during OOBE](https://docs.microsoft.com/windows-hardware/customize/desktop/windows-updates-during-oobe)<br>
[What's new in Windows Autopilot](windows-autopilot-whats-new.md)<br>

4
windows/deployment/windows-autopilot/existing-devices.md
View File

@ -1,6 +1,6 @@
---
title: Windows Autopilot for existing devices
description: Windows Autopilot deployment
description: Modern desktop deployment with Windows Autopilot enables you to easily deploy the latest version of Windows 10 to your existing devices.
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.reviewer: mniehaus
manager: laurawi
@ -70,7 +70,7 @@ See the following examples.
Install-Module WindowsAutopilotIntune -Force
Install-Module Microsoft.Graph.Intune -Force
```
3. Enter the following lines and provide Intune administrative credentials
- Be sure that the user account you specify has sufficient administrative rights.

BIN
windows/deployment/windows-autopilot/images/update-flow.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 95 KiB

BIN
windows/deployment/windows-autopilot/images/update1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 24 KiB

BIN
windows/deployment/windows-autopilot/images/update2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 28 KiB

BIN
windows/deployment/windows-autopilot/images/update3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 32 KiB

2
windows/deployment/windows-autopilot/index.md
View File

@ -1,6 +1,6 @@
---
title: Windows Autopilot deployment
description: Windows Autopilot deployment
description: Discover resources for Windows Autopilot deployment with this guide.
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.reviewer: mniehaus
manager: laurawi

2
windows/deployment/windows-autopilot/known-issues.md
View File

@ -2,7 +2,7 @@
title: Windows Autopilot known issues
ms.reviewer:
manager: laurawi
description: Windows Autopilot deployment
description: Inform yourself about known issues that may occur during Windows Autopilot deployment.
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy

97
windows/deployment/windows-autopilot/profiles.md
View File

@ -1,48 +1,49 @@
---
title: Configure Autopilot profiles
description: Windows Autopilot deployment
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.reviewer: mniehaus
manager: laurawi
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: deploy
audience: itpro
author: greg-lindsay
ms.author: greglin
ms.collection: M365-modern-desktop
ms.topic: article
---
# Configure Autopilot profiles
**Applies to**
- Windows 10
For each device that has been defined to the Windows Autopilot deployment service, a profile of settings needs to be applied that specifies the exact behavior of that device when it is deployed. For detailed procedures on how to configure profile settings and register devices, see [Registering devices](add-devices.md#registering-devices).
## Profile settings
The following profile settings are available:
- **Skip Cortana, OneDrive and OEM registration setup pages**. All devices registered with Autopilot will automatically skip these pages during the out-of-box experience (OOBE) process.
- **Automatically setup for work or school**. All devices registered with Autopilot will automatically be considered work or school devices, so this question will not be asked during the OOBE process.
- **Sign in experience with company branding**. Instead of presenting a generic Azure Active Directory sign-in page, all devices registered with Autopilot will automatically present a customized sign-in page with the organizations name, logon, and additional help text, as configured in Azure Active Directory. See [Add company branding to your directory](https://docs.microsoft.com/azure/active-directory/customize-branding#add-company-branding-to-your-directory) to customize these settings.
- **Skip privacy settings**. This optional Autopilot profile setting enables organizations to not ask about privacy settings during the OOBE process. This is typically desirable so that the organization can configure these settings via Intune or other management tool.
- **Disable local admin account creation on the device**. Organizations can decide whether the user setting up the device should have administrator access once the process is complete.
- **Skip End User License Agreement (EULA)**. Starting in Windows 10 version 1709, organizations can decide to skip the EULA page presented during the OOBE process. This means that organizations accept the EULA terms on behalf of their users.
- **Disable Windows consumer features**. Starting in Windows 10 version 1803, organizations can disable Windows consumer features so that the device does not automatically install any additional Microsoft Store apps when the user first signs into the device. See the [MDM documentation](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsconsumerfeatures) for more details.
## Related topics
[Profile download](troubleshooting.md#profile-download)
---
title: Configure Autopilot profiles
description: Learn how to configure device profiles while performing a Windows Autopilot deployment.
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.reviewer: mniehaus
manager: laurawi
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: deploy
audience: itpro
author: greg-lindsay
ms.author: greglin
ms.collection: M365-modern-desktop
ms.topic: article
---
# Configure Autopilot profiles
**Applies to**
- Windows 10
For each device that has been defined to the Windows Autopilot deployment service, a profile of settings needs to be applied that specifies the exact behavior of that device when it is deployed. For detailed procedures on how to configure profile settings and register devices, see [Registering devices](add-devices.md#registering-devices).
## Profile settings
The following profile settings are available:
- **Skip Cortana, OneDrive and OEM registration setup pages**. All devices registered with Autopilot will automatically skip these pages during the out-of-box experience (OOBE) process.
- **Automatically setup for work or school**. All devices registered with Autopilot will automatically be considered work or school devices, so this question will not be asked during the OOBE process.
- **Sign in experience with company branding**. Instead of presenting a generic Azure Active Directory sign-in page, all devices registered with Autopilot will automatically present a customized sign-in page with the organizations name, logon, and additional help text, as configured in Azure Active Directory. See [Add company branding to your directory](https://docs.microsoft.com/azure/active-directory/customize-branding#add-company-branding-to-your-directory) to customize these settings.
- **Skip privacy settings**. This optional Autopilot profile setting enables organizations to not ask about privacy settings during the OOBE process. This is typically desirable so that the organization can configure these settings via Intune or other management tool.
- **Disable local admin account creation on the device**. Organizations can decide whether the user setting up the device should have administrator access once the process is complete.
- **Skip End User License Agreement (EULA)**. Starting in Windows 10 version 1709, organizations can decide to skip the EULA page presented during the OOBE process. This means that organizations accept the EULA terms on behalf of their users.
- **Disable Windows consumer features**. Starting in Windows 10 version 1803, organizations can disable Windows consumer features so that the device does not automatically install any additional Microsoft Store apps when the user first signs into the device. See the [MDM documentation](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsconsumerfeatures) for more details.
## Related topics
[Profile download](troubleshooting.md#profile-download)
[Registering devices](add-devices.md)

167
windows/deployment/windows-autopilot/registration-auth.md
View File

@ -1,81 +1,86 @@
---
title: Windows Autopilot customer consent
description: Windows Autopilot deployment
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.reviewer: mniehaus
manager: laurawi
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: deploy
audience: itpro
author: greg-lindsay
ms.author: greglin
ms.collection: M365-modern-desktop
ms.topic: article
---
# Windows Autopilot customer consent
**Applies to: Windows 10**
This article describes how a cloud service provider (CSP) partner (direct bill, indirect provider, or indirect reseller) or an OEM can get customer authorization to register Windows Autopilot devices on the customers behalf.
## CSP authorization
CSP partners can get customer authorization to register Windows Autopilot devices on the customers behalf per the following restrictions:
<table>
<tr><td>Direct CSP<td>Gets direct authorization from the customer to register devices.
<tr><td>Indirect CSP Provider<td>Gets implicit permission to register devices through the relationship their CSP Reseller partner has with the customer. Indirect CSP Providers register devices through Microsoft Partner Center.
<tr><td>Indirect CSP Reseller<td>Gets direct authorization from the customer to register devices. At the same time, their indirect CSP Provider partner also gets authorization, which mean that either the Indirect Provider or the Indirect Reseller can register devices for the customer. However, the Indirect CSP Reseller must register devices through the MPC UI (manually uploading CSV file), whereas the Indirect CSP Provider has the option to register devices using the MPC APIs.
</table>
### Steps
For a CSP to register Windows Autopilot devices on behalf of a customer, the customer must first grant that CSP partner permission using the following process:
1. CSP sends link to customer requesting authorization/consent to register/manage devices on their behalf. To do so:
- CSP logs into Microsoft Partner Center
- Click **Dashboard** on the top menu
- Click **Customer** on the side menu
- Click the **Request a reseller relationship** link:
![Request a reseller relationship](images/csp1.png)
- Select the checkbox indicating whether or not you want delegated admin rights:
![Delegated rights](images/csp2.png)
- NOTE: Depending on your partner, they might request Delegated Admin Permissions (DAP) when requesting this consent. You should ask them to use the newer DAP-free process (shown in this document) if possible. If not, you can easily remove their DAP status either from Microsoft Store for Business or the Office 365 admin portal: https://docs.microsoft.com/partner-center/customers_revoke_admin_privileges
- Send the template above to the customer via email.
2. Customer with global administrator privileges in Microsoft Store for Business (MSfB) clicks the link in the body of the email once they receive it from the CSP, which takes them directly to the following MSfB page:
![Global admin](images/csp3.png)
NOTE: A user without global admin privileges who clicks the link will see a message similar to the following:
![Not global admin](images/csp4.png)
3. Customer selects the **Yes** checkbox, followed by the **Accept** button. Authorization happens instantaneously.
4. The CSP will know that this consent/authorization request has been completed because the customer will show up in the CSPs MPC account under their **customers** list, for example:
![Customers](images/csp5.png)
## OEM authorization
Each OEM has a unique link to provide to their respective customers, which the OEM can request from Microsoft via msoemops@microsoft.com.
1. OEM emails link to their customer.
2. Customer with global administrator privileges in Microsoft Store for Business (MSfB) clicks the link once they receive it from the OEM, which takes them directly to the following MSfB page:
![Global admin](images/csp6.png)
NOTE: A user without global admin privileges who clicks the link will see a message similar to the following:
![Not global admin](images/csp7.png)
3. Customer selects the **Yes** checkbox, followed by the **Accept** button, and theyre done. Authorization happens instantaneously.
4. The OEM can use the Validate Device Submission Data API to verify the consent has completed. This API is discussed in the latest version of the API Whitepaper, p. 14ff [https://devicepartner.microsoft.com/assets/detail/windows-autopilot-integration-with-oem-api-design-whitepaper-docx](https://devicepartner.microsoft.com/assets/detail/windows-autopilot-integration-with-oem-api-design-whitepaper-docx). **Note**: this link is only accessible by Microsoft Device Partners. As discussed in this whitepaper, its a best practice recommendation for OEM partners to run the API check to confirm theyve received customer consent before attempting to register devices, thus avoiding errors in the registration process.
## Summary
At this stage of the process, Microsoft is no longer involved; the consent exchange happens directly between the OEM and the customer. And, it all happens instantaneously - as quickly as buttons are clicked.
---
title: Windows Autopilot customer consent
description: Learn how a cloud service provider (CSP) partner or an OEM can get customer authorization to register Windows Autopilot devices on the customers behalf.
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.reviewer: mniehaus
manager: laurawi
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: deploy
audience: itpro
author: greg-lindsay
ms.author: greglin
ms.collection: M365-modern-desktop
ms.topic: article
---
# Windows Autopilot customer consent
**Applies to: Windows 10**
This article describes how a cloud service provider (CSP) partner (direct bill, indirect provider, or indirect reseller) or an OEM can get customer authorization to register Windows Autopilot devices on the customers behalf.
## CSP authorization
CSP partners can get customer authorization to register Windows Autopilot devices on the customers behalf per the following restrictions:
<table>
<tr><td>Direct CSP<td>Gets direct authorization from the customer to register devices.
<tr><td>Indirect CSP Provider<td>Gets implicit permission to register devices through the relationship their CSP Reseller partner has with the customer. Indirect CSP Providers register devices through Microsoft Partner Center.
<tr><td>Indirect CSP Reseller<td>Gets direct authorization from the customer to register devices. At the same time, their indirect CSP Provider partner also gets authorization, which mean that either the Indirect Provider or the Indirect Reseller can register devices for the customer. However, the Indirect CSP Reseller must register devices through the MPC UI (manually uploading CSV file), whereas the Indirect CSP Provider has the option to register devices using the MPC APIs.
</table>
### Steps
For a CSP to register Windows Autopilot devices on behalf of a customer, the customer must first grant that CSP partner permission using the following process:
1. CSP sends link to customer requesting authorization/consent to register/manage devices on their behalf. To do so:
- CSP logs into Microsoft Partner Center
- Click **Dashboard** on the top menu
- Click **Customer** on the side menu
- Click the **Request a reseller relationship** link:
![Request a reseller relationship](images/csp1.png)
- Select the checkbox indicating whether or not you want delegated admin rights:
![Delegated rights](images/csp2.png)
- NOTE: Depending on your partner, they might request Delegated Admin Permissions (DAP) when requesting this consent. You should ask them to use the newer DAP-free process (shown in this document) if possible. If not, you can easily remove their DAP status either from Microsoft Store for Business or the Office 365 admin portal: https://docs.microsoft.com/partner-center/customers_revoke_admin_privileges
- Send the template above to the customer via email.
2. Customer with global administrator privileges in Microsoft Store for Business (MSfB) clicks the link in the body of the email once they receive it from the CSP, which takes them directly to the following MSfB page:
![Global admin](images/csp3.png)
> [!NOTE]
> A user without global admin privileges who clicks the link will see a message similar to the following:
![Not global admin](images/csp4.png)
3. Customer selects the **Yes** checkbox, followed by the **Accept** button. Authorization happens instantaneously.
4. The CSP will know that this consent/authorization request has been completed because the customer will show up in the CSPs MPC account under their **customers** list, for example:
![Customers](images/csp5.png)
## OEM authorization
Each OEM has a unique link to provide to their respective customers, which the OEM can request from Microsoft via msoemops@microsoft.com.
1. OEM emails link to their customer.
2. Customer with global administrator privileges in Microsoft Store for Business (MSfB) clicks the link once they receive it from the OEM, which takes them directly to the following MSfB page:
![Global admin](images/csp6.png)
> [!NOTE]
> A user without global admin privileges who clicks the link will see a message similar to the following:
![Not global admin](images/csp7.png)
3. Customer selects the **Yes** checkbox, followed by the **Accept** button, and theyre done. Authorization happens instantaneously.
4. The OEM can use the Validate Device Submission Data API to verify the consent has completed. This API is discussed in the latest version of the API Whitepaper, p. 14ff [https://devicepartner.microsoft.com/assets/detail/windows-autopilot-integration-with-oem-api-design-whitepaper-docx](https://devicepartner.microsoft.com/assets/detail/windows-autopilot-integration-with-oem-api-design-whitepaper-docx). **Note**: this link is only accessible by Microsoft Device Partners. As discussed in this whitepaper, its a best practice recommendation for OEM partners to run the API check to confirm theyve received customer consent before attempting to register devices, thus avoiding errors in the registration process.
> [!NOTE]
> During the OEM authorization registration process, no delegated admin permissions are granted to the OEM.
## Summary
At this stage of the process, Microsoft is no longer involved; the consent exchange happens directly between the OEM and the customer. And, it all happens instantaneously - as quickly as buttons are clicked.

2
windows/deployment/windows-autopilot/self-deploying.md
View File

@ -1,6 +1,6 @@
---
title: Windows Autopilot Self-Deploying mode
description: Windows Autopilot deployment
description: Self-deploying mode allows a device to be deployed with little to no user interaction. This mode mode is designed to deploy Windows 10 as a kiosk, digital signage device, or a shared device.
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.reviewer: mniehaus
manager: laurawi

2
windows/deployment/windows-autopilot/troubleshooting.md
View File

@ -1,6 +1,6 @@
---
title: Troubleshooting Windows Autopilot
description: Windows Autopilot deployment
description: Learn how to handle issues as they arise during the Windows Autopilot deployment process.
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.reviewer: mniehaus
manager: laurawi

2
windows/deployment/windows-autopilot/user-driven.md
View File

@ -1,6 +1,6 @@
---
title: Windows Autopilot User-Driven Mode
description: Windows Autopilot deployment
description: Windows Autopilot user-driven mode allows devices to be deployed to a ready-to-use state without requiring help from IT personnel.
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.reviewer: mniehaus
manager: laurawi

2
windows/deployment/windows-autopilot/windows-autopilot-requirements.md
View File

@ -2,7 +2,7 @@
title: Windows Autopilot requirements
ms.reviewer:
manager: laurawi
description: Windows Autopilot deployment
description: Inform yourself about software, networking, licensing, and configuration requirements for Windows Autopilot deployment.
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy

11
windows/deployment/windows-autopilot/windows-autopilot-reset.md
View File

@ -1,6 +1,6 @@
---
title: Windows Autopilot Reset
description: Windows Autopilot deployment
description: Windows Autopilot Reset takes the device back to a business-ready state, allowing the next user to sign in and get productive quickly and easily.
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.reviewer: mniehaus
manager: laurawi
@ -9,7 +9,8 @@ ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: deploy
audience: itpro
audience: itpro
author: greg-lindsay
ms.author: greglin
ms.collection: M365-modern-desktop
ms.topic: article
@ -31,7 +32,9 @@ The Windows Autopilot Reset process automatically retains information from the e
- Azure Active Directory device membership and MDM enrollment information.
Windows Autopilot Reset will block the user from accessing the desktop until this information is restored, including re-applying any provisioning packages. For devices enrolled in an MDM service, Windows Autopilot Reset will also block until an MDM sync is completed.
Windows Autopilot Reset will block the user from accessing the desktop until this information is restored, including re-applying any provisioning packages. For devices enrolled in an MDM service, Windows Autopilot Reset will also block until an MDM sync is completed.
When Autopilot reset is used on a device, the device's primary user will be removed. The next user who signs in after the reset will be set as the primary user.
>[!NOTE]
>The Autopilot Reset does not support Hybrid Azure AD joined devices.
@ -84,7 +87,7 @@ Performing a local Windows Autopilot Reset is a two-step process: trigger it and
1. From the Windows device lock screen, enter the keystroke: **CTRL + ![Windows key](images/windows_glyph.png) + R**.
![Enter CTRL+Windows key+R on the Windows lock screen](images/autopilot-reset-lockscreen.png)
This will open up a custom login screen for the local Autopilot Reset. The screen serves two purposes:
1. Confirm/verify that the end user has the right to trigger Local Autopilot Reset

137
windows/deployment/windows-autopilot/windows-autopilot-scenarios.md
View File

@ -1,67 +1,70 @@
---
title: Windows Autopilot scenarios and capabilities
description: Windows Autopilot deployment
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.reviewer: mniehaus
manager: laurawi
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: deploy
audience: itpro
author: greg-lindsay
ms.author: greglin
ms.collection: M365-modern-desktop
ms.topic: article
---
# Windows Autopilot scenarios and capabilities
**Applies to: Windows 10**
## Scenarios
Windows Autopilot includes support for a growing list of scenarios, designed to support common organization needs which can vary based on the type of organization and their progress moving to Windows 10 and [transitioning to modern management](https://docs.microsoft.com/windows/client-management/manage-windows-10-in-your-organization-modern-management).
The following Windows Autopilot scenarios are described in this guide:
| Scenario | More information |
| --- | --- |
| Deploy devices that will be set up by a member of the organization and configured for that person | [Windows Autopilot user-driven mode](user-driven.md) |
| Deploy devices that will be automatically configured for shared use, as a kiosk, or as a digital signage device.| [Windows Autopilot self-deploying mode](self-deploying.md) |
| Re-deploy a device in a business-ready state.| [Windows Autopilot Reset](windows-autopilot-reset.md) |
| Pre-provision a device with up-to-date applications, policies and settings.| [White glove](white-glove.md) |
| Deploy Windows 10 on an existing Windows 7 or 8.1 device | [Windows Autopilot for existing devices](existing-devices.md) |
## Windows Autopilot capabilities
### Windows Autopilot is self-updating during OOBE
Starting with the Windows 10, version 1903, Autopilot functional and critical updates will begin downloading automatically during OOBE after a device gets connected to a network and the [critical driver and Windows zero-day patch (ZDP) updates](https://docs.microsoft.com/windows-hardware/customize/desktop/windows-updates-during-oobe) have completed. The user or IT admin cannot opt-out of these Autopilot updates; they are required for Windows Autopilot deployment to operate properly. Windows will alert the user that the device is checking for, downloading and installing the updates.
### Cortana voiceover and speech recognition during OOBE
In Windows 10, version 1903 and later Cortana voiceover and speech recognition during OOBE is DISABLED by default for all Windows 10 Pro, Education and Enterprise SKUs.
If desired, you can enable Cortana voiceover and speech recognition during OOBE by creating the following registry key. This key does not exist by default.
HKLM\Software\Microsoft\Windows\CurrentVersion\OOBE\EnableVoiceForAllEditions
The key value is a DWORD with **0** = disabled and **1** = enabled.
| Value | Description |
| --- | --- |
| 0 | Cortana voiceover is disabled |
| 1 | Cortana voiceover is enabled |
| No value | Device will fall back to default behavior of the edition |
To change this key value, use WCD tool to create as PPKG as documented [here](https://docs.microsoft.com/windows/configuration/wcd/wcd-oobe#nforce).
### Bitlocker encryption
With Windows Autopilot, you can configure the BitLocker encryption settings to be applied before automatic encryption is started. For more information, see [Setting the BitLocker encryption algorithm for Autopilot devices](bitlocker.md)
## Related topics
---
title: Windows Autopilot scenarios and capabilities
description: Follow along with several typical Windows Autopilot deployment scenarios, such as re-deploying a device in a business-ready state.
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.reviewer: mniehaus
manager: laurawi
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: deploy
audience: itpro
author: greg-lindsay
ms.author: greglin
ms.collection: M365-modern-desktop
ms.topic: article
---
# Windows Autopilot scenarios and capabilities
**Applies to: Windows 10**
## Scenarios
Windows Autopilot includes support for a growing list of scenarios, designed to support common organization needs which can vary based on the type of organization and their progress moving to Windows 10 and [transitioning to modern management](https://docs.microsoft.com/windows/client-management/manage-windows-10-in-your-organization-modern-management).
The following Windows Autopilot scenarios are described in this guide:
| Scenario | More information |
| --- | --- |
| Deploy devices that will be set up by a member of the organization and configured for that person | [Windows Autopilot user-driven mode](user-driven.md) |
| Deploy devices that will be automatically configured for shared use, as a kiosk, or as a digital signage device.| [Windows Autopilot self-deploying mode](self-deploying.md) |
| Re-deploy a device in a business-ready state.| [Windows Autopilot Reset](windows-autopilot-reset.md) |
| Pre-provision a device with up-to-date applications, policies and settings.| [White glove](white-glove.md) |
| Deploy Windows 10 on an existing Windows 7 or 8.1 device | [Windows Autopilot for existing devices](existing-devices.md) |
## Windows Autopilot capabilities
### Windows Autopilot is self-updating during OOBE
Starting with the Windows 10, version 1903, Autopilot functional and critical updates will begin downloading automatically during OOBE after a device gets connected to a network and the [critical driver and Windows zero-day patch (ZDP) updates](https://docs.microsoft.com/windows-hardware/customize/desktop/windows-updates-during-oobe) have completed. The user or IT admin cannot opt-out of these Autopilot updates; they are required for Windows Autopilot deployment to operate properly. Windows will alert the user that the device is checking for, downloading and installing the updates.
See [Windows Autopilot update](autopilot-update.md) for more information.
### Cortana voiceover and speech recognition during OOBE
In Windows 10, version 1903 and later Cortana voiceover and speech recognition during OOBE is DISABLED by default for all Windows 10 Pro, Education and Enterprise SKUs.
If desired, you can enable Cortana voiceover and speech recognition during OOBE by creating the following registry key. This key does not exist by default.
HKLM\Software\Microsoft\Windows\CurrentVersion\OOBE\EnableVoiceForAllEditions
The key value is a DWORD with **0** = disabled and **1** = enabled.
| Value | Description |
| --- | --- |
| 0 | Cortana voiceover is disabled |
| 1 | Cortana voiceover is enabled |
| No value | Device will fall back to default behavior of the edition |
To change this key value, use WCD tool to create as PPKG as documented [here](https://docs.microsoft.com/windows/configuration/wcd/wcd-oobe#nforce).
### Bitlocker encryption
With Windows Autopilot, you can configure the BitLocker encryption settings to be applied before automatic encryption is started. For more information, see [Setting the BitLocker encryption algorithm for Autopilot devices](bitlocker.md)
## Related topics
[Windows Autopilot: What's new](windows-autopilot-whats-new.md)

109
windows/deployment/windows-autopilot/windows-autopilot-whats-new.md
View File

@ -1,51 +1,58 @@
---
title: Windows Autopilot what's new
ms.reviewer:
manager: laurawi
description: Windows Autopilot deployment
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: deploy
audience: itpro
author: greg-lindsay
ms.author: greglin
ms.collection: M365-modern-desktop
ms.topic: article
---
# Windows Autopilot: What's new
**Applies to**
- Windows 10
## New in Windows 10, version 1903
[Windows Autopilot for white glove deployment](white-glove.md) is new in Windows 10, version 1903. See the following video:
<br>
> [!VIDEO https://www.youtube.com/embed/nE5XSOBV0rI]
Also new in this version of Windows:
- The Intune enrollment status page (ESP) now tracks Intune Management Extensions.
- [Cortana voiceover and speech recognition during OOBE](windows-autopilot-scenarios.md#cortana-voiceover-and-speech-recognition-during-oobe) is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs.
- [Windows Autopilot is self-updating during OOBE](windows-autopilot-scenarios.md#windows-autopilot-is-self-updating-during-oobe). Starting with the Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE.
- Windows Autopilot will set the diagnostics data level to Full on Windows 10 version 1903 and later during OOBE.
## New in Windows 10, version 1809
Windows Autopilot [self-deploying mode](self-deploying.md) enables a zero touch device provisioning experience. Simply power on the device, plug it into the Ethernet, and the device is fully configured by Windows Autopilot. This self-deploying capability removes the current need to have an end user interact by pressing the “Next” button during the deployment process.
You can utilize Windows Autopilot self-deploying mode to register the device to an AAD tenant, enroll in your organizations MDM provider, and provision policies and applications, all with no user authentication or user interaction required.
>[!NOTE]
>Window 10, version 1903 or later is required to use self-deploying mode due to issues with TPM device attestation in Windows 10, version 1809.
## Related topics
[What's new in Microsoft Intune](https://docs.microsoft.com/intune/whats-new)<br>
---
title: Windows Autopilot what's new
ms.reviewer:
manager: laurawi
description: Read news and resources about the latest updates and past versions of Windows Autopilot.
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: deploy
audience: itpro
author: greg-lindsay
ms.author: greglin
ms.collection: M365-modern-desktop
ms.topic: article
---
# Windows Autopilot: What's new
**Applies to**
- Windows 10
## Windows Autopilot update history
The following [Windows Autopilot updates](autopilot-update.md) are available. **Note**: Updates are automatically downloaded and applied during the Windows Autopilot deployment process.
No updates are available yet. Check back here later for more information.
## New in Windows 10, version 1903
[Windows Autopilot for white glove deployment](white-glove.md) is new in Windows 10, version 1903. See the following video:
<br>
> [!VIDEO https://www.youtube.com/embed/nE5XSOBV0rI]
Also new in this version of Windows:
- The Intune enrollment status page (ESP) now tracks Intune Management Extensions.
- [Cortana voiceover and speech recognition during OOBE](windows-autopilot-scenarios.md#cortana-voiceover-and-speech-recognition-during-oobe) is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs.
- [Windows Autopilot is self-updating during OOBE](windows-autopilot-scenarios.md#windows-autopilot-is-self-updating-during-oobe). Starting with the Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE.
- Windows Autopilot will set the diagnostics data level to Full on Windows 10 version 1903 and later during OOBE.
## New in Windows 10, version 1809
Windows Autopilot [self-deploying mode](self-deploying.md) enables a zero touch device provisioning experience. Simply power on the device, plug it into the Ethernet, and the device is fully configured by Windows Autopilot. This self-deploying capability removes the current need to have an end user interact by pressing the “Next” button during the deployment process.
You can utilize Windows Autopilot self-deploying mode to register the device to an AAD tenant, enroll in your organizations MDM provider, and provision policies and applications, all with no user authentication or user interaction required.
>[!NOTE]
>Window 10, version 1903 or later is required to use self-deploying mode due to issues with TPM device attestation in Windows 10, version 1809.
## Related topics
[What's new in Microsoft Intune](https://docs.microsoft.com/intune/whats-new)<br>
[What's new in Windows 10](https://docs.microsoft.com/windows/whats-new/)

2
windows/deployment/windows-autopilot/windows-autopilot.md
View File

@ -1,6 +1,6 @@
---
title: Overview of Windows Autopilot
description: Windows Autopilot deployment
description: Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use.
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.reviewer: mniehaus
manager: laurawi