simple and adv prov

windows/deploy/provision-pcs-for-initial-deployment.md

@@ -15,11 +15,10 @@ author: jdeckerMS
 **Applies to**
 
 -   Windows 10
--   Windows 10 Mobile
 
-This topic explains how to create and apply a provisioning package that contains common enterprise settings to a device running Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile, or Windows 10 Mobile Enterprise.
+This topic explains how to create and apply a simple provisioning package that contains common enterprise settings to a device running all desktop editions of Windows 10 except Windows 10 Home.
 
-In Windows 10, you can apply a provisioning package at any time. You can put a provisioning package on a USB drive to apply to off-the-shelf devices during setup, making it fast and easy to configure new devices. 
+You can apply a provisioning package on a USB drive to off-the-shelf devices during setup, making it fast and easy to configure new devices. 
 
 ## Advantages
 -   You can configure new devices without reimaging.
@@ -28,9 +27,22 @@ In Windows 10, you can apply a provisioning package at any time. You can put a
 
 -   No network connectivity required.
 
--   Simple for people to apply.
+-   Simple to apply.
 
--   Ensure compliance and security before a device is enrolled in MDM.
+## What does simple provisioning do?
+
+In a simple provisioning package, you can configure:
+
+- Device name
+- Upgraded product edition
+- Wi-Fi network 
+- Active Directory enrollment
+- Local administrator account 
+
+Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more. To learn about provisioning packages that include more than the settings in a simple provisioning package, see [Provision PCs with apps and certificates](provision-pcs-with-apps-and-certificates.md). 
+
+> **Tip!**  Use simple provisioning to create a package with the common settings, then switch to the advanced editor to add other settings, apps, policies, etc.
+![open advanced editor](images/icd-simple-edit.png)
 
 ## Create the provisioning package
 
@@ -40,17 +52,18 @@ Use the Windows Imaging and Configuration Designer (ICD) tool included in the Wi
 
 2. Click **Simple provisioning**.
 
-3. Name your project and click **Finish**.
+  ![ICD start options](images/icdstart-option.png)   
+
+3. Name your project and click **Finish**. The screens for simple provisioning will walk you through the following steps.
+
+  ![ICD simple provisioning](images/icd-simple.png)
 
 4. In the **Set up device** step, enter a unique 15-character name for the device. For help generating a unique name, you can use %SERIAL%, which includes a hardware-specific serial number, or you can use %RAND:x%, which generates random characters of x length.
 
 5. (Optional) You can upgrade the following editions of Windows 10 by providing a product key for the edition to upgrade to.
-    - Home to Education
     - Pro to Education
     - Pro to Enterprise
     - Enterprise to Education
-    - Mobile to Mobile Enterprise
-
    
 6. Click **Set up network**.
 
@@ -65,10 +78,9 @@ Use the Windows Imaging and Configuration Designer (ICD) tool included in the Wi
       - Create a temporary administrator account to use for debugging or reprovisioning if the device fails to enroll successfully.
       - [Use Group Policy to delete the temporary administrator account](https://blogs.technet.microsoft.com/canitpro/2014/12/10/group-policy-creating-a-standard-local-admin-account/) after the device is enrolled in Active Directory.
 
-
 10. Click **Finish**.
 
-11. Review your settings in the summary. You can return to previous pages to change your selections. Then, under Protect your package, toggle **Yes** or **No** to encrypt the provisioning package. If you select **Yes**, enter a password. This password must be entered to apply the encrypted provisioning package.
+11. Review your settings in the summary. You can return to previous pages to change your selections. Then, under **Protect your package**, toggle **Yes** or **No** to encrypt the provisioning package. If you select **Yes**, enter a password. This password must be entered to apply the encrypted provisioning package.
 
 12. Click **Create**.
 
@@ -76,14 +88,52 @@ Use the Windows Imaging and Configuration Designer (ICD) tool included in the Wi
 
 ## Apply package
 
+1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
 
+    ![The first screen to set up a new PC](images/oobe.jpg)
+
+2. Insert the USB drive and press the Windows key five times. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**.
+
+    ![Set up device?](images/setupmsg.jpg)
+
+3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
+
+    ![Provision this device](images/prov.jpg)
+    
+4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**.
+
+    ![Choose a package](images/choose-package.png)
+
+5. Select **Yes, add it**.
+
+    ![Do you trust this package?](images/trust-package.png)
+    
+6. Read and accept the Microsoft Software License Terms.  
+
+    ![Sign in](images/license-terms.png)
+    
+7. Select **Use Express settings**.
+
+    ![Get going fast](images/express-settings.png)
+
+8. If the PC doesn't use a volume license, you'll see the **Who owns this PC?** screen. Select **My work or school owns it** and tap **Next**.
+
+    ![Who owns this PC?](images/who-owns-pc.png)
+
+9. On the **Choose how you'll connect** screen, select **Join Azure AD** or **Join a domain** and tap **Next**.
+
+    ![Connect to Azure AD](images/connect-aad.png)
+
+10. Sign in with  your domain, Azure AD,  or Office 365 account and password. When you see the progress ring, you can remove the USB drive.
+
+    ![Sign in](images/sign-in-prov.png)
 
 ## Learn more
+-   [Build and apply a provisioning package]( http://go.microsoft.com/fwlink/p/?LinkId=629651)
 
+-   Watch the video: [Provisioning Windows 10 Devices with New Tools](http://go.microsoft.com/fwlink/p/?LinkId=615921)
 
--   [Provisioning Windows 10 Devices with New Tools](http://go.microsoft.com/fwlink/p/?LinkId=615921)
+-   Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](http://go.microsoft.com/fwlink/p/?LinkId=615922)
-
--   [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](http://go.microsoft.com/fwlink/p/?LinkId=615922)
 
  
 

windows/deploy/provision-pcs-with-apps-and-certificates.md

@@ -16,19 +16,182 @@ author: jdeckerMS
 
 -   Windows 10
 
-Create a runtime provisioning package to apply settings, profiles, and file assets to a device running Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile, or Windows 10 Mobile Enterprise.
+This topic explains how to create and apply a provisioning package that contains apps and certificates to a device running all desktop editions of Windows 10 except Windows 10 Home. Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more.
+
+You can apply a provisioning package on a USB drive to off-the-shelf devices during setup, making it fast and easy to configure new devices. 
+
+## Advantages
+-   You can configure new devices without reimaging.
+
+-   Works on both mobile and desktop devices.
+
+-   No network connectivity required.
+
+-   Simple to apply.
 
 
+## Create the provisioning package
+
+Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740)
+
+1. Open Windows ICD (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe).
+
+2. Click **Advanced provisioning**.
+
+  ![ICD start options](images/icdstart-option.png)  
+  
+3. Name your project and click **Next**.
+
+3. Select **All Windows desktop editions**, click **Next**, and then click **Finish**.  
+
+
+### Add a desktop app to your package
+
+1. In the **Available customizations** pane, go to **Runtime settings** > **ProvisioningCommands** > **DeviceContext** > **CommandFiles**. 
+
+2. Add all the files required for the app install, including the data files and the installer.
+
+3. Go to **Runtime settings** > **ProvisioningCommands** > **DeviceContext** > **CommandLine** and specify the command line that needs to be executed to install the app. This is a single command line (such as a script, executable, or msi) that triggers a silent install of your CommandFiles. Note that the install must execute silently (without displaying any UI). For MSI installers use, the msiexec /quiet option. 
+
+> **Note**: If you are installing more than one app, then use CommandLine to invoke the script or batch file that orchestrates installation of the files. For more information, see [Install a Win32 app using a provisioning package](https://msdn.microsoft.com/en-us/library/windows/hardware/mt703295%28v=vs.85%29.aspx). 
+
+
+### Add a universal app to your package
+
+1. In the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall**. 
+
+2. For **UserContextApp**, specify the **PackageFamilyName** for the app. (how to find package family name)
+
+3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle).
+
+4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. (how will they know?)
+
+5. For **UserContextAppLicense**, enter the **LicenseProductID**. (where to get)
+
+
+### Add a certificate to your package
+
+1. In the **Available customizations** pane, go to **Runtime settings** > **Certificates** > **ClientCertificates**. 
+
+2. Enter a **CertificateName** and then click **Add**. 
+
+2. Enter the **CertificatePassword**. 
+
+3. For **CertificatePath**, browse and select the certificate to be used. 
+
+4. Set **ExportCertificate** to **False**.
+
+5. For **KeyLocation**, select **Software only**. 
+
+
+### Add other settings to your package 
+
+For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( http://go.microsoft.com/fwlink/p/?LinkId=619012).
+
+### Build your package
+
+1. When you are done configuring the provisioning package, on the **File** menu, click **Save**.
+
+2. Read the warning that project files may contain sensitive information, and click **OK**.
+> **Important**  When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
+
+3. On the **Export** menu, click **Provisioning package**.
+
+1. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
+
+10. Set a value for **Package Version**.
+
+    **Tip**  
+    You can make changes to existing packages and change the version number to update previously applied packages.
+
+11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
+
+    -   **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
+
+    -   **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package.
+
+        **Important**  
+        We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently. 
+
+12. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.<p>
+Optionally, you can click **Browse** to change the default output location.
+
+13. Click **Next**.
+
+14. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.<p>
+If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
+
+15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.<p>
+If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
+
+    -   If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
+    
+    -   If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
+
+16. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods:
+
+    -   Shared network folder
+
+    -   SharePoint site
+
+    -   Removable media (USB/SD)
+
+    -   Email
+
+    -   USB tether (mobile only)
+
+    -   NFC (mobile only)
+
+
+
+## Apply package
+
+1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
+
+    ![The first screen to set up a new PC](images/oobe.jpg)
+
+2. Insert the USB drive and press the Windows key five times. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**.
+
+    ![Set up device?](images/setupmsg.jpg)
+
+3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
+
+    ![Provision this device](images/prov.jpg)
+    
+4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**.
+
+    ![Choose a package](images/choose-package.png)
+
+5. Select **Yes, add it**.
+
+    ![Do you trust this package?](images/trust-package.png)
+    
+6. Read and accept the Microsoft Software License Terms.  
+
+    ![Sign in](images/license-terms.png)
+    
+7. Select **Use Express settings**.
+
+    ![Get going fast](images/express-settings.png)
+
+8. If the PC doesn't use a volume license, you'll see the **Who owns this PC?** screen. Select **My work or school owns it** and tap **Next**.
+
+    ![Who owns this PC?](images/who-owns-pc.png)
+
+9. On the **Choose how you'll connect** screen, select **Join Azure AD** or **Join a domain** and tap **Next**.
+
+    ![Connect to Azure AD](images/connect-aad.png)
+
+10. Sign in with  your domain, Azure AD,  or Office 365 account and password. When you see the progress ring, you can remove the USB drive.
+
+    ![Sign in](images/sign-in-prov.png)
 
 ## Learn more
+-   [Build and apply a provisioning package]( http://go.microsoft.com/fwlink/p/?LinkId=629651)
 
+-   Watch the video: [Provisioning Windows 10 Devices with New Tools](http://go.microsoft.com/fwlink/p/?LinkId=615921)
 
--   [Provisioning Windows 10 Devices with New Tools](http://go.microsoft.com/fwlink/p/?LinkId=615921)
+-   Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](http://go.microsoft.com/fwlink/p/?LinkId=615922)
-
--   [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](http://go.microsoft.com/fwlink/p/?LinkId=615922)
-
- 
-