Merged PR 9787: Major rewrite
Major rewrite
@ -19,7 +19,7 @@
|
||||
|
||||
## [Deploy Windows 10](deploy.md)
|
||||
|
||||
### [Overview of Windows Autopilot](windows-autopilot/windows-10-autopilot.md)
|
||||
### [Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md)
|
||||
### [Windows 10 in S mode](windows-10-pro-in-s-mode.md)
|
||||
### [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md)
|
||||
### [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md)
|
||||
|
@ -38,7 +38,7 @@ New or changed topic | Description
|
||||
## June 2017
|
||||
| New or changed topic | Description |
|
||||
|----------------------|-------------|
|
||||
| [Overview of Windows Autopilot](windows-autopilot/windows-10-autopilot.md) | New |
|
||||
| [Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md) | New |
|
||||
|
||||
## April 2017
|
||||
| New or changed topic | Description |
|
||||
|
@ -40,7 +40,7 @@ For more information, see [Windows 10 Enterprise E3 in CSP](windows-10-enterpris
|
||||
|
||||
Windows Autopilot streamlines and automates the process of setting up and configuring new devices, with minimal interaction required from the end user. You can also use Windows Autopilot to reset, repurpose and recover devices.
|
||||
|
||||
Windows Autopilot joins devices to Azure Active Directory (Azure AD), optionally enrolls into MDM services, configures security policies, and sets a custom out-of-box-experience (OOBE) for the end user. For more information, see [Overview of Windows Autopilot](windows-autopilot/windows-10-autopilot.md).
|
||||
Windows Autopilot joins devices to Azure Active Directory (Azure AD), optionally enrolls into MDM services, configures security policies, and sets a custom out-of-box-experience (OOBE) for the end user. For more information, see [Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md).
|
||||
|
||||
### Upgrade Readiness
|
||||
|
||||
|
@ -17,7 +17,7 @@ Windows 10 upgrade options are discussed and information is provided about plann
|
||||
|
||||
|Topic |Description |
|
||||
|------|------------|
|
||||
|[Overview of Windows Autopilot](windows-autopilot/windows-10-autopilot.md) |This topic provides an overview of Windows Autopilot deployment, a new zero-touch method for deploying Windows 10 in the enterprise. |
|
||||
|[Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md) |This topic provides an overview of Windows Autopilot deployment, a new zero-touch method for deploying Windows 10 in the enterprise. |
|
||||
|[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) |This topic provides information about support for upgrading directly to Windows 10 from a previous operating system. |
|
||||
|[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) |This topic provides information about support for upgrading from one edition of Windows 10 to another. |
|
||||
|[Windows 10 volume license media](windows-10-media.md) |This topic provides information about updates to volume licensing media in the current version of Windows 10. |
|
||||
|
@ -1,8 +1,23 @@
|
||||
# [Overview of Windows Autopilot](windows-10-autopilot.md)
|
||||
|
||||
## [The Windows Autopilot Deployment Program in Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles)
|
||||
## [The Windows Autopilot Deployment Program in Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot)
|
||||
## [The Windows Autopilot Deployment Program in Microsoft 365 Business & Office 365 Admin portal](https://support.office.com/article/Create-and-edit-Autopilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa)
|
||||
## [The Windows Autopilot Deployment Program in Partner Center](https://msdn.microsoft.com/partner-center/autopilot)
|
||||
## [Demo the Windows Autopilot Deployment Program on a Virtual Machine](windows-10-autopilot-demo-vm.md)
|
||||
|
||||
# [Windows Autopilot](windows-autopilot.md)
|
||||
## [Requirements](windows-autopilot-requirements.md)
|
||||
### [Configuration requirements](windows-autopilot-requirements-configuration.md)
|
||||
### [Network requirements](windows-autopilot-requirements-network.md)
|
||||
### [Licensing requirements](windows-autopilot-requirements-licensing.md)
|
||||
## [Scenarios and Capabilities](windows-autopilot-scenarios.md)
|
||||
### [User-driven mode](user-driven.md)
|
||||
### [Self-deploying mode](self-deploying.md)
|
||||
### [Enrollment status page](enrollment-status.md)
|
||||
### [Windows Autopilot Reset](windows-autopilot-reset.md)
|
||||
#### [Remote reset](windows-autopilot-reset-remote.md)
|
||||
#### [Local reset](windows-autopilot-reset-local.md)
|
||||
## Administering Autopilot
|
||||
### [Configuring](configure-autopilot.md)
|
||||
#### [Adding devices](add-devices.md)
|
||||
#### [Creating profiles](profiles.md)
|
||||
### [Administering Autopilot via Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles)
|
||||
### [Administering Autopilot via Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot)
|
||||
### [Administering Autopilot via Microsoft 365 Business & Office 365 Admin portal](https://support.office.com/article/Create-and-edit-Autopilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa)
|
||||
### [Administering Autopilot via Partner Center](https://msdn.microsoft.com/partner-center/autopilot)
|
||||
## Getting started
|
||||
### [Demonstrate Autopilot deployment on a VM](demonstrate-deployment-on-vm.md)
|
||||
## [Troubleshooting](troubleshooting.md)
|
||||
|
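Review bot: Confirm that redirects exist for the two file names this TOC stops using, `windows-10-autopilot.md` and `windows-10-autopilot-demo-vm.md`, so that existing links to the old overview and demo pages keep resolving. In the new tree, "## Administering Autopilot" and "## Getting started" are the only entries without a link target; either point them at a landing page or check that the TOC renders unlinked nodes as intended.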
67
windows/deployment/windows-autopilot/add-devices.md
Normal file
@ -0,0 +1,67 @@
|
||||
---
|
||||
title: Adding devices
|
||||
description: How to add devices to Windows Autopilot
|
||||
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.localizationpriority: high
|
||||
ms.sitesec: library
|
||||
ms.pagetype: deploy
|
||||
author: coreyp-at-msft
|
||||
ms.author: coreyp
|
||||
ms.date: 06/01/18
|
||||
---
|
||||
|
||||
# Adding devices to Windows Autopilot
|
||||
|
||||
**Applies to**
|
||||
|
||||
- Windows 10
|
||||
|
||||
Before deploying a device using Windows Autopilot, the device must be registered with the Windows Autopilot deployment service. Ideally, this would be performed by the OEM, reseller, or distributor from which the devices were purchased, but this can also be done by the organization by collecting the hardware identity and uploading it manually.
|
||||
|
||||
## Device identification
|
||||
|
||||
To define a device to the Windows Autopilot deployment service, a unique hardware ID for the device needs to be captured and uploaded to the service. While this step is ideally done by the hardware vendor (OEM, reseller, or distributor), automatically associating the device with an organization, it is also possible to do this through a harvesting process that collects the device from within a running Windows 10 version 1703 or later installation.
|
||||
|
||||
The hardware ID, also commonly referred to as a hardware hash, contains several details about the device, including its manufacturer, model, device serial number, hard drive serial number, and many other attributes that can be used to uniquely identify that device.
|
||||
|
||||
Note that the hardware hash also contains details about when it was generated, so it will change each time it is generated. When the Windows Autopilot Deployment Service attempts to match a device, it considers changes like that, as well as more substantial changes such as a new hard drive, and is still able to match successfully. But substantial changes to the hardware, such as motherboard replacement, would not match, so the device would need to be re-uploaded.
|
||||
|
||||
## Collecting the hardware ID from existing devices using PowerShell
|
||||
|
||||
The hardware ID, or hardware hash, for an existing device is available through Windows Management Instrumentation (WMI), as long as that device is running Windows 10 version 1703 or later. To help gather this information, as well as the serial number of the device (useful to see at a glance the machine to which it belongs), a PowerShell script called [Get-WindowsAutoPilotInfo.ps1 has been published to the PowerShell Gallery website](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo).
|
||||
|
||||
To use this script, you can download it from the PowerShell Gallery and run it on each computer, or you can install it directly from the PowerShell Gallery. To install it directly and capture the hardware hash from the local computer, these commands can be used:
|
||||
|
||||
*md c:\\HWID*
|
||||
|
||||
*Set-Location c:\\HWID*
|
||||
|
||||
*Set-ExecutionPolicy Unrestricted*
|
||||
|
||||
*Install-Script -Name Get-WindowsAutoPilotInfo*
|
||||
|
||||
*Get-WindowsAutoPilotInfo.ps1 -OutputFile AutoPilotHWID.csv*
|
||||
|
||||
Note that you must run this PowerShell script with administrator privileges (elevated). It can also be run remotely, as long as WMI permissions are in place and WMI is accessible through the Windows Firewall on that remote computer. See the Get-WindowsAutoPilotInfo script’s help (using “Get-Help Get-WindowsAutoPilotInfo.ps1”) for more information.
|
||||
|
||||
## Collecting the hardware ID from existing devices using System Center Configuration Manager
|
||||
|
||||
Starting with System Center Configuration Manager current branch version 1802, the hardware hashes for existing Windows 10 version 1703 and higher devices are automatically collected by Configuration Manager. See the [What’s new in version 1802](https://docs.microsoft.com/en-us/sccm/core/plan-design/changes/whats-new-in-version-1802#report-on-windows-autopilot-device-information) documentation for more details.
|
||||
|
||||
## Uploading hardware IDs
|
||||
|
||||
Once the hardware IDs have been captured from existing devices, they can be uploaded through a variety of means. See the detailed documentation for each available mechanism:
|
||||
|
||||
For guidance on how to register devices, configure and apply deployment profiles, follow one of the available administration options:
|
||||
|
||||
- [Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot)
|
||||
|
||||
- [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles)
|
||||
|
||||
- [Microsoft 365 Business & Office 365 Admin](https://support.office.com/article/Create-and-edit-AutoPilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa)
|
||||
|
||||
- [Partner Center](https://msdn.microsoft.com/partner-center/autopilot)
|
||||
|
||||
For those using Microsoft Intune, devices should normally be uploaded via Intune; for those using Microsoft 365 Business, its administrative portal would be used. For [Cloud Solution Provider (CSP)](https://partnercenter.microsoft.com/en-us/partner/cloud-solution-provider) partners uploading devices on the behalf of a customer that they are authorized to manage, Partner Center can be used. For any other scenario, the Microsoft Store for Business is available.
|
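Review bot: The command list under "Collecting the hardware ID from existing devices using PowerShell" tells the reader to run `Set-ExecutionPolicy Unrestricted` with no scope, which changes the policy for the whole machine, and none of the following steps reverts it. Suggest limiting it to the current session, for example `Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned`, and putting the five commands in a fenced code block instead of italic lines with escaped backslashes so they can be copied as typed. In "Device identification", "collects the device from within a running Windows 10 version 1703 or later installation" appears to be missing "hardware ID", and "Uploading hardware IDs" has two consecutive lead-in sentences before the list where one would do.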
32
windows/deployment/windows-autopilot/configure-autopilot.md
Normal file
@ -0,0 +1,32 @@
|
||||
---
|
||||
title: Configure Autopilot deployment
|
||||
description: How to configure Windows Autopilot deployment
|
||||
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.localizationpriority: high
|
||||
ms.sitesec: library
|
||||
ms.pagetype: deploy
|
||||
author: coreyp-at-msft
|
||||
ms.author: coreyp
|
||||
ms.date: 06/01/18
|
||||
---
|
||||
|
||||
# Configure Autopilot deployment
|
||||
|
||||
**Applies to**
|
||||
|
||||
- Windows 10
|
||||
|
||||
## Deploying new devices
|
||||
|
||||
When deploying new devices using Windows Autopilot, a common set of steps are required:
|
||||
|
||||
1. [Register devices with the Windows Autopilot deployment service](add-devices.md). Ideally, this step would be performed by the OEM, reseller, or distributor from which the devices were purchased, but this can also be done by the organization by collecting the hardware identity and uploading it manually.
|
||||
|
||||
2. [Assign a profile of settings to each device](profiles.md), specifying how the device should be deployed and what user experience should be presented.
|
||||
|
||||
3. Boot the device. When the device is connected to a network with internet access, it will contact the Windows Autopilot deployment service to see if the device is registered, and if it is, it will download the profile settings which are used to customize the end user experience.
|
||||
|
||||
<img src="./images/image2.png" width="511" height="249" />
|
||||
|
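Review bot: The image after step 3 is a raw `<img src="./images/image2.png" width="511" height="249" />` tag with no alt text and a generic file name; suggest adding a description of the diagram and renaming the file to say what it shows. In the sentence introducing the list, "a common set of steps are required" should read "is required", and the second sentence of step 1 repeats the opening paragraph of add-devices.md word for word, so the link alone may be enough.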
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Demo the Windows Autopilot Deployment Program on a Virtual Machine
|
||||
title: Demonstrate Autopilot deployment on a VM
|
||||
description: Step-by-step instructions on how to set-up a Virtual Machine with a Windows Autopilot deployment
|
||||
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
|
||||
ms.prod: w10
|
||||
@ -8,11 +8,11 @@ ms.localizationpriority: medium
|
||||
ms.sitesec: library
|
||||
ms.pagetype: deploy
|
||||
author: coreyp-at-msft
|
||||
ms.author: coreyp
|
||||
ms.date: 05/09/18
|
||||
ms.author: greg-lindsay
|
||||
ms.date: 07/13/18
|
||||
---
|
||||
|
||||
# Demo the Windows Autopilot Deployment Program on a Virtual Machine
|
||||
# Demonstrate Autopilot deployment on a VM
|
||||
|
||||
**Applies to**
|
||||
|
||||
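Review bot: The front matter now has `author: coreyp-at-msft` next to `ms.author: greg-lindsay`, so the two author fields name different people. If ownership of the page moved, `author` should change with it; otherwise `ms.author` should stay `coreyp`.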
@ -27,10 +27,10 @@ In this topic you'll learn how to set-up a Windows Autopilot deployment for a Vi
|
||||
|
||||
These are the thing you'll need on your device to get started:
|
||||
* Installation media for the latest version of Windows 10 Professional or Enterprise (ISO file)
|
||||
* Internet access (see [Network connectivity requirements](windows-10-autopilot.md#network-connectivity-requirements))
|
||||
* Internet access (see [Network connectivity requirements](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot#network-connectivity-requirements))
|
||||
* Hypervisor needs to be unoccupied, or used by Hyper-V, as we will be using Hyper-V to create the Virtual Machine
|
||||
|
||||
See additional prerequisites in the [Windows Autopilot overview topic](windows-10-autopilot.md#prerequisites).
|
||||
See additional prerequisites in the [Windows Autopilot overview topic](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot#prerequisites).
|
||||
|
||||
## Create your Virtual Machine
|
||||
|
||||
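Review bot: Both replaced links in the prerequisites block now use absolute `https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot#...` URLs, while the rest of this change links sibling pages relatively (for example `add-devices.md` and `troubleshooting.md`); a relative `windows-autopilot.md#...` link would be consistent and would keep working if the folder moves. Also confirm that the `#network-connectivity-requirements` and `#prerequisites` anchors still exist on that page, since the new TOC moves requirements into separate `windows-autopilot-requirements-*.md` files. The unchanged line "These are the thing you'll need" could be corrected to "things" while this block is being touched.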
@ -209,4 +209,3 @@ Once you select a language and a keyboard layout, your company branded sign-in s
|
||||
|
||||
Windows Autopilot will now take over to automatically join your Virtual Machine into Azure Active Directory and enroll it to Microsoft Intune. Use the checkpoints you've created to go through this process again with different settings.
|
||||
|
||||
Missing something in this topic? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=windows-10-autopilot-demo-vm.md).
|
52
windows/deployment/windows-autopilot/enrollment-status.md
Normal file
@ -0,0 +1,52 @@
|
||||
---
|
||||
title: Windows Autopilot Enrollment Status page
|
||||
description: Gives an overview of the enrollment status page capabilities, configuration
|
||||
keywords: Autopilot Plug and Forget, Windows 10
|
||||
ms.prod: w10
|
||||
ms.technology: Windows
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype:
|
||||
ms.localizationpriority: high
|
||||
author: coreyp-at-msft
|
||||
ms.author: coreyp
|
||||
ms.date: 06/01/2018
|
||||
---
|
||||
|
||||
# Windows Autopilot Enrollment Status page
|
||||
|
||||
The Windows Autopilot Enrollment Status page displaying the status of the complete device configuration process. Incorporating feedback from customers, this provides information to the user to show that the device is being set up and can be configured to prevent access to the desktop until the configuration is complete.
|
||||
|
||||

|
||||
|
||||
## Available settings
|
||||
|
||||
The following settings can be configured:
|
||||
|
||||
- Show app and profile installation progress. When enabled, the Enrollment Status page is displayed.
|
||||
- Block device use until all apps and profiles are installed. When enabled, the Enrollment Status page will be displayed until the device configuraton process is complete. When not enabled, the user can dismiss the page at any time.
|
||||
- Allow users to reset device if installation errors occur.
|
||||
- Allow users to use device if installation errors occur.
|
||||
- Show error when installation takes longer than the specified number of minutes.
|
||||
- Show custom error message when an error occurs.
|
||||
- Allow users to collect logs about installation errors.
|
||||
|
||||
## Installation progresss tracked
|
||||
|
||||
The Enrollment Status page tracks a subset of the available MDM CSP policies that are delivered to the device as part of the complete device configuration process. The specific types of policies that are tracked include:
|
||||
|
||||
- Certain types of app installations.
|
||||
- Enterprise modern apps (Appx/MSIX) installed by the [Enterprise Modern App Managment CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/enterprisemodernappmanagement-csp).
|
||||
- Enterprise desktop apps (single-file MSIs) installed by the [Enterprise Desktop App Management CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/enterprisedesktopappmanagement-csp).
|
||||
- Certain device configuration policies.
|
||||
|
||||
Presently the following types of policies are not tracked:
|
||||
|
||||
- Intune Management Extentions PowerShell scripts.
|
||||
- Office 365 ProPlus installations.
|
||||
- System Center Configuration Manager apps, packages, and task sequences.
|
||||
|
||||
## For more information
|
||||
|
||||
For more information on configuring the Enrollment Status page, [see the Microsoft Intune documentation](https://docs.microsoft.com/en-us/intune/windows-enrollment-status). For details about the underlying implementation, see the [FirstSyncStatus details in the DMClient CSP docuementation](https://docs.microsoft.com/en-us/windows/client-management/mdm/dmclient-csp).
|
||||
|
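Review bot: In "Available settings" only the first two bullets explain what the setting does; the remaining five, including "Allow users to use device if installation errors occur", are bare labels. Since the page says the status page "can be configured to prevent access to the desktop until the configuration is complete", suggest one sentence per setting saying what happens when it is enabled, and how the allow-on-error setting interacts with "Block device use until all apps and profiles are installed". The opening sentence is a fragment ("page displaying the status" should be "page displays the status"), and there are spelling errors to fix: "configuraton", "progresss" in the heading, "Managment", "Extentions" and "docuementation". `ms.pagetype:` is also left empty.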
BIN
windows/deployment/windows-autopilot/images/image1.png
Normal file
After Width: | Height: | Size: 113 KiB |
BIN
windows/deployment/windows-autopilot/images/image2.png
Normal file
After Width: | Height: | Size: 86 KiB |
BIN
windows/deployment/windows-autopilot/images/windows_glyph.png
Normal file
After Width: | Height: | Size: 537 B |
35
windows/deployment/windows-autopilot/profiles.md
Normal file
@ -0,0 +1,35 @@
|
||||
---
|
||||
title: Configure Autopilot profiles
|
||||
description: How to configure Windows Autopilot deployment
|
||||
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.localizationpriority: high
|
||||
ms.sitesec: library
|
||||
ms.pagetype: deploy
|
||||
author: coreyp-at-msft
|
||||
ms.author: coreyp
|
||||
ms.date: 06/01/18
|
||||
---
|
||||
|
||||
# Configure Autopilot profiles
|
||||
|
||||
**Applies to**
|
||||
|
||||
- Windows 10
|
||||
|
||||
For each device that has been defined to the Windows Autopilot deployment service, a profile of settings needs to be applied to specify the exact behavior of that device when it is deployed. The following profile settings are available:
|
||||
|
||||
- **Skip Cortana, OneDrive and OEM registration setup pages**. All devices registered with Autopilot will automatically skip these pages during the out-of-box experience (OOBE) process.
|
||||
|
||||
- **Automatically setup for work or school**. All devices registered with Autopilot will automatically be considered work or school devices, so this question will not be asked during the OOBE process.
|
||||
|
||||
- **Sign in experience with company branding**. Instead of presenting a generic Azure Active Directory sign-in page, all devices registered with Autopilot will automatically present a customized sign-in page with the organization’s name, logon, and additional help text, as configured in Azure Active Directory. See [Add company branding to your directory](https://docs.microsoft.com/azure/active-directory/customize-branding#add-company-branding-to-your-directory) to customize these settings.
|
||||
|
||||
- **Skip privacy settings**. This optional Autopilot profile setting enables organizations to not ask about privacy settings during the OOBE process. This is typically desirable so that the organization can configure these settings via Intune or other management tool.
|
||||
|
||||
- **Disable local admin account creation on the device**. Organizations can decide whether the user setting up the device should have administrator access once the process is complete.
|
||||
|
||||
- **Skip End User License Agreement (EULA)**. Starting in Windows 10 version 1709, organizations can decide to skip the EULA page presented during the OOBE process. This means that organizations accept the EULA terms on behalf of their users.
|
||||
|
||||
- **Disable Windows consumer features**. Starting in Windows 10 version 1803, organizations can disable Windows consumer features so that the device does not automatically install any additional Microsoft Store apps when the user first signs into the device. See the [MDM documentation](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsconsumerfeatures) for more details.
|
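Review bot: The "Disable local admin account creation on the device" bullet does not say what enabling the setting does: "Organizations can decide whether the user setting up the device should have administrator access" leaves open whether the user ends up a standard user or an administrator. Suggest stating the result of turning it on and the behavior when it is off. In the "Sign in experience with company branding" bullet, "logon" is probably meant to be "logo"; "Automatically setup" should be "set up"; and the front matter `description` is identical to the one in configure-autopilot.md.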
19
windows/deployment/windows-autopilot/rip-and-replace.md
Normal file
@ -0,0 +1,19 @@
|
||||
---
|
||||
title: Rip and Replace
|
||||
description: Listing of Autopilot scenarios
|
||||
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.localizationpriority: high
|
||||
ms.sitesec: library
|
||||
ms.pagetype: deploy
|
||||
author: coreyp-at-msft
|
||||
ms.author: coreyp
|
||||
ms.date: 06/01/2018
|
||||
---
|
||||
|
||||
# Rip and replace
|
||||
|
||||
**Applies to: Windows 10**
|
||||
|
||||
DO NOT PUBLISH. Just a placeholder for now, coming with 1809.
|
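Review bot: The body of this new file is "DO NOT PUBLISH. Just a placeholder for now, coming with 1809.", yet it is added under windows/deployment/windows-autopilot/ with complete front matter and nothing in the visible lines that would keep it out of a build. Suggest leaving it out of this change until the content exists. If it stays, the `description` "Listing of Autopilot scenarios" does not match the title.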
76
windows/deployment/windows-autopilot/self-deploying.md
Normal file
@ -0,0 +1,76 @@
|
||||
---
|
||||
title: Windows Autopilot Self-Deploying mode (Preview)
|
||||
description: Gives an overview of Autopilot Plug and Forget and how to use it.
|
||||
keywords: Autopilot Plug and Forget, Windows 10
|
||||
ms.prod: w10
|
||||
ms.technology: Windows
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype:
|
||||
ms.localizationpriority: high
|
||||
author: coreyp-at-msft
|
||||
ms.author: coreyp
|
||||
ms.date: 06/01/2018
|
||||
---
|
||||
|
||||
# Windows Autopilot Self-Deploying mode (Preview)
|
||||
|
||||
**Applies to: Windows 10, build 17672 or later**
|
||||
|
||||
Windows Autopilot self-deploying mode offers truly zero touch provisioning. With this mode, all you need to do is power on a device, plug it into Ethernet, and watch Windows Autopilot fully configure the device. No additional user interaction is required.
|
||||
>[!NOTE]
|
||||
>In order to display an organization-specific logo and organization name during the Autopilot process, Azure Active Directory Company Branding needs to be configured with the images and text that should be displayed. See [Quickstart: Add company branding to your sign-in page in Azure AD](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/customize-branding) for more details.
|
||||
|
||||

|
||||
|
||||
>[!NOTE]
|
||||
>While today there is a “Next” button that must be clicked to continue the deployment process, and an Activities opt-in page in OOBE, both of these will be removed in future Insider Preview builds to enable a completely automated deployment process – no user authentication or user interaction will be required.
|
||||
|
||||
Self-deploying mode can register the device into an organization’s Azure Active Directory tenant, enroll the device in the organization’s mobile device management (MDM) provider (leveraging Azure AD for automatic MDM enrollment), and ensure that all policies, applications, certificates, and networking profiles are provisioned on the device before the user ever logs on (levering the enrollment status page to prevent access to the desktop until the device is fully provisioned).
|
||||
|
||||
>[!NOTE]
|
||||
>Self-deploying mode does not support Active Directory Join or Hybrid Azure AD Join. All devices will be joined to Azure Active Directory.
|
||||
|
||||
Because self-deploying mode uses a device’s TPM 2.0 hardware to authenticate the device into an organization’s Azure AD tenant, devices without TPM 2.0 cannot be used with this mode.
|
||||
|
||||
>[!NOTE]
|
||||
>If you attempt a self-deploying mode deployment on a device that does not have support TPM 2.0 or on a virtual machine, the process will fail when verifying the device with an 0x800705B4 timeout error.
|
||||
|
||||
Windows Autopilot self-deploying mode enables you to effortlessly deploy Windows 10 as a kiosk, digital signage device, or a shared device. When setting up a kiosk, you can leverage the new Kiosk Browser, an app built on Microsoft Edge that can be used to create a tailored, MDM-managed browsing experience. When combined with MDM policies to create a local account and configure it to automatically log on, the complete configuration of the device can be automated. Find out more about these options by reading simplifying kiosk management for IT with Windows 10. See [Set up a kiosk or digital sign in Intune or other MDM service](https://docs.microsoft.com/en-us/windows/configuration/setup-kiosk-digital-signage#set-up-a-kiosk-or-digital-sign-in-intune-or-other-mdm-service) for additional details.
|
||||
|
||||
Windows Autopilot self-deploying mode is available on Windows 10 build 17672 or higher. When configuring an Autopilot profile in Microsoft Intune, you’ll see a new drop-down menu that asks for the deployment mode. In that menu, select Self-deploying (preview) and apply that profile to the devices you’d like to validate.
|
||||
|
||||
## Step by step
|
||||
|
||||
In order to perform a self-deploying mode deployment using Windows Autopilot, the following preparation steps need to be completed:
|
||||
|
||||
- Create an Autopilot profile for self-deploying mode with the desired settings. In Microsoft Intune, this mode is explicitly chosen when creating the profile. (Note that it is not possible to create a profile in the Microsoft Store for Business or Partner Center for self-deploying mode.)
|
||||
- If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group.
|
||||
|
||||
For each machine that will be deployed using self-deploying mode, these additional steps are needed:
|
||||
|
||||
- Ensure that the device supports TPM 2.0 and device attestation. (Note that virtual machines are not supported.)
|
||||
- Ensure that the device has been added to Windows Autopilot. This can be done automatically by an OEM or partner at the time the device is purchased, or it can be done through a manual harvesting process later. See [Adding devices to Windows Autopilot](add-devices.md) for more information.
|
||||
- Ensure an Autopilot profile has been assigned to the device:
|
||||
- If using Intune and Azure Active Directory dynamic device groups, this can be done automatically.
|
||||
- If using Intune and Azure Active Directory static device groups, manually add the device to the device group.
|
||||
- If using other methods (e.g. Microsoft Store for Business or Partner Center), manually assign an Autopilot profile to the device.
|
||||
|
||||
## Validation
|
||||
|
||||
When performing a self-deploying mode deployment using Windows Autopilot, the following end-user experience should be observed:
|
||||
|
||||
- Once connected to a network, the Autopilot profile will be downloaded.
|
||||
- If the Autopilot profile has been configured to automatically configure the language, locale, and keyboard layout, these OOBE screens should be skipped as long as Ethernet connectivity is available. Otherwise, manual steps are required:
|
||||
- If multiple languages are preinstalled in Windows 10, the user must pick a language.
|
||||
- The user must pick a locale and a keyboard layout, and optionally a second keyboard layout.
|
||||
- If connected via Ethernet, no network prompt is expected. If no Ethernet connection is available and Wi-fi is built in, the user needs to connect to a wireless network.
|
||||
- Windows 10 will check for critical OOBE updates, and if any are available they will be automatically installed (rebooting if required).
|
||||
- The device will join Azure Active Directory.
|
||||
- After joining Azure Active Directory, the device will enroll in Intune (or other configured MDM services).
|
||||
- The [enrollment status page](enrollment-status.md) will be displayed.
|
||||
- Depending on the device settings deployed, the device will either:
|
||||
- Remain at the logon screen, where any member of the organization can log on by specifying their Azure AD credentials.
|
||||
- Automatically sign in as a local account, for devices configured as a kiosk or digital signage.
|
||||
|
||||
In case the observed results do not match these expectations, consult the [Windows Autopilot Troubleshooting](troubleshooting.md) documentation.
|
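Review bot: The opening paragraph says "No additional user interaction is required", but the second note says a "Next" button must be clicked and an Activities opt-in page is shown, and the Validation list has the user picking a language, locale, keyboard layout and wireless network in some cases; suggest qualifying the opening claim for the preview. The front matter `description` and `keywords` still say "Autopilot Plug and Forget" rather than the title's "Self-Deploying mode". Smaller fixes: "levering the enrollment status page" should be "leveraging", "does not have support TPM 2.0" should be "does not support TPM 2.0", and "by reading simplifying kiosk management for IT with Windows 10" reads like a link whose target was dropped.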
92
windows/deployment/windows-autopilot/troubleshooting.md
Normal file
@ -0,0 +1,92 @@
|
||||
---
|
||||
title: Troubleshooting Windows Autopilot
|
||||
description: This topic goes over Windows Autopilot and how it helps setup OOBE Windows 10 devices.
|
||||
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.localizationpriority: high
|
||||
ms.sitesec: library
|
||||
ms.pagetype: deploy
|
||||
author: coreyp-at-msft
|
||||
ms.author: coreyp
|
||||
ms.date: 06/01/2018
|
||||
---
|
||||
|
||||
# Troubleshooting Windows Autopilot
|
||||
|
||||
**Applies to: Windows 10**
|
||||
|
||||
Windows Autopilot is designed to simplify all parts of the Windows device lifecycle, but there are always situations where issues may arise, either due to configuration or other issues. To assist with troubleshooting efforts, review the following information.
|
||||
|
||||
## Windows Autopilot deployment
|
||||
|
||||
Regardless of whether performing user-driven or self-deploying device deployments, the troubleshooting process is the mostly the same. It is useful to understand the flow for a specific device:
|
||||
|
||||
- Network connection established. This can be a wireless (Wi-fi) or wired (Ethernet) connection.
|
||||
- Windows Autopilot profile downloaded. Whether using a wired connection or manually establishing a wireless connection, the Windows Autopilot profile will be downloaded from the Autopilot deployment service as soon as the network connection is in place.
|
||||
- User authentication. When performing a user-driven deployment, the user will enter their Azure Active Directory credentials, which will be validated.
|
||||
- Azure Active Directory join. For user-driven deployments, the device will be joined to Azure AD using the specified user credentials. For self-deploying scenarios, the device will be joined without specifying any user credentials.
|
||||
- Automatic MDM enrollment. As part of the Azure AD join process, the device will enroll in the MDM service configured in Azure AD (e.g. Microsoft Intune).
|
||||
- Settings are applied. If the [enrollment status page](enrollment-status.md) is configured, most settings will be applied while the enrollment status page is displayed. If not configured or available, settings will be applied after the user is signed in.
|
||||
|
||||
For troubleshooting, key activities to perform are:
|
||||
|
||||
- Configuration. Has Azure Active Directory and Microsoft Intune (or an equivalent MDM service) been configured as specified in [Windows Autopilot configuration requirements](windows-autopilot-requirements-configuration.md)?
|
||||
- Network connectivity. Can the device access the services described in [Windows Autopilot networking requirements](windows-autopilot-requirements-network.md)?
|
||||
- Autopilot OOBE behavior. Were only the expected out-of-box experience screens displayed? Was the Azure AD credentials page customized with organization-specific details as expected?
|
||||
- Azure AD join issues. Was the device able to join Azure Active Directory?
|
||||
- MDM enrollment issues. Was the device able to enroll in Microsoft Intune (or an equivalent MDM service)?
|
||||
|
||||
### Troubleshooting Autopilot OOBE issues
|
||||
|
||||
If the expected Autopilot behavior does not occur during the out-of-box experience (OOBE), it is useful to see whether the device received an Autopilot profile and what settings that profile contained. Depending on the Windows 10 release, there are different mechanisms available to do that.
|
||||
|
||||
#### Windows 10 version 1803 and above
|
||||
|
||||
To see details related to the Autopilot profile settings and OOBE flow, Windows 10 version 1803 and above adds event log entries. These can be viewed using Event Viewer, navigating to the log at **Application and Services Logs –> Microsoft –> Windows –> Provisioning-Diagnostics-Provider –> AutoPilot**. The following events may be recorded, depending on the scenario and profile configuration.
|
||||
|
||||
| Event ID | Type | Description |
|
||||
|----------|------|-------------|
|
||||
| 100 | Warning | “AutoPilot policy [name] not found.” This is typically a temporary problem, while the device is waiting for an Autopilot profile to be downloaded. |
|
||||
| 101 | Info | “AutoPilotGetPolicyDwordByName succeeded: policy name = [setting name]; policy value [value].” This shows Autopilot retrieving and processing numeric OOBE settings. |
|
||||
| 103 | Info | “AutoPilotGetPolicyStringByName succeeded: policy name = [name]; value = [value].” This shows Autopilot retrieving and processing OOBE setting strings such as the Azure AD tenant name. |
|
||||
| 109 | Info | “AutoPilotGetOobeSettingsOverride succeeded: OOBE setting [setting name]; state = [state].” This shows Autopilot retrieving and processing state-related OOBE settings. |
|
||||
| 111 | Info | “AutoPilotRetrieveSettings succeeded.” This means that the settings stored in the Autopilot profile that control the OOBE behavior have been retrieved successfully. |
|
||||
| 153 | Info | “AutoPilotManager reported the state changed from [original state] to [new state].” Typically this should say “ProfileState_Unknown” to “ProfileState_Available” to show that a profile was available for the device and downloaded, so the device is ready to be deployed using Autopilot. |
|
||||
| 160 | Info | “AutoPilotRetrieveSettings beginning acquisition.” This shows that Autopilot is getting ready to download the needed Autopilot profile settings. |
|
||||
| 161 | Info | “AutoPilotManager retrieve settings succeeded.” The Autopilot profile was successfully downloaded. |
|
||||
| 163 | Info | “AutoPilotManager determined download is not required and the device is already provisioned. Clean or reset the device to change this.” This message indicates that an Autopilot profile is resident on the device; it typically would only be removed by the **Sysprep /Generalize** process. |
|
||||
| 164 | Info | “AutoPilotManager determined Internet is available to attempt policy download.” |
|
||||
| 171 | Error | “AutoPilotManager failed to set TPM identity confirmed. HRESULT=[error code].” This indicates an issue performing TPM attestation, needed to complete the self-deploying mode process. |
|
||||
| 172 | Error | “AutoPilotManager failed to set AutoPilot profile as available. HRESULT=[error code].” This is typically related to event ID 171. |
|
||||
|
||||
In addition to the event log entries, the registry and ETW trace options described below also work with Windows 10 version 1803 and above.
|
||||
|
||||
#### Windows 10 version 1709 and above
|
||||
|
||||
On Windows 10 version 1709 and above, information about the Autopilot profile settings are stored in the registry on the device after they are received from the Autopilot deployment service. These can be found at **HKLM\SOFTWARE\Microsoft\Provisioning\Diagnostics\AutoPilot**. Available registry entries include:
|
||||
|
||||
| Value | Description |
|
||||
|-------|-------------|
|
||||
| AadTenantId | The GUID of the Azure AD tenant the user signed into. This should match the tenant that the device was registered with; if it does not match the user will receive an error. |
|
||||
| CloudAssignedTenantDomain | The Azure AD tenant the device has been registered with, e.g. “contosomn.onmicrosoft.com.” If the device is not registered with Autopilot, this value will be blank. |
|
||||
| CloudAssignedTenantId | The GUID of the Azure AD tenant the device has been registered with (the GUID corresponds to the tenant domain from the CloudAssignedTenantDomain registry value). If the device isn’t registered with Autopilot, this value will be blank.|
|
||||
| IsAutoPilotDisabled | If set to 1, this indicates that the device is not registered with Autopilot. This could also indicate that the Autopilot profile could not be downloaded due to network connectivity or firewall issues, or network timeouts. |
|
||||
| TenantMatched | This will be set to 1 if the tenant ID of the user matches the tenant ID that the device was registered with. If this is 0, the user would be shown an error and forced to start over. |
|
||||
| CloudAssignedOobeConfig | This is a bitmap that shows which Autopilot settings were configured. Values include: SkipCortanaOptIn = 1, OobeUserNotLocalAdmin = 2, SkipExpressSettings = 4, SkipOemRegistration = 8, SkipEula = 16 |
|
||||
|
||||
#### Windows 10 version 1703 and above
|
||||
|
||||
On Windows 10 version 1703 and above, ETW tracing can be used to capture detailed information from Autopilot and related components. The resulting ETW trace files can then be viewed using the Windows Performance Analyzer or similar tools. See [the advanced troubleshooting blog](https://blogs.technet.microsoft.com/mniehaus/2017/12/13/troubleshooting-windows-autopilot-level-300400/) for more information.
|
||||
|
||||
### Troubleshooting Azure AD Join issues
|
||||
|
||||
The most common issue joining a device to Azure AD is related to Azure AD permissions. Ensure [the correct configuration is in place](windows-autopilot-requirements-configuration.md) to allow users to join devices to Azure AD. Errors can also happen if the user has exceeded the number of devices that they are allowed to join, as configured in Azure AD.
|
||||
|
||||
Error code 801C0003 will typically be reported on an error page titled "Something went wrong." This error means that the Azure AD join failed.
|
||||
|
||||
### Troubleshooting Intune enrollment issues
|
||||
|
||||
See [this knowledge base article](https://support.microsoft.com/en-us/help/4089533/troubleshooting-windows-device-enrollment-problems-in-microsoft-intune) for assistance with Intune enrollment issues. Common issues include incorrect or missing licenses assigned to the user or too many devices enrolled for the user.
|
||||
|
||||
Error code 80180018 will typiclaly be reported on an error page titled "Something went wrong." This error means that the MDM enrollment failed.
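Review bot: The front-matter description in troubleshooting.md ("This topic goes over Windows Autopilot and how it helps setup OOBE Windows 10 devices.") is the same text used in the requirements topics and does not describe a troubleshooting page. Please replace it with a summary of what this topic covers (event IDs, registry values, ETW tracing, join and enrollment error codes). There are also wording slips to fix before publishing: "the troubleshooting process is the mostly the same" in the deployment section, "information about the Autopilot profile settings are stored" in the 1709 section, and "typiclaly" in the last line of the Intune enrollment section.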
|
19
windows/deployment/windows-autopilot/user-driven-aad.md
Normal file
@ -0,0 +1,19 @@
|
||||
---
|
||||
title: User-driven mode for AAD
|
||||
description: Listing of Autopilot scenarios
|
||||
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.localizationpriority: high
|
||||
ms.sitesec: library
|
||||
ms.pagetype: deploy
|
||||
author: coreyp-at-msft
|
||||
ms.author: coreyp
|
||||
ms.date: 06/01/2018
|
||||
---
|
||||
|
||||
# Windows Autopilot user-driven mode for Azure Active Directory
|
||||
|
||||
**Applies to: Windows 10**
|
||||
|
||||
DO NOT PUBLISH. This eventually will contain the AAD-specific instuctions currently in user-driven.md.
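Review bot: The body of user-driven-aad.md is a "DO NOT PUBLISH" placeholder, and nothing in this hunk keeps the file out of the published output once the PR is merged. Either hold the file back until the content exists or confirm that it is excluded from the TOC and build. The description "Listing of Autopilot scenarios" also does not match the topic, and "instuctions" is misspelled.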
|
20
windows/deployment/windows-autopilot/user-driven-hybrid.md
Normal file
@ -0,0 +1,20 @@
|
||||
---
|
||||
title: Hybrid AAD Join
|
||||
description: Listing of Autopilot scenarios
|
||||
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.localizationpriority: high
|
||||
ms.sitesec: library
|
||||
ms.pagetype: deploy
|
||||
author: coreyp-at-msft
|
||||
ms.author: coreyp
|
||||
ms.date: 06/01/2018
|
||||
---
|
||||
|
||||
|
||||
# Windows Autopilot user-driven mode for Hybrid Azure Active Directory Join
|
||||
|
||||
**Applies to: Windows 10**
|
||||
|
||||
DO NOT PUBLISH. This eventually will contain the AD-specific (hybrid) instuctions. This will be in preview at a later point in time.
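Review bot: The front-matter title "Hybrid AAD Join" in user-driven-hybrid.md does not match the H1 "Windows Autopilot user-driven mode for Hybrid Azure Active Directory Join", so the page title and the heading will disagree if the file is ever built. Please align the two. The same placeholder concerns apply here as well: the body is marked "DO NOT PUBLISH", the description is "Listing of Autopilot scenarios", and "instuctions" is misspelled.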
|
62
windows/deployment/windows-autopilot/user-driven.md
Normal file
@ -0,0 +1,62 @@
|
||||
---
|
||||
title: Windows Autopilot User-Driven Mode
|
||||
description: Canonical Autopilot scenario
|
||||
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.localizationpriority: high
|
||||
ms.sitesec: library
|
||||
ms.pagetype: deploy
|
||||
author: coreyp-at-msft
|
||||
ms.author: coreyp
|
||||
ms.date: 06/01/2018
|
||||
---
|
||||
|
||||
# Windows Autopilot User-Driven Mode
|
||||
|
||||
**Applies to: Windows 10 version 1703 and above**
|
||||
|
||||
Windows Autopilot user-driven mode is designed to enable new Windows 10 devices to be transformed from their initial state, directly from the factory, into a ready-to-use state without requiring that IT personnel ever touch the device. The process is designed to be simple so that anyone can complete it, enabling devices to be shipped or distributed to the end user directly with simple instructions:
|
||||
|
||||
- Unbox the device, plug it in, and turn it on.
|
||||
- Choose a language, locale and keyboard.
|
||||
- Connect it to a wireless or wired network with internet access.
|
||||
- Specify your e-mail address and password for your organization account.
|
||||
|
||||
After completing those simple steps, the remainder of the process is completely automated, with the device being joined to the organization, enrolled in Intune (or another MDM service), and fully configured as defined by the organization. Any additional prompts during the Out-of-Box Experience (OOBE) can be supressed; see [Configuring Autopilot Profiles](profiles.md) for options that are available.
|
||||
|
||||
Today, Windows Autopilot user-driven mode supports joining devices to Azure Active Directory. Support for Hybrid Azure Active Directory Join (with devices joined to an on-premises Active Directory domain) will be available in a future Windows 10 release. See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/device-management-introduction) for more information about the differences between these two join options.
|
||||
|
||||
## Step by step
|
||||
|
||||
In order to perform a user-driven deployment using Windows Autopilot, the following preparation steps need to be completed:
|
||||
|
||||
- Ensure that the users who will be performing user-driven mode deployments are able to join devices to Azure Active Directory. See [Configure device settings](https://docs.microsoft.com/en-us/azure/active-directory/device-management-azure-portal#configure-device-settings) in the Azure Active Directory documentation for more information.
|
||||
- Create an Autopilot profile for user-driven mode with the desired settings. In Microsoft Intune, this mode is explicitly chosen when creating the profile. With Microsoft Store for Business and Partner Center, user-driven mode is the default and does not need to be selected.
|
||||
- If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group.
|
||||
|
||||
For each machine that will be deployed using user-driven deployment, these additional steps are needed:
|
||||
|
||||
- Ensure that the device has been added to Windows Autopilot. This can be done automatically by an OEM or partner at the time the device is purchased, or it can be done through a manual harvesting process later. See [Adding devices to Windows Autopilot](add-devices.md) for more information.
|
||||
- Ensure an Autopilot profile has been assigned to the device:
|
||||
- If using Intune and Azure Active Directory dynamic device groups, this can be done automatically.
|
||||
- If using Intune and Azure Active Directory static device groups, manually add the device to the device group.
|
||||
- If using other methods (e.g. Microsoft Store for Business or Partner Center), manually assign an Autopilot profile to the device.
|
||||
|
||||
## Validation
|
||||
|
||||
When performing a user-driven deployment using Windows Autopilot, the following end-user experience should be observed:
|
||||
|
||||
- If multiple languages are preinstalled in Windows 10, the user must pick a language.
|
||||
- The user must pick a locale and a keyboard layout, and optionally a second keyboard layout.
|
||||
- If connected via Ethernet, no network prompt is expected. If no Ethernet connection is available and Wi-fi is built in, the user needs to connect to a wireless network.
|
||||
- Once connected to a network, the Autopilot profile will be downloaded.
|
||||
- Windows 10 will check for critical OOBE updates, and if any are available they will be automatically installed (rebooting if required).
|
||||
- The user will be prompted for Azure Active Directory credentials, with a customized user experience showing the Azure AD tenant name, logo, and sign-in text.
|
||||
- Once correct credentials have been entered, the device will join Azure Active Directory.
|
||||
- After joining Azure Active Directory, the device will enroll in Intune (or other configured MDM services).
|
||||
- If configured, the [enrollment status page](enrollment-status.md) will be displayed.
|
||||
- Once the device configuration tasks have completed, the user will be signed into Windows 10 using the credentials they previously provided.
|
||||
- Once signed in, the enrollment status page will again be displayed for user-targeted configuration tasks.
|
||||
|
||||
In case the observed results do not match these expectations, consult the [Windows Autopilot Troubleshooting](troubleshooting.md) documentation.
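Review bot: The paragraph beginning "Today, Windows Autopilot user-driven mode supports joining devices to Azure Active Directory" ties the statement to the publication date and to an unnamed "future Windows 10 release", which will read as stale later. Consider stating the supported Windows 10 versions explicitly instead. Also, "supressed" in the paragraph before it should be "suppressed", and the description "Canonical Autopilot scenario" gives readers and search no indication of what the topic covers.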
|
@ -0,0 +1,34 @@
|
||||
---
|
||||
title: Windows Autopilot configuration requirements
|
||||
description: This topic goes over Windows Autopilot and how it helps setup OOBE Windows 10 devices.
|
||||
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.localizationpriority: high
|
||||
ms.sitesec: library
|
||||
ms.pagetype: deploy
|
||||
author: coreyp-at-msft
|
||||
ms.author: coreyp
|
||||
ms.date: 06/01/2018
|
||||
---
|
||||
|
||||
# Windows Autopilot configuration requirements
|
||||
|
||||
**Applies to: Windows 10**
|
||||
|
||||
Before Windows Autopilot can be used, some configuration tasks are required to support the common Autopilot scenarios.
|
||||
|
||||
- Configure Azure Active Directory automatic enrollment. For Microsoft Intune, see [Enable Windows 10 automatic enrollment](https://docs.microsoft.com/en-us/intune/windows-enroll#enable-windows-10-automatic-enrollment) for details. If using a different MDM service, contact the vendor for the specific URLs or configuration needed for those services.
|
||||
- Configure Azure Active Directory custom branding. In order to display an organization-specific logon page during the Autopilot process, Azure Active Directory needs to be configured with the images and text that should be displayed. See [Quickstart: Add company branding to your sign-in page in Azure AD](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/customize-branding) for more details. Note that the "square logo" and "sign-in page text" are the key elements for Autopilot, as well as the Azure Active Directory tenant name (configured separately in the Azure AD tenant properties).
|
||||
- Enable [Windows Subscription Activation](https://docs.microsoft.com/en-us/windows/deployment/windows-10-enterprise-subscription-activation) if desired, in order to automatically step up from Windows 10 Pro to Windows 10 Enterprise.
|
||||
|
||||
Specific scenarios will then have additional requirements. Generally, there are two specific tasks:
|
||||
|
||||
- Device registration. Devices need to be added to Windows Autopilot to support most Windows Autopilot scenarios. See [Adding devices to Windows Autopilot](add-devices.md) for more details.
|
||||
- Profile configuration. Once devices have been added to Windows Autopilot, a profile of settings needs to be applied to each device. See [Configure Autopilot profiles](profiles.md) for details. Note that Microsoft Intune can automate this profile assignment; see [Create an AutoPilot device group](https://docs.microsoft.com/en-us/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Assign an AutoPilot deployment profile to a device group](https://docs.microsoft.com/en-us/intune/enrollment-autopilot#assign-an-autopilot-deployment-profile-to-a-device-group) for more information.
|
||||
|
||||
See [Windows Autopilot Scenarios](windows-autopilot-scenarios.md) for additional details.
|
||||
|
||||
For a walkthrough for some of these and related steps, see this video:
|
||||
</br>
|
||||
<iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/KYVptkpsOqs" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe>
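Review bot: The `</br>` before the iframe at the end of the configuration requirements topic is not a valid tag; use `<br>` or `<br/>`, or drop it and rely on a blank line. The embedded video is also the only pointer given for the walkthrough, so a plain link to it alongside the iframe would help where the embed is blocked or not rendered. The front-matter description is the generic Autopilot overview sentence rather than a description of the configuration requirements.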
|
@ -0,0 +1,37 @@
|
||||
---
|
||||
title: Windows Autopilot licensing requirements
|
||||
description: This topic goes over Windows Autopilot and how it helps setup OOBE Windows 10 devices.
|
||||
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.localizationpriority: high
|
||||
ms.sitesec: library
|
||||
ms.pagetype: deploy
|
||||
author: coreyp-at-msft
|
||||
ms.author: coreyp
|
||||
ms.date: 06/01/2018
|
||||
---
|
||||
|
||||
# Windows Autopilot licesning requirements
|
||||
|
||||
**Applies to: Windows 10**
|
||||
|
||||
Windows Autopilot depends on specific capabilities available in Windows 10 and Azure Active Directory; it also requires an MDM service such as Microsoft Intune. These capabilities can be obtained through various editions and subscription programs:
|
||||
|
||||
- Windows 10 version 1703 or higher must be used. The Professional, Professional for Education, Business, Enterprise, and Education editions are supported.
|
||||
|
||||
- One of the following, to provide needed Azure Active Directory (automatic MDM enrollment and company branding features) and MDM functionality:
|
||||
|
||||
- Microsoft 365 Business subscriptions
|
||||
|
||||
- Microsoft 365 Enterprise E3 or E5 subscriptions, which include all Windows 10, Office 365, and EM+S features (Azure AD and Intune)
|
||||
|
||||
- Enterprise Mobility + Security E3 or E5 subscriptions, which include all needed Azure AD and Intune features
|
||||
|
||||
- Azure Active Directory Premium P1 or P2 and Intune subscriptions (or an alternative MDM service)
|
||||
|
||||
Additionally, the following are also recommended but not required:
|
||||
|
||||
- Office 365 ProPlus, which can be deployed easily via Intune (or other MDM services)
|
||||
|
||||
- [Windows Subscription Activation](https://docs.microsoft.com/en-us/windows/deployment/windows-10-enterprise-subscription-activation), to automatically step up devices from Windows 10 Pro to Windows 10 Enterprise
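Review bot: The H1 in the licensing topic reads "# Windows Autopilot licesning requirements"; it should be "licensing", matching the front-matter title. In the edition list, "Professional" and "Professional for Education" are used where the rest of this PR refers to "Windows 10 Pro"; please pick one form. The sub-bullets under "One of the following" appear at the same level as their parent in this view, so check that they are indented as nested items in the source.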
|
@ -0,0 +1,83 @@
|
||||
---
|
||||
title: Windows Autopilot networking requirements
|
||||
description: This topic goes over Windows Autopilot and how it helps setup OOBE Windows 10 devices.
|
||||
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.localizationpriority: high
|
||||
ms.sitesec: library
|
||||
ms.pagetype: deploy
|
||||
author: coreyp-at-msft
|
||||
ms.author: coreyp
|
||||
ms.date: 06/01/2018
|
||||
---
|
||||
|
||||
# Windows Autopilot networking requirements
|
||||
|
||||
**Applies to: Windows 10**
|
||||
|
||||
Windows Autopilot depends on a variety of internet-based services; access to these services must be provided for Autopilot to function properly. In the simplest case, enabling proper functionality can be achieved by ensuring the following:
|
||||
|
||||
- Ensure DNS name resolution for internet DNS names
|
||||
|
||||
- Allow access to all hosts via port 80 (HTTP), 443 (HTTPS), and 123 (UDP/NTP)
|
||||
|
||||
In environments that have more restrictive internet access, or for those that require authentication before internet access can be obtained, additional configuration may be required to whitelist access to the needed services. For additional details about each of these services and their specific requirements, review the following details:
|
||||
|
||||
- **Windows Autopilot Deployment Service (and Windows Activation).** After a network connection is in place, each Windows 10 device will contact the Windows Autopilot Deployment Service using the same services used for Windows Activation. See the following link for details:
|
||||
|
||||
- <https://support.microsoft.com/en-us/help/921471/windows-activation-or-validation-fails-with-error-code-0x8004fe33>
|
||||
|
||||
- **Azure Active Directory.** User credentials are validated by Azure Active Directory, then the device may also be joined to Azure Active Directory. See the following link for more information:
|
||||
|
||||
- <https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2>
|
||||
|
||||
- **Intune.** Once authenticated, Azure Active Directory will trigger the enrollment of the device into the Intune MDM service. See the following link for details:
|
||||
|
||||
- <https://docs.microsoft.com/en-us/intune/network-bandwidth-use> (Network communication requirements section)
|
||||
|
||||
- **Windows Update.** During the OOBE process, as well as after the Windows 10 OS is fully configured, the Windows Update service is leveraged to retrieve needed updates.
|
||||
|
||||
- <https://support.microsoft.com/en-us/help/818018/how-to-solve-connection-problems-concerning-windows-update-or-microsof>
|
||||
|
||||
- NOTE: If Windows Update is inaccessible, the AutoPilot process will still continue.
|
||||
|
||||
- **Delivery Optimization.** When downloading Windows Updates and Microsoft Store apps and app updates (with additional content types expected in the future), the Delivery Optimization service is contacted to enable peer-to-peer sharing of content, so that all devices don’t need to download it from the internet.
|
||||
|
||||
- <https://docs.microsoft.com/en-us/windows/deployment/update/waas-delivery-optimization>
|
||||
|
||||
- NOTE: If Delivery Optimization is inaccessible, the AutoPilot process will still continue.
|
||||
|
||||
- **Network Time Protocol (NTP) Sync.** When a Windows device starts up, it will talk to a network time server to ensure that the time on the device is accurate.
|
||||
|
||||
- Ensure that UDP port 123 to time.windows.com is accessible.
|
||||
|
||||
- **Domain Name Services (DNS).** To resolve DNS names for all services, the device communicates with a DNS server, typically provided via DHCP. This DNS server must be able to resolve internet names.
|
||||
|
||||
- **Diagnostics data.** To enable Windows Analytics and related diagnostics capabilities, see the following documentation:
|
||||
|
||||
- <https://docs.microsoft.com/en-us/windows/configuration/configure-windows-diagnostic-data-in-your-organization>
|
||||
|
||||
- NOTE: If diagnostic data cannot be sent, the Autopilot process will still continue.
|
||||
|
||||
- **Network Connection Status Indicator (NCSI).** Windows must be able to tell that the device is able to access the internet.
|
||||
|
||||
- <https://docs.microsoft.com/en-us/windows/configuration/manage-windows-endpoints-version-1709> (Network Connection Status Indicator section, [www.msftconnecttest.com](http://www.msftconnecttest.com) must be resolvable via DNS and accessible via HTTP)
|
||||
|
||||
- **Windows Notification Services (WNS).** This service is used to enable Windows to receive notifications from apps and services.
|
||||
|
||||
- <https://docs.microsoft.com/en-us/windows/configuration/manage-windows-endpoints-version-1709> (Microsoft store section)
|
||||
|
||||
- NOTE: If the WNS services are not available, the Autopilot process will still continue.
|
||||
|
||||
- **Microsoft Store, Microsoft Store for Business.** Apps in the Microsoft Store can be pushed to the device, triggered via Intune (MDM). App updates and additional apps may also be needed when the user first logs in.
|
||||
|
||||
- <https://docs.microsoft.com/en-us/microsoft-store/prerequisites-microsoft-store-for-business> (also includes Azure AD and Windows Notification Services)
|
||||
|
||||
- NOTE: If the Microsoft Store is not accessible, the AutoPilot process will still continue.
|
||||
|
||||
- **Office 365.** As part of the Intune device configuration, installation of Office 365 ProPlus may be required.
|
||||
|
||||
- <https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2> (includes all Office services, DNS names, IP addresses; includes Azure AD and other services that may overlap with those listed above)
|
||||
|
||||
- **Certificate revocation lists (CRLs).** Some of these services will also need to check certificate revocation lists (CRLs) for certificates used in the services. A full list of these is documented in the Office documentation at <https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2#bkmk_crl> and <https://aka.ms/o365chains>.
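Review bot: The "simplest case" bullet "Allow access to all hosts via port 80 (HTTP), 443 (HTTPS), and 123 (UDP/NTP)" does not say in which direction or from where. Please state that this is outbound access from the device being deployed, so it is not read as a rule permitting inbound traffic. The NOTE lines alternate between "AutoPilot" and "Autopilot" (Windows Update, Delivery Optimization and Microsoft Store use the former; diagnostics data and WNS the latter), and the Windows Update bullet is the only linked service without a "See the following link" lead-in. The NCSI entry requires plain HTTP access to www.msftconnecttest.com, which is worth calling out explicitly for environments that otherwise permit only HTTPS.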
|
@ -0,0 +1,23 @@
|
||||
---
|
||||
title: Windows Autopilot requirements
|
||||
description: This topic goes over Windows Autopilot and how it helps setup OOBE Windows 10 devices.
|
||||
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.localizationpriority: high
|
||||
ms.sitesec: library
|
||||
ms.pagetype: deploy
|
||||
author: coreyp-at-msft
|
||||
ms.author: coreyp
|
||||
ms.date: 06/01/2018
|
||||
---
|
||||
|
||||
# Windows Autopilot requirements
|
||||
|
||||
**Applies to: Windows 10**
|
||||
|
||||
Windows Autopilot depends on specific capabilities available in Windows 10, Azure Active Directory, and MDM services such as Microsoft Intune. In order to use Windows Autopilot and leverage these capabilities, some requirements must be met:
|
||||
|
||||
- [Licensing requirements](windows-autopilot-requirements-licensing.md) must be met.
|
||||
- [Networking requirements](windows-autopilot-requirements-network.md) need to be met.
|
||||
- [Configuration requirements](windows-autopilot-requirements-configuration.md) need to be completed.
|
@ -0,0 +1,64 @@
|
||||
---
|
||||
title: Reset devices using local Windows Autopilot Reset
|
||||
description: Gives an overview of Local Autopilot Reset and how to use it.
|
||||
keywords: Autopilot Reset, Windows 10
|
||||
ms.prod: w10
|
||||
ms.technology: Windows
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype:
|
||||
ms.localizationpriority: high
|
||||
author: coreyp-at-msft
|
||||
ms.author: coreyp
|
||||
ms.date: 06/01/2018
|
||||
---
|
||||
|
||||
# Reset devices with local Windows Autopilot Reset
|
||||
|
||||
**Applies to: Windows 10, version 1709 and above
|
||||
|
||||
IT admins can perform a local Windows Autopilot Reset to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen any time and apply original settings and management enrollment (Azure Active Directory and device management) so the devices are ready to use. With a local Autopilot Reset, devices are returned to a fully configured or known IT-approved state.
|
||||
|
||||
To enable local Autopilot Reset in Windows 10:
|
||||
|
||||
1. [Enable the policy for the feature](#enable-autopilot-reset)
|
||||
2. [Trigger a reset for each device](#trigger-autopilot-reset)
|
||||
|
||||
## Enable local Windows Autopilot Reset
|
||||
|
||||
To enable a local Windows Autopilot Reset, the **DisableAutomaticReDeploymentCredentials** policy must be configured. This policy is documented in the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-credentialproviders), **CredentialProviders/DisableAutomaticReDeploymentCredentials**. By default, local Windows Autopilot is disabled. This ensures that a local Autopilot Reset is not triggered by accident.
|
||||
|
||||
You can set the policy using one of these methods:
|
||||
|
||||
- MDM provider
|
||||
|
||||
- When using Intune, you can create a new device configuration profile, specifying "Windows 10 or later" for the platform, "Device restrictions" for the profile type, and "General" for the settings category. The **Automatic Redeployment** setting should be set to **Allow**. Deploy this setting to all devices where a local reset should be permitted.
|
||||
- If you're using an MDM provider other than Intune, check your MDM provider documentation on how to set this policy.
|
||||
|
||||
- Windows Configuration Designer
|
||||
|
||||
You can [use Windows Configuration Designer](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-create-package) to set the **Runtime settings > Policies > CredentialProviders > DisableAutomaticReDeploymentCredentials** setting to 0 and then create a provisioning package.
|
||||
|
||||
- Set up School PCs app
|
||||
|
||||
The latest release of the Set up School PCs app supports enabling local Windows Autopilot Reset.
|
||||
|
||||
## Trigger local Windows Autopilot Reset
|
||||
|
||||
Performing a local Windows Autopilot Reset is a two-step process: trigger it and then authenticate. Once you've done these two steps, you can let the process execute and once it is done, the device is again ready for use.
|
||||
|
||||
**To trigger a local Autopilot Reset**
|
||||
|
||||
1. From the Windows device lock screen, enter the keystroke: **CTRL +  + R**.
|
||||
|
||||

|
||||
|
||||
This will open up a custom login screen for the local Autopilot Reset. The screen serves two purposes:
|
||||
1. Confirm/verify that the end user has the right to trigger Local Autopilot Reset
|
||||
2. Notify the user in case a provisioning package, created using Windows Configuration Designer, will be used as part of the process.
|
||||
|
||||

|
||||
|
||||
2. Sign in with the admin account credentials. If you created a provisioning package, plug in the USB drive and trigger the local Autopilot Reset.
|
||||
|
||||
Once the local Autopilot Reset is triggered, the reset process starts. Once provisioning is complete, the device is again ready for use.
|
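Review bot: Step 2 of "To trigger a local Autopilot Reset" says to sign in with "the admin account credentials" without saying which kind of account qualifies. Because enabling this policy exposes a reset path from the lock screen, the required account type should be stated explicitly. In the same step, "plug in the USB drive and trigger the local Autopilot Reset" reads as a second trigger after step 1 has already triggered the reset; reword it so the order of inserting the drive, signing in and starting the reset is unambiguous. In the opening paragraph, "By default, local Windows Autopilot is disabled" should read "local Windows Autopilot Reset is disabled". It would also help to point out that the policy name is a negative, so the value 0 in Windows Configuration Designer and **Allow** in Intune both enable the feature.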
@ -0,0 +1,36 @@
|
||||
---
|
||||
title: Reset devices with remote Autopilot Reset (Preview)
|
||||
description: Gives an overview of remote Autopilot Reset and how to use it.
|
||||
keywords: Autopilot Reset, Windows 10
|
||||
ms.prod: w10
|
||||
ms.technology: Windows
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype:
|
||||
ms.localizationpriority: high
|
||||
author: coreyp-at-msft
|
||||
ms.author: coreyp
|
||||
ms.date: 06/01/2018
|
||||
---
|
||||
|
||||
# Reset devices with remote Windows Autopilot Reset (Preview)
|
||||
|
||||
**Applies to: Windows 10, build 17672 or later**
|
||||
|
||||
When performing a remote Windows Autopilot Reset, an MDM service such an Microsoft Intune can be used to initiate the reset process, avoiding the need for IT staff or other administrators to visit each machine to initiate the process.
|
||||
|
||||
To enable a device for a remote Windows Autopilot Reset, the device must be MDM managed, joined to Azure AD, and configured to use the [enrollment status page](enrollment-status.md).
|
||||
|
||||
## Triggering a remote Windows Autopilot Reset
|
||||
|
||||
To trigger a remote Windows Autopilot Reset via Intune, follow these steps:
|
||||
|
||||
- Navigate to **Devices** tab in the Intune console.
|
||||
- In the **All devices** view, select the targeted reset devices and then click **More** to view device actions.
|
||||
- Select **Autopilot Reset** to kick-off the reset task.
|
||||
|
||||
>[!NOTE]
|
||||
>The Autopilot Reset option will not be enabled in Microsoft Intune for devices not running Windows 10 build 17672 or higher.
|
||||
|
||||
Once the reset is complete, the device is again ready for use.
|
||||
|
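Review bot: The introductory sentence has a typo, "an MDM service such an Microsoft Intune", which should read "such as Microsoft Intune". Under "Triggering a remote Windows Autopilot Reset" the text says "follow these steps" but the steps are an unordered list; use a numbered list, as the local reset topic does. The build 17672 requirement appears in the "Applies to" line and in the note but not in the prerequisites sentence (MDM managed, joined to Azure AD, enrollment status page); adding it there keeps all prerequisites in one place. The front matter also leaves ms.pagetype empty.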
@ -0,0 +1,53 @@
|
||||
---
|
||||
title: Windows Autopilot Reset
|
||||
description: Gives an overview of Remote Autopilot Reset and how to use it.
|
||||
keywords: Autopilot Reset, Windows 10
|
||||
ms.prod: w10
|
||||
ms.technology: Windows
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype:
|
||||
ms.localizationpriority: high
|
||||
author: coreyp-at-msft
|
||||
ms.author: coreyp
|
||||
ms.date: 06/01/2018
|
||||
---
|
||||
|
||||
# Windows Autopilot Reset
|
||||
|
||||
**Applies to: Windows 10**
|
||||
|
||||
Windows Autopilot Reset removes personal files, apps, and settings and reapplies a device’s original settings, maintaining its identity connection to Azure AD and its management connection to Intune so that the device is once again ready for use. Windows Autopilot Reset takes the device back to a business-ready state, allowing the next user to sign in and get productive quickly and simply.
|
||||
|
||||
The Windows Autopilot Reset process automatically retains information from the existing device:
|
||||
|
||||
- Set the region, language, and keyboard to the originally-configured values.
|
||||
- Wi-Fi connection details.
|
||||
- Provisioning packages previously applied to the device, as well as a provisioning package present on a USB drive when the reset process is initiated.
|
||||
- Azure Active Directory device membership and MDM enrollment information.
|
||||
|
||||
Windows Autopilot Reset will block the user from accessing the desktop until this information is restored, including re-applying any provisioning packages. For devices enrolled in an MDM service, Windows Autopilot Reset will also block until an MDM sync is completed. This requires configuring the device to use the [enrollment status page](enrollment-status.md).
|
||||
|
||||
>[!IMPORTANT]
|
||||
>To reestablish Wi-Fi connectivity after reset, make sure the **Connect automatically** box is checked for the device's wireless network connection.
|
||||
|
||||
## Scenarios
|
||||
|
||||
Windows Autopilot Reset supports two scenarios:
|
||||
|
||||
- [Local reset](windows-autopilot-reset-local.md), initiated by IT personnel or other administrators from the organization.
|
||||
- [Remote reset](windows-autopilot-reset-remote.md), initiated remotely by IT personnel via an MDM service such as Microsoft Intune.
|
||||
|
||||
Additional requirements and configuration details apply with each scenario; see the detailed links above for more information.
|
||||
|
||||
## Troubleshooting
|
||||
|
||||
Windows Autopilot Reset requires that the [Windows Recovery Environment (WinRE)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference) is correctly configured and enabled on the device. If it is not configured and enabled, an error such as `Error code: ERROR_NOT_SUPPORTED (0x80070032)` will be reported.
|
||||
|
||||
To make sure WinRE is enabled, use the [REAgentC.exe tool](https://docs.microsoft.com/windows-hardware/manufacture/desktop/reagentc-command-line-options) to run the following command:
|
||||
|
||||
```
|
||||
reagentc /enable
|
||||
```
|
||||
|
||||
If Windows Autopilot Reset fails after enabling WinRE, or if you are unable to enable WinRE, please contact [Microsoft Support](https://support.microsoft.com) for assistance.
|
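Review bot: In the Troubleshooting section, the lead-in "To make sure WinRE is enabled" is followed by "reagentc /enable", which changes the WinRE state rather than checking it. Say that the command has to be run from an elevated command prompt, and consider showing "reagentc /info" first so the reader can confirm the current status before changing it. In the front matter, the description "Gives an overview of Remote Autopilot Reset and how to use it" looks copied from the remote topic; this page covers both local and remote reset, so it should say so. In the list under "automatically retains information", the first bullet ("Set the region, language, and keyboard to the originally-configured values.") is an instruction while the others are things that are retained; reword it to match, for example "Region, language, and keyboard settings".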
@ -0,0 +1,26 @@
|
||||
---
|
||||
title: Windows Autopilot scenarios
|
||||
description: Listing of Autopilot scenarios
|
||||
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.localizationpriority: high
|
||||
ms.sitesec: library
|
||||
ms.pagetype: deploy
|
||||
author: coreyp-at-msft
|
||||
ms.author: coreyp
|
||||
ms.date: 06/01/2018
|
||||
---
|
||||
|
||||
# Windows Autopilot scenarios
|
||||
|
||||
**Applies to: Windows 10**
|
||||
|
||||
Windows Autopilot includes support for a growing list of scenarios, designed to support common organization needs which can vary based on the type of organization and their progress moving to Windows 10 and [transitioning to modern management](https://docs.microsoft.com/en-us/windows/client-management/manage-windows-10-in-your-organization-modern-management).
|
||||
|
||||
For details about these scenarios, see these additional topics:
|
||||
|
||||
- [Windows Autopilot user-driven mode](user-driven.md), for devices that will be set up by a member of the organization and configured for that person.
|
||||
- [Windows Autopilot self-deploying mode](self-deploying.md), for devices that will be automatically configured for shared use, as a kiosk, or as a digital signage device.
|
||||
- [Windows Autopilot Reset](windows-autopilot-reset.md),
|
||||
|
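Review bot: The last bullet, "[Windows Autopilot Reset](windows-autopilot-reset.md),", ends in a trailing comma with no description, while the two bullets above it each explain which devices the scenario is for. Finish the sentence (for example, with a description of re-deploying a device in a business-ready state) or drop the comma. The front matter also omits ms.technology, which the reset topics added in this same change do set.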
26
windows/deployment/windows-autopilot/windows-autopilot.md
Normal file
@ -0,0 +1,26 @@
|
||||
---
|
||||
title: Overview of Windows Autopilot
|
||||
description: This topic goes over Windows Autopilot and how it helps setup OOBE Windows 10 devices.
|
||||
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.localizationpriority: high
|
||||
ms.sitesec: library
|
||||
ms.pagetype: deploy
|
||||
author: coreyp-at-msft
|
||||
ms.author: coreyp
|
||||
ms.date: 06/01/2018
|
||||
---
|
||||
|
||||
# Overview of Windows Autopilot
|
||||
|
||||
**Applies to: Windows 10**
|
||||
|
||||
Windows Autopilot is designed to simplify all parts of the lifecycle of Windows devices, for both IT and end users, from initial deployment through the eventual end of life. Leveraging cloud-based services, it can reduce the overall costs for deploying, managing, and retiring devices by reducing the amount of time that IT needs to spend on these processes and the amount of infrastructure that they need to maintain, while ensuring ease of use for all types of end users.
|
||||
|
||||
<img src="images/image1.png">
|
||||
|
||||
When initially deploying new Windows devices, Windows Autopilot leverages the OEM-optimized version of Windows 10 that is preinstalled on the device, saving organizations the effort of having to maintain custom images as well as drivers for every model of device being used. Instead of re-imaging the device, that existing Windows 10 installation can be transformed into a “business-ready” state, applying settings and policies, installing apps, and even changing the edition of Windows 10 being used (e.g. from Windows 10 Pro to Windows 10 Enterprise, to support advanced features).
|
||||
|
||||
Once deployed, Windows 10 devices can be managed by tools such as Microsoft Intune, Windows Update for Business, System Center Configuration Manager, and other similar tools. Windows Autopilot can help with device re-purposing scenarios, leveraging Windows Autopilot Reset to quickly prepare a device for a new user, as well as in break/fix scenarios to enable a device to quickly be brought back to a business-ready state.
|
||||
|
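Review bot: The image after the first paragraph is embedded as a raw HTML tag, <img src="images/image1.png">, with no alt text and a generic file name, whereas the other images added in this change use Markdown image syntax with alt text. Switch to the Markdown form, add a description of what the image shows, and give the file a meaningful name. In the front matter description, "helps setup OOBE Windows 10 devices" should use the verb form "set up".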