From d137405205bd345329ae06783482bfb77ec5aeed Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Thu, 13 Jun 2019 11:09:41 -0700 Subject: [PATCH 01/14] added dev comments --- ...ew-in-windows-mdm-enrollment-management.md | 13 +- .../policy-configuration-service-provider.md | 14 ++ .../mdm/policy-csp-devicehealthmonitoring.md | 229 ++++++++++++++++++ 3 files changed, 251 insertions(+), 5 deletions(-) create mode 100644 windows/client-management/mdm/policy-csp-devicehealthmonitoring.md diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 66fea7504c..8cf23e8c68 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -33,7 +33,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s - **Breaking changes and known issues** - [Get command inside an atomic command is not supported](#get-command-inside-an-atomic-command-is-not-supported) - - [Notification channel URI not preserved during upgrade from Windows 8.1 to Windows 10](#notification-channel-uri-not-preserved-during-upgrade-from-windows81-to-windows10) + - [Notification channel URI not preserved during upgrade from Windows 8.1 to Windows 10](#notification-channel-uri-not-preserved-during-upgrade-from-windows-81-to-windows-10) - [Apps installed using WMI classes are not removed](#apps-installed-using-wmi-classes-are-not-removed) - [Passing CDATA in SyncML does not work](#passing-cdata-in-syncml-does-not-work) - [SSL settings in IIS server for SCEP must be set to "Ignore"](#ssl-settings-in-iis-server-for-scep-must-be-set-to-ignore) @@ -46,7 +46,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s - [Multiple certificates might cause Wi-Fi connection instabilities in Windows 10 Mobile](#mcmcwfciw10mobile) - [Remote PIN reset not supported in Azure Active Directory joined mobile devices](#remote-pin-reset-not-supported-in-azure-active-directory-joined-mobile-devices) - [MDM client will immediately check-in with the MDM server after client renews WNS channel URI](#mdm-client-will-immediately-check-in-with-the-mdm-server-after-client-renews-wns-channel-uri) - - [User provisioning failure in Azure Active Directory joined Windows 10 PC](#user-provisioning-failure-in-azure-active-directory-joined-windows10-pc) + - [User provisioning failure in Azure Active Directory joined Windows 10 PC](#user-provisioning-failure-in-azure-active-directory-joined-windows-10-pc) - [Requirements to note for VPN certificates also used for Kerberos Authentication](#requirements-to-note-for-vpn-certificates-also-used-for-kerberos-authentication) - [Device management agent for the push-button reset is not working](#device-management-agent-for-the-push-button-reset-is-not-working) @@ -96,6 +96,9 @@ For details about Microsoft mobile device management protocols for Windows 10 s -Connecting your Windows 10-based device to work using a deep link +Connecting your Windows 10-based device to work using a deep link

Added following deep link parameters to the table:

+ +

WiFi CSP

+

Deprecated the following node in Windows 10, version 1607:

+ + + diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md index a9b74522ef..95e472b974 100644 --- a/windows/client-management/mdm/wifi-csp.md +++ b/windows/client-management/mdm/wifi-csp.md @@ -9,7 +9,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: manikadhiman -ms.date: 10/24/2018 +ms.date: 06/18/2019 --- # WiFi CSP @@ -79,7 +79,10 @@ If it is an IPvFuture address, then it must be specified as an IP literal as "\[ Supported operations are Get, Add, Delete, and Replace. **DisableInternetConnectivityChecks** -Added in Windows 10, version 1511.Optional. Disable the internet connectivity check for the profile. +> [!Note] +> Deprecated in Windows 10, version 1607. + +Added in Windows 10, version 1511. Optional. Disable the internet connectivity check for the profile. Value type is chr. From 33ae836b8390cf791e97060c398f06b663342e58 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Tue, 18 Jun 2019 16:30:59 -0700 Subject: [PATCH 11/14] Updated the deprecated note text --- windows/client-management/mdm/wifi-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md index 95e472b974..8b233ba1e3 100644 --- a/windows/client-management/mdm/wifi-csp.md +++ b/windows/client-management/mdm/wifi-csp.md @@ -80,7 +80,7 @@ Supported operations are Get, Add, Delete, and Replace. **DisableInternetConnectivityChecks** > [!Note] -> Deprecated in Windows 10, version 1607. +> This node has been deprecated since Windows 10, version 1607. Added in Windows 10, version 1511. Optional. Disable the internet connectivity check for the profile. From a8be54d2d4596413a8c5bbf6180b8e4d9a7397d2 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Wed, 19 Jun 2019 13:54:35 -0700 Subject: [PATCH 12/14] a few fixes and tweaks --- .../manage-windows-upgrades-with-upgrade-readiness.md | 11 +++++------ .../upgrade/upgrade-readiness-additional-insights.md | 2 +- .../deployment/windows-autopilot/existing-devices.md | 4 ++-- .../deployment/windows-autopilot/self-deploying.md | 5 ++--- .../windows-autopilot/windows-autopilot-whats-new.md | 3 +++ 5 files changed, 13 insertions(+), 12 deletions(-) diff --git a/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.md b/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.md index 66da87eb73..7822a9c866 100644 --- a/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.md +++ b/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.md @@ -40,9 +40,8 @@ The Upgrade Readiness workflow steps you through the discovery and rationalizati ## **Related topics** -[Upgrade Readiness architecture](upgrade-readiness-architecture.md)
-[Upgrade Readiness requirements](upgrade-readiness-requirements.md)
-[Upgrade Readiness release notes](upgrade-readiness-requirements.md#important-information-about-this-release)
-[Get started with Upgrade Readiness](upgrade-readiness-get-started.md)
-[Use Upgrade Readiness to manage Windows upgrades](use-upgrade-readiness-to-manage-windows-upgrades.md)
-[Troubleshoot Upgrade Readiness](troubleshoot-upgrade-readiness.md)
+[Upgrade Readiness architecture](upgrade-readiness-architecture.md)
+[Upgrade Readiness requirements](upgrade-readiness-requirements.md)
+[Upgrade Readiness release notes](upgrade-readiness-requirements.md#important-information-about-this-release)
+[Get started with Upgrade Readiness](upgrade-readiness-get-started.md)
+[Use Upgrade Readiness to manage Windows upgrades](use-upgrade-readiness-to-manage-windows-upgrades.md) \ No newline at end of file diff --git a/windows/deployment/upgrade/upgrade-readiness-additional-insights.md b/windows/deployment/upgrade/upgrade-readiness-additional-insights.md index e7672a7634..09a0e88f33 100644 --- a/windows/deployment/upgrade/upgrade-readiness-additional-insights.md +++ b/windows/deployment/upgrade/upgrade-readiness-additional-insights.md @@ -93,4 +93,4 @@ Office add-ins provides a list of the Microsoft Office add-ins in your environme ## Related topics -[Upgrade Readiness release notes](upgrade-readiness-release-notes.md) +[Manage Windows upgrades with Upgrade Readiness](manage-windows-upgrades-with-upgrade-readiness.md) diff --git a/windows/deployment/windows-autopilot/existing-devices.md b/windows/deployment/windows-autopilot/existing-devices.md index 87042516a3..c177340864 100644 --- a/windows/deployment/windows-autopilot/existing-devices.md +++ b/windows/deployment/windows-autopilot/existing-devices.md @@ -91,7 +91,7 @@ See the following examples. Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON ``` - See the following sample output: + See the following sample output: (use the horizontal scroll bar at the bottom to view long lines) 
     PS C:\> Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON
     {
@@ -124,7 +124,7 @@ See the following examples.
    |         CloudAssignedDeviceName (string, optional)         |                                                                          The name automatically assigned to the computer.  This follows the naming pattern convention that can be configured in Intune as part of the Autopilot profile, or can specify an explicit name to use.                                                                           |
 
 
-5. The Autopilot profile must be saved as a JSON file in ASCII or ANSI format. Windows PowerShell defaults to Unicode format, so if you attempt to redirect output of the commands to a file, you must also specify the file format. For example, to save the file in ASCII format using Windows PowerShell, you can create a directory (ex: c:\Autopilot) and save the profile as shown below:
+5. The Autopilot profile must be saved as a JSON file in ASCII or ANSI format. Windows PowerShell defaults to Unicode format, so if you attempt to redirect output of the commands to a file, you must also specify the file format. For example, to save the file in ASCII format using Windows PowerShell, you can create a directory (ex: c:\Autopilot) and save the profile as shown below: (use the horizontal scroll bar at the bottom if needed to view the entire command string)
 
     ```
     Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON | Out-File c:\Autopilot\AutopilotConfigurationFile.json -Encoding ASCII
diff --git a/windows/deployment/windows-autopilot/self-deploying.md b/windows/deployment/windows-autopilot/self-deploying.md
index bcddf84201..38159d4743 100644
--- a/windows/deployment/windows-autopilot/self-deploying.md
+++ b/windows/deployment/windows-autopilot/self-deploying.md
@@ -1,5 +1,5 @@
 ---
-title: Windows Autopilot Self-Deploying mode (Preview) 
+title: Windows Autopilot Self-Deploying mode
 description: Windows Autopilot deployment
 keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
 ms.reviewer: mniehaus
@@ -15,10 +15,9 @@ ms.collection: M365-modern-desktop
 ms.topic: article
 ---
 
-
 # Windows Autopilot Self-Deploying mode
 
-**Applies to: Windows 10, version 1809 or later**
+**Applies to: Windows 10, version 1903 or later**
 
 Windows Autopilot self-deploying mode enables a device to be deployed with little to no user interaction. For devices with an Ethernet connection, no user interaction is required; for devices connected via Wi-fi, no interaction is required after making the Wi-fi connection (choosing the language, locale, and keyboard, then making a network connection).  
 
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-whats-new.md b/windows/deployment/windows-autopilot/windows-autopilot-whats-new.md
index 9f414b3464..40285c5f1b 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-whats-new.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-whats-new.md
@@ -42,6 +42,9 @@ Windows Autopilot [self-deploying mode](self-deploying.md) enables a zero touch
 
 You can utilize Windows Autopilot self-deploying mode to register the device to an AAD tenant, enroll in your organization’s MDM provider, and provision policies and applications, all with no user authentication or user interaction required. 
 
+>[!NOTE]
+>Window 10, version 1903 is required to use self-deploying mode due to issues with TPM device attestation in Windows 10, version 1809.
+
 ## Related topics
 
 [What's new in Microsoft Intune](https://docs.microsoft.com/intune/whats-new)


From 3c05ed1630c70b62d5ecc11e01b1a20bae52daf2 Mon Sep 17 00:00:00 2001
From: Greg Lindsay 
Date: Wed, 19 Jun 2019 14:06:51 -0700
Subject: [PATCH 13/14] added or later

---
 windows/deployment/windows-autopilot/self-deploying.md          | 2 +-
 .../deployment/windows-autopilot/windows-autopilot-whats-new.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/windows/deployment/windows-autopilot/self-deploying.md b/windows/deployment/windows-autopilot/self-deploying.md
index 38159d4743..09ecd98706 100644
--- a/windows/deployment/windows-autopilot/self-deploying.md
+++ b/windows/deployment/windows-autopilot/self-deploying.md
@@ -38,7 +38,7 @@ Self-deploying mode is designed to deploy Windows 10 as a kiosk, digital signage
 Because self-deploying mode uses a device’s TPM 2.0 hardware to authenticate the device into an organization’s Azure AD tenant, devices without TPM 2.0 cannot be used with this mode.  The devices must also support TPM device attestation.  (All newly-manufactured Windows devices should meet these requirements.)
 
 >[!NOTE]
->If you attempt a self-deploying mode deployment on a device that does not have support TPM 2.0 or on a virtual machine, the process will fail when verifying the device with an 0x800705B4 timeout error.  (Hyper-V virtual TPMs are not supported.)
+>If you attempt a self-deploying mode deployment on a device that does not have support TPM 2.0 or on a virtual machine, the process will fail when verifying the device with an 0x800705B4 timeout error (Hyper-V virtual TPMs are not supported).. Also note that Window 10, version 1903 or later is required to use self-deploying mode due to issues with TPM device attestation in Windows 10, version 1809.
 
 In order to display an organization-specific logo and organization name during the Autopilot process, Azure Active Directory Company Branding needs to be configured with the images and text that should be displayed.  See [Quickstart: Add company branding to your sign-in page in Azure AD](https://docs.microsoft.com/azure/active-directory/fundamentals/customize-branding) for more details. 
 
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-whats-new.md b/windows/deployment/windows-autopilot/windows-autopilot-whats-new.md
index 40285c5f1b..57c91a67e4 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-whats-new.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-whats-new.md
@@ -43,7 +43,7 @@ Windows Autopilot [self-deploying mode](self-deploying.md) enables a zero touch
 You can utilize Windows Autopilot self-deploying mode to register the device to an AAD tenant, enroll in your organization’s MDM provider, and provision policies and applications, all with no user authentication or user interaction required. 
 
 >[!NOTE]
->Window 10, version 1903 is required to use self-deploying mode due to issues with TPM device attestation in Windows 10, version 1809.
+>Window 10, version 1903 or later is required to use self-deploying mode due to issues with TPM device attestation in Windows 10, version 1809.
 
 ## Related topics
 

From 06d5970104c1717930d89d05bb7d9eb14b04f5bf Mon Sep 17 00:00:00 2001
From: Greg Lindsay 
Date: Wed, 19 Jun 2019 14:41:55 -0700
Subject: [PATCH 14/14] added more public PR

---
 .../windows-autopilot/autopilot-faq.md        | 49 ++++++++++---------
 .../windows-autopilot/self-deploying.md       |  3 ++
 2 files changed, 28 insertions(+), 24 deletions(-)

diff --git a/windows/deployment/windows-autopilot/autopilot-faq.md b/windows/deployment/windows-autopilot/autopilot-faq.md
index 9df667a4bc..59296c932d 100644
--- a/windows/deployment/windows-autopilot/autopilot-faq.md
+++ b/windows/deployment/windows-autopilot/autopilot-faq.md
@@ -93,15 +93,15 @@ A [glossary](#glossary) of abbreviations used in this topic is provided at the e
 
 ## The end user experience
 
-|                                                                                  Question                                                                                  |                                                                                                                                                                                                                                                                                                                                Answer                                                                                                                                                                                                                                                                                                                                |
-|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-|                                                                  How do I know that I received Autopilot?                                                                  |                                                                                                                                                                                                             You can tell that you received Windows Autopilot (as in the device received a configuration but has not yet applied it) when you skip the selection page (as seen below), and are immediately taken to a generic or customized sign-in page.                                                                                                                                                                                                             |
-|                                                              Windows Autopilot didn’t work, what do I do now?                                                              | Questions and actions to assist in troubleshooting:  Did a screen not get skipped?   Did a user end up as an admin when configured not to? Remember that AAD Admins will be local admins regardless of whether Windows Autopilot is configured to disable local admin  Collection information – run licensingdiag.exe and send the .cab (Cabinet file) file that is generated to AutopilotHelp@microsoft.com. If possible, collect an ETL from WPR. Often in these cases, users are not signing into the right AAD tenant, or are creating local user accounts.  For a complete list of support options, refer to [Windows Autopilot support](autopilot-support.md). |
-| If an Administrator makes changes to an existing profile, will the changes take effect on devices that have that profile assigned to them that have already been deployed? |                                                                                                                                                                        No. Windows Autopilot profiles are not resident on the device. They are downloaded during OOBE, the settings defined at the time are applied. Then, the profile is discarded on the device. If the device is re-imaged or reset, the new profile settings will take effect the next time the device goes through OOBE.                                                                                                                                                                        |
-|         What is the experience if a device isn’t registered or if an IT Admin doesn’t configure Windows Autopilot prior to an end user attempting to self-deploy?          |                                                      If the device isn’t registered, it will not receive the Windows Autopilot experience and the end user will go through normal OOBE. The Windows Autopilot configurations will NOT be applied until the user runs through OOBE again, after registration. If a device is started before an MDM profile is created, the device will go through standard OOBE experience.  The IT Admin would then have to manually enrol that device into the MDM, after which—the next time that device is “reset”—it will go through the Windows Autopilot OOBE experience.                                                      |
-|                                          What may be a reason why I did not receive a customized sign-in screen during Autopilot?                                          |                                                                                                                                                                                                                                                                                  Tenant branding must be configured in portal.azure.com to receive a customized sign-in experience.                                                                                                                                                                                                                                                                                  |
-|                               What happens if a device is registered with Azure AD but does not have an Windows Autopilot profile assigned?                                |                                                                                                                                                                                                                                                                                    The regular AAD OOBE will occur since no Windows Autopilot profile was assigned to the device.                                                                                                                                                                                                                                                                                    |
-|                                                                    How can I collect logs on Autopilot?                                                                    |                                                                                                                                                                                                                            The best way to collect logs on Windows Autopilot performance is to collect a Windows Performance Recorder (WPR) trace during OOBE. The XML file (WPRP extension) for this trace may be provided upon request.                                                                                                                                                                                                                            |
+|Question|Answer|
+|----|-----|
+|How do I know that I received Autopilot?|You can tell that you received Windows Autopilot (as in the device received a configuration but has not yet applied it) when you skip the selection page (as seen below), and are immediately taken to a generic or customized sign-in page.|
+|Windows Autopilot didn’t work, what do I do now?| Questions and actions to assist in troubleshooting:  Did a screen not get skipped?   Did a user end up as an admin when configured not to? Remember that AAD Admins will be local admins regardless of whether Windows Autopilot is configured to disable local admin  Collection information – run licensingdiag.exe and send the .cab (Cabinet file) file that is generated to AutopilotHelp@microsoft.com. If possible, collect an ETL from WPR. Often in these cases, users are not signing into the right AAD tenant, or are creating local user accounts.  For a complete list of support options, refer to [Windows Autopilot support](autopilot-support.md). |
+| If an Administrator makes changes to an existing profile, will the changes take effect on devices that have that profile assigned to them that have already been deployed? |No. Windows Autopilot profiles are not resident on the device. They are downloaded during OOBE, the settings defined at the time are applied. Then, the profile is discarded on the device. If the device is re-imaged or reset, the new profile settings will take effect the next time the device goes through OOBE.|
+|What is the experience if a device isn’t registered or if an IT Admin doesn’t configure Windows Autopilot prior to an end user attempting to self-deploy?          |If the device isn’t registered, it will not receive the Windows Autopilot experience and the end user will go through normal OOBE. The Windows Autopilot configurations will NOT be applied until the user runs through OOBE again, after registration. If a device is started before an MDM profile is created, the device will go through standard OOBE experience.  The IT Admin would then have to manually enrol that device into the MDM, after which—the next time that device is “reset”—it will go through the Windows Autopilot OOBE experience.|
+|What may be a reason why I did not receive a customized sign-in screen during Autopilot?                                          |Tenant branding must be configured in portal.azure.com to receive a customized sign-in experience.|
+|What happens if a device is registered with Azure AD but does not have an Windows Autopilot profile assigned?                                |The regular AAD OOBE will occur since no Windows Autopilot profile was assigned to the device.|
+|How can I collect logs on Autopilot?|The best way to collect logs on Windows Autopilot performance is to collect a Windows Performance Recorder (WPR) trace during OOBE. The XML file (WPRP extension) for this trace may be provided upon request.|
 
 ## MDM
 
@@ -127,21 +127,22 @@ A [glossary](#glossary) of abbreviations used in this topic is provided at the e
 
 ## General
 
-|                                                                             Question                                                                             |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     Answer                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
-|------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-|                                            If I wipe the machine and restart, will I still receive Windows Autopilot?                                            |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Yes, if the device is still registered for Windows Autopilot and is running Windows 10, version 1703 7B and above releases, it will receive the Windows Autopilot experience.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
-|                                                    Can I harvest the device fingerprint on existing machines?                                                    |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       Yes, if the device is running Windows 10, version 1703 and above, you can harvest device fingerprints for registration. There are no plans to backport the functionality to previous releases and no way to harvest them on pre-Windows 10 Windows 10, version 1703 devices that have not been updated to Windows 10, version 1703.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
-|                                                   What is Windows 10, version 1703 7B and why does it matter?                                                    | Windows 10, version 1703 7B is a Windows 10, version 1703 image bundled with cumulative updates. To receive Autopilot, clients **must** run Windows 10, version 1703 7B or later. These cumulative updates contain a critical fix for Autopilot. Consider the following:

Windows Autopilot will not apply its profiles to the machine unless AAD credentials match the expected AAD tenant. For the Windows 10, version 1703 release, it was assumed that would be determined by the domain name, so the domain name used to register (for example contoso.com) should match the domain name used to sign in (for example user@contoso.com). But what happens if your tenant has multiple domains (for example us.contoso.com, or fr.contoso.com)? Since these domain names do not match, the device will not be configured for Autopilot. However, both domains are part of the same AAD tenant, and as such it was determined the matching scheme was not useful. This was improved upon by making use of the tenant ID. By using the tenant ID, we can determine that if the user signs into a domain with a tenant matching the one they registered with, we can safely consider this to be a match. The fix for this problem already exists in Windows 10, version 1709 and was backported into the Windows 10, version 1703 7B release.  

**Key Take-Aways**:  When using pre-Windows 10, version 1703 7B clients the user’s domain **must** match the domain they registered with. This functionality is found in Windows 10 version 1709 clients using build >= 16215, and Windows 10, version 1703 clients >= 7B. |
-|                                                            What is the impact of not updating to 7B?                                                             |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               See the detailed scenario described directly above.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
-|                                    Is Windows Autopilot supported on other SKUs, e.g. Surface Hub, HoloLens, Windows Mobile.                                     |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              No, Windows Autopilot isn’t supported on other SKUs.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
-|                                                 Does Windows Autopilot work after MBR or image re-installation?                                                  |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Yes.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
-| Can machines that have reimaged a few times go through Autopilot? What does the error message "This user is not authorized to enroll" mean? Error code 801c0003. |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  There are limits to the number of devices a particular AAD user can enroll in AAD, as well as the number of devices that are supported per user in Intune.  (These are somewhat configurable but not “infinite.”)  You’ll run into this frequently if you reuse the devices, or even if you roll back to previous virtual machine snapshots.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
-|                                                   What happens if a device is registered to a malicious agent?                                                   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        By design, Windows Autopilot does not apply a profile until the user signs in with the matching tenant for the configured profile via the AAD sign-in process. What occurs is illustrated below.  If badguys.com registers a device owned by contoso.com, at worst, the user would be directed to sign into badguys.com. When the user enters their email/password, the sign-in information is redirected through AAD to the proper AAD authentication and the user is prompted to then sign into contoso.com. Since contoso.com does not match badguys.com as the tenant, the Windows Autopilot profile will not be applied and the regular AAD OOBE will occur.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
-|                                                           Where is the Windows Autopilot data stored?                                                            |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Windows Autopilot data is stored in the United States (US), not in a sovereign cloud, even when the AAD tenant is registered in a sovereign cloud. This is applicable to all Windows Autopilot data, regardless of the portal leveraged to deploy Autopilot.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
-|                                           Why is Windows Autopilot data stored in the US and not in a sovereign cloud?                                           |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              It is not customer data that we store, but business data which enables Microsoft to provide a service, therefore it is okay for the data to reside in the US. Customers can stop subscribing to the service any time, and, in that event, the business data is removed by Microsoft.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
-|                                                How many ways are there to register a device for Windows Autopilot                                                |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                There are six ways to register a device, depending on who is doing the registering: 

1.  OEM Direct API (only available to TVOs) 
2. MPC via the MPC API (must be a CSP) 
3. MPC via manual upload of CSV file in the UI (must be a CSP) 
4. MSfB via CSV file upload 
5. Intune via CSV file upload 
6.  Microsoft 365 Business portal via CSV file upload                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
-|                                                 How many ways are there to create an Windows Autopilot profile?                                                  |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        There are four ways to create & assign an Windows Autopilot profile: 

1.   Through MPC (must be a CSP) 
2.  Through MSfB 
3. Through Intune (or another MDM) 
4.  Microsoft 365 Business portal 

Microsoft recommends creation and assignment of profiles through Intune.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
-|                                                      What are some common causes of registration failures?                                                       |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          
1.  Bad or missing Hardware hash entries can lead to faulty registration attempts 
2.    Hidden special characters in CSV files.  

To avoid this issue, after creating your CSV file, open it in Notepad to look for hidden characters or trailing spaces or other corruptions.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
+|Question|Answer
+|------------------|-----------------|
+|If I wipe the machine and restart, will I still receive Windows Autopilot?|Yes, if the device is still registered for Windows Autopilot and is running Windows 10, version 1703 7B and above releases, it will receive the Windows Autopilot experience.|
+|Can I harvest the device fingerprint on existing machines?|Yes, if the device is running Windows 10, version 1703 and above, you can harvest device fingerprints for registration. There are no plans to backport the functionality to previous releases and no way to harvest them on pre-Windows 10 Windows 10, version 1703 devices that have not been updated to Windows 10, version 1703.|
+|What is Windows 10, version 1703 7B and why does it matter?| Windows 10, version 1703 7B is a Windows 10, version 1703 image bundled with cumulative updates. To receive Autopilot, clients **must** run Windows 10, version 1703 7B or later. These cumulative updates contain a critical fix for Autopilot. Consider the following:

Windows Autopilot will not apply its profiles to the machine unless AAD credentials match the expected AAD tenant. For the Windows 10, version 1703 release, it was assumed that would be determined by the domain name, so the domain name used to register (for example contoso.com) should match the domain name used to sign in (for example user@contoso.com). But what happens if your tenant has multiple domains (for example us.contoso.com, or fr.contoso.com)? Since these domain names do not match, the device will not be configured for Autopilot. However, both domains are part of the same AAD tenant, and as such it was determined the matching scheme was not useful. This was improved upon by making use of the tenant ID. By using the tenant ID, we can determine that if the user signs into a domain with a tenant matching the one they registered with, we can safely consider this to be a match. The fix for this problem already exists in Windows 10, version 1709 and was backported into the Windows 10, version 1703 7B release.  

**Key Take-Aways**:  When using pre-Windows 10, version 1703 7B clients the user’s domain **must** match the domain they registered with. This functionality is found in Windows 10 version 1709 clients using build >= 16215, and Windows 10, version 1703 clients >= 7B. |
+|What is the impact of not updating to 7B?|See the detailed scenario described directly above.|
+|Is Windows Autopilot supported on other SKUs, e.g. Surface Hub, HoloLens, Windows Mobile.|No, Windows Autopilot isn’t supported on other SKUs.|
+|Does Windows Autopilot work after MBR or image re-installation?|Yes.|
+| Can machines that have reimaged a few times go through Autopilot? What does the error message "This user is not authorized to enroll" mean? Error code 801c0003. |There are limits to the number of devices a particular AAD user can enroll in AAD, as well as the number of devices that are supported per user in Intune.  (These are somewhat configurable but not “infinite.”)  You’ll run into this frequently if you reuse the devices, or even if you roll back to previous virtual machine snapshots.|
+|What happens if a device is registered to a malicious agent?                                                   |By design, Windows Autopilot does not apply a profile until the user signs in with the matching tenant for the configured profile via the AAD sign-in process. What occurs is illustrated below.  If badguys.com registers a device owned by contoso.com, at worst, the user would be directed to sign into badguys.com. When the user enters their email/password, the sign-in information is redirected through AAD to the proper AAD authentication and the user is prompted to then sign into contoso.com. Since contoso.com does not match badguys.com as the tenant, the Windows Autopilot profile will not be applied and the regular AAD OOBE will occur.|
+|Where is the Windows Autopilot data stored?                                                            |Windows Autopilot data is stored in the United States (US), not in a sovereign cloud, even when the AAD tenant is registered in a sovereign cloud. This is applicable to all Windows Autopilot data, regardless of the portal leveraged to deploy Autopilot.|
+|Why is Windows Autopilot data stored in the US and not in a sovereign cloud?|It is not customer data that we store, but business data which enables Microsoft to provide a service, therefore it is okay for the data to reside in the US. Customers can stop subscribing to the service any time, and, in that event, the business data is removed by Microsoft.|
+|How many ways are there to register a device for Windows Autopilot|There are six ways to register a device, depending on who is doing the registering: 

1.  OEM Direct API (only available to TVOs) 
2. MPC via the MPC API (must be a CSP) 
3. MPC via manual upload of CSV file in the UI (must be a CSP) 
4. MSfB via CSV file upload 
5. Intune via CSV file upload 
6.  Microsoft 365 Business portal via CSV file upload|
+|How many ways are there to create an Windows Autopilot profile?|There are four ways to create & assign an Windows Autopilot profile: 

1.   Through MPC (must be a CSP) 
2.  Through MSfB 
3. Through Intune (or another MDM) 
4.  Microsoft 365 Business portal 

Microsoft recommends creation and assignment of profiles through Intune.  |
+| What are some common causes of registration failures? |
1.  Bad or missing Hardware hash entries can lead to faulty registration attempts 
2.    Hidden special characters in CSV files.  

To avoid this issue, after creating your CSV file, open it in Notepad to look for hidden characters or trailing spaces or other corruptions.|
+|  Is Autopilot supported in all regions/countries? |  
Autopilot only supports customers using public Azure. Public Azure does not include the three entities listed below:
- Azure Germany 
- Azure China
- Azure Government
So, if a customer is set up in global Azure, there are no region restrictions. For example, if Contoso uses global Azure but has employees working in China, the Contoso employees working in China would be able to use Autopilot to deploy devices. If Contoso uses Azure China, the Contoso employees would not be able to use Autopilot.|
 
 ## Glossary
 
diff --git a/windows/deployment/windows-autopilot/self-deploying.md b/windows/deployment/windows-autopilot/self-deploying.md
index 09ecd98706..48841e967b 100644
--- a/windows/deployment/windows-autopilot/self-deploying.md
+++ b/windows/deployment/windows-autopilot/self-deploying.md
@@ -67,4 +67,7 @@ When performing a self-deploying mode deployment using Windows Autopilot, the fo
     -   Remain at the logon screen, where any member of the organization can log on by specifying their Azure AD credentials.
     -   Automatically sign in as a local account, for devices configured as a kiosk or digital signage.
 
+>[!NOTE]
+>Deploying EAS policies using self-deploying mode for kiosk deployments will cause auto-logon functionality to fail. 
+
 In case the observed results do not match these expectations, consult the [Windows Autopilot Troubleshooting](troubleshooting.md) documentation.