deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 22:07:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'refs/remotes/origin/rs1' into jdrs

Browse Source
This commit is contained in:
jdeckerMS 2016-07-05 08:50:37 -07:00
commit 8e34fc9206
40 changed files with 764 additions and 319 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
education/windows/TOC.md
View File

@ -1,7 +1,10 @@
# [Windows 10 for education](index.md)
## [Change history for Windows 10 for Education](change-history-edu.md)
## [Use the Set up School PCs app (Preview)](use-set-up-school-pcs-app.md)
## [Technical reference for the Set up School PCs app (Preview)](set-up-school-pcs-technical.md)
## [Setup options for Windows 10](set-up-windows-10.md)
### [Use the Set up School PCs app (Preview)](use-set-up-school-pcs-app.md)
### [Technical reference for the Set up School PCs app (Preview)](set-up-school-pcs-technical.md)
### [Set up student PCs to join domain](set-up-students-pcs-to-join-domain.md)
### [Provision student PCs with apps](set-up-students-pcs-with-apps.md)
## [Get Minecraft Education Edition](get-minecraft-for-education.md)
### [For teachers: get Minecraft Education Edition](teacher-get-minecraft.md)
### [For IT administrators: get Minecraft Education Edition](school-get-minecraft.md)

BIN
education/windows/images/ICDstart-option.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 13 KiB

BIN
education/windows/images/choose-package-icd.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 20 KiB

BIN
education/windows/images/connect-ad.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 70 KiB

BIN
education/windows/images/icd-adv-shared-pc.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 44 KiB

BIN
education/windows/images/icd-school-adv-edit.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 16 KiB

BIN
education/windows/images/icd-school.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 14 KiB

BIN
education/windows/images/icd-simple.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 12 KiB

BIN
education/windows/images/icdbrowse.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 2.8 KiB

BIN
education/windows/images/setup-options.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 67 KiB

109
education/windows/set-up-students-pcs-to-join-domain.md Normal file
View File

@ -0,0 +1,109 @@
---
title: Set up student PCs to join domain
description: Learn how to use Configuration Designer to easily provision student devices to join Active Directory.
keywords: ["shared cart", "shared PC", "school"]
ms.prod: W10
ms.mktglfcycl: plan
ms.sitesec: library
author: jdeckerMS
---
# Set up student PCs to join domain
**Applies to:**
- Windows 10
If your school uses Active Directory, use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a runtime provisioning package that will configure a PC for student use that is joined to the Active Directory domain. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740)
## Create the provisioning package
1. Open Windows ICD (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe).
2. Click **Provision school devices**.
![Provision school devices](images/icdstart-option.png)
3. Name your project and click **Finish**. The screens for school provisioning will walk you through the following steps.
![Wizard for school provisioning](images/icd-school.png)
4. In the **Set up device** step, enter a unique 15-character name for the device. For help generating a unique name, you can use %SERIAL%, which includes a hardware-specific serial number, or you can use %RAND:x%, which generates random characters of x length.
5. (Optional) You can upgrade the following editions of Windows 10 by providing a product key for the edition to upgrade to.
- Home to Education
- Pro to Education
- Pro to Enterprise
- Enterprise to Education
6. Click **Set up network**.
7. Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, type, and (if required) password for the wireless network.
8. Click **Enroll into Active Directory**.
9. Toggle **Yes** or **No** for Active Directory enrollment. If you select **Yes**, enter the credentials for an account with permissions to enroll the device. (Optional) Enter a user name and password to create a local administrator account.
> **Warning**: If you don't create a local administrator account and the device fails to enroll in Active Directory for any reason, you will have to reimage the device and start over. As a best practice, we recommend:
- Use a least-privileged domain account to join the device to the domain.
- Create a temporary administrator account to use for debugging or reprovisioning if the device fails to enroll successfully.
- [Use Group Policy to delete the temporary administrator account](https://blogs.technet.microsoft.com/canitpro/2014/12/10/group-policy-creating-a-standard-local-admin-account/) after the device is enrolled in Active Directory.
10. Click **Set up school settings**.
11. Toggle **Yes** or **No** to configure the PC for shared use.
12. (Optional) Toggle **Yes** or **No** to configure the PC for secure testing. If you select **Yes**, you must also enter the test account to be used and the URL for the test. If you don't configure the test account and URL in this provisioning package, you can do so after the PC is configured; for more information, see [Take tests in Windows 10](take-tests-in-windows-10.md).
10. Click **Finish**.
11. Review your settings in the summary. You can return to previous pages to change your selections. Then, under **Protect your package**, toggle **Yes** or **No** to encrypt the provisioning package. If you select **Yes**, enter a password. This password must be entered to apply the encrypted provisioning package.
12. Click **Create**.
13. You will see the file path for your provisioning package (by default, %windir%\Users\*your alias*\Windows Imaging and Configuration Designer (WICD)\*Project name*). Copy the provisioning package to a USB drive.
> **Important** When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
## Apply package
1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
![The first screen to set up a new PC](images/oobe.jpg)
2. Insert the USB drive and press the Windows key five times. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**.
![Set up device?](images/setupmsg.jpg)
3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
![Provision this device](images/prov.jpg)
4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**.
![Choose a package](images/choose-package-icd.png)
5. Select **Yes, add it**.
![Do you trust this package?](images/trust-package.png)
6. Read and accept the Microsoft Software License Terms.
![Sign in](images/license-terms.png)
7. Select **Use Express settings**.
![Get going fast](images/express-settings.png)
8. If the PC doesn't use a volume license, you'll see the **Who owns this PC?** screen. Select **My work or school owns it** and tap **Next**.
![Who owns this PC?](images/who-owns-pc.png)
9. On the **Choose how you'll connect** screen, select **Join a domain** and tap **Next**.
![Connect to Azure AD](images/connect-ad.png)
10. Sign in with your domain account and password. When you see the progress ring, you can remove the USB drive.

202
education/windows/set-up-students-pcs-with-apps.md Normal file
View File

@ -0,0 +1,202 @@
---
title: Provision student PCs with apps
description: Learn how to use Configuration Designer to easily provision student devices to join Active Directory.
keywords: ["shared cart", "shared PC", "school"]
ms.prod: W10
ms.mktglfcycl: plan
ms.sitesec: library
author: jdeckerMS
---
# Provision student PCs with apps
**Applies to:**
- Windows 10
This topic explains how to create and apply a provisioning package that contains apps to a device running all desktop editions of Windows 10 except Windows 10 Home. Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more.
You can apply a provisioning package on a USB drive to off-the-shelf devices during setup, making it fast and easy to configure new devices.
If you want to [provision a school PC to join a domain](set-up-students-pcs-to-join-domain.md) and add apps in the same provisioning package, follow the steps in [Add apps to a provisioning package](#add-apps-to-a-provisioning-package). If you want to provision a school PC to join Azure AD, set up the PC using the steps in [Use Set up School PCs App](use-set-up-school-pcs-app.md), and then follow the steps in [Create a provisioning package to add apps after initial setup](#create-a-provisioning-package-to-add-apps-after-initial-setup).
## Add apps to a provisioning package
1. Follow the steps to [create the provisioning package](set-up-students-pcs-to-join-domain.md#create-the-provisioning-package).
2. On the **Finish** page, select **Switch to advanced editor**.
![Switch to advanced editor](images/icd-school-adv-edit.png)
**Next steps**
- [Add a desktop app to your package](#add-a-desktop-app-to-your-package)
- [Add a universal app to your package](#add-a-universal-app-to-your-package)
- [Build your package](#build-your-package)
- [Apply the provisioning package to a PC](#apply-package)
## Create a provisioning package to add apps after initial setup
Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740)
1. Open Windows ICD (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe).
2. Click **Advanced provisioning**.
![ICD start options](images/icdstart-option.png)
3. Name your project and click **Next**.
3. Select **All Windows desktop editions**, click **Next**, and then click **Finish**.
**Next steps**
- [Add a desktop app to your package](#add-a-desktop-app-to-your-package)
- [Add a universal app to your package](#add-a-universal-app-to-your-package)
- [Build your package](#build-your-package)
- [Apply the provisioning package to a PC](#apply-package)
## Add a desktop app to your package
1. In the **Available customizations** pane, go to **Runtime settings** > **ProvisioningCommands** > **DeviceContext** > **CommandFiles**.
2. Add all the files required for the app install, including the data files and the installer.
3. Go to **Runtime settings** > **ProvisioningCommands** > **DeviceContext** > **CommandLine** and specify the command line that needs to be executed to install the app. This is a single command line (such as a script, executable, or msi) that triggers a silent install of your CommandFiles. Note that the install must execute silently (without displaying any UI). For MSI installers use, the msiexec /quiet option.
> **Note**: If you are installing more than one app, then use CommandLine to invoke the script or batch file that orchestrates installation of the files. For more information, see [Install a Win32 app using a provisioning package](https://msdn.microsoft.com/en-us/library/windows/hardware/mt703295%28v=vs.85%29.aspx).
**Next steps**
- (optional) [Add a universal app to your package](#add-a-universal-app-to-your-package)
- [Build your package](#build-your-package)
- [Apply the provisioning package to a PC](#apply-package)
## Add a universal app to your package
1. In the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall**.
2. For **UserContextApp**, specify the **PackageFamilyName** for the app. (how to find package family name)
3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle).
4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. (how will they know?)
5. For **UserContextAppLicense**, enter the **LicenseProductID**. (where to get)
**Next steps**
- (optional) [Add a desktop app to your package](#add-a-desktop-app-to-your-package)
- [Build your package](#build-your-package)
- [Apply the provisioning package to a PC](#apply-package)
## Build your package
1. When you are done configuring the provisioning package, on the **File** menu, click **Save**.
2. Read the warning that project files may contain sensitive information, and click **OK**.
> **Important** When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
3. On the **Export** menu, click **Provisioning package**.
1. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
10. Set a value for **Package Version**.
**Tip**  
You can make changes to existing packages and change the version number to update previously applied packages.
11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
- **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
- **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package.
**Important**  
We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently. 
12. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.<p>
Optionally, you can click **Browse** to change the default output location.
13. Click **Next**.
14. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.<p>
If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.<p>
If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
- If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
- If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
16. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods:
- Shared network folder
- SharePoint site
- Removable media (USB/SD)
**Next step**
- [Apply the provisioning package to a PC](#apply-package)
## Apply package
**During initial setup, from a USB drive**
1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
![The first screen to set up a new PC](images/oobe.jpg)
2. Insert the USB drive and press the Windows key five times. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**.
![Set up device?](images/setupmsg.jpg)
3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
![Provision this device](images/prov.jpg)
4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**.
![Choose a package](images/choose-package.png)
5. Select **Yes, add it**.
![Do you trust this package?](images/trust-package.png)
6. Read and accept the Microsoft Software License Terms.
![Sign in](images/license-terms.png)
7. Select **Use Express settings**.
![Get going fast](images/express-settings.png)
8. If the PC doesn't use a volume license, you'll see the **Who owns this PC?** screen. Select **My work or school owns it** and tap **Next**.
![Who owns this PC?](images/who-owns-pc.png)
9. On the **Choose how you'll connect** screen, select **Join Azure AD** or **Join a domain** and tap **Next**.
![Connect to Azure AD](images/connect-aad.png)
10. Sign in with your domain, Azure AD, or Office 365 account and password. When you see the progress ring, you can remove the USB drive.
![Sign in](images/sign-in-prov.png)
**After setup, from a USB drive, network folder, or SharePoint site**
On a desktop computer, navigate to **Settings** &gt; **Accounts** &gt; **Work access** &gt; **Add or remove a management package** &gt; **Add a package**, and select the package to install.
![add a package option](images/package.png)
## Learn more
- [Build and apply a provisioning package]( http://go.microsoft.com/fwlink/p/?LinkId=629651)
- Watch the video: [Provisioning Windows 10 Devices with New Tools](http://go.microsoft.com/fwlink/p/?LinkId=615921)
- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](http://go.microsoft.com/fwlink/p/?LinkId=615922)
 

42
education/windows/set-up-windows-10.md Normal file
View File

@ -0,0 +1,42 @@
---
title: Setup options for Windows 10
description: Decide which option for setting up Windows 10 is right for you.
keywords: shared cart, shared PC, school
ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: edu
author: jdeckerMS
---
# Setup options for Windows 10
**Applies to:**
- Windows 10
MSA is only intended for consumer services. Schools may want to consider using MDM or group policy to block students from adding MSA as a secondary account
Reminder to schools that they should consider ratings when picking apps from the store. Enterprises and educational institutions should use enterprise versions where possible, such as Skype for Business, OneDrive for Business, etc.
![Which tool to use to set up Windows 10](images/setup-options.png)
## In this section
- [Use the Set up School PCs app (Preview)](use-set-up-school-pcs-app.md)
- [Technical reference for the Set up School PCs app (Preview)](set-up-school-pcs-technical.md)
- [Set up student PCs to join domain](set-up-students-pcs-to-join-domain.md)
- [Provision student PCs with apps](set-up-students-pcs-with-apps.md)
## Related topics
[Take tests in Windows 10](take-tests-in-windows-10.md)
[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)

BIN
windows/deploy/images/ICDstart-option.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 13 KiB

BIN
windows/deploy/images/choose-package.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 20 KiB

BIN
windows/deploy/images/connect-aad.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 70 KiB

BIN
windows/deploy/images/express-settings.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 108 KiB

BIN
windows/deploy/images/icd-simple-edit.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 15 KiB

BIN
windows/deploy/images/icd-simple.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 12 KiB

BIN
windows/deploy/images/license-terms.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 180 KiB

BIN
windows/deploy/images/oobe.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 27 KiB

BIN
windows/deploy/images/prov.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 17 KiB

BIN
windows/deploy/images/setupmsg.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 22 KiB

BIN
windows/deploy/images/sign-in-prov.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 49 KiB

BIN
windows/deploy/images/trust-package.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 42 KiB

BIN
windows/deploy/images/who-owns-pc.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 37 KiB

121
windows/deploy/provision-pcs-for-initial-deployment.md
View File

@ -1,6 +1,6 @@
---
title: Provision PCs with common settings (Windows 10)
description: Create a provisioning package to apply settings to a PC running Windows 10.
description: Create a provisioning package to apply common settings to a PC running Windows 10.
ms.assetid: 66D14E97-E116-4218-8924-E2A326C9367E
keywords: ["runtime provisioning", "provisioning package"]
ms.prod: W10
@ -16,16 +16,127 @@ author: jdeckerMS
- Windows 10
Create a provisioning package to apply settings, profiles, and file assets to a device running Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile, or Windows 10 Mobile Enterprise.
This topic explains how to create and apply a simple provisioning package that contains common enterprise settings to a device running all desktop editions of Windows 10 except Windows 10 Home.
You can apply a provisioning package on a USB drive to off-the-shelf devices during setup, making it fast and easy to configure new devices.
## Advantages
- You can configure new devices without reimaging.
- Works on both mobile and desktop devices.
- No network connectivity required.
- Simple to apply.
[Learn more about the benefits and uses of provisioning packages.](../whats-new/new-provisioning-packages.md)
## What does simple provisioning do?
In a simple provisioning package, you can configure:
- Device name
- Upgraded product edition
- Wi-Fi network
- Active Directory enrollment
- Local administrator account
Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more. To learn about provisioning packages that include more than the settings in a simple provisioning package, see [Provision PCs with apps and certificates](provision-pcs-with-apps-and-certificates.md).
> **Tip!** Use simple provisioning to create a package with the common settings, then switch to the advanced editor to add other settings, apps, policies, etc.
![open advanced editor](images/icd-simple-edit.png)
## Create the provisioning package
Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740)
1. Open Windows ICD (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe).
2. Click **Simple provisioning**.
![ICD start options](images/icdstart-option.png)
3. Name your project and click **Finish**. The screens for simple provisioning will walk you through the following steps.
![ICD simple provisioning](images/icd-simple.png)
4. In the **Set up device** step, enter a unique 15-character name for the device. For help generating a unique name, you can use %SERIAL%, which includes a hardware-specific serial number, or you can use %RAND:x%, which generates random characters of x length.
5. (Optional) You can upgrade the following editions of Windows 10 by providing a product key for the edition to upgrade to.
- Pro to Education
- Pro to Enterprise
- Enterprise to Education
6. Click **Set up network**.
7. Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, type, and (if required) password for the wireless network.
8. Click **Enroll into Active Directory**.
9. Toggle **Yes** or **No** for Active Directory enrollment. If you select **Yes**, enter the credentials for an account with permissions to enroll the device. (Optional) Enter a user name and password to create a local administrator account.
> **Warning**: If you don't create a local administrator account and the device fails to enroll in Active Directory for any reason, you will have to reimage the device and start over. As a best practice, we recommend:
- Use a least-privileged domain account to join the device to the domain.
- Create a temporary administrator account to use for debugging or reprovisioning if the device fails to enroll successfully.
- [Use Group Policy to delete the temporary administrator account](https://blogs.technet.microsoft.com/canitpro/2014/12/10/group-policy-creating-a-standard-local-admin-account/) after the device is enrolled in Active Directory.
10. Click **Finish**.
11. Review your settings in the summary. You can return to previous pages to change your selections. Then, under **Protect your package**, toggle **Yes** or **No** to encrypt the provisioning package. If you select **Yes**, enter a password. This password must be entered to apply the encrypted provisioning package.
12. Click **Create**.
> **Important** When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
## Apply package
1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
![The first screen to set up a new PC](images/oobe.jpg)
2. Insert the USB drive and press the Windows key five times. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**.
![Set up device?](images/setupmsg.jpg)
3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
![Provision this device](images/prov.jpg)
4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**.
![Choose a package](images/choose-package.png)
5. Select **Yes, add it**.
![Do you trust this package?](images/trust-package.png)
6. Read and accept the Microsoft Software License Terms.
![Sign in](images/license-terms.png)
7. Select **Use Express settings**.
![Get going fast](images/express-settings.png)
8. If the PC doesn't use a volume license, you'll see the **Who owns this PC?** screen. Select **My work or school owns it** and tap **Next**.
![Who owns this PC?](images/who-owns-pc.png)
9. On the **Choose how you'll connect** screen, select **Join Azure AD** or **Join a domain** and tap **Next**.
![Connect to Azure AD](images/connect-aad.png)
10. Sign in with your domain, Azure AD, or Office 365 account and password. When you see the progress ring, you can remove the USB drive.
![Sign in](images/sign-in-prov.png)
## Learn more
- [Build and apply a provisioning package]( http://go.microsoft.com/fwlink/p/?LinkId=629651)
- Watch the video: [Provisioning Windows 10 Devices with New Tools](http://go.microsoft.com/fwlink/p/?LinkId=615921)
- [Provisioning Windows 10 Devices with New Tools](http://go.microsoft.com/fwlink/p/?LinkId=615921)
- [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](http://go.microsoft.com/fwlink/p/?LinkId=615922)
- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](http://go.microsoft.com/fwlink/p/?LinkId=615922)
 

178
windows/deploy/provision-pcs-with-apps-and-certificates.md
View File

@ -16,19 +16,183 @@ author: jdeckerMS
- Windows 10
Create a runtime provisioning package to apply settings, profiles, and file assets to a device running Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile, or Windows 10 Mobile Enterprise.
This topic explains how to create and apply a provisioning package that contains apps and certificates to a device running all desktop editions of Windows 10 except Windows 10 Home. Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more.
You can apply a provisioning package on a USB drive to off-the-shelf devices during setup, making it fast and easy to configure new devices.
## Advantages
- You can configure new devices without reimaging.
- Works on both mobile and desktop devices.
- No network connectivity required.
- Simple to apply.
[Learn more about the benefits and uses of provisioning packages.](../whats-new/new-provisioning-packages.md)
## Create the provisioning package
Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740)
1. Open Windows ICD (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe).
2. Click **Advanced provisioning**.
![ICD start options](images/icdstart-option.png)
3. Name your project and click **Next**.
3. Select **All Windows desktop editions**, click **Next**, and then click **Finish**.
### Add a desktop app to your package
1. In the **Available customizations** pane, go to **Runtime settings** > **ProvisioningCommands** > **DeviceContext** > **CommandFiles**.
2. Add all the files required for the app install, including the data files and the installer.
3. Go to **Runtime settings** > **ProvisioningCommands** > **DeviceContext** > **CommandLine** and specify the command line that needs to be executed to install the app. This is a single command line (such as a script, executable, or msi) that triggers a silent install of your CommandFiles. Note that the install must execute silently (without displaying any UI). For MSI installers use, the msiexec /quiet option.
> **Note**: If you are installing more than one app, then use CommandLine to invoke the script or batch file that orchestrates installation of the files. For more information, see [Install a Win32 app using a provisioning package](https://msdn.microsoft.com/en-us/library/windows/hardware/mt703295%28v=vs.85%29.aspx).
### Add a universal app to your package
1. In the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall**.
2. For **UserContextApp**, specify the **PackageFamilyName** for the app. (how to find package family name)
3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle).
4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. (how will they know?)
5. For **UserContextAppLicense**, enter the **LicenseProductID**. (where to get)
### Add a certificate to your package
1. In the **Available customizations** pane, go to **Runtime settings** > **Certificates** > **ClientCertificates**.
2. Enter a **CertificateName** and then click **Add**.
2. Enter the **CertificatePassword**.
3. For **CertificatePath**, browse and select the certificate to be used.
4. Set **ExportCertificate** to **False**.
5. For **KeyLocation**, select **Software only**.
### Add other settings to your package
For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( http://go.microsoft.com/fwlink/p/?LinkId=619012).
### Build your package
1. When you are done configuring the provisioning package, on the **File** menu, click **Save**.
2. Read the warning that project files may contain sensitive information, and click **OK**.
> **Important** When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
3. On the **Export** menu, click **Provisioning package**.
1. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
10. Set a value for **Package Version**.
**Tip**  
You can make changes to existing packages and change the version number to update previously applied packages.
11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
- **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
- **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package.
**Important**  
We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently. 
12. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.<p>
Optionally, you can click **Browse** to change the default output location.
13. Click **Next**.
14. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.<p>
If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.<p>
If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
- If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
- If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
16. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods:
- Shared network folder
- SharePoint site
- Removable media (USB/SD)
- Email
- USB tether (mobile only)
- NFC (mobile only)
## Apply package
1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
![The first screen to set up a new PC](images/oobe.jpg)
2. Insert the USB drive and press the Windows key five times. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**.
![Set up device?](images/setupmsg.jpg)
3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
![Provision this device](images/prov.jpg)
4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**.
![Choose a package](images/choose-package.png)
5. Select **Yes, add it**.
![Do you trust this package?](images/trust-package.png)
6. Read and accept the Microsoft Software License Terms.
![Sign in](images/license-terms.png)
7. Select **Use Express settings**.
![Get going fast](images/express-settings.png)
8. If the PC doesn't use a volume license, you'll see the **Who owns this PC?** screen. Select **My work or school owns it** and tap **Next**.
![Who owns this PC?](images/who-owns-pc.png)
9. On the **Choose how you'll connect** screen, select **Join Azure AD** or **Join a domain** and tap **Next**.
![Connect to Azure AD](images/connect-aad.png)
10. Sign in with your domain, Azure AD, or Office 365 account and password. When you see the progress ring, you can remove the USB drive.
![Sign in](images/sign-in-prov.png)
## Learn more
- [Build and apply a provisioning package]( http://go.microsoft.com/fwlink/p/?LinkId=629651)
- Watch the video: [Provisioning Windows 10 Devices with New Tools](http://go.microsoft.com/fwlink/p/?LinkId=615921)
- [Provisioning Windows 10 Devices with New Tools](http://go.microsoft.com/fwlink/p/?LinkId=615921)
- [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](http://go.microsoft.com/fwlink/p/?LinkId=615922)
 
- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](http://go.microsoft.com/fwlink/p/?LinkId=615922)
 

88
windows/deploy/windows-10-poc.md
View File

@ -1,88 +0,0 @@
---
title: Deploy Windows 10 in a test lab (Windows 10)
description: Concepts and procedures for deploying Windows 10 in a proof of concept lab environment.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
---
# Deploy Windows 10 in a test lab
**Applies to**
- Windows 10
## Setting up a proof of concept deployment lab
This following topics provide instructions for setting up a proof of concept (PoC) lab where you can deploy Windows 10 in a private environment using a minimum amount of resources. The lab utilizes the Microsoft Hyper-V platform to run virtual machines that provide all the services and tools required to deploy Windows 10 on a network.
<table border="1" cellpadding="2">
<tr>
<td BGCOLOR="#a0e4fa">Topic</td>
<td BGCOLOR="#a0e4fa">Description</td>
</tr>
<tr>
<td>[Configure the PoC environment](#configure-the-poc-environment)</td>
<td>Instructions are provided for installing and configuring Hyper-V and configuring VHDs in preparation for different deployment scenarios.</td>
</tr>
<tr>
<td>Topic 2</td>
<td>Description 2</td>
</tr>
<tr>
<td>Topic 3</td>
<td>Description 3</td>
</tr>
<tr>
<td>Topic 4</td>
<td>Description 4</td>
</tr>
</table>
## Configure the PoC environment
### Requirements
To complete the procedures in this topic
### Install Hyper-V
Use one of the following procedures to install Hyper-V on the Hyper-V host computer:
Install Hyper-V on a computer running Windows 8/8.1 or Windows 10
Starting with Windows 8, the host computers microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](http://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information.
If your processor supports SLAT Hyper-V Manager is already included in Windows under Programs and Features.
[hyper-v feature](images/hyper-v-feature.png)
Note If you installed a 32-bit version of Windows, you wont be able to create and manage local virtual machines. To fully manage virtual machines by using the host computer, you must install the 64-bit version of Windows 8.1 or Windows 8.
The Hyper-V feature is not installed by default in Windows 8. To get it, you can use the following Windows PowerShell command:
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V All
You can also install it via the Control Panel in Windows under Turn Windows features on or off, as shown here:
Important If you know that your processor supports SLAT, but you still get an error message that states Hyper-V cannot be installed, you might need to enable virtualization in the BIOS. The location of this setting will depend on the manufacturer and BIOS version. The following image shows an example of the required settings (under Security) in a Hewlett-Packard BIOS for an Intel processor:
[security BIOS settings](images/sec-bios.png)
### Configure Hyper-V
### Download VHDs
### Configure VHDs
## Related Topics
[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
 
 

57
windows/keep-secure/service-accounts.md
View File

@ -102,55 +102,8 @@ Virtual accounts apply to the Windows operating systems that are designated in t
The following table provides links to additional resources that are related to standalone managed service accounts, group managed service accounts, and virtual accounts.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Content type</th>
<th>References</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p><strong>Product evaluation</strong></p></td>
<td><p>[What's New for Managed Service Accounts](https://technet.microsoft.com/library/hh831451(v=ws.11).aspx)</p>
<p>[Managed Service Accounts Documentation for Windows 7 and Windows Server 2008 R2](http://technet.microsoft.com/library/ff641731.aspx)</p>
<p>[Service Accounts Step-by-Step Guide](http://technet.microsoft.com/library/dd548356.aspx)</p>
<p>[Getting Started with Group Managed Service Accounts](https://technet.microsoft.com/library/jj128431(v=ws.11).aspx)</p></td>
</tr>
<tr class="even">
<td><p><strong>Deployment</strong></p></td>
<td><p>[Windows Server 2012: Group Managed Service Accounts - Ask Premier Field Engineering (PFE) Platforms - Site Home - TechNet Blogs](http://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managed-service-accounts.aspx)</p></td>
</tr>
<tr class="odd">
<td><p><strong>Operations</strong></p></td>
<td><p>[Managed Service Accounts in Active Directory](http://technet.microsoft.com/library/dd378925.aspx)</p></td>
</tr>
<tr class="even">
<td><p><strong>Tools and settings</strong></p></td>
<td><p>[Managed Service Accounts in Active Directory Domain Services](http://technet.microsoft.com/library/dd378925.aspx)</p></td>
</tr>
<tr class="odd">
<td><p><strong>Community resources</strong></p></td>
<td><p>[Managed Service Accounts: Understanding, Implementing, Best Practices, and Troubleshooting](http://blogs.technet.com/b/askds/archive/2009/09/10/managed-service-accounts-understanding-implementing-best-practices-and-troubleshooting.aspx)</p></td>
</tr>
<tr class="even">
<td><p><strong>Related technologies</strong></p></td>
<td><p>[Security Principals Technical Overview](security-principals.md)</p>
<p>[What's new in Active Directory Domain Services](https://technet.microsoft.com/library/mt163897.aspx)</p></td>
</tr>
</tbody>
</table>
 
 
 
| Content type | References |
|---------------|-------------|
| **Product evaluation** | [What's New for Managed Service Accounts](https://technet.microsoft.com/library/hh831451(v=ws.11).aspx)<br>[Getting Started with Group Managed Service Accounts](https://technet.microsoft.com/library/jj128431(v=ws.11).aspx) |
| **Deployment** | [Windows Server 2012: Group Managed Service Accounts - Ask Premier Field Engineering (PFE) Platforms - Site Home - TechNet Blogs](http://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managed-service-accounts.aspx) |
| **Related technologies** | [Security Principals Technical Overview](security-principals.md)<br>[What's new in Active Directory Domain Services](https://technet.microsoft.com/library/mt163897.aspx) |

3
windows/manage/TOC.md
View File

@ -6,8 +6,7 @@
### [New policies for Windows 10](new-policies-for-windows-10.md)
### [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md)
### [Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md)
### [Bulk provisioning for Windows 10 devices](simple-bulk-provisioning.md)
### [Diagnostics for devices managed by MDM](diagnostics-for-mdm-devices.md)
### [Diagnostics for Windows 10 devices](diagnostics-for-mdm-devices.md)
### [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md)
### [Introduction to configuration service providers (CSPs)](how-it-pros-can-use-configuration-service-providers.md)
## [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)

101
windows/manage/diagnostics-for-mdm-devices.md
View File

@ -1,5 +1,5 @@
---
title: Device Policy State Log (Windows 10)
title: Diagnostics for Windows 10 devices (Windows 10)
description: Device Policy State log in Windows 10, Version 1607, collects info about policies.
keywords: ["mdm", "udiag", "device policy", "mdmdiagnostics"]
ms.prod: W10
@ -8,80 +8,74 @@ ms.sitesec: library
author: jdeckerMS
---
# Device Policy State Log
# Diagnostics for Windows 10 devices
**Applies to**
- Windows 10
- Windows 10 Mobile
[Diagnostics capability for devices managed by any MDM provider.](https://microsoft.sharepoint.com/teams/osg_core_ens/mgmt/OSMan Wiki/MDM Diagnostics - Generating and Processing Log files.aspx)
(which SKUs?)
[Redstone spec](https://microsoft.sharepoint.com/teams/specstore/_layouts/15/WopiFrame.aspx?sourcedoc=%7b7E8742A2-03A1-451C-BA07-F2573B044CBF%7d&file=DM%20-%20MDM%20Diagnostics-RS.docx&action=default&DefaultItemOpen=1)
(this isn't really MDM-managed only, is it? It can be done locally/email?)
The Device Policy State Log, a new log in Windows 10, Version 1607, collects information on the state of policies applied to the device to help you determine which sources are applying policies or configurations to the device. This log is a tool that enables the helpdesk to be more effectively in remotely diagnosing and resolving issues with the device.
Two new diagnostic tools for Windows 10, version 1607, help IT administrators diagnose and resolve issues with remote devices enrolled in mobile device management (MDM): the [Device Policy State Log](#device-policy-state-log) and [UDiag](#udiag). Windows 10 for desktop editions and Windows 10 Mobile make it simple for users to export log files that you can then analyze with these tools.
Users can easily generate this log, both on PCs and mobile devices. (screenshot of UI)
## Export management log files
Go to **Settings > Accounts > Work access > Export your management log files**.
![Export your management log files](images/export-mgt-desktop.png)
- On desktop devices, the file is saved to C:/Users/Public/Public Documents/MDMDiagnostics/MDMDiagReport.xml
- On phones, the file is saved to *phone*/Documents/MDMDiagnostics/MDMDiagReport.xml
The MDMDiagReport.xml can be used with [Device Policy State Log](#device-policy-state-log) and [UDiag](#udiag) to help you resolve issues.
## Device Policy State Log
The Device Policy State Log collects information on the state of policies applied to the device to help you determine which sources are applying policies or configurations to the device. Help desk personnel can use this log to diagnose and resolve issues with a remote device.
After you obtain the management log file from the user's device, run the mdmReportGenerator.ps1 script on log to create report. (download mdmReportGenerator.ps1 and mdmDiagnoseHelpers.psm1) This PowerShell script asks you to enter the name of the management log file and a name for the report that it will create, as shown in the following example:
![Enter file name for input and output](images/mdm-diag-report-powershell.png)
The script produces the report in html format. There are two sections to the report, Configuration and Policy Information.
The configuration section lists the GUID of the sources that are applying configurations to the device.
![Configuration source Exachange ActiveSync](images/config-source.png)
The policy information section displays information about the specific policies that are being enforced and on the device. For each policy, you will see the Area grouping, the Policy name, its default and current value, and the configuration source. You can compare the configuration source GUID in the policy information section to the GUIDs in the configuration section to identify the source of the policy.
![Policies applied by a configuration source](images/config-policy.png)
(run script on log to create report)
## UDiag
There are two sections to the report, Configuration and Policy Information. The configuration section enumerates the GUID of the sources that are applying configurations to the device.
The UDiag tool applies rules to Event Tracing for Windows (ETW) files to help determine the root cause of an issue.
The policy information section displays information about the specific policies that are being enforced and on the device. For each policy you will see the Area grouping, the Policy name, its default and current value, in addition to the configuration source.
(download UDiag)
Event Trace Log (ETL) file
To generate on desktop or phone:
1. **Settings** > **Accounts** > **Work access** > **Export your management log files**
2. File is saved:
- on desktop: Clicking on **Export** will generate the diagnostic log file, and save it in C:\Users\Public\Documents\MDMDiagnostics
- on phone: Copy the file from the phone
- Either connect phone to PC and copy the file from Phone\Documents\MDMDiagnostics
OR
- Mail the log file from your phone by selecting the file from This Device\Documents\MDMDiagnostics
UDiag tool: Uses rule-based analysis to determine root cause based on Event Tracing for Windows (ETW) files; reduces the amount of time needed to determine what the root case of an issue is based on ETW analysis
To analyze MDMDiagReport.xml using UDiag
1. Open UDiag, and select Device Management.
2. Select your source for the log files ("cab of logs" or "directory of logs")
Investigating log content, identifying patterns, and adding a root cause analysis to the database (Advanced users/providers)
1. While at the 'Root Causes List' panel, click the 'Diagnose' button at the bottom.
2. You will then be brought to the Diagnosis panel where you can investigate and tag root causes from the content
[1] Evidence Groups
◦When a set of logs are loaded into UDiag, the contents are processed (e.g. ETW) and organized into evidence groups.
•[2] Decision Tree View
◦This view shows the loaded decision tree for the current topic/topic area.
◦When a decision node is selected, a user can modify the regular expression and add/edit/delete an RCA for that node. Any RCA matches found in the current log set will have an 'RCA' label that is either Red or Yellow.
•[3] Evidence View
◦Selecting an evidence group from [1], loads its content into this evidence view. Use this view to investigate issues and determine root causes. Drag and drop lines from the Evidence View [3] into the Decision Tree View [2], to build your RCA pattern.
- Evidence Groups: When a set of logs are loaded into UDiag, the contents are processed (e.g. ETW) and organized into evidence groups.
- Decision Tree View: This view shows the loaded decision tree for the current topic/topic area. When a decision node is selected, a user can modify the regular expression and add/edit/delete an RCA for that node. Any RCA matches found in the current log set will have an 'RCA' label that is either Red or Yellow.
- Evidence View: Selecting an evidence group loads its content into this evidence view. Use this view to investigate issues and determine root causes. Drag and drop lines from the Evidence View into the Decision Tree View, to build your root cause analysis pattern. ([Learn more about techniques for root cause analysis.](https://technet.microsoft.com/en-us/library/cc543298.aspx))
Device Policy State Log implementation: what does admin have to do on MDM side to enable "export your management log file"?[DK] Nothing. Generating the log is entirely a client side behavior. There is a new capability in the Diagnostic Log CSP that will enable a MDM ISV to trigger generation and capture of the log over the MDM channel.
Can admin pull logs without user action? [DK] Yes via the diagnostic log CSP
Is MDMDiagnostics.xml the file created by "export your management log file"? [DK] Yes
"Run PowerShell script to process the file" is that the user doing it? How can this workflow work in an enterprise where employees aren't computer-savvy? [DK] This is intended to be done by the help desk guy.
@ -93,5 +87,16 @@ Investigating log content, identifying patterns, and adding a root cause analysi
Can admins create custom rule sets? [DK] Right now, no. but open to feedback on this.
Link to [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/en-us/library/windows/hardware/mt632120%28v=vs.85%29.aspx)
[Diagnostics capability for devices managed by any MDM provider.](https://microsoft.sharepoint.com/teams/osg_core_ens/mgmt/OSMan Wiki/MDM Diagnostics - Generating and Processing Log files.aspx)
[Redstone spec](https://microsoft.sharepoint.com/teams/specstore/_layouts/15/WopiFrame.aspx?sourcedoc=%7b7E8742A2-03A1-451C-BA07-F2573B044CBF%7d&file=DM%20-%20MDM%20Diagnostics-RS.docx&action=default&DefaultItemOpen=1)
## Related topics
[DiagnosticLog CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt219118.aspx)
[Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/en-us/library/windows/hardware/mt632120.aspx)

BIN
windows/manage/images/config-policy.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 19 KiB

BIN
windows/manage/images/config-source.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 6.6 KiB

BIN
windows/manage/images/export-mgt-desktop.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 58 KiB

BIN
windows/manage/images/export-mgt-mobile.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 40 KiB

BIN
windows/manage/images/mdm-diag-report-powershell.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 11 KiB

99
windows/manage/set-up-shared-or-guest-pc.md
View File

@ -140,20 +140,19 @@ On a desktop computer, navigate to **Settings** &gt; **Accounts** &gt; **Work ac
> **Important**: It is not recommended to set additional policies on PCs configured for **Shared PC Mode**. The shared PC mode has been optimized to be fast and reliable over time with minimal to no manual maintenance required.
<table style="width:100%" border="1">
<caption><strong>Admin Templates</strong> > <strong>Control Panel</strong> > <strong>Personalization</strong> </caption>
<table border="1">
<thead><tr><th colspan="2"><p>Policy path</p></th></tr>
<tr><th><p>Policy name</p></th><th><p>Value</p></th>
</tr> </thead>
<tbody>
<tr><td colspan="2"><p><strong>Admin Templates</strong> > <strong>Control Panel</strong> > <strong>Personalization</strong></p></td>
</tr>
<tr><td><p>Prevent enabling lock screen slide show</p></td><td><p>Enabled</p></td>
</tr>
<tr><td><p>Prevent changing lock screen and logon image</p></td><td><p>Enabled</p></td>
</tr> </table><br/>
<table style="width:100%" border="1">
<caption><strong>Admin Templates</strong> > <strong>System</strong> > <strong>Power Management</strong> > <strong>Button Settings</strong></caption>
<tr><th><p>Policy name</p></th><th><p>Value</p></th>
</tr>
<tr><td colspan="2"><p><strong>Admin Templates</strong> > <strong>System</strong> > <strong>Power Management</strong> > <strong>Button Settings</strong></p></td>
</tr>
<tr><td><p>Select the Power button action (plugged in)</p></td><td><p>Sleep</p></td>
</tr>
<tr><td><p>Select the Power button action (on battery)</p></td><td><p>Sleep</p></td>
@ -163,12 +162,9 @@ On a desktop computer, navigate to **Settings** &gt; **Accounts** &gt; **Work ac
<tr><td><p>Select the lid switch action (plugged in)</p></td><td><p>Sleep</p></td>
</tr>
<tr><td><p>Select the lid switch action (on battery)</p></td><td><p>Sleep</p></td>
</tr> </table><br/>
<table style="width:100%" border="1">
<caption><strong>Admin Templates</strong> > <strong>System</strong> > <strong>Power Management</strong> > <strong>Sleep Settings</strong></caption>
<tr><th><p>Policy name</p></th><th><p>Value</p></th>
</tr>
<tr><td colspan="2"><p><strong>Admin Templates</strong> > <strong>System</strong> > <strong>Power Management</strong> > <strong>Sleep Settings</strong></p></td>
</tr>
<tr><td><p>Require a password when a computer wakes (plugged in)</p></td><td><p>Enabled</p></td>
</tr>
<tr><td><p>Require a password when a computer wakes (on battery)</p></td><td><p>Enabled</p></td>
@ -192,21 +188,14 @@ On a desktop computer, navigate to **Settings** &gt; **Accounts** &gt; **Work ac
<tr> <td> <p> Specify the system hibernate timeout (plugged in) </p> </td> <td> <p> Enabled, 0 </p> </td>
</tr>
<tr> <td> <p> Specify the system hibernate timeout (on battery) </p> </td> <td> <p> Enabled, 0 </p> </td>
</tr> </table><bbr/>
<table style="width:100%" border="1">
<caption <strong>Admin Templates</strong> > <strong>System</strong> > <strong>Power Management</strong> > <strong>Video and Display Settings</strong> ></caption>
<tr><th><p>Policy name</p></th><th><p>Value</p></th>
</tr>
<tr> <td colspan="2"> <p> <strong>Admin Templates</strong>><strong>System</strong>><strong>Power Management</strong>><strong>Video and Display Settings</strong> </p> </td> </tr>
<tr> <td> <p> Turn off the display (plugged in) </p> </td> <td> <p> 1 hour </p> </td>
</tr>
<tr> <td> <p> Turn off the display (on battery </p> </td> <td> <p> 1 hour </p> </td>
</tr> </table><br/>
<table style="width:100%" border="1">
<caption> <strong>Admin Templates</strong> > <strong>System</strong> > <strong>Logon</strong> </caption>
<tr><th><p>Policy name</p></th><th><p>Value</p></th>
</tr>
<tr> <td colspan="2"> <p> <strong>Admin Templates</strong>><strong>System</strong>><strong>Logon</strong> </p> </td>
</tr>
<tr> <td> <p> Show first sign-in animation </p> </td> <td> <p> Disabled </p> </td>
</tr>
<tr> <td> <p> Hide entry points for Fast User Switching </p> </td> <td> <p> Enabled </p> </td>
@ -220,19 +209,13 @@ On a desktop computer, navigate to **Settings** &gt; **Accounts** &gt; **Work ac
<tr> <td> <p> Allow users to select when a password is required when resuming from connected standby </p> </td> <td> <p> Disabled </p> </td>
</tr>
<tr> <td> <p> Block user from showing account details on sign-in </p> </td> <td> <p> Enabled </p> </td>
</tr> </table><br/>
<table style="width:100%" border="1">
<caption><strong>Admin Templates</strong> > <strong>System</strong> > <strong>User Profiles</strong> </caption>
<tr><th><p>Policy name</p></th><th><p>Value</p></th>
</tr>
<tr> <td colspan="2"> <p> <strong>Admin Templates</strong>><strong>System</strong>><strong>User Profiles</strong> </p> </td>
</tr>
<tr> <td> <p> Turn off the advertising ID </p> </td> <td> <p> Enabled </p> </td>
</tr> </table><br/>
<table style="width:100%" border="1">
<caption> <strong>Admin Templates</strong> > <strong>Windows Components </strong> </caption>
<tr><th><p>Policy name</p></th><th><p>Value</p></th>
</tr>
<tr> <td colspan="2"> <p> <strong>Admin Templates</strong>><strong>Windows Components </strong> </p> </td>
</tr>
<tr> <td> <p> Do not show Windows Tips </p> </td> <td> <p> Enabled </p> </td>
</tr>
<tr> <td> <p> Turn off Microsoft consumer experiences </p> </td> <td> <p> Enabled </p> </td>
@ -240,68 +223,47 @@ On a desktop computer, navigate to **Settings** &gt; **Accounts** &gt; **Work ac
<tr> <td> <p> Microsoft Passport for Work </p> </td> <td> <p> Disabled </p> </td>
</tr>
<tr> <td> <p> Prevent the usage of OneDrive for file storage </p> </td> <td> <p> Enabled </p> </td>
</tr> </table><br/>
<table style="width:100%" border="1">
<caption> <strong>Admin Templates</strong> > <strong>Windows Components</strong> > <strong>Biometrics</strong> </caption>
<tr><th><p>Policy name</p></th><th><p>Value</p></th>
</tr>
<tr> <td colspan="2"> <p> <strong>Admin Templates</strong>><strong>Windows Components</strong>><strong>Biometrics</strong> </p> </td>
</tr>
<tr> <td> <p> Allow the use of biometrics </p> </td> <td> <p> Disabled </p> </td>
</tr>
<tr> <td> <p> Allow users to log on using biometrics </p> </td> <td> <p> Disabled </p> </td>
</tr>
<tr> <td> <p> Allow domain users to log on using biometrics </p> </td> <td> <p> Disabled </p> </td>
</tr> </table><br/>
<table style="width:100%" border="1">
<caption> <strong>Admin Templates</strong> > <strong>Windows Components</strong> > <strong>Data Collection and Preview Builds</strong></caption>
<tr><th><p>Policy name</p></th><th><p>Value</p></th>
</tr>
<tr> <td colspan="2"> <p> <strong>Admin Templates</strong>><strong>Windows Components</strong>><strong>Data Collection and Preview Builds</strong> </p> </td>
</tr>
<tr> <td> <p> Toggle user control over Insider builds </p> </td> <td> <p> Disabled </p> </td>
</tr>
<tr> <td> <p> Disable pre-release features or settings </p> </td> <td> <p> Disabled </p> </td>
</tr>
<tr> <td> <p> Do not show feedback notifications </p> </td> <td> <p> Enabled </p> </td>
</tr> </table><br/>
<table style="width:100%" border="1">
<caption> <strong>Admin Templates</strong> > <strong>Windows Components</strong> > <strong>File Explorer</strong> </caption>
<tr><th><p>Policy name</p></th><th><p>Value</p></th>
</tr>
<tr> <td colspan="2"> <p> <strong>Admin Templates</strong>><strong>Windows Components</strong>><strong>File Explorer</strong> </p> </td>
</tr>
<tr> <td> <p> Show lock in the user tile menu </p> </td> <td> <p> Disabled </p> </td>
</tr> </table><br/>
<table style="width:100%" border="1">
<caption><strong>Admin Templates</strong> > <strong>Windows Components</strong> > <strong>Maintenance Scheduler</strong></caption>
<tr><th><p>Policy name</p></th><th><p>Value</p></th>
</tr>
<tr> <td colspan="2"> <p> <strong>Admin Templates</strong>><strong>Windows Components</strong>><strong>Maintenance Scheduler</strong> </p> </td>
</tr>
<tr> <td> <p> Automatic Maintenance Activation Boundary </p> </td> <td> <p> 12am </p> </td>
</tr>
<tr> <td> <p> Automatic Maintenance Random Delay </p> </td> <td> <p> Enabled, 2 hours </p> </td>
</tr>
<tr> <td> <p> Automatic Maintenance WakeUp Policy </p> </td> <td> <p> Enabled </p> </td>
</tr> </table><br/>
<table style="width:100%" border="1">
<caption> <strong>Admin Templates</strong> > <strong>Windows Components</strong> > <strong>Microsoft Edge</strong> </caption>
<tr><th><p>Policy name</p></th><th><p>Value</p></th>
</tr>
<tr> <td colspan="2"> <p> <strong>Admin Templates</strong>><strong>Windows Components</strong>><strong>Microsoft Edge</strong> </p> </td>
</tr>
<tr> <td> <p> Open a new tab with an empty tab </p> </td> <td> <p> Disabled </p> </td>
</tr>
<tr> <td> <p> Configure corporate home pages </p> </td> <td> <p> Enabled, about:blank </p> </td>
</tr> </table><br/>
<table style="width:100%" border="1">
<caption><strong>Admin Templates</strong> > <strong>Windows Components</strong> > <strong>Search</strong></caption>
<tr><th><p>Policy name</p></th><th><p>Value</p></th>
</tr>
<tr> <td colspan="2"> <p> <strong>Admin Templates</strong>><strong>Windows Components</strong>><strong>Search</strong> </p> </td>
</tr>
<tr> <td> <p> Allow Cortana </p> </td> <td> <p> Disabled </p> </td>
</tr> </table><br/>
<table style="width:100%" border="1">
<caption><strong>Windows Settings</strong> > <strong>Security Settings</strong> > <strong>Local Policies</strong> > <strong>Security Options</strong> </caption>
<tr><th><p>Policy name</p></th><th><p>Value</p></th>
</tr>
<tr> <td colspan="2"> <p> <strong>Windows Settings</strong>><strong>Security Settings</strong>><strong>Local Policies</strong>><strong>Security Options</strong> </p> </td>
</tr>
<tr> <td> <p> Interactive logon: Do not display last user name </p> </td> <td> <p> Enabled </p> </td>
</tr>
<tr> <td> <p> Interactive logon: Sign-in last interactive user automatically after a system-initiated restart </p> </td> <td> <p> Disabled </p> </td>
@ -310,6 +272,7 @@ On a desktop computer, navigate to **Settings** &gt; **Accounts** &gt; **Work ac
</tr>
<tr> <td> <p> User Account Control: Behavior of the elevation prompt for standard users </p> </td> <td> <p> Auto deny </p> </td>
</tr>
</tbody>
</table> </br></br>

13
windows/manage/simple-bulk-provisioning.md
View File

@ -1,13 +0,0 @@
---
title: Simple bulk provisioning (Windows 10)
description: Use Windows 10 Configuration Designer for easy provisioning packages.
keywords: ["runtime provisioning", "provisioning package", "bulk provisioning"]
ms.prod: W10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
---
# simple bulk provisioning
adding text to make it build

21
windows/whats-new/new-provisioning-packages.md
View File

@ -25,7 +25,7 @@ Provisioning packages are simple enough that with a short set of written instruc
## New in Windows 10, Version 1607
The Windows Assessment and Deployment Kit (ADK) for Windows 10 included the Imaging and Configuration Designer (ICD), a tool for configuring images and runtime settings which are then built into provisioning packages. Windows ICD for Windows 10, Version 1607, simplifies common provisioning scenarios.
The Windows Assessment and Deployment Kit (ADK) for Windows 10 includes the Imaging and Configuration Designer (ICD), a tool for configuring images and runtime settings which are then built into provisioning packages. Windows ICD for Windows 10, Version 1607, simplifies common provisioning scenarios.
![Configuration Designer options](images/icd.png)
@ -46,7 +46,7 @@ Windows ICD in Windows 10, Version 1607, supports the following scenarios for IT
* Mobile Iron (password-string based enrollment)
* Other MDMs (cert-based enrollment)
> **Note:** Windows ICD in Windows 10, Version 1607, also provides a wizard to create provisioning packages for school PCs. To learn more, see Set up students' PCs to join domain (link to be added).
> **Note:** Windows ICD in Windows 10, Version 1607, also provides a wizard to create provisioning packages for school PCs. To learn more, see [Set up students' PCs to join domain](https://technet.microsoft.com/edu/windows/index).
## Benefits of provisioning packages
@ -76,15 +76,16 @@ The following table provides some examples of what can be configured using provi
| Customization options | Examples |
|--------------------------|-----------------------------------------------------------------------------------------------|
| Bulk Active Directory join and device name | Join devices to Active Directory domain and assign device names using hardware-specific serial numbers or random characters |
| Applications | Windows apps, line-of-business applications |
| Bulk enrollment into MDM | Automatic enrollment into Microsoft Intune or a third-party MDM service |
| Bulk enrollment into MDM | Automatic enrollment into a third-party MDM service\* |
| Certificates | Root certification authority (CA), client certificates |
| Connectivity profiles | Wi-Fi, proxy settings, Email |
| Enterprise policies | Security restrictions (password, device lock, camera, and so on), encryption, update settings |
| Data assets | Documents, music, videos, pictures |
| Start menu customization | Start menu layout, application pinning |
| Other | Home and lock screen wallpaper, computer name, domain join, DNS settings, and so on |
\* Using a provisioning package for auto-enrollment to System Center Configuration Manager or Configuration Manager/Intune hybrid is not supported. Use the Configuration Manager console to enroll devices.
 
For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( http://go.microsoft.com/fwlink/p/?LinkId=619012).
@ -94,19 +95,13 @@ For details about the settings you can customize in provisioning packages, see [
With Windows 10, you can use the Windows Imaging and Configuration Designer (ICD) tool to create provisioning packages. To install Windows ICD and create provisioning packages, you must install the Windows Assessment and Deployment Kit (ADK) for Windows 10 [from the Windows Insider Program site](http://go.microsoft.com/fwlink/p/?linkid=533700).
While running ADKsetup.exe, select the following features from the **Select the features you want to install** dialog box:
- Deployment Tools
- Windows Preinstallation Environment (Windows PE)
While running ADKsetup.exe for Windows 10, version 1607, select the following feature from the **Select the features you want to install** dialog box:
- Windows Imaging and Configuration Designer (ICD)
- Windows User State Migration Tool (USMT)
> **Note:** In previous versions of the Windows 10 ADK, you had to install additional features for Windows ICD to run. Starting in version 1607, you can install Windows ICD without other ADK features.
Windows ICD depends on other tools in order to work correctly. If you only select Windows ICD in the installation wizard, the other tools listed above will also be selected for installation.
Once you have installed Windows ICD, you can use it to create a provisioning package. For detailed instructions on how to create a provisioning package, see [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkID=629651).
After you install Windows ICD, you can use it to create a provisioning package. For detailed instructions on how to create a provisioning package, see [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkID=629651).
## Applying a provisioning package to a device