deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-22 05:43:41 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'refs/remotes/origin/rs2' into jdrs2icd

Browse Source 
# Conflicts:
#	windows/deploy/provisioning-apply-package.md
#	windows/deploy/provisioning-create-package.md
#	windows/deploy/provisioning-how-it-works.md
#	windows/deploy/provisioning-install-icd.md
#	windows/deploy/provisioning-packages.md
#	windows/manage/configure-windows-10-taskbar.md
#	windows/manage/customize-and-export-start-layout.md

#	windows/manage/customize-windows-10-start-screens-by-using-group-policy.md

#	windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md

#	windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
#	windows/manage/lockdown-xml.md
#	windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md
#	windows/manage/settings-that-can-be-locked-down.md
#	windows/manage/start-layout-xml-desktop.md
#	windows/manage/start-layout-xml-mobile.md
#	windows/manage/windows-10-start-layout-options-and-policies.md
#	windows/manage/windows-spotlight.md
This commit is contained in:
jdeckerMS
2017-02-21 12:07:25 -08:00
parent 24911562e2
commit 99ce7ba725
18 changed files with 1 additions and 3725 deletions
Download Patch File Download Diff File Expand all files Collapse all files

96
windows/deploy/provisioning-apply-package.md
View File

@ -1,96 +0,0 @@
---
title: Apply a provisioning package (Windows 10)
description: Provisioning packages can be applied to a device during the first-run experience (OOBE) and after ("runtime").
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
localizationpriority: high
---
# Apply a provisioning package
**Applies to**
- Windows 10
- Windows 10 Mobile
Provisioning packages can be applied to a device during the first-run experience (out-of-box experience or "OOBE") and after ("runtime").
## Desktop editions
### During initial setup, from a USB drive
1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
![The first screen to set up a new PC](images/oobe.jpg)
2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**.
![Set up device?](images/setupmsg.jpg)
3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
![Provision this device](images/prov.jpg)
4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**.
![Choose a package](images/choose-package.png)
5. Select **Yes, add it**.
![Do you trust this package?](images/trust-package.png)
### After setup, from a USB drive, network folder, or SharePoint site
On a desktop computer, navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install.
![add a package option](images/package.png)
## Mobile editions
### Using removable media
1. Insert an SD card containing the provisioning package into the device.
2. Navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install.
![add a package option](images/packages-mobile.png)
3. Click **Add**.
4. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**.
![Is this package from a source you trust](images/package-trust.png)
### Copying the provisioning package to the device
1. Connect the device to your PC through USB.
2. On the PC, select the provisioning package that you want to use to provision the device and then drag and drop the file to your device.
3. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**.
![Is this package from a source you trust](images/package-trust.png)
## Related topics
- [Provisioning packages for Windows 10](provisioning-packages.md)
- [How provisioning works in Windows 10](provisioning-how-it-works.md)
- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md)
- [Create a provisioning package](provisioning-create-package.md)
- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md)
- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
- [NFC-based device provisioning](provisioning-nfc.md)
- [Windows ICD command-line interface (reference)](provisioning-command-line.md)
- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)

156
windows/deploy/provisioning-create-package.md
View File

@ -1,156 +0,0 @@
---
title: Create a provisioning package (Windows 10)
description: With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
localizationpriority: high
---
# Create a provisioning package for Windows 10
**Applies to**
- Windows 10
- Windows 10 Mobile
You use Windows Configuration Designer to create a provisioning package (.ppkg) that contains customization settings. You can apply the provisioning package to a device running Windows 10 or Windows 10 Mobile.
>[Learn how to install Windows Configuration Designer.](provisioning-install-icd.md)
>[!TIP]
>We recommend creating a local admin account when developing and testing your provisioning package. We also recommend using a “least privileged” domain user account to join devices to the Active Directory domain.
## Start a new project
1. Open Windows Configuration Designer:
- From either the Start screen or Start menu search, type 'Windows Configuration Designer' and click on the Windows Configuration Designer shortcut,
or
- If you installed Windows Configuration Designer from the ADK, navigate to `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` (on an x64 computer) or `C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` (on an x86 computer), and then double-click **ICD.exe**.
2. Select your desired option on the **Start** page, which offers multiple options for creating a provisioning package, as shown in the following image:
![Configuration Designer wizards](images/icd-create-options-1703.png)
- The wizard options provide a simple interface for configuring common settings for desktop, mobile, and kiosk devices. Wizards are also available for creating provisioning packages for Microsoft Surface Hub and Microsoft HoloLens devices. For a summary of the settings available in the desktop, mobile, and kiosk devices, see [What you can configure using Configuration Designer wizardS](provisioning-packages.md#configuration-designer-wizards).
(NEED TO LINK TO WIZARD TOPICS)
- For instructions on **Simple provisioning**, see [Provision PCs with common settings](provision-pcs-for-initial-deployment.md).
- For instructions on **Provision school devices**, see [Set up student PCs to join domain](https://technet.microsoft.com/edu/windows/set-up-students-pcs-to-join-domain).
- The **Advanced provisioning** option opens a new project with all **Runtime settings** available. The rest of this procedure uses **Advanced provisioning**.
>[!TIP]
>You can start a project in the simple editor and then switch the project to the advanced editor.
>
>![Switch to advanced editor](images/icd-switch.png)
3. Enter a name for your project, and then click **Next**.
4. Select the settings you want to configure, based on the type of device, and then click **Next**. The following table describes the options.
| Windows edition | Settings available for customization | Provisioning package can apply to |
| --- | --- | --- |
| All Windows editions | Common settings | All Windows 10 devices |
| All Windows desktop editions | Common settings and settings specific to desktop devices | All Windows 10 desktop editions (Home, Pro, Enterprise, Pro Education, Enterprise Education) |
| All Windows mobile editions | Common settings and settings specific to mobile devices | All Windows 10 Mobile devices |
| Windows 10 IoT Core | Common settings and settings specific to Windows 10 IoT Core | All Windows 10 IoT Core devices |
| Windows 10 Holographic | Common settings and settings specific to Windows 10 Holographic | [Microsoft HoloLens](https://technet.microsoft.com/itpro/hololens/hololens-provisioning) |
| Common to Windows 10 Team edition | Common settings and settings specific to Windows 10 Team | [Microsoft Surface Hub](https://technet.microsoft.com/itpro/surface-hub/provisioning-packages-for-certificates-surface-hub) |
5. On the **Import a provisioning package (optional)** page, you can click **Finish** to create your project, or browse to and select an existing provisioning packge to import to your project, and then click **Finish**.
>[!TIP]
>**Import a provisioning package** can make it easier to create different provisioning packages that all have certain settings in common. For example, you could create a provisioning package that contains the settings for your organization's network, and then import it into other packages you create so you don't have to reconfigure those common settings repeatedly.
After you click **Finish**, Windows Configuration Designer will open the **Available customizations** pane.
## Configure settings
For an advanced provisioning project, Windows Configuration Designer opens the **Available customizations** pane. The example in the following image is based on **All Windows desktop editions** settings.
![What the ICD interface looks like](images/icd-runtime.png)
The settings in Windows Configuration Designer are based on Windows 10 configuration service providers (CSPs). To learn more about CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](https://technet.microsoft.com/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers).
The process for configuring settings is similar for all settings. The following table shows an example.
<table>
<tr><td>![step one](images/one.png)</br>Expand a category.</td><td>![Expand Certificates category](images/icd-step1.png)</td></tr>
<tr><td>![step two](images/two.png)</br>Select a setting.</td><td>![Select ClientCertificates](images/icd-step2.png)</td></tr>
<tr><td>![step three](images/three.png)</br>Enter a value for the setting. Click **Add** if the button is displayed.</td><td>![Enter a name for the certificate](images/icd-step3.png)</td></tr>
<tr><td>![step four](images/four.png)</br>Some settings, such as this example, require additional information. In **Available customizations**, select the value you just created, and additional settings are displayed.</td><td>![Additional settings for client certificate](images/icd-step4.png)</td></tr>
<tr><td>![step five](images/five.png)</br>When the setting is configured, it is displayed in the **Selected customizations** pane.</td><td>![Selected customizations pane](images/icd-step5.png)</td></tr>
</table>
For details on each specific setting, see [Windows Provisioning settings reference](https://msdn.microsoft.com/library/windows/hardware/dn965990.aspx). The reference topic for a setting is also displayed in Windows Configuration Designer when you select the setting, as shown in the following image.
![Windows Configuration Designer opens the reference topic when you select a setting](images/icd-setting-help.png)
## Build package
1. After you're done configuring your customizations, click **Export** and select **Provisioning Package**.
![Export on top bar](images/icd-export-menu.png)
2. In the **Describe the provisioning package** window, enter the following information, and then click **Next**:
- **Name** - This field is pre-populated with the project name. You can change this value by entering a different name in the **Name** field.
- **Version (in Major.Minor format** - - Optional. You can change the default package version by specifying a new value in the **Version** field.
- **Owner** - Select **IT Admin**. For more information, see [Precedence for provisioning packages](provisioning-how-it-works.md#precedence-for-provisioning-packages).
- **Rank (between 0-99)** - Optional. You can select a value between 0 and 99, inclusive. The default package rank is 0.
3. In the **Select security details for the provisioning package** window, you can select to encrypt and/or sign a provisioning package with a selected certificate. Both selections are optional. Click **Next** after you make your selections.
- **Encrypt package** - If you select this option, an auto-generated password will be shown on the screen.
- **Sign package** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select** and choosing the certificate you want to use to sign the package.
>[!NOTE]
>You should only configure provisioning package security when the package is used for device provisioning and the package has contents with sensitive security data such as certificates or credentials that should be prevented from being compromised. When applying an encrypted and/or signed provisioning package, either during OOBE or through the setting UI, the package can be decrypted, and if signed, be trusted without explicit user consent. An IT administrator can set policy on a user device to restrict the removal of required packages from the device, or the provisioning of potentially harmful packages on the device.
>
>If a provisioning package is signed by a trusted provisioner, it can be installed on a device without a prompt for user consent. In order to enable trusted provider certificates, you must set the **TrustedProvisioners** setting prior to installing the trusted provisioning package. This is the only way to install a package without user consent. To provide additional security, you can also set **RequireProvisioningPackageSignature**, which prevents users from installing provisioning packages that are not signed by a trusted provisioner.
4. In the **Select where to save the provisioning package** window, specify the output location where you want the provisioning package to go once it's built, and then click **Next**. By default, Windows Configuration Designer uses the project folder as the output location.
5. In the **Build the provisioning package** window, click **Build**. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status.
If you need to cancel the build, click Cancel. This cancels the current build process, closes the wizard, and takes you back to the Customizations Page.
6. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
7. When you are done, click **Finish** to close the wizard and go back to the Customizations page.
**Next step**: [How to apply a provisioning package](provisioning-apply-package.md)
## Learn more
- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921)
- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922)
- [How to bulk-enroll devices with On-premises Mobile Device Management in System Center Configuration Manager](https://docs.microsoft.com/sccm/mdm/deploy-use/bulk-enroll-devices-on-premises-mdm)
## Related topics
- [Provisioning packages for Windows 10](provisioning-packages.md)
- [How provisioning works in Windows 10](provisioning-how-it-works.md)
- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md)
- [Apply a provisioning package](provisioning-apply-package.md)
- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md)
- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
- [NFC-based device provisioning](provisioning-nfc.md)
- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md)
- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)

182
windows/deploy/provisioning-how-it-works.md
View File

@ -1,182 +0,0 @@
---
title: How provisioning works in Windows 10 (Windows 10)
description: A provisioning package (.ppkg) is a container for a collection of configuration settings.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
localizationpriority: high
---
# How provisioning works in Windows 10
**Applies to**
- Windows 10
- Windows 10 Mobile
Provisioning packages in Windows 10 provide IT administrators with a simplified way to apply configuration settings to Windows 10 devices. Windows Configuration Designer is a tool that makes it easy to create a provisioning package. Windows Configuration Designer can be installed from the [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) or through the Windows Store.
## Provisioning packages
A provisioning package contains specific configurations/settings and assets that can be provided through a removable media or simply downloaded to the device.
To enable adding multiple sets of settings or configurations, the configuration data used by the provisioning engine is built out of multiple configuration sources that consist of separate provisioning packages. Each provisioning package contains the provisioning data from a different source.
A provisioning package (.ppkg) is a container for a collection of configuration settings. The package has the following format:
- Package metadata The metadata contains basic information about the package such as package name, description, version, ranking, and so on.
- XML descriptors Each descriptor defines a customization asset or configuration setting included in the package.
- Asset payloads The payloads of a customization asset or a configuration setting associated with an app or data asset.
You can use provisioning packages for runtime device provisioning by accessing the package on a removable media attached to the device, through near field communication (NFC), or by downloading from a remote source location.
## Precedence for provisioning packages
When multiple provisioning packages are available for device provisioning, the combination of package owner type and package rank level defined in the package manifest is used to resolve setting conflicts. The pre-defined package owner types are listed below in the order of lowest to highest owner type precedence:
1. Microsoft
2. Silicon Vender
3. OEM
4. System Integrator
5. Mobile Operator
6. IT Admin
The valid value range of package rank level is 0 to 99.
When setting conflicts are encountered, the final values provisioned on the device are determined by the owner type precedence and the rank level of the packages containing the settings. For example, the value of a setting in a package with owner **System Integrator** and rank level **3** takes precedence over the same setting in a package with owner **OEM** and rank level **4**. This is because the System Integrator owner type has the higher precedence over the OEM owner type. For packages with the same owner type, the package rank level determines the package from which the setting values get provisioned on the device.
## Windows provisioning XML
Windows provisioning XML is the framework that allows Microsoft and OEM components to declare end-user configurable settings and the on-device infrastructure for applying the settings with minimal work by the component owner.
Settings for each component can be declared within that component's package manifest file. These declarations are turned into settings schema that are used by Windows Configuration Designer to expose the potential settings to users to create customizations in the image or in provisioning packages. Windows Configuration Designer translates the user configuration, which is declared through Windows provisioning answer file(s), into the on-device provisioning format.
When the provisioning engine selects a configuration, the Windows provisioning XML is contained within the selected provisioning data and is passed through the configuration manager and then to the [Windows provisioning CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/provisioning-csp). The Windows provisioning CSP then takes and applies the provisioning to the proper location for the actual component to use.
## Provisioning engine
The provisioning engine is the core component for managing provisioning and configuration at runtime in a device running Windows 10.
The provisioning engine provides the following functionality:
- Provisioning configuration at any time when the device is running including first boot and setup or OOBE. It is also extensible to other points during the run-time of the device.
- Reading and combining settings from multiple sources of configuration that may be added to an image by Microsoft, the OEM, or system integrator, or added by IT/education administrators or users to the device at run-time. Configuration sources may be built into the image or from provisioning packages added to the device.
- Responding to triggers or events and initiating a provisioning stage.
- Authenticating the provisioning packages.
- Selecting a set of configuration based on the stage and a set of keys—such as the SIM, MCC/MNC, IMSI range, and so on—that map to a specific configuration then passing this configuration to the configuration management infrastructure to be applied.
- Working with OOBE and the control panel UI to allow user selection of configuration when a specific match cannot be determined.
## Configuration manager
The configuration manager provides the unified way of managing Windows 10 devices. Configuration is mainly done through the Open Mobile Alliance (OMA) Device Management (DM) and Client Provisioning (CP) protocols. The configuration manager handles and parses these protocol requests from different channels and passes them down to [Configuration Service Providers (CSPs)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/configuration-service-provider-reference) to perform the specific management requests and settings.
The provisioning engine relies on configuration manager for all of the actual processing and application of a chosen configuration. The provisioning engine determines the stage of provisioning and, based on a set of keys, determines the set of configuration to send to the configuration manager. The configuration manager in turn parses and calls into the CSPs for the setting to be applied.
Underneath the configuration manager are the CSPs. Each section of configuration translates to a particular CSP to handle interpreting into an action on the device. Each CSP translates the instructions in the configuration and calls into the appropriate APIs and components to perform the requested provisioning actions.
## Policy and resource manager
The policy, resource, and context manager components manage the enrollment and unenrollment of devices into enterprise environments. The enrollment process into an enterprise is essentially the provisioning of configuration and device management policies that the enterprise wants to enforce on the device. This is usually done through the explicit signing up of the device to an enterprise's device management server over a network connection. This provides the user with the ability to access the enterprise's resources through the device and the enterprise with a means to manage and control access and manage and control the device itself.
The key differences between enterprise enrollment and the configuration performed by the provisioning engine are:
- Enrollment enforces a limited and controlled set of policies on the device that the user may not have full control over. The provisioning engine exposes a larger set of settings that configure more aspects of the device and are generally user adjustable.
- The policy manager manages policy settings from multiple entities and performs a selection of the setting based on priority of the entities. The provisioning engine applies the settings and does not offer a means of prioritizing settings from different sources. The more specific provisioning is the last one applied and the one that is used.
- Individual policy settings applied from different enrollment entities are stored so they can be removed later during unenrollment. This enables the user to remove enterprise policy and return the device to a state without the enterprise restrictions and any sensitive data. The provisioning engine does not maintain individual provisioning settings or a means to roll back all applied settings.
In Windows 10, the application of policy and enrollment through provisioning is required to support cases where an enterprise or educational institution does not have a DM server for full device management. The provisioning engine supports provisioning enrollment and policy through its configuration and integrates with the existing policy and resource manager components directly or through the configuration manager.
## Triggers and stages
Triggers are events during the lifetime of the system that start a provisioning stage. Some examples of triggers are: boot, OOBE, SIM change, user added, administrator added, user login, device update, and various manual triggers (such as deployment over USB or launched from an email attachment or USB flash drive).
When a trigger occurs, provisioning is initiated for a particular provisioning stage. The stages are grouped into sets based on the scope of the settings:
- **Static**: First stage run for provisioning to apply configuration settings to the system to set up OOBE or apply device-wide settings that cannot be done when the image is being created.
- **System**: Run during OOBE and configure system-wide settings.
- **UICC**: UICC stages run for each new UICC in a device to handle configuration and branding based on the identity of the UICC or SIM card. This enables the runtime configuration scenarios where an OEM can maintain one image that can be configured for multiple operators.
- **Update**: Runs after an update to apply potential updated settings changes.
- **User**: runs during a user account first run to configure per-user settings.
## Device provisioning during OOBE
The provisioning engine always applies provisioning packages persisted in the `C:\Recovery\Customizations` folder on the OS partition. When the provisioning engine applies provisioning packages in the `%ProgramData%\Microsoft\Provisioning` folder, certain runtime setting applications, such as the setting to install and configure Windows apps, may be extended past the OOBE pass and continually be processed in the background when the device gets to the desktop. Settings for configuring policies and certain crucial system configurations are always be completed before the first point at which they must take effect.
Device users can apply a provisioning package from a remote source when the device first boots to OOBE. The device provisioning during OOBE is only triggered after the language, locale, time zone, and other settings on the first OOBE UI page are configured. When device provisioning is triggered, the provisioning UI is displayed in the OOBE page. The provisioning UI allows users to select a provisioning package acquired from a remote source, such as through NFC or a removable media.
The following table shows how device provisioning can be initiated when a user first boots to OOBE.
| Package delivery | Initiation method | Supported device |
| --- | --- | --- |
| Removable media - USB drive or SD card</br> (Packages must be placed at media root) | 5 fast taps on the Windows key to launch the provisioning UI |All Windows devices |
| From an administrator device through machine-to-machine NFC or NFC tag</br>(The administrator device must run an app that can transfer the package over NFC) | 5 fast taps on the Windows key to launch the provisioning UI | Windows 10 Mobile devices and IoT Core devices |
The provisioning engine always copies the acquired provisioning packages to the `%ProgramData%\Microsoft\Provisioning` folder before processing them during OOBE. The provisioning engine always applies provisioning packages embedded in the installed Windows image during Windows Setup OOBE pass regardless of whether the package is signed and trusted. When the provisioning engine applies an encrypted provisioning package on an end-user device during OOBE, users must first provide a valid password to decrypt the package. The provisioning engine also checks whether a provisioning package is signed and trusted; if it's not, the user must provide consent before the package is applied to the device.
When the provisioning engine applies provisioning packages during OOBE, it applies only the runtime settings from the package to the device. Runtime settings can be system-wide configuration settings, including security policy, Windows app install/uninstall, network configuration, bootstrapping MDM enrollment, provisioning of file assets, account and domain configuration, Windows edition upgrade, and more. The provisioning engine also checks for the configuration settings on the device, such as region/locale or SIM card, and applies the multivariant settings with matching condition(s).
## Device provisioning at runtime
At device runtime, stand-alone provisioning packages can be applied by user initiation. The following table shows when provisioning at device runtime can be initiated.
| Package delivery | Initiation method | Supported device |
| --- | --- | --- |
| Removable media - USB drive or SD card</br>(Packages must be placed at media root) | **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** | All Windows devices |
| Downloaded from a network connection and copied to a local folder | Double-click the package file | Windows 10 for desktop editions devices |
| From an administrator device connected to the target device through USB tethering | Drag and drop the package file onto the target device | Windows 10 Mobile devices and IoT Core devices |
When applying provisioning packages from a removable media attached to the device, the Settings UI allows viewing contents of a package before selecting the package for provisioning. To minimize the risk of the device being spammed by applying provisioning packages from unknown sources, a provisioning package can be signed and encrypted. Partners can also set policies to limit the application of provisioning packages at device runtime. Applying provisioning packages at device runtime requires administrator privilege. If the package is not signed or trusted, a user must provide consent before the package is applied to the device. If the package is encrypted, a valid password is needed to decrypt the package before it can be applied to the device.
When applying multiple provisioning packages to a device, the provisioning engine resolves settings with conflicting configuration values from different packages by evaluating the package ranking using the combination of package owner type and package rank level defined in the package metadata. A configuration setting applied from a provisioning package with the highest package ranking will be the final value applied to the device.
After a stand-alone provisioning package is applied to the device, the package is persisted in the `%ProgramData%\Microsoft\Provisioning` folder on the device. Provisioning packages can be removed by an administrator by using the **Add or remove a provisioning package** available under **Settings** > **Accounts** > **Access work or school**.
## Learn more
- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921)
- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922)
## Related topics
- [Provisioning packages for Windows 10](provisioning-packages.md)
- [Install Windows Configuration Designer](provisioning-install-icd.md)
- [Create a provisioning package](provisioning-create-package.md)
- [Apply a provisioning package](provisioning-apply-package.md)
- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md)
- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
- [NFC-based device provisioning](provisioning-nfc.md)
- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md)
- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
 
 

111
windows/deploy/provisioning-install-icd.md
View File

@ -1,111 +0,0 @@
---
title: Install Windows Configuration Designer (Windows 10)
description: Learn how to install and run Windows Configuration Designer.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
localizationpriority: high
---
# Install Windows Configuration Designer
**Applies to**
- Windows 10
- Windows 10 Mobile
Use the Windows Configuration Designer tool to create provisioning packages to easily configure devices running Windows 10. Windows Configuration Designer is primarily designed for use by IT departments for business and educational institutions who need to provision bring-your-own-device (BYOD) and business-supplied devices.
## Supported platforms
Windows Configuration Designer can create provisioning packages for Windows 10 desktop and mobile editions, including Windows 10 IoT Core, as well as Microsoft Surface Hub and Microsoft HoloLens. You can run Windows Configuration Designer on the following operating systems:
- Windows 10 - x86 and amd64
- Windows 8.1 Update - x86 and amd64
- Windows 8.1 - x86 and amd64
- Windows 8 - x86 and amd64
- Windows 7 - x86 and amd64
- Windows Server 2016
- Windows Server 2012 R2 Update
- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2
## Install Windows Configuration Designer
On devices running Windows 10, version 1703, you can install [Windows Configuration Designer from the Windows Store](https://www.microsoft.com/store/apps/9nblggh4tx22). To run Windows Configuration Designer on other operating systems, install it from the Windows Assessment and Deployment Kit (ADK) for Windows 10.
>[!NOTE]
>The Windows Configuration Designer App from the Windows Store currently supports only English. For a localized version of the Windows Configuration Designer, install it from the Windows ADK.
1. Go to [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) and select **Get Windows ADK** for the version of Windows 10 that you want to create provisioning packages for (version 1511 or version 1607).
>[!NOTE]
>The rest of this procedure uses Windows ADK for Windows 10, version 1607 as an example.
2. Save **adksetup.exe** and then run it.
3. On the **Specify Location** page, select an installation path and then click **Next**.
>[!NOTE]
>The estimated disk space listed on this page applies to the full Windows ADK. If you only install Windows Configuration Designer, the space requirement is approximately 32 MB.
4. Make a selection on the **Windows Kits Privacy** page, and then click **Next**.
5. Accept the **License Agreement**, and then click **Next**.
6. On the **Select the features you want to install** page, clear all selections except **Configuration Designer**, and then click **Install**.
![Only Configuration Designer selected for installation](images/icd-install.png)
## Current Windows Configuration Designer limitations
- You can only run one instance of Windows Configuration Designer on your computer at a time.
- Be aware that when adding apps and drivers, all files stored in the same folder will be imported and may cause errors during the build process.
- The Windows Configuration Designer UI does not support multivariant configurations. Instead, you must use the Windows Configuration Designer command-line interface to configure multivariant settings. For more information, see [Create a provisioning package with multivariant settings](provisioning-multivariant.md).
- While you can open multiple projects at the same time within Windows Configuration Designer, you can only build one project at a time.
- In order to enable the simplified authoring jscripts to work on a server SKU running Windows Configuration Designer, you need to explicitly enable **Allow websites to prompt for information using scripted windows**. Do this by opening Internet Explorer and then navigating to **Settings** > **Internet Options** > **Security** -> **Custom level** > **Allow websites to prompt for information using scripted windows**, and then choose **Enable**.
- If you copy a Windows Configuration Designer project from one PC to another PC, make sure that all the associated files for the deployment assets, such as apps and drivers, are copied along with the project to the same path as it was on the original PC.
For example, when you add a driver to a provisioned package, you must copy the .INF file to a local directory on the PC that is running Windows Configuration Designer. If you don't do this, and attempt to use a copied version of this project on a different PC, Windows Configuration Designer might attempt to resolve the path to the files that point to the original PC.
- **Recommended**: Before starting, copy all source files to the PC running Windows Configuration Designer, rather than using external sources like network shares or removable drives. This reduces the risk of interrupting the build process from a temporary network issue or from disconnecting the USB device.
**Next step**: [How to create a provisioning package](provisioning-create-package.md)
## Learn more
- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921)
- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922)
## Related topics
- [Provisioning packages for Windows 10](provisioning-packages.md)
- [How provisioning works in Windows 10](provisioning-how-it-works.md)
- [Create a provisioning package](provisioning-create-package.md)
- [Apply a provisioning package](provisioning-apply-package.md)
- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md)
- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
- [NFC-based device provisioning](provisioning-nfc.md)
- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md)
- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
 
 

163
windows/deploy/provisioning-packages.md
View File

@ -1,163 +0,0 @@
---
title: Provisioning packages (Windows 10)
description: With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
ms.assetid: 287706E5-063F-4AB5-902C-A0DF6D0730BC
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
localizationpriority: high
---
# Provisioning packages for Windows 10
**Applies to**
- Windows 10
- Windows 10 Mobile
Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. Using Windows provisioning, an IT administrator can easily specify desired configuration and settings required to enroll the devices into management and then apply that configuration to target devices in a matter of minutes. It is best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers.
A provisioning package (.ppkg) is a container for a collection of configuration settings. With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
Provisioning packages are simple enough that with a short set of written instructions, a student or non-technical employee can use them to configure their device. This can result in a significant reduction in the time required to configure multiple devices in your organization.
The [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) includes the Windows Configuration Designer, a tool for configuring provisioning packages. Windows Configuration Designer is also available as an app in the Windows Store.
## New in Windows 10, version 1703
- The tool for creating provisioning packages is renamed Windows Configuration Designer, replacing the Windows Imaging and Configuration Designer (ICD) tool. The components for creating images have been removed from Windows Configuration Designer, which now provides access to runtime settings only.
- Windows Configuration Designer can still be installed from the Windows ADK. You can also install it from the Windows Store.
- Windows Configuration Designer adds more wizards to make it easier to create provisioning packages for specific scenarios. See [What you can configure](#configuration-designer-wizards) for wizard descriptions.
- The wizard **Provision desktop devices** (previously called **Simple provisioning**) now enables joining Azure Active Directory (Azure AD) domains and also allows you to remove non-Microsoft software from Windows desktop devices during provisioning.
- Provisioning packages can be made available [using NFC and barcodes](provisioning-nfc.md).
- When provisioning packages are applied to a device, a status screen indicates successful or failed provisioning.
- Windows 10 includes PowerShell cmdlets that simplify scripted provisioning. Using these cmdlets, you can add provisioning packages, remove provisioning packages and generate log files to investigate provisioning errors.
- The **Provision school devices** wizard is removed from Windows Configuration Designer. Instead, use the **Setup School PCs** app from the Windows Store.
## Benefits of provisioning packages
Provisioning packages let you:
- Quickly configure a new device without going through the process of installing a new image.
- Save time by configuring multiple devices using one provisioning package.
- Quickly configure employee-owned devices in an organization without a mobile device management (MDM) infrastructure.
- Set up a device without the device having network connectivity.
Provisioning packages can be:
- Installed using removable media such as an SD card or USB flash drive.
- Attached to an email.
- Downloaded from a network share.
- Deployed in NFC tags or barcodes.
## What you can configure
### Configuration Designer wizards
The following table describes settings that you can configure using the wizards in the Configuration Designer to create provisioning packages.
<table><tr><td align="left">**Step**</td><td align="left">**Description**</td><td>**Desktop</br>wizard**</td><td align="center">**Mobile</br>wizard**</td><td>**Kiosk</br>wizard**</td></tr>
<tr><td valign="top">Set up device</td><td valign="top">Assign device name,</br>enter product key to upgrade Windows,</br>configure shared used,</br>remove pre-installed software</td><td align="center" valign="top">![yes](images/checkmark.png)</td><td align="center" valign="top">![yes](images/checkmark.png)</br>(Only device name and upgrade key)</td><td align="center" valign="top">![yes](images/checkmark.png)</td></tr>
<tr><td valign="top">Set up network</td><td valign="top">Connect to a Wi-Fit network</td><td align="center" valign="top">![yes](images/checkmark.png)</td><td align="center" valign="top">![yes](images/checkmark.png)</td><td align="center" valign="top">![yes](images/checkmark.png)</td></tr>
<tr><td valign="top">Account management</td><td valign="top">Enroll device in Active Directory,</br>enroll device in Azure Active Directory,</br>or create a local administrator account</td><td align="center" valign="top">![yes](images/checkmark.png)</td><td align="center" valign="top">![no](images/crossmark.png)</td><td align="center" valign="top">![yes](images/checkmark.png)</td></tr>
<tr><td valign="top">Bulk Enrollment in Azure AD</td><td valign="top">Enroll device in Azure Active Directory</td><td align="center" valign="top">![no](images/crossmark.png)</td><td align="center" valign="top">![yes](images/checkmark.png)</td><td align="center" valign="top">![no](images/crossmark.png)</td></tr>
<tr><td valign="top">Add applications</td><td valign="top">?</td><td align="center" valign="top">![no](images/crossmark.png)</td><td align="center" valign="top">![no](images/crossmark.png)</td><td align="center" valign="top">![yes](images/checkmark.png)</td></tr>
<tr><td valign="top">Add certificates</td><td valign="top">?</td><td align="center" valign="top">![no](images/crossmark.png)</td><td align="center" valign="top">![no](images/crossmark.png)</td><td align="center" valign="top">![yes](images/checkmark.png)</td></tr>
<tr><td valign="top">Configure kiosk account and app</td><td valign="top">Create local account to run the kiosk mode app,</br>specify the app to run in kiosk mode</td><td align="center" valign="top">![no](images/crossmark.png)</td><td align="center" valign="top">![no](images/crossmark.png)</td><td align="center" valign="top">![yes](images/checkmark.png)</td></tr>
<tr><td valign="top">Configure kiosk common settings</td><td valign="top">Set tablet mode,</br>configure welcome and shutdown screens,</br>turn off timeout settings</td><td align="center" valign="top">![no](images/crossmark.png)</td><td align="center" valign="top">![no](images/crossmark.png)</td><td align="center" valign="top">![yes](images/checkmark.png)</td></tr></table>
>[!NOTE]
>After you start a project using a Windows Configuration Designer wizard, you can switch to the advanced editor to configure additional settings in the provisioning package.
### Configuration Designer advanced editor
The following table provides some examples of settings that you can configure using the Windows Configuration Designer advanced editor to create provisioning packages.
| Customization options | Examples |
|--------------------------|-----------------------------------------------------------------------------------------------|
| Bulk Active Directory join and device name | Join devices to Active Directory domain and assign device names using hardware-specific serial numbers or random characters |
| Applications | Windows apps, line-of-business applications |
| Bulk enrollment into MDM | Automatic enrollment into a third-party MDM service\* |
| Certificates | Root certification authority (CA), client certificates |
| Connectivity profiles | Wi-Fi, proxy settings, Email |
| Enterprise policies | Security restrictions (password, device lock, camera, and so on), encryption, update settings |
| Data assets | Documents, music, videos, pictures |
| Start menu customization | Start menu layout, application pinning |
| Other | Home and lock screen wallpaper, computer name, domain join, DNS settings, and so on |
\* Using a provisioning package for auto-enrollment to System Center Configuration Manager or Configuration Manager/Intune hybrid is not supported. Use the Configuration Manager console to enroll devices.
 
For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( https://go.microsoft.com/fwlink/p/?LinkId=619012).
## Changes to provisioning in Windows 10, version 1607
>[!NOTE]
>This section is retained for customers using Windows 10, version 1607, on the Current Branch for Business. Some of this information is not applicable in Windows 10, version 1703.
Windows ICD for Windows 10, version 1607, simplified common provisioning scenarios.
![Configuration Designer options](images/icd.png)
Windows ICD in Windows 10, version 1607, supported the following scenarios for IT administrators:
* **Simple provisioning** Enables IT administrators to define a desired configuration in Windows ICD and then apply that configuration on target devices. The simple provisioning wizard makes the entire process quick and easy by guiding an IT administrator through common configuration settings in a step-by-step manner.
> [Learn how to use simple provisioning to configure Windows 10 computers.](provision-pcs-for-initial-deployment.md)
* **Advanced provisioning (deployment of classic (Win32) and Universal Windows Platform (UWP) apps, and certificates)** Allows an IT administrator to use Windows ICD to open provisioning packages in the advanced settings editor and include apps for deployment on end-user devices.
> [Learn how to use advanced provisioning to configure Windows 10 computers with apps and certificates.](provision-pcs-with-apps-and-certificates.md)
* **Mobile device enrollment into management** - Enables IT administrators to purchase off-the-shelf retail Windows 10 Mobile devices and enroll them into mobile device management (MDM) before handing them to end-users in the organization. IT administrators can use Windows ICD to specify the management end-point and apply the configuration on target devices by connecting them to a Windows PC (tethered deployment) or through an SD card. Supported management end-points include:
* System Center Configuration Manager and Microsoft Intune hybrid (certificate-based enrollment)
* AirWatch (password-string based enrollment)
* Mobile Iron (password-string based enrollment)
* Other MDMs (cert-based enrollment)
> [!NOTE]
> Windows ICD in Windows 10, version 1607, also provided a wizard to create provisioning packages for school PCs. To learn more, see [Set up students' PCs to join domain](https://technet.microsoft.com/edu/windows/index).
## Learn more
- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921)
- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922)
## Related topics
- [How provisioning works in Windows 10](provisioning-how-it-works.md)
- [Install Windows Configuration Designer](provisioning-install-icd.md)
- [Create a provisioning package](provisioning-create-package.md)
- [Apply a provisioning package](provisioning-apply-package.md)
- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md)
- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
- [NFC-based device provisioning](provisioning-nfc.md)
- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md)
- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
 
 

71
windows/deploy/provisioning-powershell.md
View File

@ -1,71 +0,0 @@
---
title: provisioning powershell (Windows 10)
description:
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
localizationpriority: high
---
# provisioning powershell
**Applies to**
- Windows 10
- Windows 10 Mobile
RS2 ships with Windows Provisioning PowerShell cmdlets in box. These cmdlets make it easy to script the following functions
<table><tr><th>Cmdlet</th><th>Purpose</th><th>Syntax</th></tr>
<tr><td>Add-ProvisioningPackage</td><td> Use this cmdlet to apply a provisioning package</td><td>```Add-ProvisioningPackage [-Path] <string> [-ForceInstall] [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]```</td></tr>
<tr><td rowspan="3">Remove-ProvisioningPackage</td><td rowspan="3">Remove a provisioning package</td><td> ```Remove-ProvisioningPackage -PackageId <string> [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]``` </td></tr><tr><td> ```Remove-ProvisioningPackage -Path <string> [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]``` </td></tr><tr><td> ```Remove-ProvisioningPackage -AllInstalledPackages [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]``` </td></tr>
<tr><td rowspan="3">Get-ProvisioningPackage </td><td rowspan="3"> Get information about an installed provisioning package </td><td> ```Get-ProvisioningPackage -PackageId <string> [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]``` </td></tr><tr><td>```Get-ProvisioningPackage -Path <string> [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]``` </td></tr><tr><td> ```Get-ProvisioningPackage -AllInstalledPackages [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]``` </td></tr>
<tr><td rowspan="2"> Export-ProvisioningPackage</td><td rowspan="2"> Extract the contents of a provisioning package</td><td> ```Export-ProvisioningPackage -PackageId <string> -OutputFolder <string> [-Overwrite] [-AnswerFileOnly] [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]``` </td></tr><tr><td> ```Export-ProvisioningPackage -Path <string> -OutputFolder <string> [-Overwrite] [-AnswerFileOnly] [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]``` </td></tr>
<tr><td> Add-TrustedProvisioningCertificate </td><td> Adds a certificate to the Trusted Certificate store </td><td> TBD </td></tr></table>
>[!NOTE]
> You can use Get-Help to get usage help on any command. For example: `Get-Help Add-ProvisioningPackage`
Trace logs are captured when using cmdlets. The following logs are available in the logs folder after the cmdlet completes:
- ProvTrace.&lt;timestamp&gt;.ETL - ETL trace file, unfiltered
- ProvTrace.&lt;timestamp&gt;.XML - ETL trace file converted into raw trace events, unfiltered
- ProvTrace.&lt;timestamp&gt;.TXT - TEXT file containing trace output formatted for easy reading, filtered to only show events logged by providers in the WPRP file
- ProvLogReport.&lt;timestamp&gt;.XLS - Excel file containing trace output, filtered to only show events logged by providers in WPRP file
>[!NOTE]
>When applying provisioning packages using Powershell cmdlets, the default behavior is to suppress the prompt that appears when applying an unsigned provisioning package. This is by design so that provisioning packages can be applied as part of existing scripts.
## Related topics
- [How provisioning works in Windows 10](provisioning-how-it-works.md)
- [Install Windows Configuration Designer](provisioning-install-icd.md)
- [Create a provisioning package](provisioning-create-package.md)
- [Apply a provisioning package](provisioning-apply-package.md)
- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md)
- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
- [NFC-based device provisioning](provisioning-nfc.md)
- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md)
- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)