From cfa97c0011078c0f673d1025762e8f329002e6f5 Mon Sep 17 00:00:00 2001 From: Kelly Baker Date: Mon, 3 Aug 2020 08:21:11 -0700 Subject: [PATCH 1/3] Edit pass: provisioning-create-package Changes coming, do not review/merge yet. --- .../provisioning-packages/provisioning-create-package.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/configuration/provisioning-packages/provisioning-create-package.md b/windows/configuration/provisioning-packages/provisioning-create-package.md index 035bdf4010..3c75f63d1f 100644 --- a/windows/configuration/provisioning-packages/provisioning-create-package.md +++ b/windows/configuration/provisioning-packages/provisioning-create-package.md @@ -21,12 +21,12 @@ manager: dansimp - Windows 10 - Windows 10 Mobile -You use Windows Configuration Designer to create a provisioning package (.ppkg) that contains customization settings. You can apply the provisioning package to a device running Windows 10 or Windows 10 Mobile. +You can use Windows Configuration Designer to create a provisioning package (.ppkg) that contains customization settings, and then apply the provisioning package to a device running Windows 10 or Windows 10 Mobile. >[Learn how to install Windows Configuration Designer.](provisioning-install-icd.md) ->[!TIP] ->We recommend creating a local admin account when developing and testing your provisioning package. We also recommend using a “least privileged” domain user account to join devices to the Active Directory domain. +> [!TIP] +> We recommend creating a local admin account when developing and testing your provisioning package. We also recommend using a “least privileged” domain user account to join devices to the Active Directory domain. ## Start a new project From 44bbb3d9e0004ee0a026b98f25e333b55191fe96 Mon Sep 17 00:00:00 2001 From: Kelly Baker Date: Mon, 17 Aug 2020 10:29:10 -0700 Subject: [PATCH 2/3] Update provisioning-create-package.md --- .../provisioning-create-package.md | 50 ++++++++++--------- 1 file changed, 26 insertions(+), 24 deletions(-) diff --git a/windows/configuration/provisioning-packages/provisioning-create-package.md b/windows/configuration/provisioning-packages/provisioning-create-package.md index 3c75f63d1f..f9816492d7 100644 --- a/windows/configuration/provisioning-packages/provisioning-create-package.md +++ b/windows/configuration/provisioning-packages/provisioning-create-package.md @@ -1,6 +1,6 @@ --- title: Create a provisioning package (Windows 10) -description: Learn how to create a provisioning package for Windows 10. Provisioning packages let you quickly configure a device without having to install a new image. +description: Learn how to create a provisioning package for Windows 10, which lets you quickly configure a device without having to install a new image. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -26,39 +26,41 @@ You can use Windows Configuration Designer to create a provisioning package (.pp >[Learn how to install Windows Configuration Designer.](provisioning-install-icd.md) > [!TIP] -> We recommend creating a local admin account when developing and testing your provisioning package. We also recommend using a “least privileged” domain user account to join devices to the Active Directory domain. +> We recommend creating a local admin account when you develop and test your provisioning package. We also recommend using a *least privileged* domain user account to join devices to the Active Directory domain. ## Start a new project 1. Open Windows Configuration Designer: - - From either the Start screen or Start menu search, type 'Windows Configuration Designer' and click on the Windows Configuration Designer shortcut, + - From either the Start screen or Start menu search, type **Windows Configuration Designer**, and then select the **Windows Configuration Designer** shortcut. or - - If you installed Windows Configuration Designer from the ADK, navigate to `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` (on an x64 computer) or `C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` (on an x86 computer), and then double-click **ICD.exe**. + - If you installed Windows Configuration Designer from the ADK, navigate to `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` (on an x64 computer) or `C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` (on an x86 computer), and then select **ICD.exe**. 2. Select your desired option on the **Start** page, which offers multiple options for creating a provisioning package, as shown in the following image: ![Configuration Designer wizards](../images/icd-create-options-1703.png) - - The wizard options provide a simple interface for configuring common settings for desktop, mobile, and kiosk devices. Wizards are also available for creating provisioning packages for Microsoft Surface Hub and Microsoft HoloLens devices. For a summary of the settings available in the desktop, mobile, and kiosk devices, see [What you can configure using Configuration Designer wizardS](provisioning-packages.md#configuration-designer-wizards). + - The following wizard options provide a simple interface for configuring common settings for desktop, mobile, and kiosk devices: - [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md) - [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md) - [Instructions for the kiosk wizard](../kiosk-single-app.md#wizard) - [Instructions for HoloLens wizard](https://technet.microsoft.com/itpro/hololens/hololens-provisioning) - [Instructions for Surface Hub wizard](https://technet.microsoft.com/itpro/surface-hub/provisioning-packages-for-certificates-surface-hub) + + Wizards are also available for creating provisioning packages for Microsoft Surface Hub and Microsoft HoloLens devices. For a summary of the settings available in the desktop, mobile, and kiosk devices, see [What you can configure using Configuration Designer wizards](provisioning-packages.md#configuration-designer-wizards). - - The **Advanced provisioning** option opens a new project with all **Runtime settings** available. *The rest of this procedure uses advanced provisioning.* + - The **Advanced provisioning** option opens a new project with all the runtime settings available. (The rest of this procedure uses advanced provisioning.) >[!TIP] > You can start a project in the simple wizard editor and then switch the project to the advanced editor. > > ![Switch to advanced editor](../images/icd-switch.png) -3. Enter a name for your project, and then click **Next**. +3. Enter a name for your project, and then select **Next**. -4. Select the settings you want to configure, based on the type of device, and then click **Next**. The following table describes the options. +4. Select the settings you want to configure, based on the type of device, and then select **Next**. The following table describes the options. | Windows edition | Settings available for customization | Provisioning package can apply to | @@ -71,12 +73,12 @@ You can use Windows Configuration Designer to create a provisioning package (.pp | Common to Windows 10 Team edition | Common settings and settings specific to Windows 10 Team | [Microsoft Surface Hub](https://technet.microsoft.com/itpro/surface-hub/provisioning-packages-for-certificates-surface-hub) | -5. On the **Import a provisioning package (optional)** page, you can click **Finish** to create your project, or browse to and select an existing provisioning package to import to your project, and then click **Finish**. +5. On the **Import a provisioning package (optional)** page, you can select **Finish** to create your project, or browse to and select an existing provisioning package to import to your project, and then select **Finish**. >[!TIP] ->**Import a provisioning package** can make it easier to create different provisioning packages that all have certain settings in common. For example, you could create a provisioning package that contains the settings for your organization's network, and then import it into other packages you create so you don't have to reconfigure those common settings repeatedly. +>**Import a provisioning package** can make it easier to create different provisioning packages that all have certain settings in common. For example, you could create a provisioning package that contains the settings for your organization's network, and then import it into other packages that you create so you don't have to reconfigure those common settings repeatedly. -After you click **Finish**, Windows Configuration Designer will open the **Available customizations** pane and you can then configure settings for the package. +6. In the **Available customizations** pane, you can now configure settings for the package. @@ -94,7 +96,7 @@ The process for configuring settings is similar for all settings. The following - +
step one
Expand a category.		Expand Certificates category
step two
Select a setting.		Select ClientCertificates
step three
Enter a value for the setting. Click Add if the button is displayed.		Enter a name for the certificate
step three
Enter a value for the setting. Select Add if the button is displayed.		Enter a name for the certificate
step four
Some settings, such as this example, require additional information. In Available customizations, select the value you just created, and additional settings are displayed.		Additional settings for client certificate
step five
When the setting is configured, it is displayed in the Selected customizations pane.		Selected customizations pane
@@ -106,39 +108,39 @@ For details on each specific setting, see [Windows Provisioning settings referen ## Build package -1. After you're done configuring your customizations, click **Export** and select **Provisioning Package**. +1. After you're done configuring your customizations, select **Export**, and then select **Provisioning Package**. ![Export on top bar](../images/icd-export-menu.png) -2. In the **Describe the provisioning package** window, enter the following information, and then click **Next**: +2. In the **Describe the provisioning package** window, enter the following information, and then select **Next**: - **Name** - This field is pre-populated with the project name. You can change this value by entering a different name in the **Name** field. - - **Version (in Major.Minor format** - - Optional. You can change the default package version by specifying a new value in the **Version** field. + - **Version (in Major.Minor format** - Optional. You can change the default package version by specifying a new value in the **Version** field. - **Owner** - Select **IT Admin**. For more information, see [Precedence for provisioning packages](provisioning-how-it-works.md#precedence-for-provisioning-packages). - **Rank (between 0-99)** - Optional. You can select a value between 0 and 99, inclusive. The default package rank is 0. -3. In the **Select security details for the provisioning package** window, you can select to encrypt and/or sign a provisioning package with a selected certificate. Both selections are optional. Click **Next** after you make your selections. +3. In the **Select security details for the provisioning package** window, you can select to encrypt and/or sign a provisioning package with a selected certificate, and then select **Next**. Both selections are optional: - **Encrypt package** - If you select this option, an auto-generated password will be shown on the screen. - - **Sign package** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select** and choosing the certificate you want to use to sign the package. + - **Sign package** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by selecting **Select** and choosing the certificate you want to use to sign the package. >[!NOTE] - >You should only configure provisioning package security when the package is used for device provisioning and the package has contents with sensitive security data such as certificates or credentials that should be prevented from being compromised. When applying an encrypted and/or signed provisioning package, either during OOBE or through the setting UI, the package can be decrypted, and if signed, be trusted without explicit user consent. An IT administrator can set policy on a user device to restrict the removal of required packages from the device, or the provisioning of potentially harmful packages on the device. + >You should only configure provisioning package security when the package is used for device provisioning and when the package has content with sensitive security data, such as certificates or credentials that should be prevented from being compromised. When applying an encrypted and/or signed provisioning package, either during OOBE or through the setting UI, the package can be decrypted, and if signed, be trusted without explicit user consent. An IT administrator can set policy on a user device to restrict the removal of required packages from the device, or the provisioning of potentially harmful packages on the device. > >If a provisioning package is signed by a trusted provisioner, it can be installed on a device without a prompt for user consent. In order to enable trusted provider certificates, you must set the **TrustedProvisioners** setting prior to installing the trusted provisioning package. This is the only way to install a package without user consent. To provide additional security, you can also set **RequireProvisioningPackageSignature**, which prevents users from installing provisioning packages that are not signed by a trusted provisioner. -4. In the **Select where to save the provisioning package** window, specify the output location where you want the provisioning package to go once it's built, and then click **Next**. By default, Windows Configuration Designer uses the project folder as the output location. +4. In the **Select where to save the provisioning package** window, specify the output location where you want the provisioning package to go once it's built, and then select **Next**. By default, Windows Configuration Designer uses the project folder as the output location. -5. In the **Build the provisioning package** window, click **Build**. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. +5. In the **Build the provisioning package** window, select **Build**. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. - If you need to cancel the build, click Cancel. This cancels the current build process, closes the wizard, and takes you back to the Customizations Page. + If you need to cancel the build, select **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations** page. -6. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. +6. If your build fails, an error message will appear that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. + If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, select **Back** to change the output package name and path, and then select **Next** to start another build. -7. When you are done, click **Finish** to close the wizard and go back to the Customizations page. +7. When you are done, select **Finish** to close the wizard and go back to the Customizations page. **Next step**: [How to apply a provisioning package](provisioning-apply-package.md) From a207eb23d463d023f39e1325c8042a565c7ee559 Mon Sep 17 00:00:00 2001 From: Kelly Baker Date: Mon, 17 Aug 2020 10:36:39 -0700 Subject: [PATCH 3/3] Update provisioning-create-package.md --- .../provisioning-packages/provisioning-create-package.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/provisioning-packages/provisioning-create-package.md b/windows/configuration/provisioning-packages/provisioning-create-package.md index f9816492d7..5b464073a9 100644 --- a/windows/configuration/provisioning-packages/provisioning-create-package.md +++ b/windows/configuration/provisioning-packages/provisioning-create-package.md @@ -140,7 +140,7 @@ For details on each specific setting, see [Windows Provisioning settings referen If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, select **Back** to change the output package name and path, and then select **Next** to start another build. -7. When you are done, select **Finish** to close the wizard and go back to the Customizations page. +7. When you are done, select **Finish** to close the wizard and go back to the **Customizations** page. **Next step**: [How to apply a provisioning package](provisioning-apply-package.md)