Added scenario docs, reworked structure and TOC

This commit is contained in:
Michael Niehaus 2018-07-03 16:04:25 -07:00
parent 1c51679973
commit ede24ba34f
15 changed files with 418 additions and 142 deletions

View File

@ -1,15 +1,15 @@
# [Windows Autopilot](windows-autopilot.md) # [Windows Autopilot](windows-autopilot.md)
## [Requirements](windows-autopilot-requirements.md) ## [Requirements](windows-autopilot-requirements.md)
### [Configuration requirements](windows-autopilot-requirements-configuration.md)
### [Network requirements](windows-autopilot-requirements-network.md)
### [Licensing requirements](windows-autopilot-requirements-licensing.md)
## [Scenarios and Capabilities](windows-autopilot-scenarios.md) ## [Scenarios and Capabilities](windows-autopilot-scenarios.md)
### [Self-service mode](self-service.md) ### [User-driven mode](user-driven.md)
#### [Azure AD Join](self-service-aad.md)
#### [Hybrid Azure AD Join](self-service-hybrid.md)
### [Self-deploying mode](self-deploying.md) ### [Self-deploying mode](self-deploying.md)
### [Rip and Replace](rip-and-replace.md)
### [Enrollment status page](enrollment-status.md) ### [Enrollment status page](enrollment-status.md)
### [Autopilot Reset](autopilot-reset.md) ### [Windows Autopilot Reset](windows-autopilot-reset.md)
#### [Local Autopilot Reset](local-autopilot-reset.md) #### [Remote reset](windows-autopilot-reset-remote.md)
#### [Remote Autopilot Reset](remote-autopilot-reset.md) #### [Local reset](windows-autopilot-reset-local.md)
## Administering Autopilot ## Administering Autopilot
### [Configuring](configure-autopilot.md) ### [Configuring](configure-autopilot.md)
#### [Adding devices](add-devices.md) #### [Adding devices](add-devices.md)
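Review bot: The renamed link targets in this TOC hunk (self-service.md to user-driven.md, and local-autopilot-reset.md / remote-autopilot-reset.md to windows-autopilot-reset-local.md / windows-autopilot-reset-remote.md) will break existing inbound links unless redirects are added for the old file names. The entries for self-service-aad.md, self-service-hybrid.md and rip-and-replace.md are also dropped here while placeholder pages marked "DO NOT PUBLISH" remain in the commit, so confirm that dropping a page from the TOC is actually enough to keep it out of the published set.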
@ -20,3 +20,4 @@
### [Administering Autopilot via Partner Center](https://msdn.microsoft.com/partner-center/autopilot) ### [Administering Autopilot via Partner Center](https://msdn.microsoft.com/partner-center/autopilot)
## Getting started ## Getting started
### [Demonstrate Autopilot deployment on a VM](demonstrate-deployment-on-vm.md) ### [Demonstrate Autopilot deployment on a VM](demonstrate-deployment-on-vm.md)
## [Troubleshooting](troubleshooting.md)

View File

@ -15,3 +15,5 @@ ms.date: 06/01/2018
# Rip and replace # Rip and replace
**Applies to: Windows 10** **Applies to: Windows 10**
DO NOT PUBLISH. Just a placeholder for now, coming with 1809.
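Review bot: The added line "DO NOT PUBLISH. Just a placeholder for now, coming with 1809." is ordinary body text, so nothing in this file stops the page from being built and served, and if it is served it discloses an unreleased version target. Keep the placeholder out of the published branch or exclude it in the build configuration rather than relying on a sentence in the body; the same applies to the two user-driven placeholders later in this commit.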

View File

@ -17,28 +17,58 @@ ms.date: 06/01/2018
**Applies to: Windows 10 build 17672 or later** **Applies to: Windows 10 build 17672 or later**
Windows Autopilot self-deploying mode offers truly zero touch provisioning. With this mode, all you need to do is power on a device, plug it into Ethernet, and watch Windows Autopilot do its magic. When a user powers on a device configured with Windows Autopilot self-deploying mode, the only screen theyll see is a branded page welcoming them to their device and, if they have it configured in Microsoft Intune, the enrollment status page letting them know the details of the provisioning process. Windows Autopilot self-deploying mode offers truly zero touch provisioning. With this mode, all you need to do is power on a device, plug it into Ethernet, and watch Windows Autopilot fully configure the device. No additional user interaction is required.
![The user experience with Windows Autopilot self-deploying mode](images/self-deploy-welcome.png) ![The user experience with Windows Autopilot self-deploying mode](images/self-deploy-welcome.png)
Figure 2. The user experience with Windows Autopilot self-deploying mode >[!NOTE]
>While today there is a “Next” button that must be clicked to continue the deployment process, and an Activities opt-in page in OOBE, both of these will be removed in future Insider Preview builds to enable a completely automated deployment process no user authentication or user interaction will be required.
While today there is a “Next” button that must be clicked to continue the deployment process, and an Activities opt-in page in OOBE, both of these will be removed in future Insider Preview builds to enable a completely automated deployment process no user authentication or user interaction will be required. Self-deploying mode can register the device into an organizations Azure Active Directory tenant, enroll the device in the organizations mobile device management (MDM) provider (leveraging Azure AD for automatic MDM enrollment), and ensure that all policies, applications, certificates, and networking profiles are provisioned on the device before the user ever logs on (levering the enrollment status page to prevent access to the desktop until the device is fully provisioned).
Self-deploying mode can register the device into an organizations Azure Active Directory (Azure AD) tenant, enroll the device in the organizations mobile device management (MDM) provider (leveraging Azure AD for automatic MDM enrollment), and ensure that all policies, applications, certificates, and networking profiles are provisioned on the device before the user ever logs on (levering the enrollment status page to prevent access to the desktop until the device is fully provisioned). >[!NOTE]
>Self-deploying mode does not support Active Directory Join or Hybrid Azure AD Join. All devices will be joined to Azure Active Directory.
With Windows Autopilot self-deploying mode, you can: Because self-deploying mode uses a devices TPM 2.0 hardware to authenticate the device into an organizations Azure AD tenant, devices without TPM 2.0 cannot be used with this mode.
Configure language, region, and keyboard settings for the device. >[!NOTE]
Skip the “Who owns this device?” page. >If you attempt a self-deploying mode deployment on a device that does not have support TPM 2.0 or on a virtual machine, the process will fail when verifying the device with an 0x800705B4 timeout error.
Auto-accept the Windows EULA.
Skip the Privacy page.
Skip OEM-added pages.
Configure user administrator rights.
Because self-deploying mode uses a devices TPM 2.0 hardware to authenticate the device into an organizations Azure AD tenant, devices without TPM 2.0 cannot be used with this mode. Self-deploying mode also does not support Hybrid Azure AD Join or Active Directory Join.
Windows Autopilot self-deploying mode enables you to effortlessly deploy Windows 10 as a kiosk, digital signage device, or a shared device. When setting up a kiosk, you can leverage the new Kiosk Browser, an app built on Microsoft Edge that can be used to create a tailored, MDM-managed browsing experience. When combined with MDM policies to create a local account and configure it to automatically log on, the complete configuration of the device can be automated. Find out more about these options by reading simplifying kiosk management for IT with Windows 10.
Windows Autopilot self-deploying mode enables you to effortlessly deploy Windows 10 as a kiosk, digital signage device, or a shared device. When setting up a kiosk, you can leverage the new Kiosk Browser, an app built on Microsoft Edge that can be used to create a tailored, MDM-managed browsing experience. When combined with MDM policies to create a local account and configure it to automatically log on, the complete configuration of the device can be automated. Find out more about these options by reading simplifying kiosk management for IT with Windows 10. See [Set up a kiosk or digital sign in Intune or other MDM service](https://docs.microsoft.com/en-us/windows/configuration/setup-kiosk-digital-signage#set-up-a-kiosk-or-digital-sign-in-intune-or-other-mdm-service) for additional details.
Windows Autopilot self-deploying mode is available on Windows 10 build 17672 or higher. When configuring an Autopilot profile in Microsoft Intune, youll see a new drop-down menu that asks for the deployment mode. In that menu, select Self-deploying (preview) and apply that profile to the devices youd like to validate. Windows Autopilot self-deploying mode is available on Windows 10 build 17672 or higher. When configuring an Autopilot profile in Microsoft Intune, youll see a new drop-down menu that asks for the deployment mode. In that menu, select Self-deploying (preview) and apply that profile to the devices youd like to validate.
## Step by step
In order to perform a self-deploying mode deployment using Windows Autopilot, the following preparation steps need to be completed:
- Create an Autopilot profile for self-deploying mode with the desired settings. In Microsoft Intune, this mode is explicitly chosen when creating the profile. (Note that it is not possible to create a profile in the Microsoft Store for Business or Partner Center for self-deploying mode.)
- If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group.
For each machine that will be deployed using self-deploying mode, these additional steps are needed:
- Ensure that the device supports TPM 2.0 and device attestation. (Note that virtual machines are not supported.)
- Ensure that the device has been added to Windows Autopilot. This can be done automatically by an OEM or partner at the time the device is purchased, or it can be done through a manual harvesting process later. See [Adding devices to Windows Autopilot](add-devices.md) for more information.
- Ensure an Autopilot profile has been assigned to the device:
- If using Intune and Azure Active Directory dynamic device groups, this can be done automatically.
- If using Intune and Azure Active Directory static device groups, manually add the device to the device group.
- If using other methods (e.g. Microsoft Store for Business or Partner Center), manually assign an Autopilot profile to the device.
## Validation
When performing a self-deploying mode deployment using Windows Autopilot, the following end-user experience should be observed:
- Once connected to a network, the Autopilot profile will be downloaded.
- If the Autopilot profile has been configured to automatically configure the language, locale, and keyboard layout, these OOBE screens should be skipped as long as Ethernet connectivity is available. Otherwise, manual steps are required:
- If multiple languages are preinstalled in Windows 10, the user must pick a language.
- The user must pick a locale and a keyboard layout, and optionally a second keyboard layout.
- If connected via Ethernet, no network prompt is expected. If no Ethernet connection is available and Wi-fi is built in, the user needs to connect to a wireless network.
- Windows 10 will check for critical OOBE updates, and if any are available they will be automatically installed (rebooting if required).
- The device will join Azure Active Directory.
- After joining Azure Active Directory, the device will enroll in Intune (or other configured MDM services).
- The [enrollment status page](enrollment-status.md) will be displayed.
- Depending on the device settings deployed, the device will either:
- Remain at the logon screen, where any member of the organization can log on by specifying their Azure AD credentials.
- Automatically sign in as a local account, for devices configured as a kiosk or digital signage.
In case the observed results do not match these expectations, consult the [Windows Autopilot Troubleshooting](troubleshooting.md) documentation.
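Review bot: The rewritten opening paragraph now ends with "No additional user interaction is required", but the note added directly below the image says a "Next" button must still be clicked and an Activities opt-in page is still shown, and the Validation list allows for manual language, keyboard and Wi-fi steps. Qualify the opening claim (for example, as the goal for a later build) so the page does not contradict itself. Two wording fixes in the added lines: "levering the enrollment status page" should be "leveraging", and "does not have support TPM 2.0" should be "does not support TPM 2.0". The 0x800705B4 note is the only failure signature on the page; repeating it under Validation would help, since the troubleshooting page that section points to is still empty in this commit.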

View File

@ -1,6 +1,6 @@
--- ---
title: Self-service mode title: Troubleshooting Windows Autopilot
description: Listing of Autopilot scenarios description: This topic goes over Windows Autopilot and how it helps setup OOBE Windows 10 devices.
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
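Review bot: The new description, "This topic goes over Windows Autopilot and how it helps setup OOBE Windows 10 devices.", is the same generic text used on the requirements pages in this commit and says nothing about troubleshooting. Write a description specific to this page, and fix "setup" to "set up" while touching the line.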
@ -12,8 +12,8 @@ ms.author: coreyp
ms.date: 06/01/2018 ms.date: 06/01/2018
--- ---
# Self-service mode # Troubleshooting Windows Autopilot
**Applies to: Windows 10** **Applies to: Windows 10**
When deploying TODO!
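Review bot: The body added here is only "When deploying TODO!", yet this commit links the page from the TOC and from the closing line of both Validation sections ("consult the Windows Autopilot Troubleshooting documentation"). Either hold those links until there is content, or seed the page with what the commit already documents, such as the 0x800705B4 timeout on devices without TPM 2.0 described in the self-deploying page.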

View File

@ -1,5 +1,5 @@
--- ---
title: Canonical title: User-driven mode for AAD
description: Listing of Autopilot scenarios description: Listing of Autopilot scenarios
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10 ms.prod: w10
@ -12,10 +12,8 @@ ms.author: coreyp
ms.date: 06/01/2018 ms.date: 06/01/2018
--- ---
# Canonical # Windows Autopilot user-driven mode for Azure Active Directory
**Applies to: Windows 10** **Applies to: Windows 10**
- [AAD Join](aad-join.md) DO NOT PUBLISH. This eventually will contain the AAD-specific instuctions currently in user-driven.md.
- [Hybrid AAD Join](hybrid-aad-join.md)
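Review bot: "instuctions" in the added placeholder line should be "instructions"; the same misspelling is in the Hybrid Azure AD Join placeholder in the next file. The hunk also removes the links to aad-join.md and hybrid-aad-join.md and leaves the page with no onward navigation, which is acceptable only if the page really is kept unpublished.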

View File

@ -12,6 +12,9 @@ ms.author: coreyp
ms.date: 06/01/2018 ms.date: 06/01/2018
--- ---
# Rip an
# Windows Autopilot user-driven mode for Hybrid Azure Active Directory Join
**Applies to: Windows 10** **Applies to: Windows 10**
DO NOT PUBLISH. This eventually will contain the AD-specific (hybrid) instuctions. This will be in preview at a later point in time.

View File

@ -0,0 +1,62 @@
---
title: Windows Autopilot User-Driven Mode
description: Canonical Autopilot scenario
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: high
ms.sitesec: library
ms.pagetype: deploy
author: coreyp-at-msft
ms.author: coreyp
ms.date: 06/01/2018
---
# Windows Autopilot User-Driven Mode
**Applies to: Windows 10 version 1703 and above**
Windows Autopilot user-driven mode is designed to enable new Windows 10 devices to be transformed from their initial state, directly from the factory, into a ready-to-use state without requiring that IT personnel ever touch the device. The process is designed to be simple so that anyone can complete it, enabling devices to be shipped or distributed to the end user directly with simple instructions:
- Unbox the device, plug it in, and turn it on.
- Choose a language, locale and keyboard.
- Connect it to a wireless or wired network with internet access.
- Specify your e-mail address and password for your organization account.
After completing those simple steps, the remainder of the process is completely automated, with the device being joined to the organization, enrolled in Intune (or another MDM service), and fully configured as defined by the organization. Any additional prompts during the Out-of-Box Experience (OOBE) can be supressed; see [Configuring Autopilot Profiles](profiles.md) for options that are available.
Today, Windows Autopilot user-driven mode supports joining devices to Azure Active Directory. Support for Hybrid Azure Active Directory Join (with devices joined to an on-premises Active Directory domain) will be available in a future Windows 10 release. See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/device-management-introduction) for more information about the differences between these two join options.
## Step by step
In order to perform a user-driven deployment using Windows Autopilot, the following preparation steps need to be completed:
- Ensure that the users who will be performing user-driven mode deployments are able to join devices to Azure Active Directory. See [Configure device settings](https://docs.microsoft.com/en-us/azure/active-directory/device-management-azure-portal#configure-device-settings) in the Azure Active Directory documentation for more information.
- Create an Autopilot profile for user-driven mode with the desired settings. In Microsoft Intune, this mode is explicitly chosen when creating the profile. With Microsoft Store for Business and Partner Center, user-driven mode is the default and does not need to be selected.
- If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group.
For each machine that will be deployed using user-driven deployment, these additional steps are needed:
- Ensure that the device has been added to Windows Autopilot. This can be done automatically by an OEM or partner at the time the device is purchased, or it can be done through a manual harvesting process later. See [Adding devices to Windows Autopilot](add-devices.md) for more information.
- Ensure an Autopilot profile has been assigned to the device:
- If using Intune and Azure Active Directory dynamic device groups, this can be done automatically.
- If using Intune and Azure Active Directory static device groups, manually add the device to the device group.
- If using other methods (e.g. Microsoft Store for Business or Partner Center), manually assign an Autopilot profile to the device.
## Validation
When performing a user-driven deployment using Windows Autopilot, the following end-user experience should be observed:
- If multiple languages are preinstalled in Windows 10, the user must pick a language.
- The user must pick a locale and a keyboard layout, and optionally a second keyboard layout.
- If connected via Ethernet, no network prompt is expected. If no Ethernet connection is available and Wi-fi is built in, the user needs to connect to a wireless network.
- Once connected to a network, the Autopilot profile will be downloaded.
- Windows 10 will check for critical OOBE updates, and if any are available they will be automatically installed (rebooting if required).
- The user will be prompted for Azure Active Directory credentials, with a customized user experience showing the Azure AD tenant name, logo, and sign-in text.
- Once correct credentials have been entered, the device will join Azure Active Directory.
- After joining Azure Active Directory, the device will enroll in Intune (or other configured MDM services).
- If configured, the [enrollment status page](enrollment-status.md) will be displayed.
- Once the device configuration tasks have completed, the user will be signed into Windows 10 using the credentials they previously provided.
- Once signed in, the enrollment status page will again be displayed for user-targeted configuration tasks.
In case the observed results do not match these expectations, consult the [Windows Autopilot Troubleshooting](troubleshooting.md) documentation.
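Review bot: In the Validation list the first enrollment status page bullet is conditional ("If configured, the enrollment status page will be displayed") but the last one is not ("Once signed in, the enrollment status page will again be displayed"), so a tenant without the page configured will see a mismatch against this checklist. Add the same "If configured" qualifier to the last bullet. Also "supressed" should be "suppressed", and the front-matter description "Canonical Autopilot scenario" is left over from the old page name. The first preparation step would be stronger if it said whether the right to join devices should go to all users or to a selected group, since that setting decides who can bring a device into the tenant.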

View File

@ -0,0 +1,34 @@
---
title: Windows Autopilot configuration requirements
description: This topic goes over Windows Autopilot and how it helps setup OOBE Windows 10 devices.
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: high
ms.sitesec: library
ms.pagetype: deploy
author: coreyp-at-msft
ms.author: coreyp
ms.date: 06/01/2018
---
# Windows Autopilot configuration requirements
**Applies to: Windows 10**
Before Windows Autopilot can be used, some configuration tasks are required to support the common Autopilot scenarios.
- Configure Azure Active Directory automatic enrollment. For Microsoft Intune, see [Enable Windows 10 automatic enrollment](https://docs.microsoft.com/en-us/intune/windows-enroll#enable-windows-10-automatic-enrollment) for details. If using a different MDM service, contact the vendor for the specific URLs or configuration needed for those services.
- Configure Azure Active Directory custom branding. In order to display an organization-specific logon page during the Autopilot process, Azure Active Directory needs to be configured with the images and text that should be displayed. See [Quickstart: Add company branding to your sign-in page in Azure AD](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/customize-branding) for more details. Note that the "square logo" and "sign-in page text" are the key elements for Autopilot, as well as the Azure Active Directory tenant name (configured separately in the Azure AD tenant properties).
- Enable [Windows Subscription Activation](https://docs.microsoft.com/en-us/windows/deployment/windows-10-enterprise-subscription-activation) if desired, in order to automatically step up from Windows 10 Pro to Windows 10 Enterprise.
Specific scenarios will then have additional requirements. Generally, there are two specific tasks:
- Device registration. Devices need to be added to Windows Autopilot to support most Windows Autopilot scenarios. See [Adding devices to Windows Autopilot](add-devices.md) for more details.
- Profile configuration. Once devices have been added to Windows Autopilot, a profile of settings needs to be applied to each device. See [Configure Autopilot profiles](profiles.md) for details. Note that Microsoft Intune can automate this profile assignment; see [Create an AutoPilot device group](https://docs.microsoft.com/en-us/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Assign an AutoPilot deployment profile to a device group](https://docs.microsoft.com/en-us/intune/enrollment-autopilot#assign-an-autopilot-deployment-profile-to-a-device-group) for more information.
See [Windows Autopilot Scenarios](windows-autopilot-scenarios.md) for additional details.
For a walkthrough for some of these and related steps, see this video:
</br>
<iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/KYVptkpsOqs" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe>
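Review bot: The `</br>` line before the iframe is a closing tag for a void element and is not valid markup; use a plain line break tag or a blank line instead. The description is again the generic "This topic goes over Windows Autopilot..." text rather than one about configuration requirements, and the Profile configuration bullet mixes "Autopilot" and "AutoPilot" in its link text, so check that against the titles of the linked Intune pages.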

View File

@ -0,0 +1,105 @@
---
title: Windows Autopilot licensing requirements
description: This topic goes over Windows Autopilot and how it helps setup OOBE Windows 10 devices.
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: high
ms.sitesec: library
ms.pagetype: deploy
author: coreyp-at-msft
ms.author: coreyp
ms.date: 06/01/2018
---
# Windows Autopilot licesning requirements
**Applies to: Windows 10**
Windows Autopilot depends on specific capabilities available in Windows 10 and Azure Active Directory; it also requires an MDM service such as Microsoft Intune. These capabilities can be obtained through various editions and subscription programs:
- Windows 10 version 1703 or higher must be used. The Professional, Professional for Education, Business, Enterprise, and Education editions are supported.
- One of the following, to provide needed Azure Active Directory (automatic MDM enrollment and company branding features) and MDM functionality:
- Microsoft 365 Business subscriptions
- Microsoft 365 Enterprise E3 or E5 subscriptions, which include all Windows 10, Office 365, and EM+S features (Azure AD and Intune)
- Enterprise Mobility + Security E3 or E5 subscriptions, which include all needed Azure AD and Intune features
- Azure Active Directory Premium P1 or P2 and Intune subscriptions (or an alternative MDM service)
Additionally, the following are also recommended but not required:
- Office 365 ProPlus, which can be deployed easily via Intune (or other MDM services)
- [Windows Subscription Activation](https://docs.microsoft.com/en-us/windows/deployment/windows-10-enterprise-subscription-activation), to automatically step up devices from Windows 10 Pro to Windows 10 Enterprise
### Network requirements
Windows Autopilot depends on a variety of internet-based services; access to these services must be provided for Autopilot to function properly. In the simplest case, enabling proper functionality can be achieved by ensuring the following:<span id="_Hlk508187707" class="anchor"></span>
- Ensure DNS name resolution for internet DNS names
- Allow access to all hosts via port 80 (HTTP), 443 (HTTPS), and 123 (UDP/NTP)
In environments that have more restrictive internet access, or for those that require authentication before internet access can be obtained, additional configuration may be required to whitelist access to the needed services. For additional details about each of these services and their specific requirements, review the following details:
- **Windows Autopilot Deployment Service (and Windows Activation).**  After a network connection is in place, each Windows 10 device will contact the Windows Autopilot Deployment Service using the same services used for Windows Activation. See the following link for details:
- <https://support.microsoft.com/en-us/help/921471/windows-activation-or-validation-fails-with-error-code-0x8004fe33>
- **Azure Active Directory.**  User credentials are validated by Azure Active Directory, then the device may also be joined to Azure Active Directory. See the following link for more information:
- <https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2>
- **Intune.**  Once authenticated, Azure Active Directory will trigger the enrollment of the device into the Intune MDM service. See the following link for details:
- <https://docs.microsoft.com/en-us/intune/network-bandwidth-use> (Network communication requirements section)
- **Windows Update.**  During the OOBE process, as well as after the Windows 10 OS is fully configured, the Windows Update service is leveraged to retrieve needed updates.
- <https://support.microsoft.com/en-us/help/818018/how-to-solve-connection-problems-concerning-windows-update-or-microsof>
- NOTE:  If Windows Update is inaccessible, the AutoPilot process will still continue.
- **Delivery Optimization.**  When downloading Windows Updates and Microsoft Store apps and app updates (with additional content types expected in the future), the Delivery Optimization service is contacted to enable peer-to-peer sharing of content, so that all devices dont need to download it from the internet.
- <https://docs.microsoft.com/en-us/windows/deployment/update/waas-delivery-optimization>
- NOTE: If Delivery Optimization is inaccessible, the AutoPilot process will still continue.
- **Network Time Protocol (NTP) Sync.**  When a Windows device starts up, it will talk to a network time server to ensure that the time on the device is accurate.
- Ensure that UDP port 123 to time.windows.com is accessible.
- **Domain Name Services (DNS).**  To resolve DNS names for all services, the device communicates with a DNS server, typically provided via DHCP.  This DNS server must be able to resolve internet names.
- **Diagnostics data.**  To enable Windows Analytics and related diagnostics capabilities, see the following documentation:
- <https://docs.microsoft.com/en-us/windows/configuration/configure-windows-diagnostic-data-in-your-organization>
- NOTE: If diagnostic data cannot be sent, the Autopilot process will still continue.
- **Network Connection Status Indicator (NCSI).**  Windows must be able to tell that the device is able to access the internet.
- <https://docs.microsoft.com/en-us/windows/configuration/manage-windows-endpoints-version-1709> (Network Connection Status Indicator section, [www.msftconnecttest.com](http://www.msftconnecttest.com) must be resolvable via DNS and accessible via HTTP)
- **Windows Notification Services (WNS).**  This service is used to enable Windows to receive notifications from apps and services.
- <https://docs.microsoft.com/en-us/windows/configuration/manage-windows-endpoints-version-1709> (Microsoft store section)
- NOTE: If the WNS services are not available, the Autopilot process will still continue.
- **Microsoft Store, Microsoft Store for Business.**  Apps in the Microsoft Store can be pushed to the device, triggered via Intune (MDM).  App updates and additional apps may also be needed when the user first logs in.
- <https://docs.microsoft.com/en-us/microsoft-store/prerequisites-microsoft-store-for-business> (also includes Azure AD and Windows Notification Services)
- NOTE: If the Microsoft Store is not accessible, the AutoPilot process will still continue.
- **Office 365.**  As part of the Intune device configuration, installation of Office 365 ProPlus may be required.
- <https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2> (includes all Office services, DNS names, IP addresses; includes Azure AD and other services that may overlap with those listed above)
- **Certificate revocation lists (CRLs).**  Some of these services will also need to check certificate revocation lists (CRLs) for certificates used in the services.  A full list of these is documented in the Office documentation at <https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2#bkmk_crl> and <https://aka.ms/o365chains>.
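Review bot: Everything from "### Network requirements" to the end of this file duplicates the networking requirements page added in the same commit, so the licensing page should end after the recommended-items list and link to that page instead. Before deleting the copy, move the "Certificate revocation lists (CRLs)" bullet into the networking page, because it appears only here and not in the visible networking hunk. The duplicated intro line also carries a leftover span element with id "_Hlk508187707" (a word-processor bookmark), and the H1 reads "licesning" instead of "licensing".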

View File

@ -0,0 +1,83 @@
---
title: Windows Autopilot networking requirements
description: This topic goes over Windows Autopilot and how it helps setup OOBE Windows 10 devices.
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: high
ms.sitesec: library
ms.pagetype: deploy
author: coreyp-at-msft
ms.author: coreyp
ms.date: 06/01/2018
---
# Windows Autopilot networking requirements
**Applies to: Windows 10**
Windows Autopilot depends on a variety of internet-based services; access to these services must be provided for Autopilot to function properly. In the simplest case, enabling proper functionality can be achieved by ensuring the following:
- Ensure DNS name resolution for internet DNS names
- Allow access to all hosts via port 80 (HTTP), 443 (HTTPS), and 123 (UDP/NTP)
In environments that have more restrictive internet access, or for those that require authentication before internet access can be obtained, additional configuration may be required to whitelist access to the needed services. For additional details about each of these services and their specific requirements, review the following details:
- **Windows Autopilot Deployment Service (and Windows Activation).**  After a network connection is in place, each Windows 10 device will contact the Windows Autopilot Deployment Service using the same services used for Windows Activation. See the following link for details:
- <https://support.microsoft.com/en-us/help/921471/windows-activation-or-validation-fails-with-error-code-0x8004fe33>
- **Azure Active Directory.**  User credentials are validated by Azure Active Directory, then the device may also be joined to Azure Active Directory. See the following link for more information:
- <https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2>
- **Intune.**  Once authenticated, Azure Active Directory will trigger the enrollment of the device into the Intune MDM service. See the following link for details:
- <https://docs.microsoft.com/en-us/intune/network-bandwidth-use> (Network communication requirements section)
- **Windows Update.**  During the OOBE process, as well as after the Windows 10 OS is fully configured, the Windows Update service is leveraged to retrieve needed updates.
- <https://support.microsoft.com/en-us/help/818018/how-to-solve-connection-problems-concerning-windows-update-or-microsof>
- NOTE:  If Windows Update is inaccessible, the AutoPilot process will still continue.
- **Delivery Optimization.**  When downloading Windows Updates and Microsoft Store apps and app updates (with additional content types expected in the future), the Delivery Optimization service is contacted to enable peer-to-peer sharing of content, so that all devices dont need to download it from the internet.
- <https://docs.microsoft.com/en-us/windows/deployment/update/waas-delivery-optimization>
- NOTE: If Delivery Optimization is inaccessible, the AutoPilot process will still continue.
- **Network Time Protocol (NTP) Sync.**  When a Windows device starts up, it will talk to a network time server to ensure that the time on the device is accurate.
- Ensure that UDP port 123 to time.windows.com is accessible.
- **Domain Name Services (DNS).**  To resolve DNS names for all services, the device communicates with a DNS server, typically provided via DHCP.  This DNS server must be able to resolve internet names.
- **Diagnostics data.**  To enable Windows Analytics and related diagnostics capabilities, see the following documentation:
- <https://docs.microsoft.com/en-us/windows/configuration/configure-windows-diagnostic-data-in-your-organization>
- NOTE: If diagnostic data cannot be sent, the Autopilot process will still continue.
- **Network Connection Status Indicator (NCSI).**  Windows must be able to tell that the device is able to access the internet.
- <https://docs.microsoft.com/en-us/windows/configuration/manage-windows-endpoints-version-1709> (Network Connection Status Indicator section, [www.msftconnecttest.com](http://www.msftconnecttest.com) must be resolvable via DNS and accessible via HTTP)
- **Windows Notification Services (WNS).**  This service is used to enable Windows to receive notifications from apps and services.
- <https://docs.microsoft.com/en-us/windows/configuration/manage-windows-endpoints-version-1709> (Microsoft store section)
- NOTE: If the WNS services are not available, the Autopilot process will still continue.
- **Microsoft Store, Microsoft Store for Business.**  Apps in the Microsoft Store can be pushed to the device, triggered via Intune (MDM).  App updates and additional apps may also be needed when the user first logs in.
- <https://docs.microsoft.com/en-us/microsoft-store/prerequisites-microsoft-store-for-business> (also includes Azure AD and Windows Notification Services)
- NOTE: If the Microsoft Store is not accessible, the AutoPilot process will still continue.
- **Office 365.**  As part of the Intune device configuration, installation of Office 365 ProPlus may be required.
- <https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2> (includes all Office services, DNS names, IP addresses; includes Azure AD and other services that may overlap with those listed above)
- **Certificate revocation lists (CRLs).**  Some of these services will also need to check certificate revocation lists (CRLs) for certificates used in the services.  A full list of these is documented in the Office documentation at <https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2#bkmk_crl> and <https://aka.ms/o365chains>.
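Review bot: The NOTE lines in this list spell the product name two ways: "AutoPilot" under Windows Update, Delivery Optimization and Microsoft Store, but "Autopilot" under Diagnostics data and WNS. Use "Autopilot" throughout, and change "so that all devices dont need to download it" in the Delivery Optimization entry to "so that not every device needs to download it". The list also marks only the optional services, through the NOTE that the process will still continue. The CRL entry has no such note, so state explicitly whether unreachable CRL endpoints stop the deployment, since admins will build firewall allow-lists from this page.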

View File

@ -1,5 +1,5 @@
--- ---
title: Windows Autopilot prerequisite requirements title: Windows Autopilot requirements
description: This topic goes over Windows Autopilot and how it helps setup OOBE Windows 10 devices. description: This topic goes over Windows Autopilot and how it helps setup OOBE Windows 10 devices.
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10 ms.prod: w10
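Review bot: The title now reads "Windows Autopilot requirements", but the unchanged description line still says "This topic goes over Windows Autopilot and how it helps setup OOBE Windows 10 devices.", which describes the product overview rather than this page. Update the description to summarize the requirements topics, and use "set up" for the verb.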
@ -12,94 +12,12 @@ ms.author: coreyp
ms.date: 06/01/2018 ms.date: 06/01/2018
--- ---
# Windows Autopilot prerequisite requirements # Windows Autopilot requirements
**Applies to: Windows 10** **Applies to: Windows 10**
Windows Autopilot depends on specific capabilities available in Windows 10 and Azure Active Directory; it also requires an MDM service such as Microsoft Intune. These capabilities can be obtained through various editions and subscription programs: Windows Autopilot depends on specific capabilities available in Windows 10, Azure Active Directory, and MDM services such as Microsoft Intune. In order to use Windows Autopilot and leverage these capabilities, some requirements must be met:
- Windows 10 version 1703 or higher must be used. The Professional, Professional for Education, Business, Enterprise, and Education editions are supported. - [Licensing requirements](windows-autopilot-requirements-licensing.md) must be met.
- [Networking requirements](windows-autopilot-requirements-network.md) need to be met.
- One of the following, to provide needed Azure Active Directory (automatic MDM enrollment and company branding features) and MDM functionality: - [Configuration requirements](windows-autopilot-requirements-configuration.md) need to be completed.
- Microsoft 365 Business subscriptions
- Microsoft 365 Enterprise E3 or E5 subscriptions, which include all Windows 10, Office 365, and EM+S features (Azure AD and Intune)
- Enterprise Mobility + Security E3 or E5 subscriptions, which include all needed Azure AD and Intune features
- Azure Active Directory Premium P1 or P2 and Intune subscriptions (or an alternative MDM service)
Additionally, the following are also recommended but not required:
- Office 365 ProPlus, which can be deployed easily via Intune (or other MDM services)
- [Windows Subscription Activation](https://docs.microsoft.com/en-us/windows/deployment/windows-10-enterprise-subscription-activation), to automatically step up devices from Windows 10 Pro to Windows 10 Enterprise
### Network requirements
Windows Autopilot depends on a variety of internet-based services; access to these services must be provided for Autopilot to function properly. In the simplest case, enabling proper functionality can be achieved by ensuring the following:<span id="_Hlk508187707" class="anchor"></span>
- Ensure DNS name resolution for internet DNS names
- Allow access to all hosts via port 80 (HTTP), 443 (HTTPS), and 123 (UDP/NTP)
In environments that have more restrictive internet access, or for those that require authentication before internet access can be obtained, additional configuration may be required to whitelist access to the needed services. For additional details about each of these services and their specific requirements, review the following details:
- **Windows Autopilot Deployment Service (and Windows Activation).**  After a network connection is in place, each Windows 10 device will contact the Windows Autopilot Deployment Service using the same services used for Windows Activation. See the following link for details:
- <https://support.microsoft.com/en-us/help/921471/windows-activation-or-validation-fails-with-error-code-0x8004fe33>
- **Azure Active Directory.**  User credentials are validated by Azure Active Directory, then the device may also be joined to Azure Active Directory. See the following link for more information:
- <https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2>
- **Intune.**  Once authenticated, Azure Active Directory will trigger the enrollment of the device into the Intune MDM service. See the following link for details:
- <https://docs.microsoft.com/en-us/intune/network-bandwidth-use> (Network communication requirements section)
- **Windows Update.**  During the OOBE process, as well as after the Windows 10 OS is fully configured, the Windows Update service is leveraged to retrieve needed updates.
- <https://support.microsoft.com/en-us/help/818018/how-to-solve-connection-problems-concerning-windows-update-or-microsof>
- NOTE:  If Windows Update is inaccessible, the AutoPilot process will still continue.
- **Delivery Optimization.**  When downloading Windows Updates and Microsoft Store apps and app updates (with additional content types expected in the future), the Delivery Optimization service is contacted to enable peer-to-peer sharing of content, so that all devices dont need to download it from the internet.
- <https://docs.microsoft.com/en-us/windows/deployment/update/waas-delivery-optimization>
- NOTE: If Delivery Optimization is inaccessible, the AutoPilot process will still continue.
- **Network Time Protocol (NTP) Sync.**  When a Windows device starts up, it will talk to a network time server to ensure that the time on the device is accurate.
- Ensure that UDP port 123 to time.windows.com is accessible.
- **Domain Name Services (DNS).**  To resolve DNS names for all services, the device communicates with a DNS server, typically provided via DHCP.  This DNS server must be able to resolve internet names.
- **Diagnostics data.**  To enable Windows Analytics and related diagnostics capabilities, see the following documentation:
- <https://docs.microsoft.com/en-us/windows/configuration/configure-windows-diagnostic-data-in-your-organization>
- NOTE: If diagnostic data cannot be sent, the Autopilot process will still continue.
- **Network Connection Status Indicator (NCSI).**  Windows must be able to tell that the device is able to access the internet.
- <https://docs.microsoft.com/en-us/windows/configuration/manage-windows-endpoints-version-1709> (Network Connection Status Indicator section, [www.msftconnecttest.com](http://www.msftconnecttest.com) must be resolvable via DNS and accessible via HTTP)
- **Windows Notification Services (WNS).**  This service is used to enable Windows to receive notifications from apps and services.
- <https://docs.microsoft.com/en-us/windows/configuration/manage-windows-endpoints-version-1709> (Microsoft store section)
- NOTE: If the WNS services are not available, the Autopilot process will still continue.
- **Microsoft Store, Microsoft Store for Business.**  Apps in the Microsoft Store can be pushed to the device, triggered via Intune (MDM).  App updates and additional apps may also be needed when the user first logs in.
- <https://docs.microsoft.com/en-us/microsoft-store/prerequisites-microsoft-store-for-business> (also includes Azure AD and Windows Notification Services)
- NOTE: If the Microsoft Store is not accessible, the AutoPilot process will still continue.
- **Office 365.**  As part of the Intune device configuration, installation of Office 365 ProPlus may be required.
- <https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2> (includes all Office services, DNS names, IP addresses; includes Azure AD and other services that may overlap with those listed above)
- **Certificate revocation lists (CRLs).**  Some of these services will also need to check certificate revocation lists (CRLs) for certificates used in the services.  A full list of these is documented in the Office documentation at <https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2#bkmk_crl> and <https://aka.ms/o365chains>.
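Review bot: The three new bullets phrase the same obligation three ways ("must be met", "need to be met", "need to be completed") and call the second topic "Networking requirements" while the section removed here was headed "Network requirements"; pick one form for each. The hunk also removes the only visible statement of the Windows 10 version 1703 minimum and the supported editions, so confirm that line is carried into one of the three linked topics. Bump ms.date as well, which stays at 06/01/2018 although the page body is rewritten.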

View File

@ -0,0 +1,34 @@
---
title: Reset devices with Remote Autopilot Reset (Preview)
description: Gives an overview of Remote Autopilot Reset and how to use it.
keywords: Autopilot Reset, Windows 10
ms.prod: w10
ms.technology: Windows
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype:
ms.localizationpriority: high
author: coreyp-at-msft
ms.author: coreyp
ms.date: 06/01/2018
---
# Reset devices with Remote Autopilot Reset (Preview)
**Applies to: Windows 10**
Windows Autopilot Reset removes personal files, apps, and settings and reapplies a devices original settings, maintaining its identity connection to Azure AD and its management connection to Intune so that the device is once again ready for use. Windows Autopilot Reset takes the device back to a business-ready state, allowing the next user to sign in and get productive quickly and simply.
Once either local or remote Windows Autopilot Reset is complete, the device can automatically:
Set the region, language, and keyboard.
Connect to Wi-Fi.
Apply a new provisioning package (if a provisioning package is inserted via USB when Windows Autopilot Reset is triggered), or reapply the original provisioning package to the device.
Return to a known, good, managed state, connected to Azure AD and MDM.
Block the user from accessing the desktop until all provisioning package policies have been applied. If MDM is set up, Windows Autopilot Reset will block the user from the desktop until a successful MDM sync is complete.
To enable a device for remote Windows Autopilot Reset, the device must be MDM managed, joined to an Azure AD tenant, and configured to use the Enrollment Status Page. Instructions for triggering remote Windows Autopilot Reset via Intune are as follows:
Navigate to **Devices** tab in the Intune console.
In the **All devices** view, select the targeted reset devices and then click **More** to view device actions.
Select **Autopilot Reset** to kick-off the reset task.
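Review bot: In the list under "the device can automatically:", the item about a provisioning package "inserted via USB when Windows Autopilot Reset is triggered" needs someone at the device, which does not fit a topic titled Remote Autopilot Reset; scope that item to local reset or drop it here. Because the reset "removes personal files, apps, and settings", the Intune steps should also say which role or permission is needed to run the **Autopilot Reset** device action. Smaller points: "a devices original settings" needs an apostrophe, "Navigate to **Devices** tab" is missing "the", neither the list nor the three steps carry bullet or number markers, and ms.pagetype is left empty in the front matter.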

View File

@ -18,3 +18,9 @@ ms.date: 06/01/2018
Windows Autopilot includes support for a growing list of scenarios, designed to support common organization needs which can vary based on the type of organization and their progress moving to Windows 10 and [transitioning to modern management](https://docs.microsoft.com/en-us/windows/client-management/manage-windows-10-in-your-organization-modern-management). Windows Autopilot includes support for a growing list of scenarios, designed to support common organization needs which can vary based on the type of organization and their progress moving to Windows 10 and [transitioning to modern management](https://docs.microsoft.com/en-us/windows/client-management/manage-windows-10-in-your-organization-modern-management).
For details about these scenarios, see these additional topics:
- [Windows Autopilot user-driven mode](user-driven.md), for devices that will be set up by a member of the organization and configured for that person.
- [Windows Autopilot self-deploying mode](self-deploying.md), for devices that will be automatically configured for shared use, as a kiosk, or as a digital signage device.
- [Windows Autopilot Reset](windows-autopilot-reset.md),