Merge branch 'autopilot' of https://github.com/MicrosoftDocs/windows-docs-pr into 19H1

windows/deployment/windows-autopilot/TOC.md

@@ -6,6 +6,7 @@
 ### [Licensing requirements](windows-autopilot-requirements-licensing.md)
 ## [Scenarios and Capabilities](windows-autopilot-scenarios.md)
 ### [Support for existing devices](existing-devices.md)
+### [White glove](white-glove.md)
 ### [User-driven mode](user-driven.md)
 #### [Azure Active Directory joined](user-driven-aad.md)
 #### [Hybrid Azure Active Directory joined](user-driven-hybrid.md)

windows/deployment/windows-autopilot/configure-autopilot.md

@@ -20,17 +20,20 @@ ms.topic: article
 
 -   Windows 10
 
-## Deploying new devices
+<img src="./images/image2.png" width="511" height="249" />
 
-When deploying new devices using Windows Autopilot, a common set of steps are required:
+## Configuring Autopilot to deploy new devices
 
-1.  [Register devices with the Windows Autopilot deployment service](add-devices.md). Ideally, this step would be performed by the OEM, reseller, or distributor from which the devices were purchased, but this can also be done by the organization by collecting the hardware identity and uploading it manually.
-
-2.  [Assign a profile of settings to each device](profiles.md), specifying how the device should be deployed and what user experience should be presented.
+When deploying new devices using Windows Autopilot, the following steps are required:
 
+1.  [Register devices](add-devices.md). Ideally, this step would be performed by the OEM, reseller, or distributor from which the devices were purchased, but this can also be done by the organization by collecting the hardware identity and uploading it manually.
+2.  [Configure device profiles](profiles.md), specifying how the device should be deployed and what user experience should be presented.
 3.  Boot the device. When the device is connected to a network with internet access, it will contact the Windows Autopilot deployment service to see if the device is registered, and if it is, it will download profile settings such as the [Enrollment Status page](enrollment-status.md), which are used to customize the end user experience.
 
-<img src="./images/image2.png" width="511" height="249" />
+## Other configuration settings
+
+- [Bitlocker encryption settings](bitlocker.md): You can configure the BitLocker encryption settings to be applied before automatic encryption is started.
+- [Cortana voiceover and speech recognition](cortana.md): In Windows 10, version 1903 and later Cortana voiceover and speech recognition during OOBE is DISABLED by default for all Windows 10 Pro, Education and Enterprise SKUs.
 
 ## Related topics
 

windows/deployment/windows-autopilot/white-glove.md

@@ -0,0 +1,105 @@
+---
+title: Windows Autopilot for white glove deployment
+description: Windows Autopilot for white glove deployment
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune, pre-provisioning
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: low
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
+ms.author: greg-lindsay
+ms.collection: M365-modern-desktop
+ms.topic: article
+---
+
+# Windows Autopilot for white glove deployment
+
+**Applies to: Windows 10, version 1903**
+
+Windows Autopilot enables organizations to easily provision new devices - leveraging the preinstalled OEM image and drivers with a simple process that can be performed by the end user to help get their device business-ready.
+
+ ![OEM](images/wg01.png)
+
+Windows Autopilot can also provide a <I>white glove</I> service that enables partners or IT staff to pre-provision a Windows 10 PC so that it is fully configured and business-ready​. From the end user’s perspective, the Windows Autopilot user-driven experience is unchanged, but getting their device to a fully provisioned state is faster.
+
+With **Windows Autopilot for white glove deployment**, the provisioning process is split. The time-consuming portions are performed by IT, partners, or OEMs. The end user simply completes a few neceesary settings and polices and then they can begin using their device.
+
+ ![OEM](images/wg02.png)
+
+Enabled with Microsoft Intune in Windows 10, version 1903 and later, white glove deployment capabilities build on top of existing Windows Autopilot [user-driven scenarios](user-driven.md), supporting both the user-driven [Azure AD join](user-driven-aad.md) and [Hybrid Azure AD](user-driven-hybrid.md) join scenarios.
+
+## Prerequisites
+
+In addition to [Windows Autopilot requirements](windows-autopilot-requirements.md), Windows Autopilot for white glove deployment adds the following:
+
+- Windows 10, version 1903 or later is required.
+- An Intune subscription with additional flighted features that are not yet available publicly is currently required. Note: This feature will change soon from flighted to preview. Prior to this feature switching to preview status, attempts to perform white glove deployment without t flighted features will fail with an Intune enrollment error.
+- Physical devices that support TPM 2.0 and device attestation; virtual machines are not supported.  The white glove provisioning process leverages Windows Autopilot self-deploying capabilities, hence the TPM 2.0 requirements.
+- Physical devices with Ethernet connectivity; Wi-fi connectivity is not supported due to the requirement to choose a language, locale, and keyboard to make that Wi-fi connection; doing that in a pre-provisioning process could prevent the user from choosing their own language, locale, and keyboard when they receive the device.
+
+## Preparation
+
+To be ready to try out Windows Autopilot for white glove deployment, ensure that you can first successfully use existing Windows Autopilot user-driven scenarios:
+
+- User-driven Azure AD join.  Devices can be deployed using Windows Autopilot and joined to an Azure Active Directory tenant.
+- User-driven with Hybrid Azure AD join.  Devices can be deployed using Windows Autopilot and joined to an on-premises Active Directory domain, then registered with Azure Active Directory to enable the Hybrid Azure AD join features.
+
+If these scenarios cannot be completed, Windows Autopilot for white glove deployment will also not succeed since it builds on top of these scenarios.
+
+To enable white glove deployment, an additional Autopilot profile setting must be configured:
+
+>[!TIP]
+>To see the white glove deployment Autopilot profile setting, use this URL to access the Intune portal: https://portal.azure.com/?microsoft_intune_enrollment_enableWhiteGlove=true. This is a temporary requirement.
+
+ ![allow white glove](images/allow-white-glove-oobe.png)
+
+The Windows Autopilot for white glove deployment pre-provisioning process will apply all device-targeted policies from Intune.  That includes certificates, security templates, settings, apps, and more – anything targeting the device.  Additionally, any apps (Win32 or LOB) that are configured to install in the device context and targeted to the user that has been pre-assigned to the Autopilot device will also be installed.  **Note**: other user-targeted policies will not apply until the user signs into the device.  To verify these behaviors, be sure to create appropriate apps and policies targeted to devices and users.
+
+## Scenarios
+
+Windows Autopilot for white glove deployment supports two distinct scenarios:
+- User-driven deployments with Azure AD Join.  The device will be joined to an Azure AD tenant.
+- User-driven deployments with Hybrid Azure AD Join.  The device will be joined to an on-premises Active Directory domain, and separately registered with Azure AD.
+Each of these scenarios consists of two parts, a technician flow and a user flow.  At a high level, these parts are the same for Azure AD Join and Hybrid Azure AD join; differences are primarily seen by the end user in the authentication steps.
+
+### Technican flow
+
+The first part of the Windows Autopilot for white glove deployment process is designed to be carried out by a technician; this could be a member of the IT staff, a services partner, or an OEM – each organization can decide who should perform these activities.
+Regardless of the scenario, the process to be performed by the technician is the same:
+- Boot the device (running Windows 10 Pro, Enterprise, or Education SKUs, version 1903 or later).
+- From the first OOBE screen (which could be a language selection or locale selection screen), do not click **Next**.  Instead, press the Windows key five times to view an additional options dialog.  From that screen, choose the **Windows Autopilot provisioning** option and then click **Continue**.
+
+ ![choice](images/choice.png)
+
+- On the **Windows Autopilot Configuration** screen, information will be displayed about the device:
+    - The Autopilot profile assigned to the device.
+    - The organization name for the device.
+    - The user assigned to the device (if there is one).
+    - A QR code containing a unique identifier for the device, useful to look up the device in Intune to make any configuration changes needed (e.g. assigning a user, adding the device to any additional groups needed for app or policy targeting).
+- Validate the information displayed.  If any changes are needed, make these and then click **Refresh** to re-download the updated Autopilot profile details.
+
+ ![landing](images/landing.png)
+
+- Click **Provision** to begin the provisioning process.
+If the pre-provisioning process completes successfully:
+- A green status screen will be displayed with information about the device, including the same details presented previously (e.g. Autopilot profile, organization name, assigned user, QR code), as well as the elapsed time for the pre-provisioning steps.
+- Click **Reseal** to shut the device down.  At that point, the device can be shipped to the end user.
+
+If the pre-provisioning process fails:
+- A red status screen will be displayed with information about the device, including the same details presented previously (e.g. Autopilot profile, organization name, assigned user, QR code), as well as the elapsed time for the pre-provisioning steps.
+- Diagnostic logs can be gathered from the device, and then it can be reset to start the process over again.
+
+ ![white-glove-result](images/white-glove-result.png)
+
+### User flow
+
+If the pre-provisioning process completed successfully and the device was resealed, it can be delivered to the end user to complete the normal Windows Autopilot user-driven process.  They will perform a standard set of steps:
+
+- Power on the device.
+- Select the appropriate language, locale, and keyboard layout.
+- Connect to a network (if using Wi-Fi).  If using Hybrid Azure AD Join, there must be connectivity to a domain controller; if using Azure AD Join, internet connectivity is required.
+- On the branded sign-on screen, enter the user’s Azure Active Directory credentials.
+- If using Hybrid Azure AD Join, the device will reboot; after the reboot, enter the user’s Active Directory credentials.
+- Additional policies and apps will be delivered to the device, as tracked by the Enrollment Status Page (ESP).  Once complete, the user will be able to access the desktop.
+

windows/deployment/windows-autopilot/windows-autopilot-scenarios.md

@@ -1,5 +1,5 @@
 ---
-title: Windows Autopilot scenarios
+title: Windows Autopilot scenarios and capabilities
 description: Listing of Autopilot scenarios
 keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
 ms.prod: w10
@@ -14,10 +14,12 @@ ms.topic: article
 ---
 
 
-# Windows Autopilot scenarios
+# Windows Autopilot scenarios and capabilities
 
 **Applies to: Windows 10**
 
+## Scenarios
+
 Windows Autopilot includes support for a growing list of scenarios, designed to support common organization needs which can vary based on the type of organization and their progress moving to Windows 10 and [transitioning to modern management](https://docs.microsoft.com/windows/client-management/manage-windows-10-in-your-organization-modern-management).
 
 For details about these scenarios, see these additional topics:
@@ -27,6 +29,34 @@ For details about these scenarios, see these additional topics:
 - [Windows Autopilot self-deploying mode](self-deploying.md), for devices that will be automatically configured for shared use, as a kiosk, or as a digital signage device.
 - [Windows Autopilot Reset](windows-autopilot-reset.md), to re-deploy a device in a business-ready state.
 
+## Capabilities
+
+### Windows Autopilot is self-updating during OOBE:
+
+Starting with the Windows 10, version 1903, Autopilot functional and critical updates will begin downloading automatically during OOBE after a device gets connected to a network and the [critical driver and Windows zero-day patch (ZDP) updates](https://docs.microsoft.com/windows-hardware/customize/desktop/windows-updates-during-oobe) have completed. The user or IT admin cannot opt-out of these Autopilot updates; they are required for Windows Autopilot deployment to operate properly.  Windows will alert the user that the device is checking for, downloading and installing the updates.
+
+### Cortana voiceover and speech recognition during OOBE
+
+In Windows 10, version 1903 and later Cortana voiceover and speech recognition during OOBE is DISABLED by default for all Windows 10 Pro, Education and Enterprise SKUs.
+
+If desired, you can enable Cortana voiceover and speech recognition during OOBE by creating the following registry key. This key does not exist by default.
+
+HKLM\Software\Microsoft\Windows\CurrentVersion\OOBE\EnableVoiceForAllEditions
+
+The key value is a DWORD with  **0** = disabled and **1** = enabled.
+
+| Value | Description |
+| --- | --- |
+| 0 | Cortana voiceover is disabled |
+| 1 | Cortana voiceover is enabled |
+| No value | Device will fall back to default behavior of the edition |
+
+To change this key value, use WCD tool to create as PPKG as documented [here](https://docs.microsoft.com/windows/configuration/wcd/wcd-oobe#nforce).
+
+### Bitlocker encryption
+
+With Windows Autopilot, you can configure the BitLocker encryption settings to be applied before automatic encryption is started. For more information, see [Setting the BitLocker encryption algorithm for Autopilot devices](bitlocker.md)
+
 ## Related topics
 
 [Windows Autopilot Enrollment Status page](enrollment-status.md)