deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-16 19:03:46 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

redesign TOC

Browse Source
This commit is contained in:
Greg Lindsay
2019-05-31 14:50:01 -07:00
parent f12ea1c39a
commit f782950068
19 changed files with 491 additions and 389 deletions
Download Patch File Download Diff File Expand all files Collapse all files

55
windows/deployment/windows-autopilot/TOC.md
View File

@ -1,32 +1,29 @@
# [Windows Autopilot](windows-autopilot.md) # [Windows Autopilot](index.md)
# [Windows Autopilot deployment]
## [Overview](windows-autopilot.md)
## [Requirements](windows-autopilot-requirements.md) ## [Requirements](windows-autopilot-requirements.md)
### [Configuration requirements](windows-autopilot-requirements-configuration.md) ## [What's new](windows-autopilot-whats-new.md)
#### [Intune Connector (preview)](intune-connector.md) ## [Platforms](windows-autopilot-platforms.md)
### [Network requirements](windows-autopilot-requirements-network.md) ## [Capabilities](windows-autopilot-scenarios.md)
### [Licensing requirements](windows-autopilot-requirements-licensing.md) ## [Get started](demonstrate-deployment-on-vm.md)
## [Scenarios and Capabilities](windows-autopilot-scenarios.md)
### [Support for existing devices](existing-devices.md) # [Deployment scenarios]
### [White glove](white-glove.md) ## [User-driven mode](user-driven.md)
### [User-driven mode](user-driven.md) ## [Self-deploying mode](self-deploying.md)
#### [Azure Active Directory joined](user-driven-aad.md) ## [Windows Autopilot Reset](windows-autopilot-reset.md)
#### [Hybrid Azure Active Directory joined](user-driven-hybrid.md) ## [White glove](white-glove.md)
### [Self-deploying mode](self-deploying.md) ## [Support for existing devices](existing-devices.md)
### [Windows Autopilot Reset](windows-autopilot-reset.md)
#### [Remote reset](windows-autopilot-reset-remote.md) # [Administering Autopilot]
#### [Local reset](windows-autopilot-reset-local.md) ## [Registering devices](add-devices.md)
## [Administering Autopilot](administer.md) ## [Configuring device profiles](profiles.md)
### [Configuring](configure-autopilot.md) ## [Enrollment status page](enrollment-status.md)
#### [Adding devices](add-devices.md) ## [BitLocker encryption](bitlocker.md)
#### [Creating profiles](profiles.md)
#### [Enrollment status page](enrollment-status.md)
#### [BitLocker encryption](bitlocker.md)
### [Administering Autopilot via Partner Center](https://docs.microsoft.com/en-us/partner-center/autopilot)
### [Administering Autopilot via Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot)
### [Administering Autopilot via Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles)
### [Administering Autopilot via Microsoft 365 Business & Office 365 Admin portal](https://support.office.com/article/Create-and-edit-Autopilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa)
## Getting started
### [Demonstrate Autopilot deployment on a VM](demonstrate-deployment-on-vm.md)
## [Customer consent](registration-auth.md)
## [Troubleshooting](troubleshooting.md) ## [Troubleshooting](troubleshooting.md)
## [Known issues](known-issues.md)
# [Support]
## [FAQ](autopilot-faq.md) ## [FAQ](autopilot-faq.md)
## [Support](autopilot-support.md) ## [Contacts](autopilot-support.md)
## [Registration authorization](registration-auth.md)

18
windows/deployment/windows-autopilot/add-devices.md
View File

@ -92,9 +92,21 @@ The commands can also be run remotely, as long as WMI permissions are in place a
Once the hardware IDs have been captured from existing devices, they can be uploaded through a variety of means. See the detailed documentation for each available mechanism: Once the hardware IDs have been captured from existing devices, they can be uploaded through a variety of means. See the detailed documentation for each available mechanism:
- [Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot). This is the preferred mechanism for all customers. - [Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot). This is the preferred mechanism for all customers.
- [Partner Center](https://msdn.microsoft.com/partner-center/autopilot). This is used by CSP partners to register devices on behalf of customers. - [Partner Center](https://msdn.microsoft.com/partner-center/autopilot). This is used by CSP partners to register devices on behalf of customers.
- [Microsoft 365 Business & Office 365 Admin](https://support.office.com/article/Create-and-edit-AutoPilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa). This is typically used by small and medium businesses (SMBs) who manage their devices using Microsoft 365 Business. - [Microsoft 365 Business & Office 365 Admin](https://support.office.com/article/Create-and-edit-AutoPilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa). This is typically used by small and medium businesses (SMBs) who manage their devices using Microsoft 365 Business.
- [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles). - [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles).
<img src="./images/image2.png" width="511" height="249" />
## Summary
When deploying new devices using Windows Autopilot, the following steps are required:
1. [Register devices](#registering-devices). Ideally, this step is performed by the OEM, reseller, or distributor from which the devices were purchased, but this can also be done by the organization by collecting the hardware identity and uploading it manually.
2. [Configure device profiles](profiles.md), specifying how the device should be deployed and what user experience should be presented.
3. Boot the device. When the device is connected to a network with internet access, it will contact the Windows Autopilot deployment service to see if the device is registered, and if it is, it will download profile settings such as the [Enrollment Status page](enrollment-status.md), which are used to customize the end user experience.
## Other configuration settings
- [Bitlocker encryption settings](bitlocker.md): You can configure the BitLocker encryption settings to be applied before automatic encryption is started.
- [Cortana voiceover and speech recognition](windows-autopilot-scenarios.md): In Windows 10, version 1903 and later Cortana voiceover and speech recognition during OOBE is DISABLED by default for all Windows 10 Pro, Education and Enterprise SKUs.

54
windows/deployment/windows-autopilot/administer.md
View File

@ -16,56 +16,4 @@ ms.topic: article
--- ---
# Administering Autopilot # this doc needs a redirect
**Applies to: Windows 10**
Several platforms are available to register devices with Windows Autopilot. A summary of each platform's capabilities is provided below.
<table>
<tr>
<td BGCOLOR="#a0e4fa"><B>Platform/Portal</th>
<td BGCOLOR="#a0e4fa"><B>Register devices?</th>
<td BGCOLOR="#a0e4fa"><B>Create/Assign profile</th>
<td BGCOLOR="#a0e4fa"><B>Acceptable DeviceID</th>
</tr>
<tr>
<td>OEM Direct API</td>
<td>YES - 1000 at a time max</td>
<td>NO</td>
<td>Tuple or PKID</td>
</tr>
<tr>
<td><a href="https://docs.microsoft.com/en-us/partner-center/autopilot">Partner Center</a></td>
<td>YES - 1000 at a time max<b>\*</b></td>
<td>YES</td>
<td>Tuple or PKID or 4K HH</td>
</tr>
<tr>
<td><a href="https://docs.microsoft.com/en-us/intune/enrollment-autopilot">Intune</a></td>
<td>YES - 175 at a time max</td>
<td>YES<b>\*</b></td>
<td>4K HH</td>
</tr>
<tr>
<td><a href="https://docs.microsoft.com/en-us/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles">Microsoft Store for Business</a></td>
<td>YES - 1000 at a time max</td>
<td>YES</td>
<td>4K HH</td>
</tr>
<tr>
<td><a href="https://docs.microsoft.com/en-us/microsoft-365/business/create-and-edit-autopilot-profiles?redirectSourcePath=%252farticle%252fCreate-and-edit-Autopilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa">Microsoft Business 365</a></td>
<td>YES - 1000 at a time max</td>
<td>YES</td>
<td>4K HH</td>
</tr>
</table>
><b>*</b>Microsoft recommended platform to use

25
windows/deployment/windows-autopilot/configure-autopilot.md
View File

@ -16,27 +16,4 @@ ms.topic: article
--- ---
# Configure Autopilot deployment # This doc needs a redirect
**Applies to**
- Windows 10
<img src="./images/image2.png" width="511" height="249" />
## Configuring Autopilot to deploy new devices
When deploying new devices using Windows Autopilot, the following steps are required:
1. [Register devices](add-devices.md). Ideally, this step would be performed by the OEM, reseller, or distributor from which the devices were purchased, but this can also be done by the organization by collecting the hardware identity and uploading it manually.
2. [Configure device profiles](profiles.md), specifying how the device should be deployed and what user experience should be presented.
3. Boot the device. When the device is connected to a network with internet access, it will contact the Windows Autopilot deployment service to see if the device is registered, and if it is, it will download profile settings such as the [Enrollment Status page](enrollment-status.md), which are used to customize the end user experience.
## Other configuration settings
- [Bitlocker encryption settings](bitlocker.md): You can configure the BitLocker encryption settings to be applied before automatic encryption is started.
- [Cortana voiceover and speech recognition](windows-autopilot-scenarios.md): In Windows 10, version 1903 and later Cortana voiceover and speech recognition during OOBE is DISABLED by default for all Windows 10 Pro, Education and Enterprise SKUs.
## Related topics
[Windows Autopilot scenarios](windows-autopilot-scenarios.md)

26
windows/deployment/windows-autopilot/index.md Normal file
View File

@ -0,0 +1,26 @@
---
title: Windows Autopilot
ms.reviewer:
manager: laurawi
description: Windows Autopilot deployment
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
ms.author: greglin
ms.collection: M365-modern-desktop
ms.topic: article
---
# Windows Autopilot
**Applies to**
- Windows 10
## Related topics

37
windows/deployment/windows-autopilot/intune-connector.md
View File

@ -17,40 +17,5 @@ ms.topic: article
--- ---
# Intune Connector (preview) language requirements # This topic needs a redirect
**Applies to: Windows 10**
Microsoft has released a [preview for Intune connector for Active Directory](https://docs.microsoft.com/intune/windows-autopilot-hybrid) that enables user-driven [Hybrid Azure Active Directory join](user-driven-hybrid.md) for Windows Autopilot.
In this preview version of the Intune Connector, you might receive an error message indicating a setup failure with the following error code and message:
**0x80070658 - Error applying transforms. Verify that the specified transform paths are valid.**
An [example](#example) of the error message is displayed at the bottom of this topic.
This error can be resolved by ensuring that the member server where Intune Connector is running has one of the following language packs installed and configured to be the default keyboard layout:
| | | | | | | | | | | |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| en-US | cs-CZ | da-DK | de-DE | el-GR | es-ES | fi-FI | fr-FR | hu-HU | it-IT | ja-JP |
| ko-KR | nb-NO | nl-NL | pl-PL | pt-BR | ro-RO | ru-RU | sv-SE | tr-TR | zh-CN | zh-TW |
>[!NOTE]
>After installing the Intune Connector, you can restore the keyboard layout to its previous settings.<br>
>This solution is a workaround and will be fully resolved in a future release of the Intune Connector.
To change the default keyboard layout:
1. Click **Settings > Time & language > Region and language**
2. Select one of the languages listed above and choose **Set as default**.
If the language you need isn't listed, you can add additional languages by selecting **Add a language**.
## Example
The following is an example of the error message that can be displayed if one of the listed languages is not used during setup:
![Connector error](images/connector-fail.png)

26
windows/deployment/windows-autopilot/known-issues.md Normal file
View File

@ -0,0 +1,26 @@
---
title: Windows Autopilot known issues
ms.reviewer:
manager: laurawi
description: Windows Autopilot deployment
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
ms.author: greglin
ms.collection: M365-modern-desktop
ms.topic: article
---
# Windows Autopilot - known issues
**Applies to**
- Windows 10
## Related topics

22
windows/deployment/windows-autopilot/user-driven-aad.md
View File

@ -16,24 +16,4 @@ ms.topic: article
--- ---
# Windows Autopilot user-driven mode for Azure Active Directory join # this doc needs to be redirected
**Applies to: Windows 10**
## Procedures
In order to perform a user-driven deployment using Windows Autopilot, the following preparation steps need to be completed:
- Ensure that the users who will be performing user-driven mode deployments are able to join devices to Azure Active Directory. See [Configure device settings](https://docs.microsoft.com/azure/active-directory/device-management-azure-portal#configure-device-settings) in the Azure Active Directory documentation for more information.
- Create an Autopilot profile for user-driven mode with the desired settings. In Microsoft Intune, this mode is explicitly chosen when creating the profile. With Microsoft Store for Business and Partner Center, user-driven mode is the default and does not need to be selected.
- If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group.
For each device that will be deployed using user-driven deployment, these additional steps are needed:
- Ensure that the device has been added to Windows Autopilot. This can be done automatically by an OEM or partner at the time the device is purchased, or it can be done through a manual harvesting process later. See [Adding devices to Windows Autopilot](add-devices.md) for more information.
- Ensure an Autopilot profile has been assigned to the device:
- If using Intune and Azure Active Directory dynamic device groups, this can be done automatically.
- If using Intune and Azure Active Directory static device groups, manually add the device to the device group.
- If using other methods (e.g. Microsoft Store for Business or Partner Center), manually assign an Autopilot profile to the device.
Also see the **Validation** section in the [Windows Autopilot user-driven mode](user-driven.md) topic.

28
windows/deployment/windows-autopilot/user-driven-hybrid.md
View File

@ -17,30 +17,4 @@ ms.topic: article
# Windows Autopilot user-driven mode for hybrid Azure Active Directory join # This doc needs a redirect
**Applies to: Windows 10**
Windows Autopilot requires that devices be Azure Active Directory joined. If you have an on-premises Active Directory environment and want to also join devices to your on-premises domain, you can accomplish this by configuring Autopilot devices to be [hybrid Azure Active Directory (AAD) joined](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan).
## Requirements
To perform a user-driven hybrid AAD joined deployment using Windows Autopilot:
- A Windows Autopilot profile for user-driven mode must be created and
- **Hybrid Azure AD joined** must be specified as the selected option under **Join to Azure AD as** in the Autopilot profile.
- If using Intune, a device group in Azure Active Directory must exist with the Windows Autopilot profile assigned to that group.
- The device must be running Windows 10, version 1809 or later.
- The device must be able to access an Active Directory domain controller, so it must be connected to the organization's network (where it can resolve the DNS records for the AD domain and the AD domain controller, and communicate with the domain controller to authenticate the user).
- The device must be able to access the Internet, following the [documented Windows Autopilot network requirements](windows-autopilot-requirements-network.md).
- The Intune Connector for Active Directory must be installed.
- Note: The Intune Connector will perform an on-prem AD join, therefore users do not need on-prem AD-join permission, assuming the Connector is [configured to perform this action](https://docs.microsoft.com/intune/windows-autopilot-hybrid#increase-the-computer-account-limit-in-the-organizational-unit) on the user's behalf.
- If using Proxy, WPAD Proxy settings option must be enabled and configured.
**AAD device join**: The hybrid AAD join process uses the system context to perform device AAD join, therefore it is not affected by user based AAD join permission settings. In addition, all users are enabled to join devices to AAD by default.
## Step by step instructions
See [Deploy hybrid Azure AD joined devices using Intune and Windows Autopilot](https://docs.microsoft.com/intune/windows-autopilot-hybrid).
Also see the **Validation** section in the [Windows Autopilot user-driven mode](user-driven.md) topic.

48
windows/deployment/windows-autopilot/user-driven.md
View File

@ -34,8 +34,52 @@ Today, Windows Autopilot user-driven mode supports joining devices to Azure Acti
The following options are available for user-driven deployment: The following options are available for user-driven deployment:
- [Azure Active Directory join](user-driven-aad.md) is available if devices do not need to be joined to an on-prem Active Directory domain. - [Azure Active Directory join](#user-driven-mode-for-azure-active-directory-join) is available if devices do not need to be joined to an on-prem Active Directory domain.
- [Hybrid Azure Active Directory join](user-driven-hybrid.md) is available for devices that must be joined to both Azure Active Directory and your on-prem Active Directory domain. - [Hybrid Azure Active Directory join](#user-driven-mode-for-hybrid-azure-active-directory-join) is available for devices that must be joined to both Azure Active Directory and your on-prem Active Directory domain.
### User-driven mode for Azure Active Directory join
In order to perform a user-driven deployment using Windows Autopilot, the following preparation steps need to be completed:
- Ensure that the users who will be performing user-driven mode deployments are able to join devices to Azure Active Directory. See [Configure device settings](https://docs.microsoft.com/azure/active-directory/device-management-azure-portal#configure-device-settings) in the Azure Active Directory documentation for more information.
- Create an Autopilot profile for user-driven mode with the desired settings. In Microsoft Intune, this mode is explicitly chosen when creating the profile. With Microsoft Store for Business and Partner Center, user-driven mode is the default and does not need to be selected.
- If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group.
For each device that will be deployed using user-driven deployment, these additional steps are needed:
- Ensure that the device has been added to Windows Autopilot. This can be done automatically by an OEM or partner at the time the device is purchased, or it can be done through a manual harvesting process later. See [Adding devices to Windows Autopilot](add-devices.md) for more information.
- Ensure an Autopilot profile has been assigned to the device:
- If using Intune and Azure Active Directory dynamic device groups, this can be done automatically.
- If using Intune and Azure Active Directory static device groups, manually add the device to the device group.
- If using other methods (e.g. Microsoft Store for Business or Partner Center), manually assign an Autopilot profile to the device.
Also see the [Validation](#validation) section below.
### User-driven mode for hybrid Azure Active Directory join
Windows Autopilot requires that devices be Azure Active Directory joined. If you have an on-premises Active Directory environment and want to also join devices to your on-premises domain, you can accomplish this by configuring Autopilot devices to be [hybrid Azure Active Directory (AAD) joined](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan).
#### Requirements
To perform a user-driven hybrid AAD joined deployment using Windows Autopilot:
- A Windows Autopilot profile for user-driven mode must be created and
- **Hybrid Azure AD joined** must be specified as the selected option under **Join to Azure AD as** in the Autopilot profile.
- If using Intune, a device group in Azure Active Directory must exist with the Windows Autopilot profile assigned to that group.
- The device must be running Windows 10, version 1809 or later.
- The device must be able to access an Active Directory domain controller, so it must be connected to the organization's network (where it can resolve the DNS records for the AD domain and the AD domain controller, and communicate with the domain controller to authenticate the user).
- The device must be able to access the Internet, following the [documented Windows Autopilot network requirements](windows-autopilot-requirements-network.md).
- The Intune Connector for Active Directory must be installed.
- Note: The Intune Connector will perform an on-prem AD join, therefore users do not need on-prem AD-join permission, assuming the Connector is [configured to perform this action](https://docs.microsoft.com/intune/windows-autopilot-hybrid#increase-the-computer-account-limit-in-the-organizational-unit) on the user's behalf.
- If using Proxy, WPAD Proxy settings option must be enabled and configured.
**AAD device join**: The hybrid AAD join process uses the system context to perform device AAD join, therefore it is not affected by user based AAD join permission settings. In addition, all users are enabled to join devices to AAD by default.
#### Step by step instructions
See [Deploy hybrid Azure AD joined devices using Intune and Windows Autopilot](https://docs.microsoft.com/intune/windows-autopilot-hybrid).
Also see the **Validation** section in the [Windows Autopilot user-driven mode](user-driven.md) topic.
## Validation ## Validation

83
windows/deployment/windows-autopilot/windows-autopilot-platforms.md Normal file
View File

@ -0,0 +1,83 @@
---
title: Windows Autopilot platforms
ms.reviewer:
manager: laurawi
description: Windows Autopilot deployment
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
ms.author: greglin
ms.collection: M365-modern-desktop
ms.topic: article
---
# Windows Autopilot platforms
**Applies to**
- Windows 10
- [Administering Autopilot via Partner Center](https://docs.microsoft.com/en-us/partner-center/autopilot)
- [Administering Autopilot via Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot)
- [Administering Autopilot via Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles)
- [Administering Autopilot via Microsoft 365 Business & Office 365 Admin portal](https://support.office.com/article/Create-and-edit-Autopilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa)
Several platforms are available to register devices with Windows Autopilot. A summary of each platform's capabilities is provided below.
<table>
<tr>
<td BGCOLOR="#a0e4fa"><B>Platform/Portal</th>
<td BGCOLOR="#a0e4fa"><B>Register devices?</th>
<td BGCOLOR="#a0e4fa"><B>Create/Assign profile</th>
<td BGCOLOR="#a0e4fa"><B>Acceptable DeviceID</th>
</tr>
<tr>
<td>OEM Direct API</td>
<td>YES - 1000 at a time max</td>
<td>NO</td>
<td>Tuple or PKID</td>
</tr>
<tr>
<td><a href="https://docs.microsoft.com/en-us/partner-center/autopilot">Partner Center</a></td>
<td>YES - 1000 at a time max<b>\*</b></td>
<td>YES</td>
<td>Tuple or PKID or 4K HH</td>
</tr>
<tr>
<td><a href="https://docs.microsoft.com/en-us/intune/enrollment-autopilot">Intune</a></td>
<td>YES - 175 at a time max</td>
<td>YES<b>\*</b></td>
<td>4K HH</td>
</tr>
<tr>
<td><a href="https://docs.microsoft.com/en-us/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles">Microsoft Store for Business</a></td>
<td>YES - 1000 at a time max</td>
<td>YES</td>
<td>4K HH</td>
</tr>
<tr>
<td><a href="https://docs.microsoft.com/en-us/microsoft-365/business/create-and-edit-autopilot-profiles?redirectSourcePath=%252farticle%252fCreate-and-edit-Autopilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa">Microsoft Business 365</a></td>
<td>YES - 1000 at a time max</td>
<td>YES</td>
<td>4K HH</td>
</tr>
</table>
><b>*</b>Microsoft recommended platform to use
## Related topics

19
windows/deployment/windows-autopilot/windows-autopilot-requirements-configuration.md
View File

@ -16,23 +16,6 @@ ms.topic: article
--- ---
# Windows Autopilot configuration requirements # This page needs a redirect
**Applies to: Windows 10**
Before Windows Autopilot can be used, some configuration tasks are required to support the common Autopilot scenarios.
- Configure Azure Active Directory automatic enrollment. For Microsoft Intune, see [Enable Windows 10 automatic enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment) for details. If using a different MDM service, contact the vendor for the specific URLs or configuration needed for those services.
- Configure Azure Active Directory custom branding. In order to display an organization-specific logon page during the Autopilot process, Azure Active Directory needs to be configured with the images and text that should be displayed. See [Quickstart: Add company branding to your sign-in page in Azure AD](https://docs.microsoft.com/azure/active-directory/fundamentals/customize-branding) for more details. Note that the "square logo" and "sign-in page text" are the key elements for Autopilot, as well as the Azure Active Directory tenant name (configured separately in the Azure AD tenant properties).
- Enable [Windows Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation) if desired, in order to automatically step up from Windows 10 Pro to Windows 10 Enterprise.
Specific scenarios will then have additional requirements. Generally, there are two specific tasks:
- Device registration. Devices need to be added to Windows Autopilot to support most Windows Autopilot scenarios. See [Adding devices to Windows Autopilot](add-devices.md) for more details.
- Profile configuration. Once devices have been added to Windows Autopilot, a profile of settings needs to be applied to each device. See [Configure Autopilot profiles](profiles.md) for details. Note that Microsoft Intune can automate this profile assignment; see [Create an AutoPilot device group](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Assign an AutoPilot deployment profile to a device group](https://docs.microsoft.com/intune/enrollment-autopilot#assign-an-autopilot-deployment-profile-to-a-device-group) for more information.
See [Windows Autopilot Scenarios](windows-autopilot-scenarios.md) for additional details.
For a walkthrough for some of these and related steps, see this video:
</br>
<iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/KYVptkpsOqs" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe>

17
windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md
View File

@ -16,21 +16,6 @@ ms.topic: article
--- ---
# Windows Autopilot licensing requirements # This page needs a redirect
**Applies to: Windows 10**
Windows Autopilot depends on specific capabilities available in Windows 10 and Azure Active Directory; it also requires an MDM service such as Microsoft Intune. These capabilities can be obtained through various editions and subscription programs:
- To provide needed Azure Active Directory (automatic MDM enrollment and company branding features) and MDM functionality, one of the following is required:
- [Microsoft 365 Business subscriptions](https://www.microsoft.com/en-us/microsoft-365/business)
- [Microsoft 365 F1 subscriptions](https://www.microsoft.com/en-us/microsoft-365/enterprise/firstline)
- [Microsoft 365 Academic A1, A3, or A5 subscriptions](https://www.microsoft.com/en-us/education/buy-license/microsoft365/default.aspx)
- [Microsoft 365 Enterprise E3 or E5 subscriptions](https://www.microsoft.com/en-us/microsoft-365/enterprise), which include all Windows 10, Office 365, and EM+S features (Azure AD and Intune)
- [Enterprise Mobility + Security E3 or E5 subscriptions](https://www.microsoft.com/en-us/cloud-platform/enterprise-mobility-security), which include all needed Azure AD and Intune features
- [Intune for Education subscriptions](https://docs.microsoft.com/en-us/intune-education/what-is-intune-for-education), which include all needed Azure AD and Intune features
- [Azure Active Directory Premium P1 or P2](https://azure.microsoft.com/en-us/services/active-directory/) and [Microsoft Intune subscriptions](https://www.microsoft.com/en-us/cloud-platform/microsoft-intune) (or an alternative MDM service)
Additionally, the following are also recommended (but not required):
- [Office 365 ProPlus](https://www.microsoft.com/en-us/p/office-365-proplus/CFQ7TTC0K8R0), which can be deployed easily via Intune (or other MDM services)
- [Windows Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation), to automatically step up devices from Windows 10 Pro to Windows 10 Enterprise

75
windows/deployment/windows-autopilot/windows-autopilot-requirements-network.md
View File

@ -16,77 +16,4 @@ ms.topic: article
--- ---
# Windows Autopilot networking requirements # This page needs a redirect and can be deleted
**Applies to: Windows 10**
Windows Autopilot depends on a variety of internet-based services; access to these services must be provided for Autopilot to function properly. In the simplest case, enabling proper functionality can be achieved by ensuring the following:
- Ensure DNS name resolution for internet DNS names
- Allow access to all hosts via port 80 (HTTP), 443 (HTTPS), and 123 (UDP/NTP)
In environments that have more restrictive internet access, or for those that require authentication before internet access can be obtained, additional configuration may be required to whitelist access to the needed services. For additional details about each of these services and their specific requirements, review the following details:
- **Windows Autopilot Deployment Service (and Windows Activation).**  After a network connection is in place, each Windows 10 device will contact the Windows Autopilot Deployment Service. With Windows 10 builds 18204 and above, the following URLs are used:
- https://ztd.dds.microsoft.com
- https://cs.dds.microsoft.com
For all supported Windows 10 releases, Windows Autopilot also uses Windows Activation services. See the following link for details:
- <https://support.microsoft.com/help/921471/windows-activation-or-validation-fails-with-error-code-0x8004fe33>
- **Azure Active Directory.**  User credentials are validated by Azure Active Directory, then the device may also be joined to Azure Active Directory. See the following link for more information:
- <https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2>
- **Intune.**  Once authenticated, Azure Active Directory will trigger the enrollment of the device into the Intune MDM service. See the following link for details:
- <https://docs.microsoft.com/intune/network-bandwidth-use> (Network communication requirements section)
- **Windows Update.**  During the OOBE process, as well as after the Windows 10 OS is fully configured, the Windows Update service is leveraged to retrieve needed updates.
- <https://support.microsoft.com/help/818018/how-to-solve-connection-problems-concerning-windows-update-or-microsof>
- NOTE:  If Windows Update is inaccessible, the AutoPilot process will still continue.
- **Delivery Optimization.**  When downloading Windows Updates, Microsoft Store apps and app updates, Office Updates and Intune Win32 Apps, the Delivery Optimization service is contacted to enable peer-to-peer sharing of content so that only a few devices need to download it from the internet.
- <https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization>
- NOTE: If Delivery Optimization Service is inaccessible, the AutoPilot process will still continue with Delivery Optimization downloads from the cloud (without peer-to-peer).
- **Network Time Protocol (NTP) Sync.**  When a Windows device starts up, it will talk to a network time server to ensure that the time on the device is accurate.
- Ensure that UDP port 123 to time.windows.com is accessible.
- **Domain Name Services (DNS).**  To resolve DNS names for all services, the device communicates with a DNS server, typically provided via DHCP.  This DNS server must be able to resolve internet names.
- **Diagnostics data.**  To enable Windows Analytics and related diagnostics capabilities, see the following documentation:
- <https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization>
- NOTE: If diagnostic data cannot be sent, the Autopilot process will still continue.
- **Network Connection Status Indicator (NCSI).**  Windows must be able to tell that the device is able to access the internet.
- <https://docs.microsoft.com/windows/configuration/manage-windows-endpoints-version-1709> (Network Connection Status Indicator section, [www.msftconnecttest.com](http://www.msftconnecttest.com) must be resolvable via DNS and accessible via HTTP)
- **Windows Notification Services (WNS).**  This service is used to enable Windows to receive notifications from apps and services.
- <https://docs.microsoft.com/windows/configuration/manage-windows-endpoints-version-1709> (Microsoft store section)
- NOTE: If the WNS services are not available, the Autopilot process will still continue.
- **Microsoft Store, Microsoft Store for Business.**  Apps in the Microsoft Store can be pushed to the device, triggered via Intune (MDM).  App updates and additional apps may also be needed when the user first logs in.
- <https://docs.microsoft.com/microsoft-store/prerequisites-microsoft-store-for-business> (also includes Azure AD and Windows Notification Services)
- NOTE: If the Microsoft Store is not accessible, the AutoPilot process will still continue.
- **Office 365.**  As part of the Intune device configuration, installation of Office 365 ProPlus may be required.
- <https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2> (includes all Office services, DNS names, IP addresses; includes Azure AD and other services that may overlap with those listed above)
- **Certificate revocation lists (CRLs).**  Some of these services will also need to check certificate revocation lists (CRLs) for certificates used in the services.  A full list of these is documented in the Office documentation at <https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2#bkmk_crl> and <https://aka.ms/o365chains>.

162
windows/deployment/windows-autopilot/windows-autopilot-requirements.md
View File

@ -1,16 +1,16 @@
--- ---
title: Windows Autopilot requirements title: Windows Autopilot requirements
ms.reviewer: ms.reviewer:
manager: dansimp manager: laurawi
description: This topic goes over Windows Autopilot and how it helps setup OOBE Windows 10 devices. description: Windows Autopilot deployment
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.localizationpriority: high ms.localizationpriority: medium
ms.sitesec: library ms.sitesec: library
ms.pagetype: deploy ms.pagetype: deploy
author: dulcemontemayor author: greg-lindsay
ms.author: dolmont ms.author: greglin
ms.collection: M365-modern-desktop ms.collection: M365-modern-desktop
ms.topic: article ms.topic: article
--- ---
@ -43,13 +43,157 @@ Windows Autopilot depends on specific capabilities available in Windows 10, Azur
- Surface Studio 2 - Surface Studio 2
- Surface Book 2 - Surface Book 2
See the following topics for details on network and configuration requirements: ## Networking requirements
- [Networking requirements](windows-autopilot-requirements-network.md)
- [Configuration requirements](windows-autopilot-requirements-configuration.md) Windows Autopilot depends on a variety of internet-based services; access to these services must be provided for Autopilot to function properly. In the simplest case, enabling proper functionality can be achieved by ensuring the following:
- For details about specific configuration requirements to enable user-driven Hybrid Azure Active Directory join for Windows Autopilot, see [Intune Connector (preview) language requirements](intune-connector.md). This requirement is a temporary workaround, and will be removed in the next release of Intune Connector.
- Ensure DNS name resolution for internet DNS names
- Allow access to all hosts via port 80 (HTTP), 443 (HTTPS), and 123 (UDP/NTP)
In environments that have more restrictive internet access, or for those that require authentication before internet access can be obtained, additional configuration may be required to whitelist access to the needed services. For additional details about each of these services and their specific requirements, review the following details:
- **Windows Autopilot Deployment Service (and Windows Activation).**  After a network connection is in place, each Windows 10 device will contact the Windows Autopilot Deployment Service. With Windows 10 builds 18204 and above, the following URLs are used:
- https://ztd.dds.microsoft.com
- https://cs.dds.microsoft.com
For all supported Windows 10 releases, Windows Autopilot also uses Windows Activation services. See the following link for details:
- <https://support.microsoft.com/help/921471/windows-activation-or-validation-fails-with-error-code-0x8004fe33>
- **Azure Active Directory.**  User credentials are validated by Azure Active Directory, then the device may also be joined to Azure Active Directory. See the following link for more information:
- <https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2>
- **Intune.**  Once authenticated, Azure Active Directory will trigger the enrollment of the device into the Intune MDM service. See the following link for details:
- <https://docs.microsoft.com/intune/network-bandwidth-use> (Network communication requirements section)
- **Windows Update.**  During the OOBE process, as well as after the Windows 10 OS is fully configured, the Windows Update service is leveraged to retrieve needed updates.
- <https://support.microsoft.com/help/818018/how-to-solve-connection-problems-concerning-windows-update-or-microsof>
- NOTE:  If Windows Update is inaccessible, the AutoPilot process will still continue.
- **Delivery Optimization.**  When downloading Windows Updates, Microsoft Store apps and app updates, Office Updates and Intune Win32 Apps, the Delivery Optimization service is contacted to enable peer-to-peer sharing of content so that only a few devices need to download it from the internet.
- <https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization>
- NOTE: If Delivery Optimization Service is inaccessible, the AutoPilot process will still continue with Delivery Optimization downloads from the cloud (without peer-to-peer).
- **Network Time Protocol (NTP) Sync.**  When a Windows device starts up, it will talk to a network time server to ensure that the time on the device is accurate.
- Ensure that UDP port 123 to time.windows.com is accessible.
- **Domain Name Services (DNS).**  To resolve DNS names for all services, the device communicates with a DNS server, typically provided via DHCP.  This DNS server must be able to resolve internet names.
- **Diagnostics data.**  To enable Windows Analytics and related diagnostics capabilities, see the following documentation:
- <https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization>
- NOTE: If diagnostic data cannot be sent, the Autopilot process will still continue.
- **Network Connection Status Indicator (NCSI).**  Windows must be able to tell that the device is able to access the internet.
- <https://docs.microsoft.com/windows/configuration/manage-windows-endpoints-version-1709> (Network Connection Status Indicator section, [www.msftconnecttest.com](http://www.msftconnecttest.com) must be resolvable via DNS and accessible via HTTP)
- **Windows Notification Services (WNS).**  This service is used to enable Windows to receive notifications from apps and services.
- <https://docs.microsoft.com/windows/configuration/manage-windows-endpoints-version-1709> (Microsoft store section)
- NOTE: If the WNS services are not available, the Autopilot process will still continue.
- **Microsoft Store, Microsoft Store for Business.**  Apps in the Microsoft Store can be pushed to the device, triggered via Intune (MDM).  App updates and additional apps may also be needed when the user first logs in.
- <https://docs.microsoft.com/microsoft-store/prerequisites-microsoft-store-for-business> (also includes Azure AD and Windows Notification Services)
- NOTE: If the Microsoft Store is not accessible, the AutoPilot process will still continue.
- **Office 365.**  As part of the Intune device configuration, installation of Office 365 ProPlus may be required.
- <https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2> (includes all Office services, DNS names, IP addresses; includes Azure AD and other services that may overlap with those listed above)
- **Certificate revocation lists (CRLs).**  Some of these services will also need to check certificate revocation lists (CRLs) for certificates used in the services.  A full list of these is documented in the Office documentation at <https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2#bkmk_crl> and <https://aka.ms/o365chains>.
## Licensing requirements
Windows Autopilot depends on specific capabilities available in Windows 10 and Azure Active Directory; it also requires an MDM service such as Microsoft Intune. These capabilities can be obtained through various editions and subscription programs:
- To provide needed Azure Active Directory (automatic MDM enrollment and company branding features) and MDM functionality, one of the following is required:
- [Microsoft 365 Business subscriptions](https://www.microsoft.com/en-us/microsoft-365/business)
- [Microsoft 365 F1 subscriptions](https://www.microsoft.com/en-us/microsoft-365/enterprise/firstline)
- [Microsoft 365 Academic A1, A3, or A5 subscriptions](https://www.microsoft.com/en-us/education/buy-license/microsoft365/default.aspx)
- [Microsoft 365 Enterprise E3 or E5 subscriptions](https://www.microsoft.com/en-us/microsoft-365/enterprise), which include all Windows 10, Office 365, and EM+S features (Azure AD and Intune)
- [Enterprise Mobility + Security E3 or E5 subscriptions](https://www.microsoft.com/en-us/cloud-platform/enterprise-mobility-security), which include all needed Azure AD and Intune features
- [Intune for Education subscriptions](https://docs.microsoft.com/en-us/intune-education/what-is-intune-for-education), which include all needed Azure AD and Intune features
- [Azure Active Directory Premium P1 or P2](https://azure.microsoft.com/en-us/services/active-directory/) and [Microsoft Intune subscriptions](https://www.microsoft.com/en-us/cloud-platform/microsoft-intune) (or an alternative MDM service)
Additionally, the following are also recommended (but not required):
- [Office 365 ProPlus](https://www.microsoft.com/en-us/p/office-365-proplus/CFQ7TTC0K8R0), which can be deployed easily via Intune (or other MDM services)
- [Windows Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation), to automatically step up devices from Windows 10 Pro to Windows 10 Enterprise
## Configuration requirements
Before Windows Autopilot can be used, some configuration tasks are required to support the common Autopilot scenarios.
- Configure Azure Active Directory automatic enrollment. For Microsoft Intune, see [Enable Windows 10 automatic enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment) for details. If using a different MDM service, contact the vendor for the specific URLs or configuration needed for those services.
- Configure Azure Active Directory custom branding. In order to display an organization-specific logon page during the Autopilot process, Azure Active Directory needs to be configured with the images and text that should be displayed. See [Quickstart: Add company branding to your sign-in page in Azure AD](https://docs.microsoft.com/azure/active-directory/fundamentals/customize-branding) for more details. Note that the "square logo" and "sign-in page text" are the key elements for Autopilot, as well as the Azure Active Directory tenant name (configured separately in the Azure AD tenant properties).
- Enable [Windows Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation) if desired, in order to automatically step up from Windows 10 Pro to Windows 10 Enterprise.
Specific scenarios will then have additional requirements. Generally, there are two specific tasks:
- Device registration. Devices need to be added to Windows Autopilot to support most Windows Autopilot scenarios. See [Adding devices to Windows Autopilot](add-devices.md) for more details.
- Profile configuration. Once devices have been added to Windows Autopilot, a profile of settings needs to be applied to each device. See [Configure Autopilot profiles](profiles.md) for details. Note that Microsoft Intune can automate this profile assignment; see [Create an AutoPilot device group](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Assign an AutoPilot deployment profile to a device group](https://docs.microsoft.com/intune/enrollment-autopilot#assign-an-autopilot-deployment-profile-to-a-device-group) for more information.
See [Windows Autopilot Scenarios](windows-autopilot-scenarios.md) for additional details.
For a walkthrough for some of these and related steps, see this video:
</br>
<iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/KYVptkpsOqs" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe>
- For details about specific configuration requirements to enable user-driven Hybrid Azure Active Directory join for Windows Autopilot, see [Intune Connector (preview) language requirements](intune-connector.md). This requirement is a temporary workaround, and will be removed in the next release of Intune Connector.
There are no additional hardware requirements to use Windows 10 Autopilot, beyond the [requirements to run Windows 10](https://www.microsoft.com/windows/windows-10-specifications). There are no additional hardware requirements to use Windows 10 Autopilot, beyond the [requirements to run Windows 10](https://www.microsoft.com/windows/windows-10-specifications).
## Intune Connector (preview) language requirements
**Applies to: Windows 10**
Microsoft has released a [preview for Intune connector for Active Directory](https://docs.microsoft.com/intune/windows-autopilot-hybrid) that enables user-driven [Hybrid Azure Active Directory join](user-driven-hybrid.md) for Windows Autopilot.
In this preview version of the Intune Connector, you might receive an error message indicating a setup failure with the following error code and message:
**0x80070658 - Error applying transforms. Verify that the specified transform paths are valid.**
An [example](#example) of the error message is displayed at the bottom of this topic.
This error can be resolved by ensuring that the member server where Intune Connector is running has one of the following language packs installed and configured to be the default keyboard layout:
| | | | | | | | | | | |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| en-US | cs-CZ | da-DK | de-DE | el-GR | es-ES | fi-FI | fr-FR | hu-HU | it-IT | ja-JP |
| ko-KR | nb-NO | nl-NL | pl-PL | pt-BR | ro-RO | ru-RU | sv-SE | tr-TR | zh-CN | zh-TW |
>[!NOTE]
>After installing the Intune Connector, you can restore the keyboard layout to its previous settings.<br>
>This solution is a workaround and will be fully resolved in a future release of the Intune Connector.
To change the default keyboard layout:
1. Click **Settings > Time & language > Region and language**
2. Select one of the languages listed above and choose **Set as default**.
If the language you need isn't listed, you can add additional languages by selecting **Add a language**.
### Example
The following is an example of the error message that can be displayed if one of the listed languages is not used during setup:
![Connector error](images/connector-fail.png)
## Related topics ## Related topics
[Configure Autopilot deployment](configure-autopilot.md) [Configure Autopilot deployment](configure-autopilot.md)

52
windows/deployment/windows-autopilot/windows-autopilot-reset-local.md
View File

@ -17,54 +17,4 @@ ms.topic: article
--- ---
# Reset devices with local Windows Autopilot Reset # This doc needs a redirect
**Applies to: Windows 10, version 1709 and above
The Intune Service Administrator role is required to perform this task. Learn more about how to [Assign Azure Active Directory roles](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal).
IT admins can perform a local Windows Autopilot Reset to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen any time and apply original settings and management enrollment (Azure Active Directory and device management) so the devices are ready to use. With a local Autopilot Reset, devices are returned to a fully configured or known IT-approved state.
To enable local Autopilot Reset in Windows 10:
1. [Enable the policy for the feature](#enable-local-windows-autopilot-reset)
2. [Trigger a reset for each device](#trigger-local-windows-autopilot-reset)
## Enable local Windows Autopilot Reset
To enable a local Windows Autopilot Reset, the **DisableAutomaticReDeploymentCredentials** policy must be configured. This policy is documented in the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-credentialproviders), **CredentialProviders/DisableAutomaticReDeploymentCredentials**. By default, local Windows Autopilot is disabled. This ensures that a local Autopilot Reset is not triggered by accident.
You can set the policy using one of these methods:
- MDM provider
- When using Intune, you can create a new device configuration profile, specifying "Windows 10 or later" for the platform, "Device restrictions" for the profile type, and "General" for the settings category. The **Automatic Redeployment** setting should be set to **Allow**. Deploy this setting to all devices where a local reset should be permitted.
- If you're using an MDM provider other than Intune, check your MDM provider documentation on how to set this policy.
- Windows Configuration Designer
You can [use Windows Configuration Designer](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-create-package) to set the **Runtime settings > Policies > CredentialProviders > DisableAutomaticReDeploymentCredentials** setting to 0 and then create a provisioning package.
- Set up School PCs app
The latest release of the Set up School PCs app supports enabling local Windows Autopilot Reset.
## Trigger local Windows Autopilot Reset
Performing a local Windows Autopilot Reset is a two-step process: trigger it and then authenticate. Once you've done these two steps, you can let the process execute and once it is done, the device is again ready for use.
**To trigger a local Autopilot Reset**
1. From the Windows device lock screen, enter the keystroke: **CTRL + ![Windows key](images/windows_glyph.png) + R**.
![Enter CTRL+Windows key+R on the Windows lockscreen](images/autopilot-reset-lockscreen.png)
This will open up a custom login screen for the local Autopilot Reset. The screen serves two purposes:
1. Confirm/verify that the end user has the right to trigger Local Autopilot Reset
2. Notify the user in case a provisioning package, created using Windows Configuration Designer, will be used as part of the process.
![Custom login screen for local Autopilot Reset](images/autopilot-reset-customlogin.png)
2. Sign in with the admin account credentials. If you created a provisioning package, plug in the USB drive and trigger the local Autopilot Reset.
Once the local Autopilot Reset is triggered, the reset process starts. Once provisioning is complete, the device is again ready for use.

25
windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md
View File

@ -17,27 +17,4 @@ ms.topic: article
--- ---
# Reset devices with remote Windows Autopilot Reset (Preview) # This doc needs a redirect
**Applies to: Windows 10, build 17672 or later**
When performing a remote Windows Autopilot Reset, an MDM service such an Microsoft Intune can be used to initiate the reset process, avoiding the need for IT staff or other administrators to visit each machine to initiate the process.
To enable a device for a remote Windows Autopilot Reset, the device must be MDM managed and joined to Azure AD. This feature is not supported on devices that were enrolled using [Autopilot self deploying mode](self-deploying.md).
## Triggering a remote Windows Autopilot Reset
To trigger a remote Windows Autopilot Reset via Intune, follow these steps:
- Navigate to **Devices** tab in the Intune console.
- In the **All devices** view, select the targeted reset devices and then click **More** to view device actions.
- Select **Autopilot Reset** to kick-off the reset task.
>[!NOTE]
>The Autopilot Reset option will not be enabled in Microsoft Intune for devices not running Windows 10 build 17672 or higher.
>[!IMPORTANT]
>The feature for Autopilot Reset (preview) will stay grayed out, **unless** you reset the device using Autopilot (either using Fresh Reset or manually sysprep the device).
Once the reset is complete, the device is again ready for use.

82
windows/deployment/windows-autopilot/windows-autopilot-reset.md
View File

@ -42,11 +42,89 @@ Windows Autopilot Reset will block the user from accessing the desktop until thi
Windows Autopilot Reset supports two scenarios: Windows Autopilot Reset supports two scenarios:
- [Local reset](windows-autopilot-reset-local.md), initiated by IT personnel or other administrators from the organization. - [Local reset](#reset-devices-with-local-windows-autopilot-reset) initiated by IT personnel or other administrators from the organization.
- [Remote reset](windows-autopilot-reset-remote.md), initiated remotely by IT personnel via an MDM service such as Microsoft Intune. - [Remote reset](#reset-devices-with-remote-windows-autopilot-reset-preview) initiated remotely by IT personnel via an MDM service such as Microsoft Intune.
Additional requirements and configuration details apply with each scenario; see the detailed links above for more information. Additional requirements and configuration details apply with each scenario; see the detailed links above for more information.
## Reset devices with local Windows Autopilot Reset
**Applies to: Windows 10, version 1709 and above**
The Intune Service Administrator role is required to perform this task. Learn more about how to [Assign Azure Active Directory roles](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal).
IT admins can perform a local Windows Autopilot Reset to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen any time and apply original settings and management enrollment (Azure Active Directory and device management) so the devices are ready to use. With a local Autopilot Reset, devices are returned to a fully configured or known IT-approved state.
To enable local Autopilot Reset in Windows 10:
1. [Enable the policy for the feature](#enable-local-windows-autopilot-reset)
2. [Trigger a reset for each device](#trigger-local-windows-autopilot-reset)
### Enable local Windows Autopilot Reset
To enable a local Windows Autopilot Reset, the **DisableAutomaticReDeploymentCredentials** policy must be configured. This policy is documented in the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-credentialproviders), **CredentialProviders/DisableAutomaticReDeploymentCredentials**. By default, local Windows Autopilot is disabled. This ensures that a local Autopilot Reset is not triggered by accident.
You can set the policy using one of these methods:
- MDM provider
- When using Intune, you can create a new device configuration profile, specifying "Windows 10 or later" for the platform, "Device restrictions" for the profile type, and "General" for the settings category. The **Automatic Redeployment** setting should be set to **Allow**. Deploy this setting to all devices where a local reset should be permitted.
- If you're using an MDM provider other than Intune, check your MDM provider documentation on how to set this policy.
- Windows Configuration Designer
You can [use Windows Configuration Designer](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-create-package) to set the **Runtime settings > Policies > CredentialProviders > DisableAutomaticReDeploymentCredentials** setting to 0 and then create a provisioning package.
- Set up School PCs app
The latest release of the Set up School PCs app supports enabling local Windows Autopilot Reset.
### Trigger local Windows Autopilot Reset
Performing a local Windows Autopilot Reset is a two-step process: trigger it and then authenticate. Once you've done these two steps, you can let the process execute and once it is done, the device is again ready for use.
**To trigger a local Autopilot Reset**
1. From the Windows device lock screen, enter the keystroke: **CTRL + ![Windows key](images/windows_glyph.png) + R**.
![Enter CTRL+Windows key+R on the Windows lockscreen](images/autopilot-reset-lockscreen.png)
This will open up a custom login screen for the local Autopilot Reset. The screen serves two purposes:
1. Confirm/verify that the end user has the right to trigger Local Autopilot Reset
2. Notify the user in case a provisioning package, created using Windows Configuration Designer, will be used as part of the process.
![Custom login screen for local Autopilot Reset](images/autopilot-reset-customlogin.png)
2. Sign in with the admin account credentials. If you created a provisioning package, plug in the USB drive and trigger the local Autopilot Reset.
Once the local Autopilot Reset is triggered, the reset process starts. Once provisioning is complete, the device is again ready for use.
## Reset devices with remote Windows Autopilot Reset (Preview)
**Applies to: Windows 10, build 17672 or later**
When performing a remote Windows Autopilot Reset, an MDM service such an Microsoft Intune can be used to initiate the reset process, avoiding the need for IT staff or other administrators to visit each machine to initiate the process.
To enable a device for a remote Windows Autopilot Reset, the device must be MDM managed and joined to Azure AD. This feature is not supported on devices that were enrolled using [Autopilot self deploying mode](self-deploying.md).
### Triggering a remote Windows Autopilot Reset
To trigger a remote Windows Autopilot Reset via Intune, follow these steps:
- Navigate to **Devices** tab in the Intune console.
- In the **All devices** view, select the targeted reset devices and then click **More** to view device actions.
- Select **Autopilot Reset** to kick-off the reset task.
>[!NOTE]
>The Autopilot Reset option will not be enabled in Microsoft Intune for devices not running Windows 10 build 17672 or higher.
>[!IMPORTANT]
>The feature for Autopilot Reset (preview) will stay grayed out, **unless** you reset the device using Autopilot (either using Fresh Reset or manually sysprep the device).
Once the reset is complete, the device is again ready for use.
## Troubleshooting ## Troubleshooting
Windows Autopilot Reset requires that the [Windows Recovery Environment (WinRE)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference) is correctly configured and enabled on the device. If it is not configured and enabled, an error such as `Error code: ERROR_NOT_SUPPORTED (0x80070032)` will be reported. Windows Autopilot Reset requires that the [Windows Recovery Environment (WinRE)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference) is correctly configured and enabled on the device. If it is not configured and enabled, an error such as `Error code: ERROR_NOT_SUPPORTED (0x80070032)` will be reported.

26
windows/deployment/windows-autopilot/windows-autopilot-whats-new.md Normal file
View File

@ -0,0 +1,26 @@
---
title: Windows Autopilot what's new
ms.reviewer:
manager: laurawi
description: Windows Autopilot deployment
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
ms.author: greglin
ms.collection: M365-modern-desktop
ms.topic: article
---
# Windows Autopilot: What's new
**Applies to**
- Windows 10
## Related topics