-Optionally, you can click **Browse** to change the default output location. - -13. Click **Next**. - -14. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.
-If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. - -15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
-If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - - - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. - - - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. - -16. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods: - - - Shared network folder - - - SharePoint site - - - Removable media (USB/SD) - - - Email - - - USB tether (mobile only) - - - NFC (mobile only) - -## Add package to image -**To add a provisioning package to Windows 10 for desktop editions (Home, Pro, Enterprise, and Education)** - -- Follow the steps in the "To build an image for Windows 10 for desktop editions" section in [Use the Windows ICD command-line interface]( http://go.microsoft.com/fwlink/p/?LinkId=617371). - -**To add a provisioning package to a Windows 10 Mobile image** - -- Follow the steps in the "To build an image for Windows 10 Mobile or Windows 10 IoT Core (IoT Core)" section in [Use the Windows ICD command-line interface]( http://go.microsoft.com/fwlink/p/?LinkId=617371).
-The provisioning package is placed in the FFU image and is flashed or sector written to the device. During device setup time, the provisioning engine starts and consumes the packages. - -## Learn more -- [Build and apply a provisioning package]( http://go.microsoft.com/fwlink/p/?LinkId=629651) - -- [Provisioning Windows 10 Devices with New Tools](http://go.microsoft.com/fwlink/p/?LinkId=615921) - -- [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](http://go.microsoft.com/fwlink/p/?LinkId=615922) - -## Related topics -- [Configure devices without MDM](../manage/configure-devices-without-mdm.md) \ No newline at end of file diff --git a/windows/deploy/windows-deployment-scenarios-and-tools.md b/windows/deploy/windows-deployment-scenarios-and-tools.md index ba4f22b7c5..a970f1b56f 100644 --- a/windows/deploy/windows-deployment-scenarios-and-tools.md +++ b/windows/deploy/windows-deployment-scenarios-and-tools.md @@ -328,7 +328,7 @@ For more information on UEFI, see the [UEFI firmware](http://go.microsoft.com/fw ## Related topics -[Update Windows 10 images with provisioning packages](update-windows-10-images-with-provisioning-packages.md) + [Deploy Windows To Go](deploy-windows-to-go.md) diff --git a/windows/manage/configure-devices-without-mdm.md b/windows/manage/configure-devices-without-mdm.md index 82e3420ae6..c429067b94 100644 --- a/windows/manage/configure-devices-without-mdm.md +++ b/windows/manage/configure-devices-without-mdm.md @@ -23,7 +23,7 @@ Sometimes mobile device management (MDM) isn't available to you for setting up a Rather than wiping a device and applying a new system image, in Windows 10 you can apply a provisioning package at any time. A provisioning package can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more. -You can provide provisioning packages on a network shared folder that employees can access to configure their devices. Or you can put a provisioning package on a USB flash drive or SD card to hand out. You can even send the provisioning package to someone in email. +You can provide provisioning packages on a network shared folder that employees can access to configure their devices. Or you can put a provisioning package on a USB flash drive or SD card to hand out. Provisioning packages are simple for employees to install. And when they remove a provisioning package, policies that the package applied to their device are removed. @@ -71,74 +71,85 @@ Provisioning packages are simple for employees to install. And when they remove For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( http://go.microsoft.com/fwlink/p/?LinkId=619012). -## Create package - +## Create a provisioning package Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a runtime provisioning package. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740) +When you run Windows ICD, you have several options for creating your package. + +. + +- Choose **Simple provisioning** to define a desired configuration in Windows ICD and then apply that configuration on target devices. The simple provisioning wizard makes the entire process quick and easy by guiding an IT administrator through common configuration settings in a step-by-step manner. +- Choose **Provision school devices** to quickly create provisioning packages that configure settings and policies tailored for students. Learn more about using Windows ICD to provision student PCs (link tb added). +- Choose **Advanced provisioning** to create provisioning packages in the advanced settings editor and include classic (Win32) and Universal Windows Platform (UWP) apps for deployment on end-user devices. + +> **Important** +When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. + +### Using Simple provisioning + +1. Open Windows ICD (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). +2. Click **Simple provisioning**. +2. Name your project and click **Finish**. +3. In the **Set up device** step, enter a unique 15-character name for the device. For help generating a unique name, you can use %SERIAL%, which includes a hardware-specific serial number, or you can use %RAND:x%, which generates random characters of x length. +4. (Optional) You can upgrade the following editions of Windows 10 by providing a product key for the edition to upgrade to. + - Home to Education + - Pro to Education + - Pro to Enterprise + - Enterprise to Education + - Mobile to Mobile Enterprise +5. Click **Set up network**. +6. Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, type, and (if required) password for the wireless network. +7. Click **Enroll into Active Directory**. +8. Toggle **Yes** or **No** for Active Directory enrollment. If you select **Yes**, enter the credentials for an account with permissions to enroll the device. (Optional) Enter a user name and password to create a local administrator account. + > **Warning**: If you don't create a local administrator account and the device fails to enroll in Active Directory for any reason, you will have to reimage the device and start over. As a best practice, we recommend: + - Use a least-privileged domain account to join the device to the domain. + - Create a temporary administrator account to use for debugging or reprovisioning if the device fails to enroll successfully. + - [Use Group Policy to delete the temporary administrator account](https://blogs.technet.microsoft.com/canitpro/2014/12/10/group-policy-creating-a-standard-local-admin-account/) after the device is enrolled in Active Directory. +9. Click **Finish**. +10. Review your settings in the summary. You can return to previous pages to change your selections. Then, under **Protect your package**, toggle **Yes** or **No** to encrypt the provisioning package. If you select **Yes**, enter a password. This password must be entered to apply the encrypted provisioning package. +11. Click **Create**. + + + +### Using Advanced provisioning + + + 1. Open Windows ICD (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). - -2. Choose **New provisioning package**. - +2. Click **Advanced provisioning**. +3. Choose **New provisioning package**. 3. Name your project, and click **Next**. - -4. Choose **Common to all Windows editions**, **Common to all Windows desktop editions**, or **Common to all Windows mobile editions**, depending on the devices you intend to provision, and click **Next**. - +4. Choose **All Windows editions**, **All Windows desktop editions**, or **All Windows mobile editions**, depending on the devices you intend to provision, and click **Next**. 5. On **New project**, click **Finish**. The workspace for your package opens. - 6. Configure settings. [Learn more about specific settings in provisioning packages.]( http://go.microsoft.com/fwlink/p/?LinkId=615916) - 7. On the **File** menu, select **Save.** - 8. On the **Export** menu, select **Provisioning package**. - 9. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** - 10. Set a value for **Package Version**. - - **Tip** + > **Tip** You can make changes to existing packages and change the version number to update previously applied packages. - - - + 11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. - - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. - - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package. - - **Important** + > **Important** We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently. - - - + 12. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location. - Optionally, you can click **Browse** to change the default output location. - 13. Click **Next**. - 14. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status. - If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. - 15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. - If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. - 16. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods: - - Shared network folder - - SharePoint site - - Removable media (USB/SD) - - Email - - USB tether (mobile only) Learn more: [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkID=629651) @@ -146,11 +157,11 @@ Learn more: [Build and apply a provisioning package](http://go.microsoft.com/fwl ## Apply package -On a desktop computer, the employee goes to **Settings** > **Accounts** > **Work access** > **Add or remove a management package** > **Add a package**, and selects the package to install. The user can also add a provisioning package simply by double-clicking the .ppkg file in email, in local storage, on removable media, or at a URL. +On a desktop computer, the employee goes to **Settings** > **Accounts** > **Work access** > **Add or remove a management package** > **Add a package**, and selects the package to install. The user can also add a provisioning package simply by double-clicking the .ppkg file in local storage, on removable media, or at a URL.  -On a mobile device, the employee goes to **Settings** > **Accounts** > **Provisioning.** > **Add a package**, and selects the package on removable media to install. The user can also add a provisioning package simply by double-tapping the .ppkg file in email. +On a mobile device, the employee goes to **Settings** > **Accounts** > **Provisioning.** > **Add a package**, and selects the package on removable media to install.  diff --git a/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md index 92e212ce20..112af01a62 100644 --- a/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md +++ b/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md @@ -44,9 +44,13 @@ Three features enable Start and taskbar layout control: Use the [Imaging and Configuration Designer (ICD) tool](http://go.microsoft.com/fwlink/p/?LinkID=525483) included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that applies a customized Start and taskbar layout. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740) -1. Open ICD (by default, %systemdrive%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). +> **Important** +When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. + +1. Open ICD (by default, %systemdrive%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). +2. Choose **Advanced provisioning**. + -2. Choose **New provisioning package**. 3. Name your project, and click **Next**. diff --git a/windows/manage/images/ICDstart-option.PNG b/windows/manage/images/ICDstart-option.PNG new file mode 100644 index 0000000000..1ba49bb261 Binary files /dev/null and b/windows/manage/images/ICDstart-option.PNG differ diff --git a/windows/manage/lockdown-xml.md b/windows/manage/lockdown-xml.md index 616e800b95..f870e478e5 100644 --- a/windows/manage/lockdown-xml.md +++ b/windows/manage/lockdown-xml.md @@ -492,7 +492,10 @@ The XML example can be used as a lockdown file that is contained in a provisioni Use the Windows ICD tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740) -1. Follow the instructions at [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkID=629651) to create a project, selecting **Common to all Windows mobile editions** for your project. +> **Important** +When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. + +1. Follow the instructions at [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkID=629651) to create a project, selecting **All Windows mobile editions** for your project. 2. In **Available customizations**, go to **Runtime settings** > **EmbeddedLockdownProfiles** > **AssignedAccessXml**. diff --git a/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md b/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md index 55945ea84b..1a99e88418 100644 --- a/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md +++ b/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md @@ -119,15 +119,19 @@ Assigned Access has one setting, KioskModeApp. In the KioskModeApp setting, you Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that configures a device as a kiosk. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740) +> **Important** +When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. + **Create a provisioning package for a kiosk device** 1. Open Windows ICD (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). -2. Choose **New provisioning package**. +2. Choose **Advanced provisioning**. + 3. Name your project, and click **Next**. -4. Choose **Common to all Windows desktop editions** and click **Next**. +4. Choose **All Windows desktop editions** and click **Next**. 5. On **New project**, click **Finish**. The workspace for your package opens. diff --git a/windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md b/windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md index bc918aae23..c6ff919951 100644 --- a/windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md +++ b/windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md @@ -72,6 +72,9 @@ In AssignedAccessXml, for Application, you enter the product ID for the app to r ### Set up assigned access using Windows Imaging and Configuration Designer (ICD) +> **Important** +When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. + **To create and apply a provisioning package for a kiosk device** 1. Create an *AssignedAccess*.xml file that specifies the app the device will run. (You can name use any file name.) For instructions on AssignedAccessXml, see [EnterpriseAssignedAccess CSP](http://go.microsoft.com/fwlink/p/?LinkID=618601). @@ -82,12 +85,13 @@ In AssignedAccessXml, for Application, you enter the product ID for the app to r 2. Open Windows ICD (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). +3. Choose **Advanced provisioning**. + -3. Choose **New provisioning package**. 4. Name your project, and click **Next**. -5. Choose **Common to all Windows mobile editions** and click **Next**. +5. Choose **All Windows mobile editions** and click **Next**. 6. On **New project**, click **Finish**. The workspace for your package opens. diff --git a/windows/whats-new/images/ICD.png b/windows/whats-new/images/ICD.png new file mode 100644 index 0000000000..9cfcb845df Binary files /dev/null and b/windows/whats-new/images/ICD.png differ diff --git a/windows/whats-new/new-provisioning-packages.md b/windows/whats-new/new-provisioning-packages.md index 9a0d03ddeb..470f722e83 100644 --- a/windows/whats-new/new-provisioning-packages.md +++ b/windows/whats-new/new-provisioning-packages.md @@ -16,10 +16,37 @@ author: jdeckerMS - Windows 10 - Windows 10 Mobile +Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. Using Windows Provisioning, an IT administrator can easily specify desired configuration and settings required to enroll the devices into management (through a wizard-driven user interface) and then apply that configuration to target devices in a matter of minutes. It is best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers. + With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Provisioning packages are simple enough that with a short set of written instructions, a student or non-technical employee can use them to configure their device. This can result in a significant reduction in the time required to configure multiple devices in your organization. +## New in Windows 10, Version 1607 + +The Windows Assessment and Deployment Kit (ADK) for Windows 10 included the Imaging and Configuration Designer (ICD), a tool for configuring images and runtime settings which are then built into provisioning packages. Windows ICD for Windows 10, Version 1607, simplifies common provisioning scenarios. + + + +Windows ICD in Windows 10, Version 1607, supports the following scenarios for IT administrators: + +* **Simple provisioning** – Enables IT administrators to define a desired configuration in Windows ICD and then apply that configuration on target devices. The simple provisioning wizard makes the entire process quick and easy by guiding an IT administrator through common configuration settings in a step-by-step manner. + + > [Learn how to use simple provisioning to configure Windows 10 computers.](../deploy/provision-pcs-for-initial-deployment.md) + +* **Advanced provisioning (deployment of classic (Win32) and Universal Windows Platform (UWP) apps, and certificates)** – Allows an IT administrator to use Windows ICD to open provisioning packages in the advanced settings editor and include apps for deployment on end-user devices. + + > [Learn how to use advanced provisioning to configure Windows 10 computers with apps and certificates.](../deploy/provision-pcs-with apps-and-certificates.md) + +* **Mobile device enrollment into management** - Enables IT administrators to purchase off-the-shelf retail Windows 10 Mobile devices and enroll them into mobile device management (MDM) before handing them to end-users in the organization. IT administrators can use Windows ICD to specify the management end-point and apply the configuration on target devices by connecting them to a Windows PC (tethered deployment) or through an SD card. Supported management end-points include: + + * System Center Configuration Manager and Microsoft Intune hybrid (certificate-based enrollment) + * AirWatch (password-string based enrollment) + * Mobile Iron (password-string based enrollment) + * Other MDMs (cert-based enrollment) + +> **Note:** Windows ICD in Windows 10, Version 1607, also provides a wizard to create provisioning packages for school PCs. To learn more, see Set up students' PCs to join domain (link to be added). + ## Benefits of provisioning packages @@ -64,7 +91,7 @@ For details about the settings you can customize in provisioning packages, see [ ## Creating a provisioning package -With Windows 10, you can use the Windows Imaging and Configuration Designer (ICD) tool to create provisioning packages. To install Windows ICD and create provisioning packages, you must install the Windows Assessment and Deployment Kit (ADK) for Windows 10[from the Windows Insider Program site](http://go.microsoft.com/fwlink/p/?linkid=533700). +With Windows 10, you can use the Windows Imaging and Configuration Designer (ICD) tool to create provisioning packages. To install Windows ICD and create provisioning packages, you must install the Windows Assessment and Deployment Kit (ADK) for Windows 10 [from the Windows Insider Program site](http://go.microsoft.com/fwlink/p/?linkid=533700). While running ADKsetup.exe, select the following features from the **Select the features you want to install** dialog box: @@ -93,7 +120,7 @@ Provisioning packages can be applied both during image deployment and during run ## Related topics -[Update Windows 10 images with provisioning packages](../deploy/update-windows-10-images-with-provisioning-packages.md) + [Configure devices without MDM](../manage/configure-devices-without-mdm.md)