Provision PCs with common settings for initial deployment (desktop wizard)

Applies to

  • Windows 10

This topic explains how to create and apply a provisioning package that contains common enterprise settings to a device running all desktop editions of Windows 10 except Windows 10 Home.

You can apply a provisioning package on a USB drive to off-the-shelf devices during setup, making it fast and easy to configure new devices.

Advantages

  • You can configure new devices without reimaging.

  • Works on both mobile and desktop devices.

  • No network connectivity required.

  • Simple to apply.

Learn more about the benefits and uses of provisioning packages.

What does the desktop wizard do?

The desktop wizard helps you configure the following settings in a provisioning package:

  • Set device name
  • Upgrade product edition
  • Configure the device for shared use
  • Remove pre-installed software
  • Configure Wi-Fi network
  • Enroll device in Active Directory or Azure Active Directory
  • Create local administrator account
  • Add applications and certificates
Warning

You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.

Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more.

Tip

Use the desktop wizard to create a package with the common settings, then switch to the advanced editor to add other settings, apps, policies, etc.

open advanced editor

Create the provisioning package

Use the Windows Configuration Designer tool to create a provisioning package. Learn how to install Windows Configuration Designer.

  1. Open Windows Configuration Designer (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe).

  2. Click Provision desktop devices.

    ICD start options

  3. Name your project and click Finish. The pages for desktop provisioning will walk you through the following steps.

    ICD desktop provisioning

Important

When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.

Configure settings

step oneset up device
Enter a name for the device.

(Optional) Select a license file to upgrade Windows 10 to a different edition. See the permitted upgrades.

Toggle Yes or No to Configure devices for shared use. This setting optimizes Windows 10 for shared use scenarios. Learn more about shared PC configuration.

You can also select to remove pre-installed software from the device.
device name, upgrade to enterprise, shared use, remove pre-installed software
step two set up network
Toggle On or Off for wireless network connectivity. If you select On, enter the SSID, the network type (Open or WPA2-Personal), and (if WPA2-Personal) the password for the wireless network.
Enter network SSID and type
step three account management
Enable account management if you want to configure settings on this page.

You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device

To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.

Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, set up Azure AD join in your organization. The maximum number of devices per user setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click Get bulk token. In the Let's get you signed in window, enter an account that has permissions to join a device to Azure AD, and then the password. Click Accept to give Windows Configuration Designer the necessary permissions.

To create a local administrator account, select that option and enter a user name and password.

Important: If you create a local account in the provisioning package, you must change the password using the Settings app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.
join Active Directory, Azure AD, or create a local admin account
step four add applications
You can install multiple applications, both Classic Windows (Win32) apps and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see Provision PCs with apps.
add an application
step five add certificates
To provision the device with a certificate, click Add a certificate. Enter a name for the certificate, and then browse to and select the certificate to be used.
add a certificate
finish
You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.
Protect your package

After you're done, click Create. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page.

Next step: How to apply a provisioning package

Learn more