Create a provisioning package for Windows 10 devices to use with Workspace ONE Drop Ship Provisioning (Offline) or as an encrypted PPKG to install on devices yourself. Add the package to devices using the Windows 10 Out of Box Experience (OOBE). This method installs your configurations and applications during the initial device setup. Run the package on any Windows 10 device you want to configure.

Create a Provisioning Package for Windows 10 Devices

Create a provisioning package for Windows 10 devices. This package contains the configuration file and the applications for your Windows 10 devices.

Prerequisites

Meet the Workspace ONE Drop Ship Provisioning (Offline) Requirements.

Procedure

  1. Navigate to Devices > Lifecycle > Staging > Windows and select New.
  2. Enter the general settings including the Provisioning Package Name, Description, and the smart group the package is Managed By.
  3. Select Next.
  4. Select the Onboarding Method. To create a PPKG for Workspace ONE Drop Ship Provisioning (Offline), select Factory Provisioning. To create an encrypted PPKG for your own use, select Encrypted PPKG. Select Next.
  5. Set the Configurations settings. The settings that display depend on the Active Directory Type selected. Consider the following information when configuring the settings.
    Settings Description
    Domain Username Enter the username that has Domain Join privileges. This setting displays when you set the Active Directory Type to On-Prem AD Join.
    Note: This information is saved in plain text in the XML file. Ensure that this file is always secured and not sent over insecure connections.
    Domain Password Enter the password for the Domain Join user. This setting displays when you set the Active Directory type to On-Prem AD Join.
    Note: This information saved in plain text in the XML file. Ensure that this file is always secured and not sent over insecure connections.
    AD Organization Unit (OU) Enter the organization unit for the AD.

    The OU must follow the correct formatting:

    OU=,OU=,DC=Company,DC=com

    This setting displays when you set the Active Directory Type to On-Prem AD Join.

    Workgroup Enter the name of the workgroup you want the client to join.

    The workgroup name must be 15 characters or fewer.

    This setting displays when you set the Active Directory Type to Workgroup.

    Product Key Enter the Windows 10 product key.

    You must follow the correct format:

    12345-54CDE-XYZ78-ONM98-456TY
    Make Administrator? You must make the local user account an administrator to start Workspace ONE enrollment automatically.

    During OOBE, the device prompts the user to enter their enrollment credentials.

    This setting displays when you set the Active Directory Type to Workgroup or Azure AD.

    Computer Name The computer name is randomly generated by default so that every system coming from the factory is unique.

    To create a naming convention, use the Registered Owner and Registered Organization settings. The computer name takes the first 7 characters from Registered Organization or Registered Owner as the prefix and then randomizes the rest of the characters up to the 15 character maximum.

    Remove Windows 10 Consumer Apps Select Yes to prevent consumer apps from appearing in Windows 10.

    This setting is only supported for Windows 10 Enterprise or Education. You must enter a Windows 10 Enterprise or Education key.

    Additional Synchronous Commands Add commands that automatically run at the end of the Windows setup process but before any user logs in.
    First Logon Commands Add commands that automatically run the first time a user logs in.

    This setting requires the user have local admin privileges.

    Enrollment Server Enter your Workspace ONE UEM enrollment server URL.

    Find the enrollment URL by navigating in the Workspace ONE UEM console to Groups & Settings > All Settings > System > Advanced > Site URLS.

    This setting displays when you set the Active Directory Type to On-Prem AD Join or Workgroup.

    Staging Account Enter the username for the staging account.

    Find this username by navigating in the Workspace ONE UEM console to Groups & Settings > All Settings > Devices & Users > Windows > Windows Desktop > Staging & Provisioning.

    This setting displays when you set the Active Directory Type to On-Prem AD Join or Workgroup.

    Device Services URL Enter your device services URL.

    Find the device services URL by navigating in the Workspace ONE UEM console to Groups & Settings > All Settings > System > Advanced > Site URLS.

    This setting only displays when you set the Active Directory Type to Azure AD - No Premium.

  6. Select Next.
  7. Select the apps to include in the provisioning package. The apps that display are those apps available to the smart group set during the General settings step.

    This screen only displays Win32 apps recognized through Software Distribution. User context apps behave differently than device context apps. A provisioning package installs any device context apps in the factory, but user context apps install when a user signs in for the first time. These apps install using Software Distribution.

  8. Optionally, if the app requires transforms and patches (MST and MSP files), select the Arrow icon An image displaying the Arrow icon to add the necessary transforms and patches. You must add these transforms from the Edit Application modal before creating a provisioning package.
  9. Select Next.
  10. Review the summary and either export the provisioning package or save it as a template.
    1. To export the provisioning package, select Save and Export.
    2. To save the package as a template, select Save. Templates do not create a PPKG file but save the settings for later creation and exporting. A template displays in the Windows list view with the Draft status.

    You can only have one provisioning package PPKG stored at a time.

Workspace ONE UEM exports the package or saves the template.

  • If you created a Workspace ONE Drop Ship Provisioning (Offline) PPKG, send the package to your OEM to provision your Windows 10 devices.
  • If you created an Encrypted PPKG, you must save the PPKG to the root of a USB drive and install the package on the Windows 10 device.

If you want to change any settings in a provisioning package after creating one, you must either edit the existing package or export a template. Repeat the creation process and send the package to your OEM again. Exporting a new PPKG template overwrites any PPKGs currently available for download.

Add an Encrypted PPKG During Out of Box Experience

After creating an encrypted PPKG, you can add the package to devices using the Windows 10 Out of Box Experience (OOBE). This method installs your configurations and applications during the initial device setup.

Prerequisites

  • Create an encrypted PPKG in the Workspace ONE UEM console.
  • You need a USB drive to transfer the PPKG to the Windows 10 device. The USB drive must be formatted NTFS or FAT32.

Procedure

  1. Navigate to Devices > Lifecycle > Staging > Windows.
  2. Find the encrypted package and select Download Encrypted PPKG.
  3. Save the PPKG to the root of a USB drive.If you save the PPKG to a subfolder, OOBE cannot detect the file.
  4. On the Windows 10 device you want to provision, insert the USB drive at the Select your Region screen of the Out of Box Experience. If you save multiple PPKGs on the USB device, Windows prompts you to select the PPKG you want to apply. After selecting the PPKG, Windows automatically detects and begins processing the PPKG.
  5. When prompted, enter the password used to encrypt the PPKG.
  6. If you want to see the progress of the app installation, press Shift + F10 to run a cmd window, press Alt + Tab and select the Provisioning Tool.
The OOBE process runs the PPKG and installs the configuration and applications included in the package. The workflow changes based on the content of your PPKG:
  • If you do not include configurations in your PPKG, the process completes and returns you to the Select your Region to complete the OOBE process.
  • If you include configurations in your PPKG, Windows automatically runs Sysprep and reboots the device. After rebooting the device, Windows completes the device setup based on your configuration. After setup completes, Workspace ONE Intelligent Hub runs and completes device enrollment.

Run an Encrypted PPKG on a Windows 10 Device

After creating an encrypted PPKG, you can run the package on any Windows 10 device you want to configure. This method installs your configurations and applications on any Windows 10 device, even those already configured.

Prerequisites

  • Create an encrypted PPKG in the Workspace ONE UEM console.
  • You need a USB drive to transfer the PPKG to the Windows 10 device. The USB drive must be formatted NTFS or FAT32.
  • Your devices must run Windows 10 1709 or later. They must also be unmanaged devices. If the device is already enrolled, the process does not apply any configurations or install any apps.

Procedure

  1. Navigate to Devices > Lifecycle > Staging > Windows.
  2. Find the encrypted package and select Download Encrypted PPKG.
  3. Save the PPKG to a USB drive.
  4. On the Windows 10 device you want to provision, insert the USB drive, open it, and double-click to run the PPKG.
  5. Enter the password you used to encrypt the PPKG.
  6. Confirm that you trust the source by selecting Yes, Add It.

The Provisioning Tool runs and begins installing the configuration and applications included in the package. If you included configurations in your PPKG, Sysprep runs and automatically reboots the device. After rebooting the device, Windows completes the device setup based on your configuration. After setup, Workspace ONE Intelligent Hub runs and completes device enrollment.