Provisioning packages – What can or cannot be done?


Hi Windows 10 folks!

Today I wanted to talk about a topic that I like: Windows 10 provisioning.

There’s a lot of discussion on the Internet about whether the new Windows 10 deployment method (aka provisioning) is really a doable scenario. And to be honest, from my experience, I don’t see a lot of customers adopting that method. To verify that, I even ran an internal survey within Microsoft Japan and gathered the Windows 10 deployment method chosen by 60 of the top 200 companies: 90% of them decided to go with the traditional “Wipe and Load“.


Why? Well, there are many reasons for that. The first one I can think of is that customers are used to the traditional deployment method, which works great on Windows 10 as well. They might have documented the whole deployment method and might want to limit the cost of a complete new deployment design and documentation. In Japan, for instance, most of our customers consider migrating to Windows 10 at the specific time a bulk device replacement is planned. In this particular case, they will most of the time adopt the “Wipe and Load” method.

The second reason that comes to my mind is that the provisioning method has some limitations and challenges: for instance, it doesn’t offer an easy way to remove bloatware from a Windows 10 device bought in a store (you can script this, but it won’t work the same for all the devices available on the market). Another one is that the edition upgrade only works from Pro (or Edu) to Enterprise, whereas most consumer devices you can buy come with Windows 10 Home edition (there’s actually a way to do Home to Pro, then Pro to Ent using PPKG). And lastly, the Windows ICD tool might not be (for now) the most user-friendly tool (it lacks some information about settings and some input formats).

For me, provisioning should only be used for one scenario: BYOD. It is a solution which can solve a business-critical situation where a salesperson on a business trip loses or breaks his device, or has it stolen, and needs to replace it without the intervention of an IT pro. Provisioning will help him get back to work quickly by upgrading his device to Enterprise edition, installing Office 2016, setting up a VPN profile and even joining the domain if needed.

For any other scenario, you should consider in-place upgrade (from Windows 7, 8, 8.1 devices) or wipe and load for any new devices.

Even though we face some limitations with the provisioning method, I wanted to gather here all the test results I got with PPKG (what works and what doesn’t) so that you have all the keys in hand when deciding on the deployment method which best fits your needs.

  • Register device in the Corporate infra
    • Domain Join –> OK
      • [Runtime Settings]>[Accounts]>[Computer Account]
        • [Account] domain\account (e.g. contoso\admin)
        • [DomainName] domain FQDN (e.g. contoso.com)
        • [Password] domain join account password
    • Azure AD Join –> NO (it’s related to the authentication method of enrollment offered by PPKG, which is not compatible with Azure AD Join or Intune)
    • Intune enrollment –> NO (same as above)
    • SCCM On-prem MDM enrollment –> OK (not tested personally but found a great article explaining how to do it)
  • Profiles
    • WIFI –> OK
      • [Runtime Settings]>[ConnectivityProfiles]>[WLAN]>[WLANSetting]
        • Add the [SSID] of the WiFi
        • Under [WLANXmlSettings], fill [AutoConnect], [HiddenNetwork], [SecurityKey] and [Security Type]
    • Certificates –> OK
      • For Root CA Certificate, [Runtime Settings]>[Certificates]>[RootCertificates]
        • Type a [CertificateName] and click [Add]
        • [CertificatePath] path to the CER root CA certificate file
    • Email profile –> since in a BYOD scenario you don’t know the domain or Azure AD account, I don’t think it’s something possible with provisioning
  • OS Customization
    • Start Menu –> OK (note: it doesn’t apply to the current user but to any new users on the computer)
    • Wallpaper –> NO (it copies the image file but doesn’t apply it; I don’t know yet if it’s expected behavior and will update you later on that)
    • Local Account creation –> OK
      • [Runtime Settings]>[Accounts]>[Users]
      • Type a [User Name] and click [Add]
      • [Password] password of the newly created account
      • [UserGroup] add the user to “Administrators” group for instance
    • UWF –> OK
      • [Runtime Settings]>[UnifiedWriteFilter]
      • [FilterEnabled] TRUE
      • [OverlaySize] in MB (e.g. 1024)
      • [OverlayType] select RAM or Disk
      • [Volumes]
        • Type the [DriveLetter] to filter (e.g. “C:”) and click [Add]
        • [Protected] TRUE
    • BitLocker –> NO as a setting (but YES by running the manage-bde command within a script)
    • Edition upgrade –> OK (only from Pro/Edu to Enterprise)
      • [Runtime Settings]>[EditionUpgrade]
      • [UpgradeEditionWithProductKey] type the Enterprise product key
  • Universal Applications
    • Install –> OK (don’t forget to enable sideloading, deploy the certificate, dependencies as well as the app file)
      • To enable sideloading, [Runtime Settings]>[Policies]>[ApplicationManagement]>[AllowAllTrustedApps]>[Yes]
      • To deploy certificate, [Runtime Settings]>[Certificates]>[TrustedPeopleCertificates]
        • Type [CertificateName] and click [Add]
        • [TrustedCertificate] specify the path to the app certificate file
      • To import app with dependencies, [Runtime Settings]>[UniversalAppInstall]
        • Type [PackageFamilyName] and click [Add] (can be any name)
        • [ApplicationFile] specify the “.appxbundle” file
        • [DependencyAppxFiles] add one by one all the dependencies files
    • Uninstall –> OK
      • [Runtime Settings]>[UniversalAppUninstall]
      • On a computer where the app to uninstall is installed, run the PowerShell command Get-AppxPackage to find the package family name.
      • Type the [PackageFamilyName] found using the above command.
  • Win32 applications installation
    • MSI –> OK
      • [Runtime Settings]>[ProvisioningCommands]>[DeviceContext]
      • [CommandFiles] add the MSI file
      • [CommandLine] type the command line to install the MSI package: “msiexec.exe /i xxx.msi /q”
    • Office –> OK (I will write another article to explain how to do that using WICD).
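The list above notes that BitLocker cannot be set as a package setting but can be enabled from a script. The following is an added example of such a script (written for this page, not code from the original post), meant to be shipped as a [ProvisioningCommands]>[DeviceContext] command. It assumes it runs elevated in the device context, that the OS volume is C:, that the device has a ready TPM, and the script name and the `$EscrowPath` parameter are hypothetical; `manage-bde` and the BitLocker/TPM cmdlets it calls are standard Windows 10 components.

```powershell
<#
  Enable-BitLockerFromPpkg.ps1 (hypothetical name) - added example, not from the original post.
  Package it as a ProvisioningCommands DeviceContext command, for instance:
    powershell.exe -NoProfile -ExecutionPolicy Bypass -File Enable-BitLockerFromPpkg.ps1
  Assumptions: runs elevated (device context), OS volume is C:, the device has a ready TPM.
#>
param(
    [string]$Drive = 'C:',
    # Optional escrow location for the recovery password when the device is not domain-joined.
    # Hypothetical parameter: point it at a secured share or your MDM's escrow mechanism.
    [string]$EscrowPath = ''
)
$ErrorActionPreference = 'Stop'
$log = Join-Path $env:ProgramData 'Provisioning-BitLocker.log'

function Write-Log([string]$Message) {
    $line = '{0} {1}' -f (Get-Date -Format s), $Message
    Add-Content -Path $log -Value $line
    Write-Output $line
}

# 1. Refuse to continue on a device whose TPM is absent or not ready: the TPM is the only
#    boot-time protector this script configures, so without it there is nothing to bind to.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) { Write-Log 'TPM not present or not ready; aborting'; exit 1 }

# 2. Do nothing on a volume that is already protected (the package may be re-applied).
$vol = Get-BitLockerVolume -MountPoint $Drive
if ($vol.ProtectionStatus -eq 'On') { Write-Log "$Drive is already protected"; exit 0 }

# 3. Add protectors with manage-bde (the tool the post refers to): a TPM protector for
#    unattended boot plus a numerical recovery password for break-glass access.
& manage-bde -protectors -add $Drive -tpm | Out-Null
if ($LASTEXITCODE -ne 0) { Write-Log 'Failed to add TPM protector'; exit 1 }
& manage-bde -protectors -add $Drive -RecoveryPassword | Out-Null
if ($LASTEXITCODE -ne 0) { Write-Log 'Failed to add recovery password protector'; exit 1 }

# 4. Escrow the recovery password BEFORE encryption starts. A volume encrypted without an
#    escrowed recovery key is a data-loss risk, not a security control.
$rp = (Get-BitLockerVolume -MountPoint $Drive).KeyProtector |
      Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | Select-Object -First 1
$domainJoined = (Get-CimInstance Win32_ComputerSystem).PartOfDomain
if ($domainJoined) {
    # Store the recovery password on the computer object in Active Directory.
    & manage-bde -protectors -adbackup $Drive -id $rp.KeyProtectorId | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Log 'AD escrow failed; not enabling BitLocker'; exit 1 }
    Write-Log "Recovery password $($rp.KeyProtectorId) escrowed to Active Directory"
} elseif ($EscrowPath) {
    # BYOD/unjoined device: write the recovery password to the escrow location only.
    $file = Join-Path $EscrowPath ('{0}-{1}.txt' -f $env:COMPUTERNAME, $rp.KeyProtectorId.Trim('{}'))
    Set-Content -Path $file -Value $rp.RecoveryPassword
    Write-Log "Recovery password written to $file"
} else {
    Write-Log 'No escrow target available; not enabling BitLocker'; exit 1
}

# 5. Turn encryption on. -SkipHardwareTest avoids the reboot-and-test cycle, which does not
#    fit an unattended provisioning run; -UsedSpaceOnly keeps the first-boot encryption short.
& manage-bde -on $Drive -UsedSpaceOnly -SkipHardwareTest | Out-Null
if ($LASTEXITCODE -ne 0) { Write-Log 'manage-bde -on failed'; exit 1 }
Write-Log "BitLocker enabled on $Drive"
exit 0
```

In ICD, add the .ps1 under [CommandFiles] and put the powershell.exe line from the header comment in [CommandLine]. The ordering is the point of the script: protectors first, escrow second, encryption last, and a non-zero exit code (visible in the log under ProgramData) whenever any of those steps fails, so that a device never ends up encrypted with a recovery password nobody holds.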

Hope this list will help you decide what’s possible with provisioning. Obviously, I haven’t covered all the possible settings available in Windows ICD so if you need any other settings, I can only recommend digging through the Windows ICD tool to search for it 🙂
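To confirm that a package actually produced the state described in the list above, here is an added verification script (written for this page, not from the original post). It is run elevated on the provisioned device and checks domain join, edition, root certificate, local administrator account, sideloading policy, app installation and UWF state. The expected domain, thumbprint, account name and package name are placeholders to replace with your own values; `Get-LocalGroupMember` is assumed to be available (Windows 10 1607 and later).

```powershell
<#
  Test-ProvisioningResult.ps1 (hypothetical name) - added example, not from the original post.
  Run elevated after the package has been applied; exits with the number of failed checks,
  so it can be wired into an SCCM compliance item or a monitoring job.
#>
param(
    [string]$ExpectedDomain    = 'contoso.com',                               # placeholder
    [string]$ExpectedEdition   = 'Enterprise',
    [string]$RootCaThumbprint  = '0000000000000000000000000000000000000000', # placeholder
    [string]$LocalAdminAccount = 'ppkgadmin',                                 # placeholder
    [string]$AppPackageName    = 'Contoso.LineOfBusinessApp'                  # placeholder
)

$results = [ordered]@{}

# Domain join ([Runtime Settings]>[Accounts]>[Computer Account])
$cs = Get-CimInstance Win32_ComputerSystem
$results['DomainJoin'] = [bool]($cs.PartOfDomain -and ($cs.Domain -ieq $ExpectedDomain))

# Edition upgrade ([Runtime Settings]>[EditionUpgrade]); EditionID reflects the running edition
$edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
$results['Edition'] = [bool]($edition -ieq $ExpectedEdition)

# Root CA ([Runtime Settings]>[Certificates]>[RootCertificates]): the expected thumbprint must be
# in the machine Root store. Any extra roots in that store deserve a look, since a package
# with a wrong or malicious root would turn up here too.
$results['RootCert'] = [bool](Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -ieq $RootCaThumbprint })

# Local account created by the package and placed in Administrators
# ([Runtime Settings]>[Accounts]>[Users] with [UserGroup] Administrators)
$admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name.Split('\')[-1] }
$results['LocalAdmin'] = [bool]($admins -icontains $LocalAdminAccount)

# Sideloading policy ([Policies]>[ApplicationManagement]>[AllowAllTrustedApps]) is a machine policy value
$appx = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx' -ErrorAction SilentlyContinue
$results['Sideloading'] = [bool]($appx -and $appx.AllowAllTrustedApps -eq 1)

# Universal app installed for all users ([Runtime Settings]>[UniversalAppInstall])
$results['AppInstalled'] = [bool](Get-AppxPackage -AllUsers -Name $AppPackageName)

# Unified Write Filter ([Runtime Settings]>[UnifiedWriteFilter]), read through its WMI provider.
# The class only exists when the UWF feature is installed, so report N/A rather than failing.
try {
    $uwf = Get-CimInstance -Namespace 'root\standardcimv2\embedded' -ClassName UWF_Filter -ErrorAction Stop
    $results['UWF'] = [bool]$uwf.CurrentEnabled
} catch {
    $results['UWF'] = 'N/A'
}

# Summary table, then a non-zero exit code if any expected setting is missing.
$results.GetEnumerator() | ForEach-Object { '{0,-14} {1}' -f $_.Key, $_.Value }
$failed = @($results.GetEnumerator() | Where-Object { $_.Value -eq $false }).Count
exit $failed
```

Each check maps back to one ICD setting path from the list, so when a check fails you know which node of the package to revisit. The root-certificate and local-administrator checks are the two worth keeping in a recurring compliance job, because those are the settings that widen trust on the device if the wrong package is ever applied.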

Note: I will be presenting a session at DE:CODE 2016 about that topic, DE:CODE is the TechEd+Build conference in Japan, If you live in Japan (and speak Japanese), I strongly recommend attending my session INF-024 about OS deployment 🙂

Comments (9)

  1. Deployment tools enable packaging, imaging convergence through tooling convergence. Moreover, Windows Provisioning framework exposes the customizable OS settings which can be set to modify the UI for various Windows editions in particular settings to make it easier to fit the product market. So I believe the method is forcible.

  2. Chandan says:

    Hi, after reading a couple of MSDN articles it’s clear that “If initial .ppkg contains certificate then .ppkg files can be silently deployed” but how to add those certificates, as adding those certs in ICD does not suppress the one-time popup.
    The articles talk about TrustedProvisioners in Windows 10, which I am unable to find on a Win10 machine.
    After adding the certificates I am still unable to deploy the PPKG silently. One pop-up is coming to add the cert first. How can we make it completely silent?
    If any article can be provided which describes TrustedProvisioning very clearly then it would be very helpful for IT admins. A lot of people are stuck due to this and this is a big hurdle in Win10 deployment. Once this can be deployed silently then it can be pushed to the online OS using SCCM, I guess.
    Right now PPKG works with offline deployment only.
    Any helpful information would be highly appreciated.

  3. Jesse Ahn says:

    From what I’ve understood, one of the most useful usages of Provisioning Package seems to be delivering the Driver Package of Surface Pro 4. Against my expectation, Microsoft provides the Driver packages as INF drivers only or an MSI installer as below.

    https://www.microsoft.com/en-us/download/details.aspx?id=49498

    Because of this way, all the settings and custom information of Surface Pro 4 will be gone after installing clean OS.
    Is there any limitation to achieve providing the driver package as Provisioning Package?

    1. Hi Jesse, thank you for your comment! I don’t understand correctly what you are trying to do. In what scenario would you like to deploy drivers using PPKG? For the SP4 example, if it’s a fresh install, I strongly recommend using OS deployment software like SCCM or MDT, which automates the deployment of drivers during the OS deployment phase.

      Could you give me more information about what kind of information/setting would be lost whenever you install drivers via PPKG? 🙂

      1. Jesse Ahn says:

        Hi Samir,
        some of the end-users at home might want to install the professional edition of Windows using a USB stick with the ISO file on it. They usually download and install the SP4 driver package without MDT/SCCM. In this way, they don’t see some of the information like in Settings – System – About.
        Surely this can be addressed by adding exe/msi in the driver package. However, if PPKG technology were actively utilized by Microsoft products like SP4, it would look appealing to IT pros and system developers who are hesitating to use PPKG.

        1. The thing with Surface Pro 4 drivers is that we provide an MSI executable version of it. This can be run silently without user intervention and is very easy to install for anyone. That is (I guess) the reason why we do not provide a PPKG version of SP4 drivers (again, PPKG can hardly be run silently).

          I’m very sorry but I still don’t get what issue you’re trying to solve with PPKG 🙂

  4. Shashank says:

    Hi Samir,

    I am trying to join a Windows 10 Ent machine to a domain environment using ICD and even after multiple tries it’s failing.
    Settings Used:
    Account -> Cluster\Administrator , Here= Cluster is Domain
    Domain Name -> Cluster.Local
    ComputerName->*
    AccountOU-> “Not filling up any information here”.

    1. First, I would verify if you use the latest Windows ICD version (included in Windows ADK TH2).
      Then, I would recreate a new project in ICD and set again what you mentioned.

  5. Jarko says:

    Hello Samir(or anyone), can you elaborate on this please?

    “(there’s actually a way to do Home to Pro, then Pro to Ent using PPKG)”

    /Jarko
