Provision the device on startup
August 13, 2015
During device startup, you can use a provisioning XML (Prov.xml) file to provision Windows Embedded 8.1 Handheld-powered devices with organization-specific settings so they are ready for use. Prov.xml can be included in the image for your device when it is built, or you can provide it to the device during startup using an SD card, near field communication (NFC), or other method.
The Prov.xml file is only used during startup. It is not used again unless you wipe the device to return to the startup settings. After you deploy your devices, we strongly recommend that you keep the Prov.xml current with the required device settings. In this way, if you need to wipe a device, the device can be updated with the correct configurations.
To create Prov.xml for your devices, copy the sample XML provided in Create a Prov.xml to a new XML file in a text or XML editor, and then change the values for the sections that you want to define to the appropriate values for your organization's requirements. When provisioning from an SD card, the provisioning file should be encoded as UTF-8 or UTF-16LE, including the byte order mark (BOM). Save the file as Prov.xml to the root directory of an SD card. For information about provisioning from an NFC tag or transferring data between NFC-enabled devices, see Enable near field communication.
Note: If your organization uses System Center 2012 R2 Configuration Manager, you can export a bulk enrollment profile to generate the mobile device management (MDM) enrollment and Wi-Fi connection XML. Devices can be provisioned during startup with the MDM and Wi-Fi configuration, and the lockdown configuration can then be pushed to the enrolled devices from Configuration Manager or some other method.
Note: The manufacturer of your device may enable additional data source capabilities. See your manufacturer's documentation for instructions about using additional options that they have provided.
Prov.xml uses configuration service providers provided by Handheld 8.1 and Windows Phone 8.1 that execute configuration requests.
The EnterpriseAssignedAccess configuration service provider contains a HandheldLockdown section that becomes XML embedded in XML, so the provisioning file must use escaped characters for HandheldLockdown (such as `&lt;` in place of `<`). Do not replace the escaped characters in the provisioning file. The following example demonstrates the difference between the XML examples provided in this document for readability and the same XML as it must appear in Prov.xml.

```xml
<!--example for readability-->
<MenuItems>
<DisableMenuItems/>
</MenuItems>
<!--the same example within Prov.xml-->
&lt;MenuItems&gt;
&lt;DisableMenuItems /&gt;
&lt;/MenuItems&gt;
```
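The escaping step above is easy to get wrong by hand. The following Python script is an added example (not Microsoft's tooling) that validates a HandheldLockdown fragment, escapes it for embedding, writes the result as UTF-8 with a BOM as the SD-card path requires, and then parses the file back to prove the device-side parser recovers the original lockdown XML; the outer `Provisioning`/`HandheldLockdownPayload` elements are constructed placeholders, not the real CSP schema.

```python
"""Escape a HandheldLockdown fragment for embedding in Prov.xml.

Added example, not Microsoft's tooling. The EnterpriseAssignedAccess CSP
carries HandheldLockdown as XML inside XML, so the inner markup must be
escaped (&lt; for <, &gt; for >, &amp; for &) and must stay escaped in
the file. The outer skeleton below is a constructed placeholder, not the
real CSP schema.
"""
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

# Constructed lockdown fragment in the readable form the documentation uses.
LOCKDOWN_FRAGMENT = "<MenuItems>\n<DisableMenuItems/>\n</MenuItems>"


def escape_for_prov(fragment: str) -> str:
    """Validate the fragment, then escape it for use as XML text content."""
    ET.fromstring(fragment)  # reject malformed lockdown XML up front
    return escape(fragment)  # replaces &, < and > with entities


def build_prov_bytes(fragment: str) -> bytes:
    """Embed the escaped fragment and encode as UTF-8 with a BOM, which is
    one of the encodings accepted when provisioning from an SD card."""
    doc = ('<?xml version="1.0" encoding="utf-8"?>\n'
           '<Provisioning><!-- placeholder outer element -->\n'
           '<HandheldLockdownPayload>' + escape_for_prov(fragment) +
           '</HandheldLockdownPayload>\n</Provisioning>\n')
    return doc.encode("utf-8-sig")  # utf-8-sig prepends EF BB BF


def recover_fragment(prov: bytes) -> str:
    """Parse the outer Prov.xml and return the embedded fragment; the XML
    parser unescapes the entities back to the original lockdown XML."""
    root = ET.fromstring(prov)
    inner = root.find("HandheldLockdownPayload").text
    ET.fromstring(inner)  # the recovered text must itself be valid XML
    return inner


if __name__ == "__main__":
    prov = build_prov_bytes(LOCKDOWN_FRAGMENT)
    print(prov.decode("utf-8-sig"))
    assert recover_fragment(prov) == LOCKDOWN_FRAGMENT
```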
Configuration options during startup
A Windows Embedded 8.1 Handheld-powered device in its OEM-built condition, or factory state, can be provisioned with organization-specific settings during startup. This results in a provisioned device that is ready for use.
Some configurations are defined at the device level and apply to all users, while other configurations are defined for each user role. The following table describes the startup configuration options.
| Option | Description | Level |
|---|---|---|
| Application installation | You can install applications on a device from an SD card or from a shared network location. | User |
| Application lockdown | You can configure the specific applications available to each user profile. For example, you can configure Skype to be available to a salesperson, but not a stock clerk using the same device. You can also configure an application to run automatically when a user role is selected. Users will see notifications only for applications that are in their profile's Allow list. | User |
| Background | You can configure the device to use a specific background on the lock screen. | Device |
| Button lockdown | Hardware buttons are always visible; however, you can disable specific buttons for any user role so that they are not functional. To change what a button does, see "Button remapping" in this table. | User |
| Button remapping | You can configure the Search button, and any custom hardware buttons, to open a specific application. For example, you could configure the Search button to open an application for checking prices instead of opening a search engine. A remapped button cannot open an application that is not in the Allow list for the user role in question. | Device |
| Language | You can select a language to use during the initial setup, and you can also configure a different language in Prov.xml that the operating system will display for users. The language setting is configured in the Default User profile. | Default user only |
| Menu items | You can disable menu items to restrict users from uninstalling an application. If menu items are not disabled for a user role, a user can tap and hold an application to access the context menu, and then uninstall the application. | User |
| Mobile device management enrollment | You can provide the MDM server and credentials to automatically enroll a device in the MDM service. See the Remarks section below for additional instructions about enrollment. | Device |
| Settings | You can configure the settings that you want users to be able to view and change. | User |
| Start screen tile sizes and locations | When you configure applications to be available on the Start screen, you can also determine the size of the application tile and where it should be located in relation to other tiles. | User |
| Theme and color | You can set a light or dark theme, and an accent color. | User |
| Tile manipulation | You can block the ability for the user to pin, move, or resize tiles when in assigned access mode. | User |
| Time zone and region | Time zone and region are important for data synchronization and device management. You can configure the time zone and region that a device should use, and then lock down the Microsoft.DateTime and Microsoft.Regional settings so that users cannot change that configuration. | Device |
| Wireless | You can configure the device with the information and credentials needed to log in to your WLAN automatically so that users do not need to set up a connection or log in to the WLAN. | Device |
Configure a device during startup
During startup, the device reads the provisioning XML file from an SD card, near field communication (NFC) tag or device, or other data source. The selected configurations are then applied to the device, and the provisioning file is saved to persistent storage on the device. If the OEM pre-provisioned the device with your organization-specific information, the device is configured before startup and does not require user interaction.
To configure a device during startup

1. Turn on the device.
2. On the Select provisioning data source screen, confirm that your preferred data source is listed. Tap one of the following options:
   - **SD card**
     Note: When providing the provisioning file by SD card, the file must be named Prov.xml and must be located in the root path. Make sure that the SD card is plugged in.
   - **NFC**
   - **Manufacturer-specific extensions**
3. When the data source option that you selected indicates that data is available, tap Next. The device is configured and the Start screen is displayed.

**Important** If any errors occur during startup provisioning, a brief description of the problem and the HRESULT error code will be written to a file named provisioningerrors.txt in C:/Data/Users/Public/Documents on the device. If the description and error code do not provide enough information to troubleshoot the problem, and the device is enrolled in mobile device management (MDM), you can use MDM to retrieve the more detailed log provisioningerrors.xml, which is stored in C:/Data/SharedData/Enterprise/Non-Persistent. You can also obtain information from this file from your OEM. Access to this file is controlled because it might contain sensitive information, such as a Wi-Fi password. The file contains the Wireless Application Protocol (WAP) XML results.
Remarks
A certification authority (CA) is responsible for publishing its certificate revocation list (CRL). To make sure that certificates are properly trusted during the MDM enrollment process, administrators must ensure that the certificate used for the Internet Information Services (IIS) binding is configured to include both the CRL and the CRL distribution point URL. To do this, perform the steps in the following procedure.

To configure the IIS binding certificate to include the CRL and distribution point URL

1. On the CA server, open certsrv.msc.
2. Right-click the root node to open the Properties dialog box.
3. On the Extensions tab, do the following:
   - For Select extension, choose CRL Distribution Point (CDP).
   - For Specify locations from which users can obtain a certificate revocation list (CRL), choose the correct http distribution point URL.
   - Make sure that the following items are both selected:
     - Include in CRLs. Clients use this to find Delta CRL locations
     - Include in the CDP extension of issued certificates
   - Click OK.
4. To make sure that the device can access the URL to check revocation status, update the hosts file on the device with the IP address of the CA.
5. Re-enroll the certificate that is used on the IIS binding to make sure that it uses the CRL URL that you just chose.
6. You can now use the certificate for the IIS binding.