top of page
Writer's pictureairwatchhk

Windows10 Drop Ship Provisioning

Updated: Oct 18, 2022

Unlike Android and iOS, Windows devices are usually staged before rolling out to end users.


One of the reasons of using staging is that the installation of Intelligent HUB requires administrator privileges. In most of the cases, end users don’t have the required admin rights due to security reason. So Windows devices are very often pre-staged or drop shipped before they are ready for production.


What is drop shipping? It is a way to allow IT to get a device ready before rolling out it to production. Usually, it is done after a device is shipped to an enterprise.


The first step of drop ship is to define the configuration and applications to be installed on UEM console.


On WSO UEM console, we can have things like AD type, auto pilot, staging user, UEM URL and a list of applications defined. Once complete, we will end up with two files. An unattended xml file which are the settings on the left hand side of the screen.



A PPKG file which is the collection of the applications to be installed is on the right hand side of the screen. Please note that a HUB app is included in PPKG by default. The applications are selected from the UEM application catalog.


There is a green toggle button to allow you to choose to generate unattended xml or PPKG. You can choose to generate both of them or either one of them.


PPKG helps to install applications beforehand so users do not have to wait for applications to come down the first time they login to a device. This is particular useful when there are many apps to be installed or apps are large in size.


An unattended xml define how a device is provisioned, the auto pilot flow, the AD login type, staging user and the UEM URL and OG.


After you have things defined, an encrypted package will get created. Here is an encrypted package on UEM console. PPKG and unattended xml are included in a encrypted package file.



The “Drop Ship Provisioning - Offline package” is for use in the factory for Dell, HP and Lenovo. The package file will be sent to factory and applied to devices in the factory. A device can be shipped directly to end user without going through IT in this case.


“Encrypted Package” is applicable to all brands and can be used by IT administrator to get a device provisioned manually. A new device must first shipped to IT for preparation before it goes to an end user.



This is a demo on how to create PPKG and unattended xml.


With the PPKG and unattended xml ready, we can now get a Windows10 provisioned. For testing purpose, you can use a VM for testing purpose.


Boot up a VM and put it into audit mode when you are on the region screen by pressing “CTRL +SHIFT+F3”.


After successfully initiated, the machine will reboot into audit mode. The System Preparation Tool (Sysprep) will be running: ignore it.



Now Copy your PPKG and unattended xml to your Windows10. In order to execute the two files, we need WSO provisioning tool. You can get it from



You can have all the files in a USB drive and distribute them around.


The VMware Workspace ONE Provisioning Tool for Windows is a testing tool that's used to simulate what happens at the factory. This tool sets up the VM with the PPKG and runs Sysprep which follows the unattend.xml's parameters.


Install the provisioning tool


msiexec /a VMwareWS1ProvisioningTool.msi /qb TARGETDIR="{target directory}\VMwareWS1ProvisioningTool"

Run the provisioning tool


VMwareWS1ProvisioningTool.exe


and specify your PPKG and unattended xml file path. After processing the files, the device is enrolled with a staging account.



After restart, the machine will read the unattend.xml configuration, setting the device's system configuration and proceeding through enrollment with Workspace ONE UEM.

Drop ship provisioning is now done. A device is now ready for an end user. How user is prompted for login depends on the AD type you specify in the unattended xml.


Workgroup AD type is for use if a device is not assigned to a user. For example, a Windows setup as a kiosk or any other line of business use. All other AD types are to associated with an user. The first login user will become the owner of the device. A device owner cannot be changed unless a device is re-enrolled.


This is a demo on how to run provisioning tool on a device in audit mode.


In the next video, you will see the user experience when booting up a provisioned Windows10 for the first time. We call this an Out-of-Box-Experience (OOBE). You can think of OOBE a car. The auto-pilot specified in the unattended xml is a route and a map to guide the car.


After user first login, he becomes the owner of the device. You will get to see all the pre-installed applications. All other resources such as profiles are coming down momentarily.


The device is now in production mode.




60 views0 comments

Recent Posts

See All

ความคิดเห็น


Post: Blog2_Post
bottom of page