Note

You should only configure provisioning package security when the package is used for device provisioning and when the package has content with sensitive security data, such as certificates or credentials that should be prevented from being compromised. When applying an encrypted and/or signed provisioning package, either during OOBE or through the setting UI, the package can be decrypted, and if signed, be trusted without explicit user consent. An IT administrator can set policy on a user device to restrict the removal of required packages from the device, or the provisioning of potentially harmful packages on the device.

If a provisioning package is signed by a trusted provisioner, it can be installed on a device without a prompt for user consent. In order to enable trusted provider certificates, you must set the TrustedProvisioners setting prior to installing the trusted provisioning package. This is the only way to install a package without user consent. To provide additional security, you can also set RequireProvisioningPackageSignature, which prevents users from installing provisioning packages that are not signed by a trusted provisioner.