12 changes: 8 additions & 4 deletions articles/setup-experience.md
Expand Up @@ -38,22 +38,26 @@ You can enforce end user authentication during automatic enrollment (ADE) for Ap

## Managed local account

Fleet can create a hidden admin account (`_fleetadmin`) with a unique password on each macOS host during Setup Assistant. IT admins can use this account as a break-glass login for troubleshooting.
Fleet can create a hidden admin account (`_fleetadmin`) with a unique password on each host during setup. IT admins can use this account as a break-glass login for troubleshooting.

This feature is available for macOS hosts that automatically enroll via Apple Business (AB). Manually enrolled hosts are not supported.
This feature is available for macOS hosts that automatically enroll via Apple Business Manager (AB) and Windows hosts that automatically enroll via Azure AD. Manually enrolled hosts are not supported.

To enable managed local accounts:

1. In Fleet, head to **Controls > Setup experience > Users** and check **Managed local account**. Alternatively, you can enable this using [Fleet's REST API](https://fleetdm.com/docs/rest-api/rest-api#update-setup-experience) or [GitOps workflow](https://github.com/fleetdm/fleet-gitops).
1. In Fleet, head to **Controls > Setup experience > Users** and select the platform (macOS or Windows) then choose **Managed > Create hidden admin**. Alternatively, you can enable this using [Fleet's REST API](https://fleetdm.com/docs/rest-api/rest-api#update-setup-experience) or [GitOps workflow](https://github.com/fleetdm/fleet-gitops).

2. Wipe and re-enroll any existing macOS hosts that should receive the account. Hosts enrolled before the feature is turned on won't receive a managed account until they go through Setup Assistant again.
2. Wipe and re-enroll any existing hosts that should receive the account. Hosts enrolled before the feature is turned on won't receive a managed account until they go through the setup experience again.

To view the password for a host's managed account, head to **Host details > Actions > Show managed account**. The password is unique per host and stored securely in Fleet.

### macOS
> The managed account is hidden from the macOS login window. To log in as `_fleetadmin`, click **Other** on the login window (or press the username field) and type the username and password manually.

> The managed account does not have a Secure Token. To access a FileVault-encrypted disk, first unlock it using the [escrowed recovery key](https://fleetdm.com/guides/macos-mdm-setup#disk-encryption), then log in as `_fleetadmin` at the login window.

### Windows
> The managed account is hidden from the Windows sign-in screen. To log in as _fleetadmin, select Other user on the sign-in screen and enter the username and password manually.

## Platform SSO

Fleet supports configuring Platform SSO (PSSO) for macOS hosts with the option to create a local user account during enrollment. If you use Okta, see [Deploying Okta Platform SSO with Fleet](https://fleetdm.com/guides/deploying-okta-platform-sso-with-fleet) for setup instructions. PSSO can be used with or without [end user authentication](#end-user-authentication) enabled.
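Review bot: the new Windows note under "### Windows" is formatted differently from the macOS note directly above it: `_fleetadmin` has no code formatting and "Other user" is not bolded, whereas the macOS note writes `_fleetadmin` and **Other**; align the two (e.g. "To log in as `_fleetadmin`, select **Other user** on the sign-in screen"). Two naming points in the same hunk: the enrollment sentence says Windows hosts enroll "via Azure AD" while the Windows setup experience article touched by this PR calls the same paths "Autopilot or Entra OOBE", so pick one term and use it in both articles; and "Apple Business Manager (AB)" expands the name but keeps an acronym that no longer matches it, so either keep the original "Apple Business (AB)" wording or change the acronym to match the expanded name.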
38 changes: 38 additions & 0 deletions articles/windows-linux-setup-experience.md
Expand Up @@ -51,7 +51,9 @@ If software installs fail, Fleet automatically retries. Learn more in the [setup
To replace the Fleet logo with your organization's logo:

1. Go to **Settings** > **Organization settings** > **Organization info**

2. Add URLs to your logos in the **Organization avatar URL (for dark backgrounds)** and **Organization avatar URL (for light backgrounds)** fields

3. Press **Save**

> See [configuration documentation](https://fleetdm.com/docs/configuration/yaml-files#org-info) for recommended logo sizes.
Expand All @@ -65,9 +67,13 @@ For Windows hosts enrolling through Autopilot or Entra OOBE, you can configure F
To enable for a team:

1. Select the team you're configuring (or **No team**) from the team dropdown.

2. Go to **Controls** > **Setup experience** > **Install software**.

3. Click the **Windows** tab.

4. Switch on **Cancel setup if software fails**.

5. Press **Save**.

The setting only applies to Autopilot and Entra-join-during-OOBE enrollments. On those paths, when a setup-experience software install fails, Fleet does the following:
Expand All @@ -89,12 +95,41 @@ On Autopilot or Entra-OOBE, the device shows "Working on it..." for roughly a mi
Add setup experience software setup experience:

1. Click on the **Controls** tab in the main navigation bar, then **Setup experience** > **3. Install software**.

2. Click on the tab corresponding to the operating system (e.g. Linux).

3. Click **Add software**, then select or search for the software you want installed during the setup experience.

4. Press **Save** to save your selection.

Fleet also provides a API endpoints for managing setup experience software programmatically. Learn more in Fleet's [API reference](https://fleetdm.com/docs/rest-api/rest-api#update-software-setup-experience).

## Managed local account
Fleet can create a hidden admin account (_fleetadmin) with a unique password on each Windows host during setup. IT admins can use this account as a break-glass login for troubleshooting.

This feature is available for Windows hosts that automatically enroll via Azure AD. Manually enrolled hosts are not supported.

> For macOS managed local accounts, see the [macOS MDM setup guide](https://fleetdm.com/guides/macos-mdm-setup).

### Enable managed local accounts
1. Select the team you're configuring (or No team) from the team dropdown.

2. Go to **Controls > Setup experience > Users** and click the **Windows** tab.

4. Select **Managed > Create hidden admin**.

5. Press **Save**.

Alternatively, you can enable this using Fleet's REST API or a GitOps workflow.

Wipe and re-enroll any existing Windows hosts that should receive the account. Hosts enrolled before the feature is turned on won't receive a managed account until they go through the setup experience again.

### View the managed account password
To view the password for a host's managed account, go to Host details > Actions > Show managed account. The password is unique per host and stored securely in Fleet.

### Sign in as the managed account
The managed account is hidden from the Windows sign-in screen. To log in as `_fleetadmin`, select Other user on the sign-in screen and enter the username and password manually. If the sign-in screen does not show Other user, type `.\\_fleetadmin` in the username field to authenticate against the local machine.

## Recover a Windows host from the setup failure screen

When a Windows host is parked at the Enrollment Status Page failure screen, the on-screen options are limited to **Reset device** (which wipes the host) and a **Collect logs** button that may or may not appear. The procedures below let you log in to the device and reach a desktop without wiping anything.
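Review bot: the username hint in "Sign in as the managed account" will render incorrectly: inside a code span the text `.\\_fleetadmin` is shown with both backslashes, so readers will type two backslashes rather than the local-machine form with a single backslash; drop the extra backslash inside the backticks. In the same section, the "Enable managed local accounts" list jumps from step 2 to step 4 (renumber 4 to 3 and 5 to 4), the intro paragraph writes _fleetadmin without the code formatting the rest of the section uses, the "Host details > Actions > Show managed account" path lacks the bold used for the same path in setup-experience.md, and "Alternatively, you can enable this using Fleet's REST API or a GitOps workflow" drops the two links the equivalent sentence in setup-experience.md carries. The macOS cross-reference points at the macOS MDM setup guide, while the macOS managed local account section this PR edits lives in setup-experience.md; please verify the link targets the page that actually documents it. While here, the unchanged context line "Fleet also provides a API endpoints" could read "Fleet also provides API endpoints".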
Expand Down Expand Up @@ -134,8 +169,11 @@ Restart-Computer -Force
To run it:

1. Change `StrongPassword123!` to a password your organization controls.

2. Go to **Controls** > **Scripts** and upload the script, or open the host's detail page and select **Actions** > **Run script** to paste it inline.

3. Run the script against the locked-out host.

4. The host's orbit agent picks up the script within a few seconds and runs it as SYSTEM. The host reboots automatically as the last step.

After the reboot, the device leaves the failure screen on its own and arrives at a Windows sign-in screen.
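Review bot: step 1 has the admin hard-code a password into a script that step 2 uploads under **Controls** > **Scripts** (or pastes into **Run script**), so that password persists in plaintext in Fleet's script library and script activity after the recovery is done; suggest adding a sentence after the list advising to rotate that password and remove the uploaded script once the host is recovered. The blank lines inserted between the steps match the list style used elsewhere in this file.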