diff --git a/education/windows/TOC.md b/education/windows/TOC.md index ca73e87080..5cfd544fe5 100644 --- a/education/windows/TOC.md +++ b/education/windows/TOC.md @@ -4,6 +4,9 @@ ## [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md) ## [Set up Windows devices for education](set-up-windows-10.md) ### [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md) +#### [Azure AD Join for school PCs](set-up-school-pcs-azure-ad-join.md) +#### [Shared PC mode for school devices](set-up-school-pcs-shared-pc-mode.md) +#### [Provisioning package settings](set-up-school-pcs-provisioning-package.md) ### [Use the Set up School PCs app ](use-set-up-school-pcs-app.md) ### [Set up student PCs to join domain](set-up-students-pcs-to-join-domain.md) ### [Provision student PCs with apps](set-up-students-pcs-with-apps.md) diff --git a/education/windows/images/suspc-add-recommended-apps-1807.png b/education/windows/images/suspc-add-recommended-apps-1807.png new file mode 100644 index 0000000000..e579c8f99d Binary files /dev/null and b/education/windows/images/suspc-add-recommended-apps-1807.png differ diff --git a/education/windows/images/suspc-admin-token-delete-1807.png b/education/windows/images/suspc-admin-token-delete-1807.png new file mode 100644 index 0000000000..0656dbb899 Binary files /dev/null and b/education/windows/images/suspc-admin-token-delete-1807.png differ diff --git a/education/windows/images/suspc-assessment-url-1807.png b/education/windows/images/suspc-assessment-url-1807.png new file mode 100644 index 0000000000..c799e26271 Binary files /dev/null and b/education/windows/images/suspc-assessment-url-1807.png differ diff --git a/education/windows/images/suspc-configure-student-settings-1807.png b/education/windows/images/suspc-configure-student-settings-1807.png new file mode 100644 index 0000000000..92d6ae184a Binary files /dev/null and b/education/windows/images/suspc-configure-student-settings-1807.png differ diff --git a/education/windows/images/suspc-device-names-1807.png b/education/windows/images/suspc-device-names-1807.png new file mode 100644 index 0000000000..886ff13413 Binary files /dev/null and b/education/windows/images/suspc-device-names-1807.png differ diff --git a/education/windows/images/suspc-enable-shared-pc-1807.png b/education/windows/images/suspc-enable-shared-pc-1807.png new file mode 100644 index 0000000000..52fb68f830 Binary files /dev/null and b/education/windows/images/suspc-enable-shared-pc-1807.png differ diff --git a/education/windows/images/suspc-select-wifi-1807.png b/education/windows/images/suspc-select-wifi-1807.png new file mode 100644 index 0000000000..c8b94d6aad Binary files /dev/null and b/education/windows/images/suspc-select-wifi-1807.png differ diff --git a/education/windows/images/suspc-select-wifi-network-1807.png b/education/windows/images/suspc-select-wifi-network-1807.png new file mode 100644 index 0000000000..6c7240db39 Binary files /dev/null and b/education/windows/images/suspc-select-wifi-network-1807.png differ diff --git a/education/windows/images/suspc-sign-in-select-1807.png b/education/windows/images/suspc-sign-in-select-1807.png new file mode 100644 index 0000000000..abffbec690 Binary files /dev/null and b/education/windows/images/suspc-sign-in-select-1807.png differ diff --git a/education/windows/images/suspc-take-a-test-app-1807.png b/education/windows/images/suspc-take-a-test-app-1807.png new file mode 100644 index 0000000000..9d6c503f3c Binary files /dev/null and b/education/windows/images/suspc-take-a-test-app-1807.png differ diff --git a/education/windows/set-up-school-pcs-azure-ad-join.md b/education/windows/set-up-school-pcs-azure-ad-join.md new file mode 100644 index 0000000000..18a76b197a --- /dev/null +++ b/education/windows/set-up-school-pcs-azure-ad-join.md @@ -0,0 +1,96 @@ +--- +title: Azure AD Join with Setup School PCs app +description: Describes how Azure AD Join is configured in the Set up School PCs app. +keywords: shared cart, shared PC, school, set up school pcs +ms.prod: w10 +ms.technology: Windows +ms.mktglfcycl: plan +ms.sitesec: library +ms.pagetype: edu +ms.localizationpriority: medium +author: lenewsad +ms.author: lanewsad +ms.date: 07/13/2018 +--- + +# Azure AD Join for school PCs + +> [!NOTE] +> Set up School PCs app uses Azure AD Join to configure PCs. The app is helpful if you use the cloud based directory, Azure Active Directory (AD). If your organization uses Active Directory or requires no account to connect, install and use [Windows Configuration +> Designer](set-up-students-pcs-to-join-domain.md) to +> join your PCs to your school's domain. + +Set up School PCs lets you create a provisioning package that automates Azure AD +Join on your devices. This feature eliminates the need to manually: + +- Connect to your school’s network. + +- Join your organization's domain. + +## Automated connection to school domain + +During initial device setup, Azure AD Join automatically connects your PCs to your school's Azure AD domain. You can skip all of the Windows setup experience that is typically a part of the out-of-the-box-experience (OOBE). Devices that are managed by a mobile device manager, such as Intune, are automatically enrolled with the provider upon initial device startup. + +Students who sign in to their PCs with their Azure AD credentials get access to on-premises apps and the following cloud apps: +* Office 365 +* OneDrive +* OneNote. + +## Enable Azure AD Join + +Learn how to enable Azure AD Join for your school. After you configure this setting, you'll be able to request an automated Azure AD bulk token, which you need to create a provisioning package. + +1. Sign in to the Azure portal with your organization's credentials. +2. Go to **Azure +Active Directory** \> **Devices** \> **Device settings**. +3. Enable the setting +for Azure AD by selecting **All** or **Selected**. If you choose the latter +option, select the teachers and IT staff to allow them to connect to Azure AD. + +![Select the users you want to let join devices to Azure AD](images/suspc-enable-shared-pc-1807.png) + +You can also create an account that holds the exclusive rights to join devices. When a student PC needs to be set up, provide the account credentials to the appropriate teachers or staff. + +## All Device Settings + +The following table describes each setting within **Device Settings**. + +| Setting | Description | +|------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Users may join devices to Azure AD | Choose the scope of people in your organization that are allowed to join devices to Azure AD. **All** allows all users and groups within your tenant to join devices. **Selected** prompts you to choose specific users or groups to allow. **None** allows no one in your tenant to join devices to Azure AD. | +| Additional local administrators on Azure AD joined devices | Only applicable to Azure AD Premium tenants. Grant additional local administrator rights on devices, to selected users. Global administrators and the device owner are granted local administrator rights by default. | +| Users may register their devices with Azure AD | Allow all or none of your users to register their devices with Azure AD (Workplace Join). If you are enrolled in Microsoft Intune or Mobile Device Management for Office 365, your devices are required to be registered. In this case, **All** is automatically selected for you. | +| Require Multi-Factor Authentication to join devices | Recommended when adding devices to Azure AD. When set to **Yes**, users that are setting up devices must enter a second method of authentication. | +| Maximum number of devices per user | Set the maximum number of devices a user is allowed to have in Azure AD. If the maximum is exceeded, the user must remove one or more existing devices before additional ones are added. | +| Users may sync settings and enterprise app data | Allow all or none of your users to sync settings and app data across multiple devices. Tenants with Azure AD Premium are permitted to select specific users to allow. | + +## Clear Azure AD tokens +--------------------- + +Your Intune tenant can only have 500 active Azure AD tokens, or packages, at a time. You'll receive a notification in the Intune portal when you reach 500 active tokens. + +To reduce your inventory, clear out all unnecessary and inactive tokens. +1. Go to **Azure Active Directory** \> **Users** \> **All users** +2. In the **User Name** column, select and delete all accounts with a **package\_** +prefix. These accounts are created at a 1:1 ratio for every token and are safe +to delete. +3. Select and delete inactive and expired user accounts. + +### How do I know if my package expired? +Automated Azure AD tokens expire after 30 days. The expiration date for each token is appended to the end of the saved provisioning package, on the USB drive. After this date, you must create a new package. Be careful that you don't delete active accounts. + +![Screenshot of the Azure portal, Azure Active Directory, All Users page. Highlights all accounts that start with the prefix package_ and can be deleted.](images/suspc-admin-token-delete-1807.png) + +## Next steps +Learn more about setting up devices with the Set up School PCs app. +* [What's in my provisioning package?](set-up-school-pcs-provisioning-package.md) +* [Shared PC mode for schools](set-up-school-pc-shared-mode.md) +* [Set up School PCs technical reference](set-up-school-pcs-technical.md) +* [Set up Windows 10 devices for education](set-up-windows-10.md) + +When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md). + + + + + diff --git a/education/windows/set-up-school-pcs-provisioning-package.md b/education/windows/set-up-school-pcs-provisioning-package.md new file mode 100644 index 0000000000..1b47ef885f --- /dev/null +++ b/education/windows/set-up-school-pcs-provisioning-package.md @@ -0,0 +1,121 @@ +--- +title: What's in Set up School PCs provisioning package +description: Lists the provisioning package settings that are configured in the Set up School PCs app. +keywords: shared cart, shared PC, school, set up school pcs +ms.prod: w10 +ms.technology: Windows +ms.mktglfcycl: plan +ms.sitesec: library +ms.pagetype: edu +ms.localizationpriority: medium +author: lenewsad +ms.author: lanewsad +ms.date: 07/13/2018 +--- + +# What's in my provisioning package? +The Set up School PCs app builds a specialized provisioning package with school-optimized settings. + +A key feature of the provisioning package is Shared PC mode. To view the technical framework of Shared PC mode, including the description of each setting, see the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723294%28v=vs.85%29.aspx) article. + +## Shared PC Mode policies +This table outlines the policies applied to devices in shared PC mode. If you [selected to optimize a device for use by a single student](set-up-school-pcs-shared-pc-mode.md#optimize-device-for-use-by-a-single-student), the table notes the differences. Specifically, you'll see differences in the following policies: +* Disk level deletion +* Inactive threshold +* Restrict local storage + +In the table, *True* means that the setting is enabled, allowed, or applied. Use the **Description** column to help you understand the context for each setting. + +For a more detailed look at the policies, see the Windows article [Set up shared or guest PC](https://docs.microsoft.com/en-us/windows/configuration/set-up-shared-or-guest-pc#policies-set-by-shared-pc-mode). + +|Policy name |Default value |Description | +|---------|---------|---------|, +|Enable Shared PC mode|True| Configures the PCs so they are in shared PC mode.| +|Set education policies | True | School-optimized settings are applied to the PCs so that they are appropriate for an educational environment. To see all recommended and enabled policies, see [Windows 10 configuration recommendation for education customers](https://docs.microsoft.com/en-us/education/windows/configure-windows-for-education). | +|Account Model| Only guest, Domain-joined only, or Domain-joined and guest |Controls how users can sign in on the PC. Configurable from the Set up School PCs app. Choosing domain-joined will enable any user in the domain to sign in. Specifying the guest option will add the Guest option to the sign-in screen and enable anonymous guest access to the PC. | +|Deletion policy | Delete at disk space threshold and inactive threshold | Delete at disk space threshold will start deleting accounts when available disk space falls below the threshold you set for disk level deletion. It will stop deleting accounts when the available disk space reaches the threshold you set for disk level caching. Accounts are deleted in order of oldest accessed to most recently accessed. Also deletes accounts if they have not signed in within the number of days specified by inactive threshold policy. | +|Disk level caching | 50% | Sets 50% of total disk space to be used as the disk space threshold for account caching. | +|Disk level deletion | For shared device setup, 25%; for single device-student setup, 0%. | When your devices are optimized for shared use across multiple PCs, this policy sets 25% of total disk space to be used as the disk space threshold for account caching. When your devices are optimized for use by a single student, this policy sets the value to 0% and does not delete accounts. | +|Enable account manager | True | Enables automatic account management. | +|Inactive threshold| For shared device setup, 30 days; for single device-student setup, 180 days.| After 30 or 180 days, respectively, if an account has not signed in, it will be deleted. +|Kiosk Mode AMUID | Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App | Configures the kiosk account on student devices to only run the Take a Test secure assessment browser. | +|Kiosk Mode User Tile Display Text | Take a Test | Displays "Take a Test" as the name of the kiosk account on student devices. | +|Restrict local storage | For shared device setup, True; for single device-student setup, False. | When devices are optimized for shared use across multiple PCs, this policy forces students to save to the cloud to prevent data loss. When your devices are optimized for use by a single student, this policy does not prevent students from saving on the PCs local hard drive. | +|Maintenance start time | 0 - midnight | The maintenance start time when automatic maintenance tasks, such as Windows Update, run on student devices. | +|Max page file size in MB| 1024| Sets the maximum size of the paging file to 1024 MB. Applies only to systems with less than 32-GB storage and at least 3 GB of RAM.| +|Set power policies | True | Prevents users from changing power settings and turns off hibernate. Also overrides all power state transitions to sleep, such as lid close. | +|Sign in on resume | True | Requires the device user to sign in with a password when the PC wakes from sleep. | +|Sleep timeout | 3600 seconds | Specifies the maximum idle time before the PC should sleep. If you don't set sleep timeout, the default time, 3600 seconds (1 hour), is applied. | + +## MDM and local group policies +This section lists only the local group policies configured uniquely for the Set up School PCs app. + +For a more detailed look of each policy listed, see [Policy CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider) in the Windows IT Pro Center documentation. + +|Policy name |Default value |Description | +|---------|---------|---------| +|Authority|User-defined | Authenticates the admin user. Value is set automatically when signed in to Azure AD. +|BPRT|User-defined| Value is set automatically when signed in to Azure AD. Allows you to create the provisioning package. | +|WLAN Setting| XML is generated from the Wi-Fi profile in the Set up School PCs app.| Configures settings for wireless connectivity.| +|Hide OOBE for desktop| True | Hides the interactive OOBE flow for Windows 10.| +|Download Mode|1 - HTTP blended with peering behind the same NAT|Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps, and App updates| +|Select when Preview Builds and Feature Updates are received | 32 - Semi-annual Channel. Device gets feature updates from Semi-annual Channel| Specifies how frequently devices receive preview builds and feature updates.| +|Allow auto update | 4 - Auto-installs and restarts without device-user control | When an auto update is available, it auto-installs and restarts the device without any input or action from the device user.| +|Configure automatic updates | 3 - Set to install at 3am | Scheduled time to install updates.| +|Update power policy for cart restarts | 1 - Configured| Skips all restart checks to ensure that the reboot will happen at the scheduled install time. | +|Select when Preview Builds and Feature Updates are received | 365 days | Defers Feature Updates for the specified number of days. When not specified, defaults to 365 days.| +|Allow all trusted apps | Disabled | Prevents untrusted apps from being installed to device | +|Allow developer unlock | Disabled | Students cannot unlock the PC and use it in developer mode | +|Allow Cortana | Disabled | Cortana is not allowed on the device. +|Allow manual MDM unenrollment | Disabled | Students cannot remove the mobile device manager from their device. | +|Settings page visibility|Enabled |Specific pages in the System Settings app are not visible or accessible to students.| +|Allow add provisioning package | Disabled | Students cannot add and upload new provisioning packages to their device. | +|Allow remove provisioning package | Disabled | Students cannot remove packages that you've uploaded to their device, including the Set up School PCs app | +|Start Layout|Enabled |Lets you specify the Start layout for users and prevents them from changing the configuration.| +|Import Edge Assets| Enabled| Import Microsoft Edge assets, such as PNG and JPG files, for secondary tiles on the Start layout. Tiles will appear as weblinks and will be tied to the relevant image asset files.) +|Allow pinned folder downloads|1 - The shortcut is visible and disables the setting in the Settings app.|Makes the Downloads shortcut on the Start menu visible to students.| +|Allow pinned folder File Explorer|1 - The shortcut is visible and disables the setting in the Settings app.|Makes the File Explorer shortcut on the Start menu visible to students.| +|Personalization | Deploy lock screen image | Set to the image you picked when you customized the lock screen during device setup. If you didn't customize the image, the computer will show the default. | Deploys a jpg, jpeg, or png image to be used as lock screen image on the device. +|Personalization| Lock screen image URL| Image filename| You can specify a jpg, jpeg, or png image to be used as the device lock screen image. This setting can take an http or https URL to a remote image to be downloaded, or a file URLto an existing local image. +|Update|Active hours end | 5 PM | There will be no update reboots before this time. | +|Update|Active hours start | 7 AM | There will be no update reboots after this time. | + | +|Updates Windows | Nightly | Sets Windows to update on a nightly basis. | + +## Apps uninstalled from Windows 10 devices +Set up School PCs app uses the Universal app uninstall policy. This policy identifies default apps that are not relevant to the classroom experience, and uninstalls them from each device. The following table lists all apps uninstalled from Windows 10 devices. + +|App name |Application User Model ID | +|---------|---------| +|3D Builder | Microsoft.3DBuilder_8wekyb3d8bbwe | +|Bing Weather | Microsoft.BingWeather_8wekyb3d8bbwe | +|Desktop App Installer|Microsoft.DesktopAppInstaller_8wekyb3d8bbwe| +|Get Started | Microsoft.Getstarted_8wekyb3d8bbw | +|Messaging|Microsoft.Messaging_8wekyb3d8bbwe +|Microsoft Office Hub| Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe | +|Microsoft Solitaire Collection | Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe | +|One Connect|Microsoft.OneConnect_8wekyb3d8bbwe| +|Paid Wi-Fi & Cellular | Microsoft.OneConnect_8wekyb3d8bbwe | +|Feedback Hub | Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe | +|Xbox | Microsoft.XboxApp_8wekyb3d8bbwe | +|Mail/Calendar | microsoft.windowscommunicationsapps_8wekyb3d8bbwe| + +## Apps installed on Windows 10 devices +Set up School PCs uses the Universal app install policy to install school-relevant apps on all Windows 10 devices. Apps that are installed include: +* OneDrive +* OneNote +* Sway + +## Next steps +Learn more about setting up devices with the Set up School PCs app. +* [Azure AD Join with Set up School PCs](set-up-school-pcs-azure-ad-join.md) +* [Shared PC mode for schools](set-up-school-pc-shared-mode.md) +* [Set up School PCs technical reference](set-up-school-pcs-technical.md) +* [Set up Windows 10 devices for education](set-up-windows-10.md) + +When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md). + + + + + diff --git a/education/windows/set-up-school-pcs-shared-pc-mode.md b/education/windows/set-up-school-pcs-shared-pc-mode.md new file mode 100644 index 0000000000..c12c2b2015 --- /dev/null +++ b/education/windows/set-up-school-pcs-shared-pc-mode.md @@ -0,0 +1,75 @@ +--- +title: Shared PC mode for school devices +description: Describes how shared PC mode is set for devices set up with the Set up School PCs app, +keywords: shared cart, shared PC, school, set up school pcs +ms.prod: w10 +ms.technology: Windows +ms.mktglfcycl: plan +ms.sitesec: library +ms.pagetype: edu +ms.localizationpriority: medium +author: lenewsad +ms.author: lanewsad +ms.date: 07/13/2018 +--- + +# Shared PC mode for school devices + +Shared PC mode optimizes Windows 10 for shared use scenarios, such as classrooms and school libraries. A Windows 10 PC in shared PC mode requires minimal to zero maintenance and management. Update settings are optimized for classroom settings, so that they automatically occur outside of school hours. + +Shared PC mode can be applied to Windows 10 Pro, Pro Education, Education, and Enterprise. For more information about setting up your device in shared PC mode, see [Set up a shared or guest PC with Windows 10](https://docs.microsoft.com/en-us/windows/configuration/set-up-shared-or-guest-pc). + +## Windows Updates +Shared PC mode configures power and Windows Update settings so that computers update regularly. Computers that are set up through the Set up School PCs app are configured to: + * Wake nightly. + * Check for and install updates. + * Forcibly reboot, when necessary, to complete updates. +These configurations reduce the need to update and reboot computers during daytime work hours. Notifications about needed updates are also blocked from disrupting students. + +## Default admin accounts in Azure Active Directory +By default, the account that joins your computer to Azure AD will be given admin permissions on the computer. Global administrators in the joined Azure AD domain will also have admin permissions when signed in to the joined computer. + +An Azure AD Premium subscription lets you specify the accounts that get admin accounts on a computer. These accounts are configured in Intune in the Azure portal. + +## Account deletion policies +This section describes the deletion behavior for the accounts configured in shared PC mode. A delete policy makes sure that outdated or stale accounts are regularly removed to make room for new accounts. + +### Azure AD accounts + +The default deletion policy is set to automatically cache accounts. Cached accounts are automatically deleted when disk space gets too low, or when there's an extended period of inactivity. Accounts continue to delete until the computer reclaims sufficient disk space. Deletion policies behave the same for Azure AD and Active Directory domain accounts. + +### Guest and Kiosk accounts +Guest accounts and accounts created through Kiosk are deleted after they sign out of their account. + +### Local accounts +Local accounts that you created before enabling shared PC mode aren't deleted. + +Local accounts that you create through **Settings** > **Accounts** > **Other people** > **Add someone else to this PC** after enabling PC mode are not deleted. + +## Create custom Windows images +Shared PC mode is compatible with custom Windows images. + +To create a compatible image, first create your custom Windows image with all software, updates, and drivers. Then use the System Preparation (Sysprep) tool with the `/oobe` flag to create the SharedPC-compatible version. For example, `sysrep/oobe`. + +Teachers can then run the Set up School PCs package on the computer. + +## Optimize device for use by a single student +Shared PC mode is enabled by default. This mode optimizes device settings for schools where PCs are shared by students. The Set up School PCs app also offers the option to configure settings for devices that aren't shared. + +If you select this setting, the app modifies shared PC mode so that it's appropriate for a single device. To see how the settings differ, refer to the Shared PC mode policy table in the article [What's in my provisioning package?](set-up-school-pcs-provisioning-package.md) +1. In the app, go to the **Create package** > **Settings** step. +2. Select **Optimize device for a single student, instead of a shared cart or lab**. + +## Next steps +Learn more about setting up devices with the Set up School PCs app. +* [Azure AD Join with Set up School PCs](set-up-school-pcs-azure-ad-join.md) +* [Set up School PCs technical reference](set-up-school-pcs-technical.md) +* [What's in my provisioning package](set-up-school-pcs-provisioning-package.md) +* [Set up Windows 10 devices for education](set-up-windows-10.md) + +When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md). + + + + + diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index e53e78ec35..822db43d67 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md @@ -1,6 +1,6 @@ --- -title: Set up School PCs app technical reference -description: Describes the changes that the Set up School PCs app makes to a PC. +title: Set up School PCs app technical reference overview +description: Describes the purpose of the Set up School PCs app for Windows 10 devices. keywords: shared cart, shared PC, school, set up school pcs ms.prod: w10 ms.technology: Windows @@ -8,302 +8,74 @@ ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium -author: CelesteDG -ms.author: celested -ms.date: 04/04/2018 +author: lenewsad +ms.author: lanewsad +ms.date: 07/11/2018 --- -# Technical reference for the Set up School PCs app +What is Set up School PCs? +================================================= + **Applies to:** -- Windows 10 +- Windows 10 + +The **Set up School PCs** app helps you configure new Windows 10 PCs for school use. The +app, which is available for Windows 10 version 1703 and later, configures and saves +school-optimized settings, apps, and policies into a single provisioning package. You can then save the package to a USB drive and distribute it to your school PCs. + +If your school uses Azure Active Directory (Azure AD) or Office 365, the Set up +School PCs app will create a setup file. This file joins the PC to your Azure Active Directory tenant. The app also helps set up PCs for use with or without Internet connectivity. + + +## Join PC to Azure Active Directory +If your school uses Azure Active Directory (Azure AD) or Office 365, the Set up +School PCs app creates a setup file that joins your PC to your Azure Active +Directory tenant. + +The app also helps set up PCs for use with or without Internet connectivity. + +## List of Set up School PCs features +The following table describes the Set up School PCs app features and lists each type of Intune subscription. An X indicates that the feature is available with the specific subscription. + +| Feature | No Internet | Azure AD | Office 365 | Azure AD Premium | +|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|----------|------------|------------------| +| **Fast sign-in** | X | X | X | X | +| Students sign in and start using the computer in under a minute, even on initial sign-in. | | | | | +| **Custom Start experience** | X | X | X | X | +| Necessary classroom apps are pinned to Start and unnecessary apps are removed. | | | | | +| **Guest account, no sign-in required** | X | X | X | X | +| Set up computers for use by anyone with or without an account. | | | | | +| **School policies** | X | X | X | X | +| Settings create a relevant, useful learning environment and optimal computer performance. | | | | | +| **Azure AD Join** | | X | X | X | +| Computers join with your existing Azure AD or Office 365 subscription for centralized management. | | | | | +| **Single sign-on to Office 365** | | | X | X | +| Students sign in with their IDs to access all Office 365 web apps or installed Office apps. | | | | | +| **Take a Test app** | | | | X | +| Administer quizzes and assessments through test providers such as Smarter Balanced. | | | | | +| [Settings roaming](https://azure.microsoft.com/en-us/documentation/articles/active-directory-windows-enterprise-state-roaming-overview/) **via Azure AD** | | | | X | +| Synchronize student and application data across devices for a personalized experience. | | | | | + +> [!NOTE] +> If your school uses Active Directory, use [Windows Configuration +> Designer](set-up-students-pcs-to-join-domain.md) +> to configure your PCs to join the domain. You can only use the Set up School +> PCs app to set up PCs that are connected to Azure AD. -The **Set up School PCs** app helps you set up new Windows 10 PCs that work great in your school by configuring shared PC mode. The latest Set up School PCs app is available for Windows 10, version 1703 (Creators Update). Set up School PCs also configures school-specific settings and policies, described in this topic. +## Next steps +Learn more about setting up devices with the Set up School PCs app. +* [Azure AD Join with Set up School PCs](set-up-school-pcs-azure-ad-join.md) +* [Shared PC mode for schools](set-up-school-pc-shared-mode.md) +* [What's in my provisioning package](set-up-school-pcs-provisioning-package.md) +* [Set up Windows 10 devices for education](set-up-windows-10.md) + +When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md). + + -If your school uses Azure Active Directory (Azure AD) or Office 365, the Set up School PCs app will create a setup file that joins the PC to your Azure Active Directory tenant. You can also use the app to set up school PCs that anyone can use, with or without Internet connectivity. - -Here's a list of what you get when using the Set up School PCs app in your school. - -| Feature | No Internet | Azure AD | Office 365 | Azure AD Premium | -| --- | :---: | :---: | :---: | :---: | -| **Fast sign-in**
Each student can sign in and start using the computer in less than a minute, even on their first sign-in. | X | X | X | X | -| **Custom Start experience**
The apps students need are pinned to Start, and unnecessary apps are removed. | X | X | X | X | -| **Guest account, no sign-in required**
This option sets up computers for common use. Anyone can use the computer without an account. | X | X | X | X | -| **School policies**
Settings specific to education create a useful learning environment and the best computer performance. | X | X | X | X | -| **Azure AD Join**
The computers are joined to your Azure AD or Office 365 subscription for centralized management. | | X | X | X | -| **Single sign-on to Office 365**
By signing on with student IDs, students have fast access to Office 365 web apps or installed Office apps. | | | X | X | -| **Take a Test**
Configure the Take a Test app and use it for taking quizzes and high-stakes assessments by some providers like Smarter Balanced. | | | | X | -| **[Settings roaming](https://azure.microsoft.com/en-us/documentation/articles/active-directory-windows-enterprise-state-roaming-overview/) via Azure AD**
Student user and application settings data can be synchronized across devices for a personalized experience. | | | | X | - - -> [!NOTE] -> If your school uses Active Directory, use [Windows Configuration Designer](set-up-students-pcs-to-join-domain.md) to configure your PCs to join the domain. You can only use the Set up School PCs app to set up PCs that are connected to Azure AD. - -## Automated Azure AD join -One of the most important features in Set up School PCs is the ability to create a provisioning package that performs automated Azure AD join. With this feature, you no longer have to spend minutes going through Windows setup, manually connecting to a network, and manually joining your Azure AD domain. With the automated Azure AD join feature in Set up School PCs, this process is reduced to zero clicks! You can skip all of the Windows setup experience and the OS automatically joins the PC to your Azure AD domain and enrolls it into MDM if you have a MDM provider activated. - -To make this as seamless as possible, in your Azure AD tenant: -- Allow your teacher and other IT staff to join devices to Azure AD so they can sucessfully request an automated Azure AD join token. - - In the Azure portal, select **Azure Active Directory**. Go to **Users and groups > Device Settings** and in **Users may join devices to Azure AD**, click **Selected** and choose the members you want to enable to join devices to Azure AD. - - **Figure 1** - Select the users you want to enable to join devices to Azure AD - - ![Select the users you want to enable to join devices to Azure AD](images/azuread_usersandgroups_devicesettings_usersmayjoin.png) - -- Consider creating a special account that uses a username and password that you provide, and which has the rights to join devices if you don't want to add all teachers and IT staff. - - When teachers or IT staff need to set up PCs, they can use this account in the Set up School PCs app. - - If you use a service to set up PCs for you, you can give them this special account so they can deliver PCs to you that are already Azure AD joined and ready to be given to a student. - -- Turn off multifactor authentication. - - In the Azure portal, select **Azure Active Directory**. Go to **Users and groups > Device Settings** and set **Require Multi-Factor Auth to join devices** to **No**. - - **Figure 2** - Turn off multi-factor authentication in Azure AD - - ![Turn off multi-factor authentication in Azure AD](images/azuread_usersandgroups_devicesettings_requiremultifactorauth.png) - -- Set the maximum number of devices a user can add to unlimited. - - In the Azure portal, select **Azure Active Directory**. Go to **Users and groups > Device Settings** and set **Maximum number of devices per user** to **Unlimited**. - - **Figure 3** - Set maximum number of devices per user to unlimited - - ![Set maximum number of devices per user to unlimited](images/azuread_usersandgroups_devicesettings_maxnumberofdevicesperuser.png) - -- Clear your Azure AD tokens from time to time. Your tenant can only have 500 automated Azure AD tokens active at any one time. - - In the Azure portal, select **Azure Active Directory**. Go to **Users and groups > All users** and look at the list of user names. User names that start with **package_** followed by a string of letters and numbers. These are the user accounts that are created automatically for the tokens and you can safely delete these. - - **Figure 4** - Delete the accounts automatically created for the Azure AD tokens - - ![Delete the accounts automatically created for the Azure AD tokens](images/azuread_usersandgroups_allusers_automaticaccounts.png) - -- Note that automated Azure AD tokens have expiration dates. Set up School PCs creates them with an expiration date of one month. You will see the specific expiration date for the package in the **Review package summary** page in Set up School PCs. - - **Figure 5** - Sample summary page showing the expiration date - - ![Sample summary page showing the expiration date](images/suspc_choosesettings_summary.png) - - - - - -## Information about Windows Update - -Shared PC mode helps ensure that computers are always up-to-date. If a PC is configured using the Set up School PCs app, shared PC mode sets the power states and Windows Update to: -* Wake nightly -* Check and install updates -* Forcibly reboot if necessary to finish applying updates - -The PC is also configured to not interrupt the user during normal daytime hours with updates or reboots. Notfications are also blocked. - -## Guidance for accounts on shared PCs - -* We recommend no local admin accounts on the PC to improve the reliability and security of the PC. -* When a PC is set up in shared PC mode with the default deletion policy, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account management happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Guest** or **Kiosk** will also be deleted automatically at sign out. -* On a Windows PC joined to Azure Active Directory: - * By default, the account that joined the PC to Azure AD will have an admin account on that PC. Global administrators for the Azure AD domain will also have admin accounts on the PC. - * With Azure AD Premium, you can specify which accounts have admin accounts on a PC using the **Additional administrators on Azure AD Joined devices** setting on the Azure portal. -* Local accounts that already exist on a PC won’t be deleted when turning on shared PC mode. New local accounts created through **Settings > Accounts > Other people > Add someone else to this PC** after shared PC mode is turned on won't be deleted. However, any new local accounts created by the **Guest** or **Kiosk** selection on the sign-in screen, if enabled, will automatically be deleted at sign-out. -* If admin accounts are necessary on the PC - * Ensure the PC is joined to a domain that enables accounts to be signed on as admin, or - * Create admin accounts before setting up shared PC mode, or - * Create exempt accounts before signing out. -* The account management service supports accounts that are exempt from deletion. - * An account can be marked exempt from deletion by adding the account SID to the `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\` registry key. - * To add the account SID to the registry key using PowerShell: - - ``` - $adminName = "LocalAdmin" - $adminPass = 'Pa$$word123' - iex "net user /add $adminName $adminPass" - $user = New-Object System.Security.Principal.NTAccount($adminName) - $sid = $user.Translate([System.Security.Principal.SecurityIdentifier]) - $sid = $sid.Value; - New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\$sid" -Force - ``` - -## Custom images -Shared PC mode is fully compatible with custom images that may be created by IT departments. Create a custom image and then use sysprep with the `/oobe` flag to create an image that teachers can then apply the Set up School PCs provisioning package to. [Learn more about sysprep](https://technet.microsoft.com/en-us/library/cc721940(v=ws.10).aspx). - -## Provisioning package details - -The Set up School PCs app produces a specialized provisioning package that makes use of the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723294%28v=vs.85%29.aspx). - -### Education customizations set by local MDM policy - -- By default, saving content locally to the PC is blocked, but you can choose to enable it. This prevents data loss by forcing students to save to the cloud. -- A custom Start layout, taskbar layout, and lock screen image are set. -- Prohibits unlocking the PC to developer mode. -- Prohibits untrusted Microsoft Store apps from being installed. -- Prohibits students from removing MDM. -- Prohibits students from adding new provisioning packages. -- Prohibits student from removing existing provisioning packages (including the one set by Set up School PCs). -- Sets Windows Update to update nightly. - - -### Uninstalled apps - -- 3D Builder (Microsoft.3DBuilder_8wekyb3d8bbwe) -- Weather (Microsoft.BingWeather_8wekyb3d8bbwe) -- Tips (Microsoft.Getstarted_8wekyb3d8bbwe) -- Get Office (Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) -- Microsoft Solitaire Collection (Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) -- Paid Wi-Fi & Cellular (Microsoft.OneConnect_8wekyb3d8bbwe) -- Feedback Hub (Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe) -- Xbox (Microsoft.XboxApp_8wekyb3d8bbwe) -- Mail/Calendar (microsoft.windowscommunicationsapps_8wekyb3d8bbwe) - -### Local Group Policies - -> [!IMPORTANT] -> We do not recommend setting additional policies on PCs configured with the Set up School PCs app. The shared PC mode is optimized to be fast and reliable over time with minimal to no manual maintenance required. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Policy path

Policy name

Value

Admin Templates > Control Panel > Personalization

Prevent enabling lock screen slide show

Enabled

Prevent changing lock screen and logon image

Enabled

Admin Templates > System > Power Management > Button Settings

Select the Power button action (plugged in)

Sleep

Select the Power button action (on battery)

Sleep

Select the Sleep button action (plugged in)

Sleep

Select the lid switch action (plugged in)

Sleep

Select the lid switch action (on battery)

Sleep

Admin Templates > System > Power Management > Sleep Settings

Require a password when a computer wakes (plugged in)

Enabled

Require a password when a computer wakes (on battery)

Enabled

Specify the system sleep timeout (plugged in)

5 minutes

Specify the system sleep timeout (on battery)

5 minutes

Turn off hybrid sleep (plugged in)

Enabled

Turn off hybrid sleep (on battery)

Enabled

Specify the unattended sleep timeout (plugged in)

5 minutes

Specify the unattended sleep timeout (on battery)

5 minutes

Allow standby states (S1-S3) when sleeping (plugged in)

Enabled

Allow standby states (S1-S3) when sleeping (on battery)

Enabled

Specify the system hibernate timeout (plugged in)

Enabled, 0

Specify the system hibernate timeout (on battery)

Enabled, 0

Admin Templates>System>Power Management>Video and Display Settings

Turn off the display (plugged in)

5 minutes

Turn off the display (on battery)

5 minutes

Admin Templates>System>Power Management>Energy Saver Settings

Energy Saver Battery Threshold (on battery)

70

Admin Templates>System>Logon

Show first sign-in animation

Disabled

Hide entry points for Fast User Switching

Enabled

Turn on convenience PIN sign-in

Disabled

Turn off picture password sign-in

Enabled

Turn off app notification on the lock screen

Enabled

Allow users to select when a password is required when resuming from connected standby

Disabled

Block user from showing account details on sign-in

Enabled

Admin Templates>System>User Profiles

Turn off the advertising ID

Enabled

Admin Templates>Windows Components>Biometrics

Allow the use of biometrics

Disabled

Allow users to log on using biometrics

Disabled

Allow domain users to log on using biometrics

Disabled

Admin Templates>Windows Components>Cloud Content

Do not show Windows Tips

Enabled

Turn off Microsoft consumer experiences

Enabled

Admin Templates>Windows Components>Data Collection and Preview Builds

Toggle user control over Insider builds

Disabled

Disable pre-release features or settings

Disabled

Do not show feedback notifications

Enabled

Allow Telemetry

Basic, 0

Admin Templates > Windows Components > File Explorer

Show lock in the user tile menu

Disabled

Admin Templates > Windows Components > Maintenance Scheduler

Automatic Maintenance Activation Boundary

*MaintenanceStartTime*

Automatic Maintenance Random Delay

Enabled, 2 hours

Automatic Maintenance WakeUp Policy

Enabled

Admin Templates > Windows Components > OneDrive

Prevent the usage of OneDrive for file storage

Enabled

Admin Templates > Windows Components > Windows Hello for Business

Use phone sign-in

Disabled

Use Windows Hello for Business

Disabled

Use biometrics

Disabled

Windows Settings > Security Settings > Local Policies > Security Options

Accounts: Block Microsoft accounts

**Note** Microsoft accounts can still be used in apps.

Enabled

Interactive logon: Do not display last user name

Enabled

Interactive logon: Sign-in last interactive user automatically after a system-initiated restart

Disabled

User Account Control: Behavior of the elevation prompt for standard users

Auto deny


- -## Use the app -When you're ready to use the app, see [Use Set up School PCs app](use-set-up-school-pcs-app.md). - -## Related topics - -[Set up Windows devices for education](set-up-windows-10.md) diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md index 5c865392c2..b2be996473 100644 --- a/education/windows/use-set-up-school-pcs-app.md +++ b/education/windows/use-set-up-school-pcs-app.md @@ -1,315 +1,243 @@ --- title: Use Set up School PCs app -description: Learn how the Set up School PCs app works and how to use it. +description: Learn how to use the Set up School PCs app and apply the provisioning package. keywords: shared cart, shared PC, school, Set up School PCs, overview, how to use ms.prod: w10 ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu -ms.localizationpriority: medium -author: CelesteDG -ms.author: celested -ms.date: 12/11/2017 +ms.localizationpriority: high +author: lenewsad +ms.author: lanewsad +ms.date: 07/11/2018 --- -# Use the Set up School PCs app +# Use the Set up School PCs app + **Applies to:** - Windows 10 -IT administrators and technical teachers can use the **Set up School PCs** app to quickly set up PCs for students. A student PC set up using the app is tailored to provide students with the tools they need for learning while removing apps and features that they don't need. +IT administrators and technical teachers can use the **Set up School PCs** app to quickly set up PCs for students. The app configures PCs with the apps and features students need, and it removes the ones they don't need. Set up School PCs also: +* Joins each student PC to your organization's Office 365 and Azure Active Directory tenant. +* Enrolls each student PC into a mobile device management (MDM) provider, such as Intune for Education, if licensed in your tenant. You can manage all the settings Set up School PCs configures through the MDM. +* Enables the optional Autopilot Reset feature, to return devices to a fully configured or known IT-approved state. +* Keeps student PCs up-to-date without interfering with class time using Windows Update and maintenance hours. +* Locks down the student PC to prevent activity that isn't beneficial to their education. -## What does this app do? +This article describes how to get started and provide information about your school in the Set up School PCs app. -Set up School PCs makes it easy to set up Windows 10 PCs with Microsoft's recommended education settings, using a quick USB setup. This app guides you through the creation of a student PC provisioning package and helps you save it to a USB drive. From there, just plug the USB drive into student PCs running Windows 10 Creators Update (version 1703). It automatically: -- Joins each student PC to your organization's Office 365 and Azure Active Directory tenant -- Enrolls each student PC into a mobile device management (MDM) provider, like Intune for Education, if licensed in your tenant. You can manage all the settings Set up School PCs sets later through MDM. -- Removes OEM preinstalled software from each student PC -- Auto-configures and saves a wireless network profile on each student PC -- Gives a friendly and unique name to each student device for future management -- Sets Microsoft-recommended school PC settings, including shared PC mode which provides faster sign-in and automatic account cleanup -- Enables optional guest account for younger students, lost passwords, or visitors -- Enables optional secure testing account -- Enables optional Autopilot Reset feature to return devices to a fully configured or known IT-approved state -- Locks down the student PC to prevent mischievous activity: - * Prevents students from removing the PC from the school's device management system - * Prevents students from removing the Set up School PCs settings -- Keeps student PCs up-to-date without interfering with class time using Windows Update and maintenance hours -- Customizes the Start layout with Office -- Installs OneDrive for storing cloud-based documents and Sway for creating interactive reports, presentations, and more -- Uninstalls apps not specific to education, such as Solitaire -- Prevents students from adding personal Microsoft accounts to the PC +To learn more about the app's functionality, start with the [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md). -You can watch the video to see how to use the Set up School PCs app, or follow the step-by-step guide.
+## Requirements +Before you begin, make sure that you, your computer, and your school's network are configured with the following requirements. -> [!VIDEO https://www.youtube.com/embed/2ZLup_-PhkA] +* Office 365 and Azure Active Directory +* [Latest Set up School PCs app](https://www.microsoft.com/store/apps/9nblggh4ls40). +* Permission to buy apps in Microsoft Store for Education +* Set up School PCs app has permission to access the Microsoft Store for Education +* A NTFS-formatted USB drive that is at least 1 GB, if not installing Office; and at least 8 GB, if installing Office +* Student PCs must either: + * Be within range of the Wi-Fi network that you configured in the app. + * Have a wired Ethernet connection when you set them up. -You can watch the descriptive audio version here: [Microsoft Education: Use the Set up School PCs app (DA)](https://www.youtube.com/watch?v=qqe_T2LkGsI) +### Configure USB drive for additional space +USB drives are, by default, FAT32-formatted, and are unable to save more than 4 GB of data. If you plan to install several apps, or large apps like Microsoft Office, you'll need more space. To create more space on the USB drive, reformat it to NTFS. +1. Insert the USB drive into your computer. +2. Go to the **Start** > **This PC**. +3. In the **Devices and drives** section, find your USB drive. Right-click to see its options. +4. Select **Format** from the list to bring up the **Format *DRIVE NAME*** window. +5. Set **File system** to **NTFS**. +6. Click **Start** to format the drive. -## Tips for success +### Prepare existing PC account for new setup +Apply new packages to factory reset or new PCs. If you apply it to a PC that's already set up, you may lose the accounts and data. -* **Run the same Windows 10 build on the admin device and the student PCs** +If a PC has already been set up, and you want to apply a new package, reset the PC to a clean state. - It's critical that the IT administrator's or technical teacher's device is running the same Windows 10 build as the student PCs that you're provisioning. +To begin, go to the **Settings** app on the appropriate PC. +1. Click **Update & Security** > **Recovery**. +2. In the **Reset this PC** section, click **Get started**. +3. Click **Remove everything**. -* **Ensure that the student PCs meet the minimum OS requirements for the version of Set up School PCs** +As another option, go to **Start** > **Power** icon. Hold down the Shift key and click **Restart** to load the Windows boot user experience. From there, follow these steps: +1. Click **Troubleshoot** and then choose **Reset this PC**. +2. Select **Remove everything**. +3. If the option appears, select **Only the drive where Windows is installed**. +4. Click **Just remove my files**. +5. Click **Reset**. - Check the minimum OS requirements for the Set up School PCs app in the **System Requirements > OS** section of the app's description on the Microsoft Store. For example, the latest version of Set up School PCs requires Windows 10 versions with build 15063.0 or higher. Do not use the app to provision student PCs with Windows 10, version 1607 (build 14393) images. - - We recommend using the latest Set up School PCs app along with the latest Windows 10 images on the student PCs that you're provisioning. +## Recommendations +This section offers recommendations to help you have the best setup experience. +### Run the same Windows 10 build on the admin device and the student PCs +We recommend you run the IT administrator or technical teacher's device on the same Windows 10 build as the student PCs. -* **Run the app at work** +### Student PCs should meet OS requirements for the app +Check the minimum OS requirements in the Set up School PCs app. We recommend using the latest Set up School PCs app along with the latest Windows 10 images on the student PCs. - For the best results, run the Set up School PCs app on your work device connected to your school's network. That way the app can gather accurate information about your wireless networks and cloud subscriptions. +To check the app's OS requirements, go to the Microsoft Store and locate the Set up School PCs app. In the app's description, go to **System Requirements > OS**. - > [!NOTE] - > Don't use the **Set up Schools PCs** app for PCs that must connect to enterprise networks or to open Wi-Fi networks that require the user to accept Terms of Use. +### Use app on a PC that is connected to your school's network +We recommend that you run the Set up School PCs app on a computer that's connected to your school's network. That way the app can gather accurate information about your school's wireless networks and cloud subscriptions. If it's not connected, you'll need to enter the information manually. -* **Network tips** - * You cannot use Set up School PCs over a certification-based network, or one where you have to enter credentials in a browser. You can only connect to an open network, or one with a basic password. - * If you need to set up a lot of devices over Wi-Fi, make sure that your network configuration can support it. - - We recommend configuring your DHCP so at least 200 IP addresses are available for the devices you are setting up. Configure your IP addresses to expire after a short time (about 30 minutes). This ensures that you can set up many devices simultaneously, and IP addresses will free up quickly so you can continue to set up devices without hitting network issues. + > [!NOTE] + > Don't use the **Set up Schools PCs** app for PCs that must connect to: + >* Enterprise networks that require the user to accept Terms of Use. + >* Open Wi-Fi networks that require the user to accept Terms of Use. -* **Apply to new student PCs** - * The provisioning package that the Set up School PCs app creates should be used on new PCs that haven't been set up for accounts yet. If you apply the provisioning package to a student PC that has already been set up, existing accounts and data might be lost. - - > [!WARNING] - > Only use the provisioning package on PCs that you want to configure and lock down for students. After you apply the provisioning package to a student PC, the PC must be reset to remove the settings. +### Run app on an open network or network that requires a basic password +Don't use Set up School PCs over a certification-based network, or one where you have to enter credentials in a browser. If you need to set up numerous devices over Wi-Fi, make sure that your network configuration can support it. - * The student PCs must be in range of the Wi-Fi network that you configured in Set up School PCs or have a wired Ethernet connection when you set them up. Otherwise, setup will fail. - * If the PC has already been set up and you want to return to the first-run experience to apply a new package, you can reset the PC to get to a clean state and get it back to the first-run experience and ready to provision again. +We recommend that you: +* Configure your DHCP so at least 200 IP addresses are available for your devices. Having available IP addresses will allow you to set up many devices simultaneously. +* Configure your IP addresses to expire after a short time--about 30 minutes. IP addresses will free up quickly so you can continue to set up devices without network issues. +> [!WARNING] + > Only use the provisioning package on PCs that you want to configure and lock down for students. After you apply the provisioning package to a student PC, the PC must be reset to remove the settings. - To do this: - - Go to **Settings > Update & security > Recovery**. In the **Reset this PC** section of the **Recovery** page, click **Get started**. - - Or, hit **Shift** + click **Restart** in the **Power** menu to load the Windows boot user experience. From there, follow these steps: - 1. Click **Troubleshoot** and then choose **Reset this PC**. - 2. Select **Remove everything**. - 3. Select **No - remove provisioning packages**. - 4. Select **Only the drive where Windows is installed** (this may not always show up). - 5. Click **Just remove my files**. - 6. Click **Reset**. +### Use an additional USB drive +You can set up PCs at the same time. Just save the provisioning package to an additional USB drive. Then plug them in at the same time during deployment. -* **Use an NTFS-formatted USB key** +### Limit changes to school-optimized settings - If you're planning to install several apps, the Set up School PCs package may exceed 4 GB. Check if your USB drive format is FAT32. If it is, you won't be able to save more than 4 GB of data on the drive. To work around this, reformat the USB drive to use the NTFS format. To do this: +We strongly recommend that you avoid changing preset policies. Changes can slow down setup, performance, and sign-in time. - 1. Insert the USB key into your computer. - 2. Go to the Start menu and type **This PC** and then select the **This PC (Desktop app)** from the search results. - 3. In the **Devices and drivers** section, find the USB drive, select and then right-click to bring up options. - 4. Select **Format** from the list to bring up the **Format ** window. - 5. Set **File system** to **NTFS** and then click **Start** to format the drive. - -* **Use more than one USB key** - - If you are setting up multiple PCs, you can set them up at the same time. Just save the provisioning package to another USB drive. Create two keys and you can run it on two PCs at once, and so on. - -* **Keep it clean** - - We strongly recommend that IT avoid changes to policies unless absolutely necessary, as any changes can impair performance and sign-in time. Get more information at [Set up School PCs app technical reference](set-up-school-pcs-technical.md). - -* **Get more info** - - Learn more about what Set up School PCs does, including provisioning details, in [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md). - -## Prerequisites - -- [Download the latest Set up School PCs app from the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4ls40). - - The app supports these languages: Chinese (Simplified), Chinese (Traditional), Danish, Dutch, English (United Kingdom), English (United States), French, German, Italian, Japanese, Korean, Norwegian, Polish, Portuguese (Brazil), Russian, Spanish (Spain), Spanish (Mexico), Swedish, and Turkish. - -- Install the app on your work PC and make sure you're connected to your school's network. -- You must have Office 365 and Azure Active Directory. -- You must have the Microsoft Store for Education configured. -- You must be a global admin in the Microsoft Store for Education. -- It's best if you sign up for and [configure Intune for Education](../get-started/use-intune-for-education.md) before using the Set up School PCs app. -- Have a USB drive, 1 GB or larger, to save the provisioning package. We recommend an 8 GB or larger USB drive if you're installing Office. -- Check the default file system format for your USB drive. You may need to set this to NTFS to save a provisioning package that's 4 GB or larger. - -## Set up School PCs step-by-step - -### Create the provisioning package +## Create the provisioning package The **Set up School PCs** app guides you through the configuration choices for the student PCs. -1. Launch the Set up School PCs app. +1. Open the Set up School PCs app on your PC and click **Get started**. - **Figure 1** - Launch the Set up School PCs app + **Figure 1** - Launch the Set up School PCs app - ![Launch the Set up School PCs app](images/suspc_getstarted_050817.png) +### Sign-in +1. Open the Set up School PCs app on your PC and click **Get started**. + + ![Launch the Set up School PCs app](images/suspc_getstarted_050817.png) +2. Select how you want to sign in. + a. (Recommended) To enable student PCs to automatically be connect to Office 365, Azure AD, and management services like Intune for Education, click **Sign-in**. Then go to step 3. + b. To complete setup without signing in, click **Skip**. Student PCs won't be connected to your school's cloud services and managing them will be more difficult later. Continue to [Wireless network](use-set-up-school-pcs-app.md#Wireless-network). +3. In the new window, select the account you want to use throughout setup. -2. Click **Get started**. -3. To sign in to your school's Office 365 account, in the **First step: Let's get you signed in** page: + ![Sign-in screen showing the option to "Use this account" or use a different "Work or school account."](images/suspc-sign-in-select-1807.png) - To get the best option for setup and enable student PCs to automatically be connected to Office 365, Azure AD, and management services like Intune for Education, click **Sign-in**. - - To complete setup without signing in, click **Skip**. Student PCs won't be connected to your school's cloud services and managing them will be more difficult later. - - If you opt to sign in, follow these steps: - - 1. Choose the account from the list. If you don't see the account, select **Work or school account**, click **Continue**, and enter the account details. - 2. Click **Next** once you've specified the account. - 3. If you added an account, you may be asked to provide the user account and password. You will get a notification to allow the app to access your account. This will give Set up School PCs permission to access Store for Business, read memberships, sign you in and read your profile, and more. - 4. Click **Accept**. - - The account will show up as the account that Set up School PCs will use to connect the school PCs to the cloud. - - **Figure 2** - Verify that the account you selected shows up + To add an account not listed: +a. Click **Work or school account** > **Continue**. + b. Type in the account username and click **Next**. + c. You may be asked to verify the user account and password. +1. Click **Accept** to allow Set up School PCs to access your account throughout setup. +2. When your account name appears on the page, as shown in the image below, click **Next.** ![Verify that the account you selected shows up](images/suspc_createpackage_signin.png) - 5. Click **Next**. - -4. To allow the student PCs to automatically connect to your school's wireless network, in the **Select the school's wireless network** page: - 1. Select the school's Wi-Fi network from the list of available wireless networks or manually add a wireless network. - 2. Click **Next** if you added or selected a wireless network, or **Skip** to skip configuring a wireless network. +### Wireless network +Add and save a wireless network profile to provision on each student PC. Only skip Wi-Fi setup if you have an Ethernet connection. - If you click **Skip**, you will see the following dialog. - * If you select **Got it**, you will go to the next page without Wi-Fi set up. - * If you select **Add Wi-Fi**, you will go back to the Wi-Fi page to add a wireless network. +Select your school's Wi-Fi network from the list of available wireless networks, or click **Add a wireless network** to manually configure it. Then click **Next.** - **Figure 3** - Only skip Wi-Fi if you have a wired Ethernet connection + ![Wireless network page with two Wi-Fi networks listed and one selected.](images/suspc-select-wifi-1807.png) - ![Only skip Wi-Fi if you have a wired Ethernet connection](images/suspc_createpackage_skipwifi_modaldialog.png) +### Device names +Create a short name to add as a prefix to each of the PCs you set up. The name will help you recognize and manage this group of devices in your mobile device manager. The name must be five (5) characters or less. -5. To assign a name to the student PCs, in the **Name these devices** page: - 1. Add a short name that Set up School PCs will use as a prefix to identify and easily manage the group of devices, apps, and other settings through your device management client. - - > [!NOTE] - > The name must be five (5) characters or less. Set up School PCs automatically appends `_%SERIAL%` to the prefix that you specify. `_%SERIAL%` ensures that all device names are unique. + !["Name these devices" screen with the device field filled in with example device name, "Grd8."](images/suspc-device-names-1807.png) - For example, if you add *Math4* as the prefix, the device names will be *Math4* followed by a random string of letters and numbers. +To make sure all device names are unique, Set up School PCs automatically appends `_%SERIAL%` to the name. For example, if you add *Math4* as the prefix, the device names will appear as *Math4* followed by a random string of letters and numbers. - 2. Click **Next**. +### Settings +Select additional settings to include in the provisioning package. To begin, select the operating system on your student PCs. -6. To specify other settings for the student PC, in the **Configure student PC settings** page: - - Select **Remove apps pre-installed by the device manufacturer** to install only the base Windows image. +![Configure student PC settings page showing 5 settings with checkboxes and 1 setting with browser button](images/suspc-configure-student-settings-1807.png) - > [!NOTE] - > If you select this option, the provisioning process will take longer (about 30 minutes). +Setting selections vary based on the OS version you select. The following table lists all possible settings, descriptions, and important notes to consider. When you're done, click **Next**. - - Select **Allow local storage (not recommended for shared devices)** to let students save files to the **Desktop** and **Documents** folder on the student PC. We don't recommend this option if the device will be part of a shared cart or lab. - - Select **Optimize device for a single student, instead of a shared cart or lab** to optimize the device for use by a single student (1:1). - - Check this option if the device will not be part of a shared cart or lab. - - Set up School PCs will change some account management logic so that it sets the expiration time for an account to 180 days (without requiring sign-in). - - This setting also increases the maximum storage to 100% of the available disk space. This prevents the student's account from being erased if the student stores a lot of files or data, or if the student doesn't use the PC over a prolonged period. - - - Select **Let guests sign-in to these PCs** to allow guests to use student PCs without a school account. For example, if the device will be in a library and you want other users (like visiting students or teachers) to be able to use the device, you can select this option. - - If you select this option, this adds a **Guest** account button in the PC's sign-in screen to allow anyone to use the PC. - - - Select **Enable Autopilot Reset** to reset student PCs from the lock screen any time and apply original settings and device management enrollment (Azure AD and MDM) so they're ready to use. Make sure you are running Windows 10, version 1709 on the student PCs if you want to use Autopilot Reset through the Set up School PCs app. - - To change the default lock screen background or to use your school's custom lock screen background, click **Browse** to select a new lock screen background. - - **Figure 4** - Configure student PC settings - - ![Configure student PC settings](images/suspc_createpackage_configurestudentpcsettings_121117.png) - - When you're doing configuring the student PC settings, click **Next**. - -7. If you want to set up the Take a Test app and use it for taking quizzes and high-stakes assessments by some providers like Smarter Balanced, configure the settings in the **Set up the Take a Test app** page. Windows will also lock down the student PC so that students can't access anything else while taking the test. - 1. Specify if you want to create a Take a Test button on the sign-in screens of students' PCs. - 2. Check the options whether to allow keyboard text suggestions to appear and to allow teachers to monitor online tests. - 3. Enter the assessment URL. - - You can leave the URL blank so that students can enter one later. This enables teachers to use the Take a Test account for daily quizzes or tests by having students manually enter a URL. - - **Figure 5** - Configure the Take a Test app - - ![Configure the Take a Test app](images/suspc_createpackage_takeatestpage_073117.png) - - 3. Click **Next** or **Skip** depending on whether you want to set up Take a Test. - -8. In the **Add recommended apps** page, you can choose from a set of recommended Microsoft Store apps to provision. The recommended apps include the following: - * **Office 365 for Windows 10 S (Education Preview)** - * Office 365 for Windows 10 S will only work on student PCs running Windows 10 S. If you try to install this app on other editions of Windows, setup will fail. - * When adding the Office 365 for Windows 10 S to a package, the device you use to run Set up School PCs does not have to be running Windows 10 S. - * **Minecraft: Education Edition** - Free trial - * Popular **STEM and Makerspace apps** - - 1. Select the apps that you would like to provision and then click **Next** when you're done. Apps that you provision on student PCs will be pinned to the Start menu. - 2. Click **Skip** if you don't want to provision any apps. - - **Figure 6** - Select from a set of recommended apps - - ![Select from a set of recommended Microsoft Store apps](images/suspc_createpackage_recommendedapps_073117.png) - - The set of recommended Microsoft Store for Education apps may vary from what we show here. - -9. In the **Review package summary** page, make sure that all the settings you configured appear correctly. - 1. If you need to change any of the settings, you can on the sections to go back to that page and make your changes. - - **Figure 7** - Review your settings and change them as needed - - ![Review your settings and change them as needed](images/suspc_createpackage_summary_073117.png) - - 2. Click **Accept**. - -10. In the **Insert a USB drive now** page: - 1. Insert a USB drive to save your settings and create a provisioning package on the USB drive. - 2. Set up School PCs will automatically detect the USB drive after it's inserted. Choose the USB drive from the list. - 3. Click **Save** to save the provisioning package to the USB drive. - - **Figure 8** - Select the USB drive and save the provisioning package - - ![Select the USB drive and save the provisioning package](images/suspc_savepackage_insertusb.png) - -11. When the provisioning package is ready, you will see the name of the file and you can remove the USB drive. Click **Next** if you're done, or click **Add a USB** to save the same provisioning package to another USB drive. - - **Figure 9** - Provisioning package is ready - - ![Provisioning package is ready](images/suspc_savepackage_ppkgisready.png) - -12. Follow the instructions in the **Get the student PCs ready** page to start setting up the student PCs. - - **Figure 10** - Line up the student PCs and get them ready for setup - - ![Line up the student PCs and get them ready for setup](images/suspc_runpackage_getpcsready.png) - -13. Click **Next**. -14. In the **Install the package** page, follow the instructions in [Apply the provisioning package to the student PCs](#apply-the-provisioning-package-to-the-student-pcs) to set up the student PCs. - - Select **Create new package** if you need to create a new provisioning package. Otherwise, you can remove the USB drive if you're completely done creating the package. - - **Figure 11** - Install the provisioning package on the student PCs - - ![Install the provisioning package on the student PCs](images/suspc_runpackage_installpackage.png) +|Setting |What happens if I select it? |Note| +|---------|---------|---------| +|Remove apps pre-installed by the device manufacturer | Uninstalls apps that came loaded on the computer by the device's manufacturer. |Adds about 30 minutes to the provisioning process.| +|Allow local storage (not recommended for shared devices) | Lets students save files to the Desktop and Documents folder on the Student PC. |Not recommended if the device will be part of a shared cart or lab.| +|Optimize device for a single student, instead of a shared cart or lab |Optimizes the device for use by a single student, rather than many students. |Recommended option only if the device is not shared with other students in the school. Single-optimized accounts are set to expire, and require a signin, 180 days after setup. This setting increases the maximum PC storage to 100% of the available disk space. In this case, student accounts aren't deleted unless the account has been inactive for 180 days. | +|Let guests sign in to these PCs |Allows guests to use student PCs without a school account. |Common to use within a public, shared space, such as a library. Also used when a student loses their password. Adds a **Guest** account to the PC sign-in screen that anyone can sign in to.| +|Enable Windows Autopilot Reset | Lets you remotely reset a student’s PC from the lock screen, apply the device’s original settings, and enroll it in device management (Azure AD and MDM). |Requires Windows 10, version 1709 and WinRE must be enabled on the PC. Setup will fail if both requirements aren't met.| +|Lock screen background|Change the default screen lock background to a custom image.|Click **Browse** to search for an image file on your computer. Accepted image formats are jpg, jpeg, and png.| -### Apply the provisioning package to the student PCs +### Take a Test app +Set up the Take a Test app to give online quizzes and high-stakes assessments. During assessments, Windows locks down the student PC so that students can't access anything else on the device. +1. Select **Yes** to create a Take a Test button on the sign-in screens of your students' PCs. + ![Set up Take a Test app page with "Yes" selected to create an app button. Page also has two checkboxes for additional settings and one text field for the assessment URL.](images/suspc_createpackage_takeatestpage_073117.png) +2. Select from the advanced settings. The following table lists available settings and their descriptions. -The provisioning package on your USB drive is named `Set up School PCs.ppkg`. A provisioning package is a method for applying settings to Windows 10 without needing to reimage the device. When Windows 10 refers to *package*, it means your provisioning package, and when it refers to *provisioning*, it means applying the provisioning package to the student PC. +|Setting |Description | +|---------|---------| +|Allow keyboard auto-suggestions | Allows app to suggest words as the student types on the PC's keyboard. | +|Allow teachers to monitor online tests | Enables screen capture in the Take a Test app. | -> [!NOTE] -> The student PC must contain a new or reset image and the PC must not already have been through first-run setup (OOBE). +3. Enter the URL where the test is hosted. When students log in to the Take a Test account, they'll be able to click or enter the link to view the assessment. -**To set up the student PC using the Set up School PCs provisioning package** + ![Screenshot of the "Assessment URL (optional)" text field filled in with example text.](images/suspc-assessment-url-1807.png) -1. Start with the student PC turned off or with the PC on the first-run setup screen. In Windows 10 Creators Update (version 1703), this first-run setup screen says **Let's start with region. Is this right?**. +4. Click **Next**. - If the PC has gone past the account setup screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. +### Add recommended apps +Choose from a list of recommended Microsoft Store apps to install on student PCs. Then click **Next**. After they're assigned, apps are pinned to the student's Start menu. - **Figure 12** - The first screen during first-run setup in Windows 10 Creators Update (version 1703) + ![Add recommended apps screen with 7 icons of recommended apps and selection boxes. Skip button is enabled and Next button is disabled. ](images/suspc-add-recommended-apps-1807.png) - ![The first screen to set up a new PC in Windows 10 Creators Update](images/win10_1703_oobe_firstscreen.png) +The following table lists the recommended apps you'll see. -2. Insert the USB drive. Windows will recognize the drive and automatically install the provisioning package. +|App |Note | +|---------|---------| +|Office 365 for Windows 10 in S mode (Education Preview) | Setup is only successful on student PCs that run Windows 10 in S mode. The PC you running the Set up School PCs app is not required to have Windows 10 in S mode. | +|Minecraft: Education Edition | Free trial| +|Other apps fit for the classroom |Select from WeDo 2.0 LEGO®, Arduino IDE, Ohbot, Sesavis Visual, and EV3 Programming| - **Figure 13** - Windows automatically detects the provisioning package and installs it - ![Windows automatically detects the provisioning package and installs it](images/suspc_studentpcsetup_installingsetupfile.png) +### Summary +1. Review all of the settings for accuracy and completeness. Check carefully. To make changes to a saved package, you have to start over. +2. To make changes, click any page along the left side of the window. +3. When finished, click **Accept**. -3. You can remove the USB drive when you see the message that you can remove the removable media. You can then use the USB drive to start provisioning another student PC. + ![Example image of the Summary screen, showing the user's configurations for Sign-in, Wireless network, Device names, Settings, Take a Test, and Recommended apps. Accept button is active and the page contains three links on the right-hand side to help and support.](images/suspc_createpackage_summary_073117.png) - **Figure 14** - Remove the USB drive when you see the message that the media can be removed +### Insert USB +1. Insert a USB drive. The **Save** button will light up when your computer detects the USB. +2. Choose your USB drive from the list and click **Save**. - ![You can remove the USB drive when you see the message that the media can be removed](images/suspc_setup_removemediamessage.png) + ![Insert a USB drive now screen with USB drive selection highlighted. Save button is blue and active.](images/suspc_savepackage_insertusb.png) + +4. When the package is ready, you'll see the filename and package expiration date. You can also click **Add a USB** to save the same provisioning package to another USB drive. When you're done, remove the USB drive and click **Next**. + + ![Your provisioning package is ready screen with package details, active Next button, and grayed-out Add a USB button.](images/suspc_savepackage_ppkgisready.png) + +## Run package - Get PCs ready +Complete each step on the **Get PCs ready** page to prepare student PCs for set-up. Then click **Next**. -4. If you set up the package to do Azure AD Join, that's it! You're done, and the PC is now ready for students to use. + ![Your provisioning package is ready! screen with 3 steps to get student PCs ready for setup. Save button is active.](images/suspc_runpackage_getpcsready.png) - If you did not set up the package to do Azure AD Join, go through the rest of the Windows device setup experience. +## Run package - Install package on PC -## Related topics +The provisioning package on your USB drive is named SetupSchoolPCs_<*devicename*>(Expires <*expiration date*>.ppkg. A provisioning package applies settings to Windows 10 without reimaging the device. + +When used in context of the Set up School PCs app, the word *package* refers to your provisioning package. The word *provisioning* refers to the act of installing the package on the student PC. This section describes how to apply the settings to a PC in your school. + +> [!IMPORTANT] +> The PC must have a new or reset Windows 10 image and must not already have been through first-run setup (also referred to as OOBE). For instructions about how to reset a computer's image, see [Prepare existing PC account for new setup](set-up-school-pcs-app.md#prepare-existing-pc-account-for-new-setup). + +1. Start with the student PC turned off or with the PC on the first-run setup screen. In Windows 10 version 1803, the first-run setup screen reads, **Let's start with region. Is this right?** + +If the PC has gone past the account setup screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. + + ![Example screenshot of the first screen the Windows 10 PC setup for OOBE. United States is selected as the region and the Yes button is active.](images/win10_1703_oobe_firstscreen.png) + +2. Insert the USB drive. Windows automatically recognizes and installs the package. + + ![Screen showing that the installation is automatically beginning, with a loading bar showing the status on the installation.](images/suspc_studentpcsetup_installingsetupfile.png) +3. When you receive the message that it's okay to remove the USB drive, remove it from the PC. If there are more PCs to set up, insert the USB drive into the next PC. + + ![Screen with message telling user to remove the USB drive.](images/suspc_setup_removemediamessage.png) + +4. If you did not set up the package to do Azure AD Join, go through the rest of the Windows device setup experience. If you did configure the package for Azure AD Join, the computer is ready for use and no further configurations are required. + + If successful, you'll see a setup complete message. The PCs start up on the lock screen with your school's custom background. Upon first use, students and teachers will be able to connect to your school's network and resources. -[Set up Windows devices for education](set-up-windows-10.md)