updates

education/windows/TOC.yml

@@ -61,8 +61,6 @@ items:
           href: take-a-test-single-pc.md
         - name: Configure a Test on multiple PCs
           href: take-a-test-multiple-pcs.md
-        - name: Take a Test app technical reference
-          href: take-a-test-app-technical.md
     - name: Change Windows edition
       items: 
       - name: Windows 10 editions for education customers
@@ -89,11 +87,13 @@ items:
           href: chromebook-migration-guide.md
 - name: Reference
   items:
-    - name: Set up School PCs technical reference
+    - name: Set up School PCs
       items:
-      - name: Technical reference for the Set up School PCs app
+      - name: Set up School PCs app technical reference
         href: set-up-school-pcs-technical.md
       - name: Provisioning package settings
         href: set-up-school-pcs-provisioning-package.md
       - name: What's new in Set up School PCs
-        href: set-up-school-pcs-whats-new.md
+        href: set-up-school-pcs-whats-new.md
+    - name: Take a Test app technical reference
+      href: take-a-test-app-technical.md

education/windows/school-deployment/configure-devices-overview.md

@@ -38,7 +38,6 @@ Two additional groups are pre-created if you use **Microsoft School Data Sync (S
 
 :::image type="content" source="./images/intune-education-groups.png" alt-text="Intune for Education - Groups blade" border="false":::
 
-
 Beyond the defaults, groups can be customized to suit various needs. For example, if you have both Windows and iPad devices in your school, you can create groups, such as *All Windows devices* and *All iPad devices*, to assign policies and applications to.
 
 Two group types can be created:

education/windows/school-deployment/enroll-autopilot.md

@@ -14,6 +14,7 @@ ms.collection: education
 appliesto:
 - ✅ <b>Windows 10</b>
 - ✅ <b>Windows 11</b>
+- ✅ <b>Windows 11 SE</b>
 ---
 
 # Windows Autopilot
@@ -34,9 +35,12 @@ Before setting up Windows Autopilot, consider these prerequisites:
 
 ### Register devices to Windows Autopilot
 
-Before deployment, devices must be registered with the Windows Autopilot deployment service. Each device's unique hardware identity (known as a *hardware hash*) is captured and uploaded to the Autopilot service, and the device is associated with an Azure tenant ID. There are three main ways to register devices to Autopilot:
+Before deployment, devices must be registered in the Windows Autopilot service. Each device's unique hardware identity (known as a *hardware hash*) must be uploaded, so that the Autopilot service can recognize which tenant devices belong to and which OOBE experience they should present to the users. There are three main ways to register devices to Autopilot:
+
+- **OEM registration process.** When you purchase devices from an OEM or Reseller, that company can automatically register devices to Windows Autopilot and associate them to your tenant. Before this registration can happen, a *Global Administrator* must grant the OEM/Reseller permissions to register devices. For more inrmation, see [Windows Autopilot customer consent][MEM-2].
+    > [!NOTE]
+    > For **Microsoft Surface registration**, collect the details shown in this [<u>documentation table</u>][SURF-1] and follow the instruction to submit the request form to Microsoft Support.
 
-- **Complete the OEM registration process.** When you purchase devices from an OEM, that company can automatically register them with Windows Autopilot. Before an OEM can register devices, your school must grant permission. The OEM begins this process with approval granted by an Azure AD global administrator from the school. For Microsoft Surface registration, collect the details shown in this [documentation table](/surface/surface-autopilot-registration-support) before submitting the request to Microsoft Support. You can make requests using the [Microsoft Devices Autopilot Support](https://prod.support.services.microsoft.com/supportrequestform/0d8bf192-cab7-6d39-143d-5a17840b9f5f) form.
 - **Manually register devices with Windows Autopilot.** To manually register a device, you must first capture its hardware hash. Once this process has been completed, the hardware hash can be uploaded to the Windows Autopilot service using [Microsoft Intune](/mem/autopilot/add-devices), [Partner Center](https://msdn.microsoft.com/partner-center/autopilot) or [Microsoft 365 Business & Office 365 Admin](https://support.office.com/article/Create-and-edit-AutoPilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa).
 
 **NOTE:** Windows 11 SE devices do not support the use of Windows PowerShell or Microsoft Configuration Manager to capture hardware hashes. Hardware hashes can only be captured manually. We recommend working with an OEM, partner, or device reseller to register devices. For more information, see [Set up devices with Autopilot][EDU-1].
@@ -47,63 +51,35 @@ Before deployment, devices must be registered with the Windows Autopilot deploym
 
 First, you create a dynamic device group, and then you apply a Windows Autopilot deployment profile to each device in this group. Deployment profiles determine the deployment mode and customize the out-of-box experience of your devices.
 
-### Create a dynamic device group
+### Create a group for your Autopilot devices
 
-Dynamic groups reference rules that you create to assign devices to groups. The criteria for a rule are specified during initial group creation and can be edited afterward. A device group is required to assign a Windows Autopilot deployment profile. You can create a group with a dynamic membership rule using Autopilot device attributes. Autopilot devices that meet these rules are automatically added to the group.
+A device group is required to assign a Windows Autopilot deployment profile. You can create a group with a dynamic membership rule using Autopilot device attributes. Autopilot devices that meet these rules are automatically added to the group.
 
-The steps for creating a dynamic device group are completed in Microsoft Endpoint Manager:
+Here are the steps for creating a dynamic group for the devices that have an assigned Autopilot group tag:
 
-1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), and then select **Groups** → **New Group**. 
+1. Sign in to the <a href="https://intuneeducation.portal.azure.com/" target="_blank"><b>Intune for Education portal</b></a>
-1. Configure the following properties:
+1. Select **Groups** > Pick a group to manage
-1. **Group type**: Select **Security**.
+1. Select **Windows device settings**
-1. **Group name/Group description**: Enter a valid name and description for your group.
+1. Expand the different categories and review information about individual settings
-1. **Azure AD roles can be assigned to the group**: Select **Yes**. This allows Azure AD roles to be assigned to the group you are creating. Once set, the group is permanent and always allowed to be assigned Azure AD roles. For more information, see [Use Azure AD groups to manage role assignments](/azure/active-directory/roles/groups-concept).
-1. **Membership type**: Select **Dynamic Device**. This property allows you to choose how devices become members of this group. For more information, see [Add groups to organize users and devices](/mem/intune/fundamentals/groups-add).
-1. **Owners**: Select users who own this group. Owners can also delete the group.
-1. **Dynamic device members**: Select **Add dynamic query** → **Add expression**.
 
-## UPDATE PIC![New Group page in Microsoft Endpoint Manager admin center]
+:::image type="content" source="./images/intune-education-autopilot-group.png" alt-text="Intune for Education - creation of a dynamic group for Autopilot devices" border="false":::
 
-### Create rules using Autopilot device attributes
+More advanced dynamic membership rules can be created from Microsoft Endpoint Manager admin center. For more information, see []().
-
-Autopilot devices that meet the rules are automatically added to the group. Note that creating an expression using non-Autopilot attributes does not guarantee that devices included in the group are registered to Autopilot. 
-
-The following steps will create a dynamic device group that uses the query expression defined in the rule.
-
-1. Create expressions, as desired:
-1. To create a group that includes all your Autopilot devices, enter **(device.devicePhysicalIDs -any (\_ -contains "[ZTDID]"))**.
-1. The Intune group tag field maps to the OrderID attribute on Azure AD devices. To create a group that includes all Autopilot devices with a specific group tag (the Azure AD device OrderID), enter **(device.devicePhysicalIds -any (\_ -eq "[OrderID]:179887111881"))**.
-1. To create a group that includes all your Autopilot devices with a specific Purchase Order ID, enter **(device.devicePhysicalIds -any (\_ -eq "[PurchaseOrderId]:76222342342"))**.
-
-## UPDATE PIC![Dynamic membership rules page in Microsoft Endpoint Manager admin center]
-
-5. Save your expressions.
-1. Select **Create**. 
 
 ### Create an Autopilot deployment profile
 
-Once the dynamic device group is created, it can be used for assigning Windows Autopilot deployment profiles. These profiles are used to configure Autopilot devices.
+For Autopilot devices to offer a customized OOBE experience, you must create **deployment profiles** and assign them to a group containing the devices.
+A deployment profile is a set of settings that determine the behavior of the device during OOBE.
+
 
-1. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Devices** → **Windows** → **Windows enrollment** → **Deployment Profiles** → **Create Profile** → **Windows PC**.
-1. On the **Basics** page:
-1. Enter a **Name** and optional **Description**. 
-1. If you want all devices in the assigned groups to convert to Autopilot automatically, for **Convert all targeted devices to Autopilot**, select **Yes**.
-1. On the **Out-of-box experience** page, for **Deployment** mode, choose one option:
 1. **User-driven:** Devices with this profile are associated with the user enrolling the device. User credentials are required to enroll the device.
-1. **Self-deploying:** Devices with this profile are not associated with the user enrolling the device. User credentials are not required to enroll the device. When a device has no user associated with it, user-based compliance policies do not apply. When using self-deploying mode, only compliance policies targeting the device will be applied.
+1. **Self-deploying:** Devices with this profile are not associated with the user enrolling the device. User credentials are not required to enroll the device.
-1. In the **Join to Azure AD** field, choose **Azure AD joined**.
 
-## UPDATE PIC![Windows Autopilot profile creation page in Microsoft Endpoint Manager admin center]
+To learn more about deployment profiles, see [Windows Autopilot deployment profiles](/mem/autopilot/profiles).
 
-9. On the **Assignments** page: 
+To create an Autopilot deployment profile:
-1. Choose **Select groups to include**, and then choose the groups you want to include in this profile.
-1. If a group is not showing in the group list, select **Add groups**, and then select the desired group. In this case, you will select the dynamic device group you created above in [Create a dynamic device group](#).
 
-## UPDATE PIC![Group assignments page for Windows Autopilot deployment profiles]
+More advanced Autopilot deployment profiles can be created from Microsoft Endpoint Manager admin center. For more information, see []().
-
-12. On the **Review + create** page, select **Create** to generate the profile.
-
-For more information, see [Configure Autopilot profiles](/mem/autopilot/profiles).
 
 ### Configure an Enrollment Status Page
 
@@ -111,12 +87,13 @@ An Enrollment Status Page (ESP) is a greeting page displayed to users while enro
 
 To deploy the ESP to devices, you need to create an ESP profile in Microsoft Endpoint Manager.
 
+:::image type="content" source="./images/win11-oobe-esp.png" alt-text="Windows OOBE - enrollment status page" border="false":::
+
 For more information, see [Set up the Enrollment Status Page][MEM-3].
 
 > [!CAUTION]
 > When targeting an ESP to **Windows 11 SE devices**, only approved apps should be included as part of the ESP configuration.
 
-### Enrollment Status Page reference here
 ## branding reference here
 ### Autopilot end-user experience
 
@@ -144,6 +121,7 @@ With the devices joined to Azure AD tenant and managed by Intune, you can use In
 
 [MEM-1]: /mem/intune/fundamentals/intune-endpoints
 [MEM-3]: /mem/intune/enrollment/windows-enrollment-status
+[MEM-2]: /mem/autopilot/registration-auth
 
 [WIN-1]: /windows/deployment/windows-autopilot/windows-autopilot-requirements
 
@@ -155,4 +133,6 @@ With the devices joined to Azure AD tenant and managed by Intune, you can use In
 [M365-1]: https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2
 
 [EDU-1]: /intune-education/windows-autopilot-setup
-[EDU-2]: /intune-education/windows-11-se-overview#windows-autopilot
+[EDU-2]: /intune-education/windows-11-se-overview#windows-autopilot
+
+[SURF-1]: /surface/surface-autopilot-registration-support

education/windows/school-deployment/enroll-overview.md

@@ -27,7 +27,7 @@ There are three main methods for joining Windows devices to Azure AD and getting
 
 ## Choose the enrollment method
 
-Windows Autopilot and the Set up School PCs app are usually the most efficient options for school environments.
+**Windows Autopilot** and the **Set up School PCs** app are usually the most efficient options for school environments.
 This [table][INT-1] describes the ideal scenarios for using either option. It's recommended to review the table when planning your enrollment and deployment strategies.
 
 :::image type="content" source="./images/enroll.png" alt-text="The device lifecycle for Intune-managed devices - enrollment" border="false":::

education/windows/school-deployment/enroll-package.md

@@ -29,7 +29,7 @@ You can create provisioning packages using either **Set Up School PCs** or **Win
 
 ## Set up School PCs
 
-With a guided experience, Set up School PCs app helps an IT administrator to create a package containing the most common features and settings that students need, and enroll the devices in Intune. The package is saved on a USB stick, which can then be plugged into devices to complete the enrollment process.
+With a guided experience, Set up School PCs app helps an IT administrator to create a package containing the most common features and settings that students need, and enroll the devices in Intune. The package is saved on a USB stick, which can then be plugged into devices during OOBE to complete the enrollment process.
 
 ### Create a provisioning package
 
@@ -40,27 +40,27 @@ The Set Up School PCs app guides you through configuration choices for school-ow
 > [!IMPORTANT]
 > If you are creating a provisioning package for **Windows 11 SE** devices, ensure to select the correct **OS version** in the **Configure device settings** page.
 
-The devices will be joined to Azure Active Directory and automatically enrolled in Intune. Note that the Set Up School PCs app will configure many settings, allowing you to optimize devices for shared use and other scenarios.
+Note that the Set Up School PCs app will configure many settings, allowing you to optimize devices for shared use and other scenarios.
 
 For more information on prerequisites, configuration, and recommendations, see [Use the Set Up School PCs app][1].
 
-
 ### Enroll devices with the provisioning package
 
-To provision Windows devices with provisioning packages, insert the USB stick containing the package during the out-of-box experience. The devices will read the content of the package, join Azure AD and enroll automatically in Intune.
+To provision Windows devices with provisioning packages, insert the USB stick containing the package during the out-of-box experience. The devices will read the content of the package, join Azure AD and automatically enroll in Intune.
 
-:::image type="content" source="./images/wcd.png" alt-text="Set up device page in Windows Configuration Designer" border="false":::
+:::image type="content" source="./images/win11-oobe-ppkg.png" alt-text="Windows 11 OOBE - enrollment with provisioning package" border="false":::
 
 For more information, see [Run package - Install package on PC][EDU-1].
 
 > [!TIP]
-> To learn more and practice with Set up School PCs, try the <a href="https://www.microsoft.com/en-us/education/interactive-demos/enroll-devices-at-scale" target="_blank"><b>Set Up School PCs demo</b></a>, which provides detailed steps to create a provisioning package and deploy a device.
+> To learn more and practice with Set up School PCs, try the <a href="https://www.microsoft.com/en-us/education/interactive-demos/enroll-devices-at-scale" target="_blank"><u>Set Up School PCs demo</u></a>, which provides detailed steps to create a provisioning package and deploy a device.
 ## Windows Configuration Designer
 
+Windows Configuration Designer is especially useful in scenarios where a school needs to provision packages for both bring-you-own devices and school-owned devices. Differently from Set Up School PCs, Windows Configuration Designer doesn't offer a guided experience, and allows granular customizations, including the possibility to embed scripts in the package.
 
-Windows Configuration Designer is especially useful in scenarios where a school needs to provision packages for both bring-you-own devices and school-owned devices. Ideal for small-to-medium schools that manage up to a few hundred devices, Windows Configuration Designer lets you configure devices without imaging. For more information, see [Install Windows Configuration Designer][WIN-1], which provides details about the app, its provisioning process, and considerations for its use. 
+:::image type="content" source="./images/wcd.png" alt-text="Set up device page in Windows Configuration Designer" border="false":::
 
-For more information, see [Provisioning packages][WIN-2].
+For more information, see [Install Windows Configuration Designer][WIN-1], which provides details about the app, its provisioning process, and considerations for its use.
 
 ________________________________________________________
 ## Next steps
@@ -74,5 +74,4 @@ With the devices joined to Azure AD tenant and managed by Intune, you can use In
 
 [EDU-1]: /education/windows/use-set-up-school-pcs-app
 
-[WIN-1]: /windows/configuration/provisioning-packages/provisioning-install-icd
+[WIN-1]: /windows/configuration/provisioning-packages/provisioning-install-icd
-[WIN-2]: /windows/configuration/provisioning-packages/provisioning-apply-package