security book removal

Paolo Matarazzo 2024-05-03 08:17:19 -04:00
parent 6aaf8a9017
commit 75f045593d
48 changed files with 0 additions and 1208 deletions

@ -4,8 +4,6 @@ items:
- name: Tutorials - name: Tutorials
expanded: true expanded: true
items: items:
- name: Deploy and manage Windows devices in a school
href: tutorial-school-deployment/toc.yml
- name: Deploy applications to Windows 11 SE - name: Deploy applications to Windows 11 SE
href: tutorial-deploy-apps-winse/toc.yml href: tutorial-deploy-apps-winse/toc.yml
- name: Concepts - name: Concepts
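Review bot: The commit title "security book removal" does not describe what this toc hunk drops, which is the "Deploy and manage Windows devices in a school" entry pointing at tutorial-school-deployment/toc.yml. Suggest retitling the commit to name the school deployment tutorial and saying in the body whether the content moved or was retired. The summary shows 0 additions across 48 changed files, so no redirect is introduced here; existing links to the tutorial-school-deployment pages need a redirect added separately.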

@ -1,77 +0,0 @@
---
title: Configure applications with Microsoft Intune
description: Learn how to configure applications with Microsoft Intune in preparation for device deployment.
ms.date: 01/16/2024
ms.topic: tutorial
---
# Configure applications with Microsoft Intune
With Intune for Education, school IT administrators have access to diverse applications to help students unlock their learning potential. This section discusses tools and resources for adding apps to Intune for Education.
Applications can be assigned to groups:
- If you target apps to a **group of users**, the apps will be installed on any managed devices that the users sign into
- If you target apps to a **group of devices**, the apps will be installed on those devices and available to any user who signs in
> [!div class="checklist"]
>In this section you will:
>
> - Add apps to Intune for Education
> - Assign apps to groups
> - Review some considerations for Windows 11 SE devices
## Add apps to Intune for Education
Intune for Education supports the deployment of two types of Windows applications: **web apps** and **desktop apps**.
:::image type="content" source="./images/intune-education-apps.png" alt-text="Intune for Education - Apps" lightbox="./images/intune-education-apps.png" border="true":::
### Desktop apps
The addition of desktop applications to Intune should be carried out by repackaging the apps, and defining the commands to silently install them. The process is described in the article [Add, assign, and monitor a Win32 app in Microsoft Intune][MEM-1].
### Web apps
To create web applications in Intune for Education:
1. Sign in to the <a href="https://intuneeducation.portal.azure.com/" target="_blank"><b>Intune for Education portal</b></a>
1. Select **Apps**
1. Select **New app** > **New web app**
1. Provide a URL for the web app, a name and, optionally, an icon and description
1. Select **Save**
For more information, see [Add web apps][INT-2].
## Assign apps to groups
To assign applications to a group of users or devices:
1. Sign in to the <a href="https://intuneeducation.portal.azure.com/" target="_blank"><b>Intune for Education portal</b></a>
1. Select **Groups** > Pick a group to manage
1. Select **Apps**
1. Select either **Web apps** or **Windows apps**
1. Select the apps you want to assign to the group > Save
## Considerations for Windows 11 SE
Windows 11 SE prevents the installation and execution of third party applications with a technology called **Windows Defender Application Control** (WDAC).
WDAC applies an *allowlist* policy, which ensures that unwanted apps don't run or get installed. However, it also prevents IT admins from deploying apps to Windows 11 SE devices, unless they're included in the E Mode policy.
To learn more about which apps are supported in Windows 11 SE, and how to deploy them, see the tutorial [Deploy applications to Windows 11 SE with Intune][EDU-1].
## Next steps
With the applications configured, you can now deploy students' and teachers' devices.
> [!div class="nextstepaction"]
> [Next: Deploy devices >](enroll-overview.md)
<!-- Reference links in article -->
[EDU-1]: ../tutorial-deploy-apps-winse/index.md
[MEM-1]: /mem/intune/apps/apps-win32-add
[INT-1]: /intune-education/express-configuration-intune-edu
[INT-2]: /intune-education/add-web-apps-edu
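Review bot: The [EDU-1] reference at the end of this deleted file targets ../tutorial-deploy-apps-winse/index.md, a tutorial the toc change keeps, so the removed and retained tutorials cross-link. Before merging, search the retained tutorial-deploy-apps-winse pages for links back into the deleted pages and repoint or drop them. Also confirm the retained tutorial still explains the point made under "Considerations for Windows 11 SE", that the WDAC allowlist blocks admin-deployed apps unless they are included in the E Mode policy.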

@ -1,133 +0,0 @@
---
title: Configure and secure devices with Microsoft Intune
description: Learn how to configure policies with Microsoft Intune in preparation for device deployment.
ms.date: 01/16/2024
ms.topic: tutorial
ms.collection: essentials-manage
---
# Configure and secure devices with Microsoft Intune
With Intune for Education, you can configure settings for devices in the school, to ensure that they comply with specific policies.
For example, you may need to secure your devices, ensuring that they are kept up to date. Or you may need to configure all the devices with the same look and feel.
Settings can be assigned to groups:
- If you target settings to a **group of users**, those settings will apply, regardless of what managed devices the targeted users sign in to
- If you target settings to a **group of devices**, those settings will apply regardless of who is using the devices
There are two ways to manage settings in Intune for Education:
- **Express Configuration.** This option is used to configure a selection of settings that are commonly used in school environments
- **Group settings.** This option is used to configure all settings that are offered by Intune for Education
> [!NOTE]
> Express Configuration is ideal when you are getting started. Settings are pre-configured to Microsoft-recommended values, but can be changed to fit your school's needs. It is recommended to use Express Configuration to initially set up your Windows devices.
> [!div class="checklist"]
>In this section you will:
>
> - Configure settings with Express Configuration
> - Configure group settings
> - Create Windows Update policies
> - Configure security policies
## Configure settings with Express Configuration
With Express Configuration, you can get Intune for Education up and running in just a few steps. You can select a group of devices or users, select applications to distribute, and choose settings from the most commonly used in schools.
> [!TIP]
> To learn more, and practice step-by-step Express Configuration in Intune for Education, try <a href="https://www.microsoft.com/en-us/education/interactive-demos/deploy-apps-and-policies" target="_blank"><u>this interactive demo</u></a>.
## Configure group settings
Groups are used to manage users and devices with similar management needs, allowing you to apply changes to many devices or users at once. To review the available group settings:
1. Sign in to the <a href="https://intuneeducation.portal.azure.com/" target="_blank"><b>Intune for Education portal</b></a>
1. Select **Groups** > Pick a group to manage
1. Select **Windows device settings**
1. Expand the different categories and review information about individual settings
Settings that are commonly configured for student devices include:
- Wallpaper and lock screen background. See: [Lock screen and desktop][INT-7]
- Wi-Fi connections. See: [Add Wi-Fi profiles][INT-8]
- Enablement of the integrated testing and assessment solution *Take a Test*. See: [Add Take a Test profile][INT-9]
For more information, see [Windows device settings in Intune for Education][INT-3].
## Create Windows Update policies
It is important to keep Windows devices up to date with the latest security updates. You can create Windows Update policies using Intune for Education.
To create a Windows Update policy:
1. Select **Groups** > Pick a group to manage
1. Select **Windows device settings**
1. Expand the category **Update and upgrade**
1. Configure the required settings as needed
For more information, see [Updates and upgrade][INT-6].
> [!NOTE]
> If you require a more complex Windows Update policy, you can create it in Microsoft Intune. For more information:
> - [<u>What is Windows Update for Business?</u>][WIN-1]
> - [<u>Manage Windows software updates in Intune</u>][MEM-1]
## Configure security policies
It is critical to ensure that the devices you manage are secured using the different security technologies available in Windows.
Intune for Education provides different settings to secure devices.
To create a security policy:
1. Select **Groups** > Pick a group to manage
1. Select **Windows device settings**
1. Expand the category **Security**
1. Configure the required settings as needed, including
- Windows Defender
- Windows Encryption
- Windows SmartScreen
For more information, see [Security][INT-4].
> [!NOTE]
> If you require more sophisticated security policies, you can create them in Microsoft Intune. For more information:
> - [<u>Antivirus</u>][MEM-2]
> - [<u>Disk encryption</u>][MEM-3]
> - [<u>Firewall</u>][MEM-4]
> - [<u>Endpoint detection and response</u>][MEM-5]
> - [<u>Attack surface reduction</u>][MEM-6]
> - [<u>Account protection</u>][MEM-7]
---
## Next steps
With the Intune service configured, you can configure policies and applications to deploy to your students' and teachers' devices.
> [!div class="nextstepaction"]
> [Next: Configure applications >](configure-device-apps.md)
<!-- Reference links in article -->
[EDU-1]: /education/windows/windows-11-se-overview
[INT-2]: /intune-education/express-configuration-intune-edu
[INT-3]: /intune-education/all-edu-settings-windows
[INT-4]: /intune-education/all-edu-settings-windows#security
[INT-6]: /intune-education/all-edu-settings-windows#updates-and-upgrade
[INT-7]: /intune-education/all-edu-settings-windows#lock-screen-and-desktop
[INT-8]: /intune-education/add-wi-fi-profile
[INT-9]: /intune-education/take-a-test-profiles
[WIN-1]: /windows/deployment/update/waas-manage-updates-wufb
[MEM-1]: /mem/intune/protect/windows-update-for-business-configure
[MEM-2]: /mem/intune/protect/endpoint-security-antivirus-policy
[MEM-3]: /mem/intune/protect/encrypt-devices
[MEM-4]: /mem/intune/protect/endpoint-security-firewall-policy
[MEM-5]: /mem/intune/protect/endpoint-security-edr-policy
[MEM-6]: /mem/intune/protect/endpoint-security-asr-policy
[MEM-7]: /mem/intune/protect/endpoint-security-account-protection-policy
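Review bot: The "Create Windows Update policies" and "Configure security policies" sections removed here are security guidance (the Update and upgrade category, and the Security category covering Windows Defender, Windows Encryption and Windows SmartScreen), and the commit gives no pointer to where an admin should now find these steps. Suggest confirming that the linked /intune-education/all-edu-settings-windows#security and #updates-and-upgrade articles cover the same procedure, and recording the replacement location in the commit message.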

@ -1,61 +0,0 @@
---
title: Configure devices with Microsoft Intune
description: Learn how to configure policies and applications in preparation for device deployment.
ms.date: 11/09/2023
ms.topic: tutorial
ms.collection: essentials-manage
---
# Configure settings and applications with Microsoft Intune
Before distributing devices to your users, you must ensure that the devices will be configured with the required policies, settings, and applications as they get enrolled in Intune.
Microsoft Intune uses Microsoft Entra groups to assign policies and applications to devices.
With Microsoft Intune for Education, you can conveniently create groups and assign policies and applications to them.
> [!div class="checklist"]
>In this section you will:
>
> - Create groups
> - Create and assign policies to groups
> - Create and assign applications to groups
## Create groups
By organizing devices, students, classrooms, or learning curricula into groups, you can provide students with the resources and configurations they need.
By default, Intune for Education creates two default groups: *All devices* and *All users*.
Two additional groups are pre-created if you use **Microsoft School Data Sync (SDS)**: *All teachers* and *All students*. SDS can also be configured to automatically create and maintain groups of students and teachers for each school.
:::image type="content" source="./images/intune-education-groups.png" alt-text="Intune for Education - Groups blade" border="true":::
Beyond the defaults, groups can be customized to suit various needs. For example, if you have both *Windows 10* and *Windows 11 SE* devices in your school, you can create groups, such as *Windows 10 devices* and *Windows 11 SE devices*, to assign different policies and applications to.
Two group types can be created:
- **Assigned groups** are used when you want to manually add users or devices to a group
- **Dynamic groups** reference rules that you create to assign students or devices to groups, which automate the membership's maintenance of those groups
> [!TIP]
> If you target applications and policies to a *device dynamic group*, they will be applied to the devices as soon as they are enrolled in Intune, before users signs in. This can be useful in bulk enrollment scenarios, where devices are enrolled without requiring users to sign in. Devices can be configured and prepared in advance, before distribution.
For more information, see:
- [Create groups in Intune for Education][EDU-1]
- [Manually add or remove users and devices to an existing assigned group][EDU-2]
- [Edit dynamic group rules to accommodate for new devices, locations, or school years][EDU-3]
________________________________________________________
## Next steps
With the groups created, you can configure policies and applications to deploy to your groups.
> [!div class="nextstepaction"]
> [Next: Configure policies >](configure-device-settings.md)
<!-- Reference links in article -->
[EDU-1]: /intune-education/create-groups
[EDU-2]: /intune-education/edit-groups-intune-for-edu
[EDU-3]: /intune-education/edit-groups-intune-for-edu#edit-dynamic-group-rules

@ -1,148 +0,0 @@
---
title: Enrollment in Intune with Windows Autopilot
description: Learn how to join Microsoft Entra ID and enroll in Intune using Windows Autopilot.
ms.date: 01/16/2024
ms.topic: tutorial
---
# Windows Autopilot
Windows Autopilot is designed to simplify all parts of Windows devices lifecycle, from initial deployment through end of life. Using cloud-based services, Windows Autopilot can reduce the overall costs for deploying, managing, and retiring devices.
Traditionally, IT pros spend a significant amount of time building and customizing images that will later be deployed to devices. Windows Autopilot introduces a new, simplified approach. Devices don't need to be reimaged, rather they can be deployed with the OEM image, and customized using cloud-based services.
From the user's perspective, it only takes a few simple operations to make their device ready to use. The only interaction required from the end user is to set their language and regional settings, connect to a network, and verify their credentials. Everything beyond that is automated.
## Prerequisites
Before setting up Windows Autopilot, consider these prerequisites:
- **Software requirements.** Ensure your school and devices meet the [software, networking, licensing, and configuration requirements][WIN-1] for Windows Autopilot
- **Devices ordered and registered.** Ensure your school IT administrator or Microsoft partner has ordered the devices from an original equipment manufacturer (OEM) and registered them for the Autopilot deployment service. To connect with a partner, you can use the [Microsoft Partner Center][MSFT-1] and work with them to register your devices
- **Networking requirements.** Ensure students know to connect to the school network during OOBE setup. For more information on managing devices behind firewalls and proxy servers, see [Network endpoints for Microsoft Intune][MEM-1]
> [!NOTE]
> Where not explicitly specified, both HTTPS (443) and HTTP (80) must be accessible. If you are auto-enrolling your devices into Microsoft Intune or deploying Microsoft Office, follow the networking guidelines for [<u>Microsoft Intune</u>][INT-1] and [<u>Microsoft 365</u>][M365-1].
## Register devices to Windows Autopilot
Before deployment, devices must be registered in the Windows Autopilot service. Each device's unique hardware identity (known as a *hardware hash*) must be uploaded to the Autopilot service. In this way, the Autopilot service can recognize which tenant devices belong to, and which OOBE experience it should present. There are three main ways to register devices to Autopilot:
- **OEM registration process.** When you purchase devices from an OEM or Reseller, that company can automatically register devices to Windows Autopilot and associate them to your tenant. Before this registration can happen, a *Global Administrator* must grant the OEM/Reseller permissions to register devices. For more information, see [OEM registration][MEM-2]
> [!NOTE]
> For **Microsoft Surface registration**, collect the details shown in this [<u>documentation table</u>][SURF-1] and follow the instruction to submit the request form to Microsoft Support.
- **Cloud Solution Provider (CSP) registration process.** As with OEMs, CSP partners must be granted permission to register devices for a school. For more information, see [Partner registration][MEM-5]
> [!TIP]
> Try the <a href="https://cloudpartners.transform.microsoft.com/resources/autopilot-in-edu-setup-english" target="_blank"><u>Microsoft Partner Center clickable demo</u></a>, which provides detailed steps to establish a partner relationship and register devices.
- **Manual registration.** To manually register a device, you must first capture its hardware hash. Once this process has been completed, the hardware hash can be uploaded to the Windows Autopilot service using [Microsoft Intune][MEM-6]
> [!IMPORTANT]
> **Windows 11 SE** devices do not support the use of Windows PowerShell or Microsoft Configuration Manager to capture hardware hashes. Hardware hashes can only be captured manually. We recommend working with an OEM, partner, or device reseller to register devices.
## Create groups for Autopilot devices
**Windows Autopilot deployment profiles** determine the Autopilot *deployment mode* and define the out-of-box experience of your devices. A device group is required to assign a Windows Autopilot deployment profile to the devices.
For this task, it's recommended to create dynamic device groups using Autopilot attributes.
Here are the steps for creating a dynamic group for the devices that have an assigned Autopilot group tag:
1. Sign in to the <a href="https://intuneeducation.portal.azure.com/" target="_blank"><b>Intune for Education portal</b></a>
1. Select **Groups** > **Create group**
1. Specify a **Group name** and select **Dynamic**
1. Under **Rules**, select **I want to manage: Devices** and use the clause **Where: Device group tag starts with**, specifying the required tag value
1. Select **Create group**
:::image type="content" source="./images/intune-education-autopilot-group.png" alt-text="Intune for Education - creation of a dynamic group for Autopilot devices" border="true":::
More advanced dynamic membership rules can be created from Microsoft Intune admin center. For more information, see [Create an Autopilot device group using Intune][MEM-3].
> [!TIP]
> You can use these dynamic groups not only to assign Autopilot profiles, but also to target applications and settings.
## Create Autopilot deployment profiles
For Autopilot devices to offer a customized OOBE experience, you must create **Windows Autopilot deployment profiles** and assign them to a group containing the devices.
A deployment profile is a collection of settings that determine the behavior of the device during OOBE. Among other settings, a deployment profile specifies a **deployment mode**, which can either be:
1. **User-driven:** devices with this profile are associated with the user enrolling the device. User credentials are required to complete the Microsoft Entra join process during OOBE
1. **Self-deploying:** devices with this profile aren't associated with the user enrolling the device. User credentials aren't required to complete the Microsoft Entra join process. Rather, the device is joined automatically and, for this reason, specific hardware requirements must be met to use this mode
To create an Autopilot deployment profile:
1. Sign in to the <a href="https://intuneeducation.portal.azure.com/" target="_blank"><b>Intune for Education portal</b></a>
1. Select **Groups** > Select a group from the list
1. Select **Windows device settings**
1. Expand the **Enrolment** category
1. From **Configure Autopilot deployment profile for device** select **User-driven**
1. Ensure that **User account type** is configured as **Standard**
1. Select **Save**
While Intune for Education offers simple options for Autopilot configurations, more advanced deployment profiles can be created from Microsoft Intune admin center. For more information, see [Windows Autopilot deployment profiles][MEM-4].
### Configure an Enrollment Status Page
An Enrollment Status Page (ESP) is a greeting page displayed to users while enrolling or signing in for the first time to Windows devices. The ESP displays provisioning progress, showing applications and profiles installation status.
:::image type="content" source="./images/win11-oobe-esp.gif" alt-text="Windows OOBE - enrollment status page animation." border="false":::
> [!NOTE]
> Some Windows Autopilot deployment profiles **require** the ESP to be configured.
To deploy the ESP to devices, you need to create an ESP profile in Microsoft Intune.
> [!TIP]
> While testing the deployment process, you can configure the ESP to:
> - allow the reset of the devices in case the installation fails
> - allow the use of the device if installation error occurs
>
> This enables you to troubleshoot the installation process in case any issues arise and to easily reset the OS. You can turn these settings off once you are done testing.
For more information, see [Set up the Enrollment Status Page][MEM-3].
> [!CAUTION]
> The Enrollment Status Page (ESP) is compatible with Windows 11 SE. However, due to the E Mode policy, devices may not complete the enrollment. For more information, see [Enrollment Status Page][EDU-3].
### Autopilot end-user experience
Once configuration is complete and devices are distributed, students and teachers are able to complete the out-of-box experience with Autopilot. They can set up their devices at home, at school, or wherever there's a reliable Internet connection.
When a Windows device is turned on for the first time, the end-user experience with Windows Autopilot is as follows:
1. Identify the language and region
1. Select the keyboard layout and decide on the option for a second keyboard layout
1. Connect to the internet: if connecting through Wi-Fi, the user will be prompted to connect to a wireless network. If the device is connected through an ethernet cable, Windows will skip this step
1. Apply updates: the device will look for and apply required updates
1. Windows will detect if the device has an Autopilot profile assigned to it. If so, it will proceed with the customized OOBE experience. If the Autopilot profile specifies a naming convention for the device, the device will be renamed, and a reboot will occur
1. The user authenticates to Microsoft Entra ID, using the school account
1. The device joins Microsoft Entra ID, enrolls in Intune and all the settings and applications are configured
> [!NOTE]
> Some of these steps may be skipped, depending on the Autopilot profile configuration and if the device is using a wired connection.
:::image type="content" source="./images/win11-login-screen.png" alt-text="Windows 11 login screen" border="false":::
________________________________________________________
## Next steps
With the devices joined to Microsoft Entra tenant and managed by Intune, you can use Intune to maintain them and report on their status.
> [!div class="nextstepaction"]
> [Next: Manage devices >](manage-overview.md)
<!-- Reference links in article -->
[MEM-1]: /mem/intune/fundamentals/intune-endpoints
[MEM-2]: /mem/autopilot/oem-registration
[MEM-3]: /mem/autopilot/enrollment-autopilot#create-an-autopilot-device-group-using-intune
[MEM-4]: /mem/autopilot/profiles
[MEM-5]: /mem/autopilot/partner-registration
[MEM-6]: /mem/autopilot/add-devices
[WIN-1]: /windows/deployment/windows-autopilot/windows-autopilot-requirements
[MSFT-1]: https://partner.microsoft.com/
[INT-1]: /intune/network-bandwidth-use
[M365-1]: https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2
[EDU-3]: ../tutorial-deploy-apps-winse/considerations.md#enrollment-status-page
[SURF-1]: /surface/surface-autopilot-registration-support
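Review bot: The [!IMPORTANT] note under "Manual registration" (Windows 11 SE devices do not support Windows PowerShell or Microsoft Configuration Manager for capturing hardware hashes) has no visible counterpart in retained content, unlike the ESP caution, which links to ../tutorial-deploy-apps-winse/considerations.md#enrollment-status-page. Suggest moving that restriction into the retained Windows 11 SE tutorial before deleting this page, so admins planning manual Autopilot registration of SE devices still see it.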

@ -1,32 +0,0 @@
---
title: Enrollment in Intune with standard out-of-box experience (OOBE)
description: Learn how to join devices to Microsoft Entra ID from OOBE and automatically get them enrolled in Intune.
ms.date: 11/09/2023
ms.topic: tutorial
---
# Automatic Intune enrollment via Microsoft Entra join
If you're setting up a Windows device individually, you can use the out-of-box experience to join it to your school's Microsoft Entra tenant, and automatically enroll it in Intune.
With this process, no advance preparation is needed:
1. Follow the on-screen prompts for region selection, keyboard selection, and network connection
1. Wait for updates. If any updates are available, they'll be installed at this time
:::image type="content" source="./images/win11-oobe-updates.png" alt-text="Windows 11 OOBE - updates page" border="true":::
1. When prompted, select **Set up for work or school** and authenticate using your school's Microsoft Entra account
:::image type="content" source="./images/win11-oobe-auth.png" alt-text="Windows 11 OOBE - authentication page" border="true":::
1. The device will join Microsoft Entra ID and automatically enroll in Intune. All settings defined in Intune will be applied to the device
> [!IMPORTANT]
> If you configured enrollment restrictions in Intune blocking personal Windows devices, this process will not complete. You will need to use a different enrollment method, or ensure that the devices are registered in Autopilot.
:::image type="content" source="./images/win11-login-screen.png" alt-text="Windows 11 login screen" border="false":::
---
## Next steps
With the devices joined to Microsoft Entra tenant and managed by Intune, you can use Intune to maintain them and report on their status.
> [!div class="nextstepaction"]
> [Next: Manage devices >](manage-overview.md)

@ -1,31 +0,0 @@
---
title: Device enrollment overview
description: Learn about the different options to enroll Windows devices in Microsoft Intune
ms.date: 11/09/2023
ms.topic: overview
---
# Device enrollment overview
There are three main methods for joining Windows devices to Microsoft Entra ID and getting them enrolled and managed by Intune:
- **Automatic Intune enrollment via Microsoft Entra join** happens when a user first turns on a device that is in out-of-box experience (OOBE), and selects the option to join Microsoft Entra ID. In this scenario, the user can customize certain Windows functionalities before reaching the desktop, and becomes a local administrator of the device. This option isn't an ideal enrollment method for education devices
- **Bulk enrollment with provisioning packages.** Provisioning packages are files that can be used to set up Windows devices, and can include information to connect to Wi-Fi networks and to join a Microsoft Entra tenant. Provisioning packages can be created using either **Set Up School PCs** or **Windows Configuration Designer** applications. These files can be applied during or after the out-of-box experience
- **Enrollment via Windows Autopilot.** Windows Autopilot is a collection of cloud services to configure the out-of-box experience, enabling light-touch or zero-touch deployment scenarios. Windows Autopilot simplifies the Windows device lifecycle, from initial deployment to end of life, for OEMs, resellers, IT administrators and end users
## Choose the enrollment method
**Windows Autopilot** and the **Set up School PCs** app are usually the most efficient options for school environments.
This [table][INT-1] describes the ideal scenarios for using either option. It's recommended to review the table when planning your enrollment and deployment strategies.
:::image type="content" source="./images/enroll.png" alt-text="The device lifecycle for Intune-managed devices - enrollment" border="false":::
Select one of the following options to learn the next steps about the enrollment method you chose:
> [!div class="op_single_selector"]
> - [Automatic Intune enrollment via Microsoft Entra join](enroll-entra-join.md)
> - [Bulk enrollment with provisioning packages](enroll-package.md)
> - [Enroll devices with Windows Autopilot](enroll-autopilot.md)
<!-- Reference links in article -->
[INT-1]: /intune-education/add-devices-windows#when-to-use-set-up-school-pcs-vs-windows-autopilot
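Review bot: The first bullet of this overview carries a least-privilege warning that disappears with the file: a user who joins Microsoft Entra ID from OOBE "becomes a local administrator of the device", which the page calls not ideal for education devices. Suggest keeping that statement in whichever enrollment article replaces this one, next to the Autopilot profile step that sets "User account type" to Standard, so the privilege difference between the enrollment methods stays documented.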

@ -1,65 +0,0 @@
---
title: Enrollment of Windows devices with provisioning packages
description: Learn about how to enroll Windows devices with provisioning packages using SUSPCs and Windows Configuration Designer.
ms.date: 11/09/2023
ms.topic: tutorial
---
# Enrollment with provisioning packages
Enrolling devices with provisioning packages is an efficient way to deploy a large number of Windows devices. Some of the benefits of provisioning packages are:
- There are no particular hardware dependencies on the devices to complete the enrollment process
- Devices don't need to be registered in advance
- Enrollment is a simple task: just open a provisioning package and the process is automated
You can create provisioning packages using either **Set Up School PCs** or **Windows Configuration Designer** applications, which are described in the following sections.
## Set up School PCs
With Set up School PCs, you can create a package containing the most common device configurations that students need, and enroll devices in Intune. The package is saved on a USB stick, which can then be plugged into devices during OOBE. Applications and settings will be automatically applied to the devices, including the Microsoft Entra join and Intune enrollment process.
### Create a provisioning package
The Set Up School PCs app guides you through configuration choices for school-owned devices.
:::image type="content" source="./images/supcs-win11se.png" alt-text="Configure device settings in Set Up School PCs app" border="false":::
> [!CAUTION]
> If you are creating a provisioning package for **Windows 11 SE** devices, ensure to select the correct *OS version* in the *Configure device settings* page.
Set Up School PCs will configure many settings, allowing you to optimize devices for shared use and other scenarios.
For more information on prerequisites, configuration, and recommendations, see [Use the Set Up School PCs app][EDU-1].
> [!TIP]
> To learn more and practice with Set up School PCs, try the <a href="https://www.microsoft.com/en-us/education/interactive-demos/enroll-devices-at-scale" target="_blank"><u>Set Up School PCs demo</u></a>, which provides detailed steps to create a provisioning package and deploy a device.
## Windows Configuration Designer
Windows Configuration Designer is especially useful in scenarios where a school needs to provision packages for both bring-you-own devices and school-owned devices. Differently from Set Up School PCs, Windows Configuration Designer doesn't offer a guided experience, and allows granular customizations, including the possibility to embed scripts in the package.
:::image type="content" source="./images/wcd.png" alt-text="Set up device page in Windows Configuration Designer" border="false":::
For more information, see [Install Windows Configuration Designer][WIN-1], which provides details about the app, its provisioning process, and considerations for its use.
## Enroll devices with the provisioning package
To provision Windows devices with provisioning packages, insert the USB stick containing the package during the out-of-box experience. The devices will read the content of the package, join Microsoft Entra ID and automatically enroll in Intune.
All settings defined in the package and in Intune will be applied to the device, and the device will be ready to use.
:::image type="content" source="./images/win11-oobe-ppkg.gif" alt-text="Windows 11 OOBE - enrollment with provisioning package animation." border="false":::
---
## Next steps
With the devices joined to Microsoft Entra tenant and managed by Intune, you can use Intune to maintain them and report on their status.
> [!div class="nextstepaction"]
> [Next: Manage devices >](manage-overview.md)
<!-- Reference links in article -->
[EDU-1]: /education/windows/use-set-up-school-pcs-app
[WIN-1]: /windows/configuration/provisioning-packages/provisioning-install-icd
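Review bot: The removed page ends with a relative `[Next: Manage devices >](manage-overview.md)` link and is one step in a chained tutorial, so deleting it is only safe if every page in the chain goes in the same commit and nothing outside the folder links in. Please confirm that no remaining article references this page or its `./images/wcd.png` and `./images/win11-oobe-ppkg.gif` assets, and add a redirect for the old URL (for example to the `/education/windows/use-set-up-school-pcs-app` article the page already cites) so existing links to the provisioning-package enrollment steps still resolve.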

Binary file not shown.

Before

Width:  |  Height:  |  Size: 122 KiB


View File

@ -1,81 +0,0 @@
---
title: Introduction to the tutorial deploy and manage Windows devices in a school
description: Introduction to deployment and management of Windows devices in education environments.
ms.date: 11/09/2023
ms.topic: tutorial
ms.collection: essentials-get-started
---
# Tutorial: deploy and manage Windows devices in a school
This guide introduces the tools and services available from Microsoft to deploy, configure and manage Windows devices in an education environment.
## Audience and user requirements
This tutorial is intended for education professionals responsible for deploying and managing Windows devices, including:
- School leaders
- IT administrators
- Teachers
- Microsoft partners
This content provides a comprehensive path for schools to deploy and manage new Windows devices with Microsoft Intune. It includes step-by-step information how to manage devices throughout their lifecycle, and specific guidance for **Windows 11 SE** and **Surface devices**.
> [!NOTE]
> Depending on your school setup scenario, you may not need to implement all steps.
## Device lifecycle management
Historically, school IT administrators and educators have struggled to find an easy-to-use, flexible, and secure way to manage the lifecycle of the devices in their schools. In response, Microsoft has developed integrated suites of products for streamlined, cost-effective device lifecycle management.
Microsoft 365 Education provides tools and services that enable simplified management of all devices through Microsoft Intune services. With Microsoft's solutions, IT administrators have the flexibility to support diverse scenarios, including school-owned devices and bring-your-own devices.
Microsoft Intune services include:
- [Microsoft Intune][MEM-1]
- [Microsoft Intune for Education][INT-1]
- [Configuration Manager][MEM-2]
- [Desktop Analytics][MEM-3]
- [Windows Autopilot][MEM-4]
- [Surface Management Portal][MEM-5]
These services are part of the Microsoft 365 stack to help secure access, protect data, and manage risk.
## Why Intune for Education?
Windows devices can be managed with Intune for Education, enabling simplified management of multiple devices from a single point.
From enrollment, through configuration and protection, to resetting, Intune for Education helps school IT administrators manage and optimize the devices throughout their lifecycle:
:::image type="content" source="./images/device-lifecycle.png" alt-text="The device lifecycle for Intune-managed devices" border="false":::
- **Enroll:** to enable remote device management, devices must be enrolled in Intune with an account in your Microsoft Entra tenant. Some enrollment methods require an IT administrator to initiate enrollment, while others require students to complete the initial device setup process. This document discusses the facets of various device enrollment methodologies
- **Configure:** once the devices are enrolled in Intune, applications and settings will be applied, as defined by the IT administrator
- **Protect and manage:** in addition to its configuration capabilities, Intune for Education helps protect devices from unauthorized access or malicious attacks. For example, adding an extra layer of authentication with Windows Hello can make devices more secure. Policies are available that let you control settings for Windows Firewall, Endpoint Protection, and software updates
- **Retire:** when it's time to repurpose a device, Intune for Education offers several options, including resetting the device, removing it from management, or wiping school data. In this document, we cover different device return and exchange scenarios
## Four pillars of modern device management
In the remainder of this document, we'll discuss the key concepts and benefits of modern device management with Microsoft 365 solutions for education. The guidance is organized around the four main pillars of modern device management:
- **Identity management:** setting up and configuring the identity system, with Microsoft 365 Education and Microsoft Entra ID, as the foundation for user identity and authentication
- **Initial setup:** setting up the Intune for Education environment for managing devices, including configuring settings, deploying applications, and defining updates cadence
- **Device enrollment:** Setting up Windows devices for deployment and enrolling them in Intune for Education
- **Device reset:** Resetting managed devices with Intune for Education
---
## Next steps
Let's begin with the creation and configuration of your Microsoft Entra tenant and Intune environment.
> [!div class="nextstepaction"]
> [Next: Set up Microsoft Entra ID >](set-up-microsoft-entra-id.md)
<!-- Reference links in article -->
[MEM-1]: /mem/intune/fundamentals/what-is-intune
[MEM-2]: /mem/configmgr/core/understand/introduction
[MEM-3]: /mem/configmgr/desktop-analytics/overview
[MEM-4]: /mem/autopilot/windows-autopilot
[MEM-5]: /mem/autopilot/dfci-management
[INT-1]: /intune-education/what-is-intune-for-education
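Review bot: The commit message says "security book removal", but this file is the landing page of the school deployment tutorial and carries `ms.collection: essentials-get-started` in its front matter, so the message does not describe what is being deleted. Please reword the commit message to name the tutorial, and check whether the `essentials-get-started` collection or any hub page still lists this article. The TOC hunk drops the `tutorial-school-deployment/toc.yml` entry, but a collection reference would be left dangling unless a redirect is added.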

View File

@ -1,59 +0,0 @@
---
title: Manage devices with Microsoft Intune
description: Overview of device management capabilities in Intune for Education, including remote actions, remote assistance and inventory/reporting.
ms.date: 11/09/2023
ms.topic: tutorial
---
# Manage devices with Microsoft Intune
Microsoft Intune offers a streamlined remote device management experience throughout the school year. IT administrators can optimize device settings, deploy new applications, updates, ensuring that security and privacy are maintained.
:::image type="content" source="./images/protect-manage.png" alt-text="The device lifecycle for Intune-managed devices - protect and manage devices" border="false":::
## Remote device management
With Intune for Education, there are several ways to manage students' devices. Groups can be created to organize devices and students, to facilitate remote management. You can determine which applications students have access to, and fine tune device settings and restrictions. You can also monitor which devices students sign in to, and troubleshoot devices remotely.
### Remote actions
Intune fo Education allows you to perform actions on devices without having to sign in to the devices. For example, you can send a command to a device to restart or to turn off, or you can locate a device.
:::image type="content" source="./images/remote-actions.png" alt-text="Remote actions available in Intune for Education when selecting a Windows device" lightbox="./images/remote-actions.png" border="true":::
With bulk actions, remote actions can be performed on multiple devices at once.
To learn more about remote actions in Intune for Education, see [Remote actions][EDU-1].
## Remote assistance
With devices managed by Intune for Education, you can remotely assist students and teachers that are having issues with their devices.
For more information, see [Remote assistance for managed devices - Intune for Education][EDU-2].
## Device inventory and reporting
With Intune for Education, it's possible view and report on current devices, applications, settings, and overall health. You can also download reports to review or share offline.
Here are the steps for generating reports in Intune for Education:
1. Sign in to the <a href="https://intuneeducation.portal.azure.com/" target="_blank"><b>Intune for Education portal</b></a>
1. Select **Reports**
1. Select between one of the report types:
- Device inventory
- Device actions
- Application inventory
- Settings errors
- Windows Defender
- Autopilot deployment
1. If needed, use the search box to find specific devices, applications, and settings
1. To download a report, select **Download**. The report will download as a comma-separated value (CSV) file, which you can view and modify in a spreadsheet app like Microsoft Excel.
:::image type="content" source="./images/inventory-reporting.png" alt-text="Reporting options available in Intune for Education when selecting the reports blade" border="true":::
To learn more about reports in Intune for Education, see [Reports in Intune for Education][EDU-3].
<!-- Reference links in article -->
[EDU-1]: /intune-education/edu-device-remote-actions
[EDU-2]: /intune-education/remote-assist-mobile-devices
[EDU-3]: /intune-education/what-are-reports

View File

@ -1,44 +0,0 @@
---
title: Management functionalities for Surface devices
description: Learn about the management capabilities offered to Surface devices, including firmware management and the Surface Management Portal.
ms.date: 11/09/2023
ms.topic: tutorial
appliesto:
- ✅ <b>Surface devices</b>
---
# Management functionalities for Surface devices
Microsoft Surface devices offer advanced management functionalities, including the possibility to manage firmware settings and a web portal designed for them.
## Manage device firmware for Surface devices
Surface devices use a Unified Extensible Firmware Interface (UEFI) setting that allows you to enable or disable built-in hardware components, protect UEFI settings from being changed, and adjust device boot configuration. With [Device Firmware Configuration Interface profiles built into Intune][INT-1], Surface UEFI management extends the modern management capabilities to the hardware level. Windows can pass management commands from Intune to UEFI for Autopilot-deployed devices.
DFCI supports zero-touch provisioning, eliminates BIOS passwords, and provides control of security settings for boot options, cameras and microphones, built-in peripherals, and more. For more information, see [Manage DFCI on Surface devices][SURF-1] and [Manage DFCI with Windows Autopilot][MEM-1], which includes a list of requirements to use DFCI.
:::image type="content" source="./images/dfci-profile.png" alt-text="Creation of a DFCI profile from Microsoft Intune" lightbox="./images/dfci-profile-expanded.png" border="true":::
## Microsoft Surface Management Portal
Located in the Microsoft Intune admin center, the Microsoft Surface Management Portal enables you to self-serve, manage, and monitor your school's Intune-managed Surface devices at scale. Get insights into device compliance, support activity, warranty coverage, and more.
When Surface devices are enrolled in cloud management and users sign in for the first time, information automatically flows into the Surface Management Portal, giving you a single pane of glass for Surface-specific administration activities.
To access and use the Surface Management Portal:
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
1. Select **All services** > **Surface Management Portal**
:::image type="content" source="./images/surface-management-portal.png" alt-text="Surface Management Portal within Microsoft Intune" lightbox="./images/surface-management-portal-expanded.png" border="true":::
1. To obtain insights for all your Surface devices, select **Monitor**
- Devices that are out of compliance or not registered, have critically low storage, require updates, or are currently inactive, are listed here
1. To obtain details on each insights category, select **View report**
- This dashboard displays diagnostic information that you can customize and export
1. To obtain the device's warranty information, select **Device warranty and coverage**
1. To review a list of support requests and their status, select **Support requests**
<!-- Reference links in article -->
[INT-1]: /intune/configuration/device-firmware-configuration-interface-windows
[MEM-1]: /mem/autopilot/dfci-management
[SURF-1]: /surface/surface-manage-dfci-guide

View File

@ -1,111 +0,0 @@
---
title: Reset and wipe Windows devices
description: Learn about the reset and wipe options for Windows devices using Intune for Education, including scenarios when to delete devices.
ms.date: 11/09/2023
ms.topic: tutorial
---
# Device reset options
There are different scenarios that require a device to be reset, for example:
- The device isn't responding to commands
- The device is lost or stolen
- It's the end of the life of the device
- It's the end of the school year and you want to prepare the device for a new school year
- The device has hardware problems and you want to send it to the service center
:::image type="content" source="./images/retire.png" alt-text="The device lifecycle for Intune-managed devices - retirement" border="false":::
Intune for Education provides two device reset functionalities that enable IT administrators to remotely execute them:
- **Factory reset** (also known as **wipe**) is used to wipe all data and settings from the device, returning it to the default factory settings
- **Autopilot reset** is used to return the device to a fully configured or known IT-approved state
## Factory reset (wipe)
A factory reset, or a wipe, reverts a device to the original settings when it was purchased. All settings, applications and data installed on the device after purchase are removed. The device is also removed from Intune management.
Once the wipe is completed, the device will be in out-of-box experience.
Here are the steps to perform a factory reset from Intune for Education:
1. Sign in to the <a href="https://intuneeducation.portal.azure.com/" target="_blank"><b>Intune for Education portal</b></a>
1. Select **Devices**
1. Select the device you want to reset > **Factory reset**
1. Select **Factory reset** to confirm the action
:::image type="content" source="./images/win11-wipe.png" alt-text="Three screenshots showing the device being wiped, ending up in OOBE" lightbox="./images/win11-wipe.png" border="false":::
Consider using factory reset in the following example scenarios:
- The device isn't working properly, and you want to reset it without reimaging it
- It's the end of school year and you want to prepare the device for a new school year
- You need to reassign the device to a different student, and you want to reset the device to its original settings
- You're returning a device to the service center, and you want to remove all data and settings from the device
> [!TIP]
> Consider that once the device is wiped, the new user will go through OOBE. This option may be ideal if the device is also registered in Autopilot to make the OOBE experience seamless, or if you plan to use a provisioning package to re-enroll the device.
## Autopilot Reset
Autopilot Reset is ideal when all data on a device needs to be wiped, but the device remains enrolled in your tenant.
Once the Autopilot reset action is completed, the device will ask to chose region and keyboard layout, then it will display the sign-in screen.
Here are the steps to perform an Autopilot reset from Intune for Education:
1. Sign in to the <a href="https://intuneeducation.portal.azure.com/" target="_blank"><b>Intune for Education portal</b></a>
1. Select **Devices**
1. Select the device you want to reset > **Autopilot reset**
1. Select **Autopilot reset** to confirm the action
:::image type="content" source="./images/win11-autopilot-reset.png" alt-text="Three screenshots showing the device being wiped, ending up in the login screen" border="false":::
Consider using Autopilot reset in the following example scenarios:
- The device isn't working properly, and you want to reset it without reimaging it
- It's the end of school year and you want to prepare the device for a new school year
- You need to reassign the device to a different student, and you want to reset the device to without requiring the student to go through OOBE
> [!TIP]
> Consider that the end user will **not** go through OOBE, and the association of the user to the device in Intune doesn't change. For this reason, this option may be ideal for devices that have been enrolled in Intune as *shared devices* (for example, a device that was enrolled with a provisioning package or using Autopilot self-deploying mode).
## Wiping and deleting a device
There are scenarios that require a device to be deleted from your tenant, for example:
- The device is lost or stolen
- It's the end of the life of the device
- The device has been replaced with a new device or has its motherboard replaced
> [!IMPORTANT]
> The following actions should only be performed for devices that are no longer going to be used in your tenant.
To completely remove a device, you need to perform the following actions:
1. If possible, perform a **factory reset (wipe)** of the device. If the device can't be wiped, delete the device from Intune using [these steps][MEM-1]
1. If the device is registered in Autopilot, delete the Autopilot object using [these steps][MEM-2]
1. Delete the device from Microsoft Entra ID using [these steps][MEM-3]
## Autopilot considerations for a motherboard replacement scenario
Repairing Autopilot-enrolled devices can be complex, as OEM requirements must be balanced with Autopilot requirements. If a motherboard replacement is needed on an Autopilot device, it's suggested the following process:
1. Deregister the device from Autopilot
1. Replace the motherboard
1. Capture a new device ID (4K HH)
1. Re-register the device with Autopilot
> [!IMPORTANT]
> For DFCI management, the device must be re-registered by a partner or OEM. Self-registration of devices is not supported with DFCI management.
1. Reset the device
1. Return the device
For more information, see [Autopilot motherboard replacement scenario guidance][MEM-4].
<!-- Reference links in article -->
[MEM-1]: /mem/intune/remote-actions/devices-wipe#delete-devices-from-the-intune-portal
[MEM-2]: /mem/intune/remote-actions/devices-wipe#delete-devices-from-the-intune-portal
[MEM-3]: /mem/intune/remote-actions/devices-wipe#delete-devices-from-the-azure-active-directory-portal
[MEM-4]: /mem/autopilot/autopilot-mbr
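Review bot: The "Wiping and deleting a device" section removed here is the tutorial's procedure for taking a lost or stolen device out of the tenant (wipe, then delete from Intune, Autopilot and Microsoft Entra ID), and the commit has no additions, so nothing replaces it. Please redirect the old URL to `/mem/intune/remote-actions/devices-wipe`, which the page already cites. If the text is reused elsewhere, note that `[MEM-1]` and `[MEM-2]` both resolve to the same `#delete-devices-from-the-intune-portal` anchor, so the "delete the Autopilot object" step points at the Intune deletion steps instead of Autopilot-specific ones.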

View File

@ -1,173 +0,0 @@
---
title: Set up Microsoft Entra ID
description: Learn how to create and prepare your Microsoft Entra tenant for an education environment.
ms.date: 01/16/2024
ms.topic: tutorial
appliesto:
---
# Set up Microsoft Entra ID
The Microsoft platform for education simplifies the management of Windows devices with Intune for Education and Microsoft 365 Education. The first, fundamental step, is to configure the identity infrastructure to manage user access and permissions for your school.
Microsoft Entra ID, which is included with the Microsoft 365 Education subscription, provides authentication and authorization to any Microsoft cloud services. Identity objects are defined in Microsoft Entra ID for human identities, like students and teachers, as well as non-human identities, like devices, services, and applications. Once users get Microsoft 365 licenses assigned, they'll be able to consume services and access resources within the tenant. With Microsoft 365 Education, you can manage identities for your teachers and students, assign licenses to devices and users, and create groups for the classrooms.
> [!div class="checklist"]
>In this section you will:
>
> - Set up a Microsoft 365 Education tenant
> - Add users, create groups, and assign licenses
> - Configure school branding
> - Enable bulk enrollment
## Create a Microsoft 365 tenant
If you don't already have a Microsoft 365 tenant, you'll need to create one.
For more information, see [Create your Office 365 tenant account][M365-1]
> [!TIP]
> To learn more, and practice how to configure the Microsoft 365 tenant for your school, try <a href="https://www.microsoft.com/en-us/education/interactive-demos/set-up-Microsoft-365" target="_blank"><u>this interactive demo</u></a>.
### Explore the Microsoft 365 admin center
The **Microsoft 365 admin center** is the hub for all administrative consoles for the Microsoft 365 cloud. To access the <a href="https://entra.microsoft.com" target="_blank"><u>Microsoft Entra admin center</u></a>, sign in with the same global administrator account when you [created the Microsoft 365 tenant](#create-a-microsoft-365-tenant).
From the Microsoft 365 admin center, you can access different administrative dashboards: Microsoft Entra ID, Microsoft Intune, Intune for Education, and others:
:::image type="content" source="./images/m365-admin-center.png" alt-text="*All admin centers* page in *Microsoft 365 admin center*" lightbox="./images/m365-admin-center.png" border="true":::
For more information, see [Overview of the Microsoft 365 admin center][M365-2].
> [!NOTE]
> Setting up your school's basic cloud infrastructure does not require you to complete the rest of the Microsoft 365 setup. For this reason, we will skip directly to adding students and teachers as users in the Microsoft 365 tenant.
## Add users, create groups, and assign licenses
With the Microsoft 365 tenant in place, it's time to add users, create groups, and assign licenses. All students and teachers need a user account before they can sign in and access the different Microsoft 365 services. There are multiple ways to do this, including using School Data Sync (SDS), synchronizing an on-premises Active Directory, manually, or a combination of the above.
> [!NOTE]
> Synchronizing your Student Information System (SIS) with School Data Sync is the preferred way to create students and teachers as users in a Microsoft 365 Education tenant. However, if you want to integrate an on-premises directory and synchronize accounts to the cloud, skip to [Microsoft Entra Connect Sync](#microsoft-entra-connect-sync) below.
### School Data Sync
School Data Sync (SDS) imports and synchronizes SIS data to create classes in Microsoft 365, such as Microsoft 365 groups and class teams in Microsoft Teams. SDS can be used to create new, cloud-only, identities or to evolve existing identities. Users evolve into *students* or *teachers* and are associated with a *grade*, *school*, and other education-specific attributes.
For more information, see [Overview of School Data Sync][SDS-1].
> [!TIP]
> To learn more and practice with School Data Sync, follow the <a href="https://interactiveguides-schooldatasync.azurewebsites.net/" target="_blank"><u>Microsoft School Data Sync demo</u></a>, which provides detailed steps to access, configure, and deploy School Data Sync in your Microsoft 365 Education tenant.
> [!NOTE]
> You can perform a test deployment by cloning or downloading sample SDS CSV school data from the [<u>O365-EDU-Tools GitHub site</u>](https://github.com/OfficeDev/O365-EDU-Tools).
>
> Remember that you should typically deploy test SDS data (users, groups, and so on) in a separate test tenant, not your school production environment.
### Microsoft Entra Connect Sync
To integrate an on-premises directory with Microsoft Entra ID, you can use **Microsoft Entra Connect** to synchronize users, groups, and other objects. Microsoft Entra Connect lets you configure the authentication method appropriate for your school, including:
- [Password hash synchronization][AAD-1]
- [Pass-through authentication][AAD-2]
- [Federated authentication][AAD-3]
For more information, see [Set up directory synchronization for Microsoft 365][O365-1].
### Create users manually
In addition to the above methods, you can manually add users and groups, and assign licenses through the Microsoft 365 admin center.
There are two options for adding users manually, either individually or in bulk:
1. To add students and teachers as users in Microsoft 365 Education *individually*:
- Sign in to the <a href="https://entra.microsoft.com" target="_blank"><b>Microsoft Entra admin center</b></a>
- Select **Microsoft Entra ID** > **Users** > **All users** > **New user** > **Create new user**
For more information, see [Add users and assign licenses at the same time][M365-3].
1. To add *multiple* users to Microsoft 365 Education:
- Sign in to the <a href="https://entra.microsoft.com" target="_blank"><b>Microsoft Entra admin center</b></a>
- Select **Microsoft Entra ID** > **Users** > **All users** > **Bulk operations** > **Bulk create**
For more information, see [Add multiple users in the Microsoft 365 admin center][M365-4].
### Create groups
Creating groups is important to simplify multiple tasks, like assigning licenses, delegating administration, deploy settings, applications or to distribute assignments to students. To create groups:
1. Sign in to the <a href="https://entra.microsoft.com" target="_blank"><b>Microsoft Entra admin center</b></a>
1. Select **Microsoft Entra ID** > **Groups** > **All groups** > **New group**
1. On the **New group** page, select **Group type** > **Security**
1. Provide a group name and add members, as needed
1. Select **Next**
For more information, see [Create a group in the Microsoft 365 admin center][M365-5].
### Assign licenses
The recommended way to assign licenses is through group-based licensing. With this method, Microsoft Entra ID ensures that licenses are assigned to all members of the group. Any new members who join the group are assigned the appropriate licenses, and when members leave, their licenses are removed.
To assign a license to a group:
1. Sign in to the <a href="https://entra.microsoft.com" target="_blank"><b>Microsoft Entra admin center</b></a>
1. Select **Microsoft Entra ID** > **Show More** > **Billing** > **Licenses**
1. Select the required products that you want to assign licenses for > **Assign**
1. Add the groups to which the licenses should be assigned
:::image type="content" source="images/entra-assign-licenses.png" alt-text="Assign licenses from Microsoft Entra admin center." lightbox="images/entra-assign-licenses.png":::
For more information, see [Group-based licensing using Microsoft Entra admin center][AAD-4].
## Configure school branding
Configuring your school branding enables a more familiar Autopilot experience to students and teachers. With a custom school branding, you can define a custom logo and a welcome message, which will appear during the Windows out-of-box experience.
To configure your school's branding:
1. Sign in to the <a href="https://entra.microsoft.com" target="_blank"><b>Microsoft Entra admin center</b></a>
1. Select **Microsoft Entra ID** > **Show More** > **User experiences** > **Company branding**
1. You can specify brand settings like background image, logo, username hint and a sign-in page text
:::image type="content" source="images/entra-branding.png" alt-text="Configure Microsoft Entra ID branding from Microsoft Entra admin center." lightbox="images/entra-branding.png":::
1. To adjust the school tenant's name displayed during OOBE, select **Microsoft Entra ID** > **Overview** > **Properties**
1. In the **Name** field, enter the school district or organization's name > **Save**
:::image type="content" alt-text="Configure Microsoft Entra tenant name from Microsoft Entra admin center." source="images/entra-tenant-name.png" lightbox="images/entra-tenant-name.png":::
For more information, see [Add branding to your directory][AAD-5].
## Enable bulk enrollment
If you decide to enroll Windows devices using provisioning packages instead of Windows Autopilot, you must ensure that the provisioning packages can join Windows devices to the Microsoft Entra tenant.
To allow provisioning packages to complete the Microsoft Entra join process:
1. Sign in to the <a href="https://entra.microsoft.com" target="_blank"><b>Microsoft Entra admin center</b></a>
1. Select **Microsoft Entra ID** > **Devices** > **Device Settings**
1. Under **Users may join devices to Microsoft Entra ID**, select **All**
> [!NOTE]
> If it is required that only specific users can join devices to Microsoft Entra ID, select **Selected**. Ensure that the user account that will create provisioning packages is included in the list of users.
1. Select Save
:::image type="content" source="images/entra-device-settings.png" alt-text="Configure device settings from Microsoft Entra admin center." lightbox="images/entra-device-settings.png":::
---
## Next steps
With users and groups created, and licensed for Microsoft 365 Education, you can now configure Microsoft Intune.
> [!div class="nextstepaction"]
> [Next: Set up Microsoft Intune >](set-up-microsoft-intune.md)
<!-- Reference links in article -->
[AAD-1]: /azure/active-directory/hybrid/whatis-phs
[AAD-2]: /azure/active-directory/hybrid/how-to-connect-pta
[AAD-3]: /azure/active-directory/hybrid/how-to-connect-fed-whatis
[AAD-4]: /azure/active-directory/enterprise-users/licensing-groups-assign
[AAD-5]: /azure/active-directory/fundamentals/customize-branding
[M365-1]: /microsoft-365/education/deploy/create-your-office-365-tenant
[M365-2]: /microsoft-365/admin/admin-overview/admin-center-overview
[M365-3]: /microsoft-365/admin/add-users/add-users
[M365-4]: /microsoft-365/enterprise/add-several-users-at-the-same-time
[M365-5]: /microsoft-365/admin/create-groups/create-groups
[O365-1]: /office365/enterprise/set-up-directory-synchronization
[SDS-1]: /schooldatasync/overview-of-school-data-sync
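Review bot: If the "Enable bulk enrollment" section is being moved rather than retired, the step `Under **Users may join devices to Microsoft Entra ID**, select **All**` should not be carried over as the primary instruction. The note beneath it already describes the narrower **Selected** option with the provisioning account included, which limits the join right to the accounts that need it. Two smaller points for any surviving copy: the front matter has an empty `appliesto:` key, and the "Explore the Microsoft 365 admin center" section links to the Microsoft Entra admin center in its first paragraph.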

View File

@ -1,97 +0,0 @@
---
title: Set up device management
description: Learn how to configure the Intune service and set up the environment for education.
ms.date: 01/16/2024
ms.topic: tutorial
appliesto:
---
# Set up Microsoft Intune
Without the proper tools and resources, managing hundreds or thousands of devices in a school environment can be a complex and time-consuming task. Microsoft Intune is a collection of services that simplifies the management of devices at scale.
The Microsoft Intune service can be managed in different ways, and one of them is **Intune for Education**, a web portal designed for education environments.
:::image type="content" source="./images/intune-education-portal.png" alt-text="Intune for Education dashboard" lightbox="./images/intune-education-portal.png" border="true":::
**Intune for Education** supports the entire device lifecycle, from the enrollment phase through retirement. IT administrators can start managing classroom devices with bulk enrollment options and a streamlined deployment. At the end of the school year, IT admins can reset devices, ensuring they're ready for the next year.
For more information, see [Intune for Education documentation][INT-1].
> [!div class="checklist"]
>In this section you will:
>
> - Review Intune's licensing prerequisites
> - Configure the Intune service for education devices
## Prerequisites
Before configuring settings with Intune for Education, consider the following prerequisites:
- **Intune subscription.** Microsoft Intune is licensed in three ways:
- As a standalone service
- As part of [Enterprise Mobility + Security][MSFT-1]
- As part of a [Microsoft 365 Education subscription][MSFT-2]
- **Device platform.** Intune for Education can manage devices running a supported version of Windows 10, Windows 11, Windows 11 SE, iOS, and iPad OS
For more information, see [Intune licensing][MEM-1] and [this comparison sheet][MSFT-3], which includes a table detailing the *Microsoft Modern Work Plan for Education*.
## Configure the Intune service for education devices
The Intune service can be configured in different ways, depending on the needs of your school. In this section, you'll configure the Intune service using settings commonly implemented by K-12 school districts.
### Configure enrollment restrictions
With enrollment restrictions, you can prevent certain types of devices from being enrolled and therefore managed by Intune. For example, you can prevent the enrollment of devices that are not owned by the school.
To block personally owned Windows devices from enrolling:
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Select **Devices** > **Enroll devices** > **Enrollment device platform restrictions**
1. Select the **Windows restrictions** tab
1. Select **Create restriction**
1. On the **Basics** page, provide a name for the restriction and, optionally, a description > **Next**
1. On the **Platform settings** page, in the **Personally owned devices** field, select **Block** > **Next**
:::image type="content" source="./images/enrollment-restrictions.png" alt-text="This screenshot is of the device enrollment restriction page in Microsoft Intune admin center." lightbox="./images/enrollment-restrictions.png":::
1. Optionally, on the **Scope tags** page, add scope tags > **Next**
1. On the **Assignments** page, select **Add groups**, and then use the search box to find and choose groups to which you want to apply the restriction > **Next**
1. On the **Review + create** page, select **Create** to save the restriction
For more information, see [Create a device platform restriction][MEM-2].
### Disable Windows Hello for Business
Windows Hello for Business is a biometric authentication feature that allows users to sign in to their devices using a PIN, password, or fingerprint. Windows Hello for Business is enabled by default on Windows devices, and to set it up, users must perform for multi-factor authentication (MFA). As a result, this feature may not be ideal for students, who may not have MFA enabled.
It's suggested to disable Windows Hello for Business on Windows devices at the tenant level, and enabling it only for devices that need it, for example for teachers and staff devices.
To disable Windows Hello for Business at the tenant level:
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Select **Devices** > **Windows** > **Windows Enrollment**
1. Select **Windows Hello for Business**
1. Ensure that **Configure Windows Hello for Business** is set to **disabled**
1. Select **Save**
:::image type="content" source="./images/whfb-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Intune admin center." lightbox="./images/whfb-disable.png":::
For more information how to enable Windows Hello for Business on specific devices, see [Create a Windows Hello for Business policy][MEM-4].
---
## Next steps
With the Intune service configured, you can configure policies and applications in preparation to the deployment of students' and teachers' devices.
> [!div class="nextstepaction"]
> [Next: Configure devices >](configure-devices-overview.md)
<!-- Reference links in article -->
[MEM-1]: /mem/intune/fundamentals/licenses
[MEM-2]: /mem/intune/enrollment/enrollment-restrictions-set
[MEM-4]: /mem/intune/protect/windows-hello#create-a-windows-hello-for-business-policy
[INT-1]: /intune-education/what-is-intune-for-education
[MSFT-1]: https://www.microsoft.com/microsoft-365/enterprise-mobility-security
[MSFT-2]: https://www.microsoft.com/licensing/product-licensing/microsoft-365-education
[MSFT-3]: https://edudownloads.azureedge.net/msdownloads/Microsoft-Modern-Work-Plan-Comparison-Education_11-2021.pdf
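Review bot: the "Configure enrollment restrictions" and "Disable Windows Hello for Business" sections are deleted here with no replacement or pointer visible in the hunk, so the step-by-step guidance for blocking personally owned Windows devices and for the tenant-level Windows Hello for Business setting disappears with the page. If the content is being retired rather than moved, say so in the commit description and name the upstream articles that remain authoritative. The file's own reference links `[MEM-2]` (`/mem/intune/enrollment/enrollment-restrictions-set`) and `[MEM-4]` (`/mem/intune/protect/windows-hello#create-a-windows-hello-for-business-policy`) are the obvious candidates.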

View File

@ -1,38 +0,0 @@
items:
- name: Introduction
href: index.md
- name: 1. Prepare your tenant
items:
- name: Set up Microsoft Entra ID
href: set-up-microsoft-entra-id.md
- name: Set up Microsoft Intune
href: set-up-microsoft-intune.md
- name: 2. Configure settings and applications
items:
- name: Overview
href: configure-devices-overview.md
- name: Configure policies
href: configure-device-settings.md
- name: Configure applications
href: configure-device-apps.md
- name: 3. Deploy devices
items:
- name: Overview
href: enroll-overview.md
- name: Enroll devices via Microsoft Entra join
href: enroll-entra-join.md
- name: Enroll devices with provisioning packages
href: enroll-package.md
- name: Enroll devices with Windows Autopilot
href: enroll-autopilot.md
- name: 4. Manage devices
items:
- name: Overview
href: manage-overview.md
- name: Management functionalities for Surface devices
href: manage-surface-devices.md
- name: Reset and wipe devices
href: reset-wipe.md
- name: 5. Troubleshoot and get help
href: troubleshoot-overview.md
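Review bot: every one of the 14 `href` targets in this toc, from `index.md` through `troubleshoot-overview.md`, has to be deleted in the same commit, otherwise the pages left behind stay published with no navigation entry. Only some of those files are visible in this part of the diff, so please confirm the removed-file list covers the rest as well, for example `enroll-package.md`, `enroll-autopilot.md` and `reset-wipe.md`.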

View File

@ -1,56 +0,0 @@
---
title: Troubleshoot Windows devices
description: Learn how to troubleshoot Windows devices from Intune and contact Microsoft Support for issues related to Intune and other services.
ms.date: 11/09/2023
ms.topic: tutorial
---
# Troubleshoot Windows devices
Microsoft Intune provides many tools that can help you troubleshoot Windows devices.
Here's a collection of resources to help you troubleshoot Windows devices managed by Intune:
- [Troubleshooting device enrollment in Intune][MEM-2]
- [Troubleshooting Windows Autopilot][MEM-9]
- [Troubleshoot Windows Wi-Fi profiles][MEM-6]
- [Troubleshooting policies and profiles in Microsoft Intune][MEM-5]
- [Troubleshooting BitLocker with the Intune encryption report][MEM-4]
- [Troubleshooting CSP custom settings][MEM-8]
- [Troubleshooting Win32 app installations with Intune][MEM-7]
- [Troubleshooting device actions in Intune][MEM-3]
- [**Collect diagnostics**][MEM-10] is a remote action that lets you collect and download Windows device logs without interrupting the user
:::image type="content" source="./images/intune-diagnostics.png" alt-text="Intune for Education dashboard" lightbox="./images/intune-diagnostics.png" border="true":::
## How to contact Microsoft Support
Microsoft provides global technical, pre-sales, billing, and subscription support for cloud-based device management services. This support includes Microsoft Intune, Configuration Manager, Windows 365, and Microsoft Managed Desktop.
Follow these steps to obtain support in Microsoft Intune provides many tools that can help you troubleshoot Windows devices:
- Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
- Select **Troubleshooting + support** > **Help and support**
:::image type="content" source="images/advanced-support.png" alt-text="Screenshot that shows how to obtain support from Microsoft Intune." lightbox="images/advanced-support.png":::
- Select the required support scenario: Configuration Manager, Intune, Co-management, or Windows 365
- Above **How can we help?**, select one of three icons to open different panes: *Find solutions*, *Contact support*, or *Service requests*
- In the **Find solutions** pane, use the text box to specify a few details about your issue. The console may offer suggestions based on what you've entered. Depending on the presence of specific keywords, the console provides help like:
- Run diagnostics: start automated tests and investigations of your tenant from the console to reveal known issues. When you run a diagnostic, you may receive mitigation steps to help with resolution
- View insights: find links to documentation that provides context and background specific to the product area or actions you've described
- Recommended articles: browse suggested troubleshooting topics and other content related to your issue
- If needed, use the *Contact support* pane to file an online support ticket
> [!IMPORTANT]
> When opening a case, be sure to include as many details as possible in the *Description* field. Such information includes: timestamp and date, device ID, device model, serial number, OS version, and any other details relevant to the issue.
- To review your case history, select the **Service requests** pane. Active cases are at the top of the list, with closed issues also available for review
For more information, see [Microsoft Intune support page][MEM-1]
<!-- Reference links in article -->
[MEM-1]: /mem/get-support
[MEM-2]: /troubleshoot/mem/intune/troubleshoot-device-enrollment-in-intune
[MEM-3]: /troubleshoot/mem/intune/troubleshoot-device-actions
[MEM-4]: /troubleshoot/mem/intune/troubleshoot-bitlocker-admin-center
[MEM-5]: /troubleshoot/mem/intune/troubleshoot-policies-in-microsoft-intune
[MEM-6]: /troubleshoot/mem/intune/troubleshoot-wi-fi-profiles#troubleshoot-windows-wi-fi-profiles
[MEM-7]: /troubleshoot/mem/intune/troubleshoot-win32-app-install
[MEM-8]: /troubleshoot/mem/intune/troubleshoot-csp-custom-settings
[MEM-9]: /mem/autopilot/troubleshooting
[MEM-10]: /mem/intune/remote-actions/collect-diagnostics