This commit is contained in:
MandiOhlinger 2021-10-28 16:12:54 -04:00
parent 38f59b0194
commit 7966b21373


@ -554,7 +554,7 @@ To create and configure your Microsoft Store for Business portal, use the admini
#### To create and configure a Microsoft Store for Business portal #### To create and configure a Microsoft Store for Business portal
1. In Microsoft Edge or Internet Explorer, go to `https://microsoft.com/business-store`. 1. In Microsoft Edge or Internet Explorer, go to [https://microsoft.com/business-store](https://microsoft.com/business-store).
2. On the **Microsoft Store for Business** page, click **Sign in with an organizational account**. 2. On the **Microsoft Store for Business** page, click **Sign in with an organizational account**.
If your institution has AD DS, then dont create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant. If your institution has AD DS, then dont create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant.
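Review bot: The context line "If your institution has AD DS, then dont create security accounts in Office 365" mixes its terms: it warns against creating "security accounts" and then tells the reader to "create the security groups in AD DS", so the first should read "security groups" (and "dont" is missing its apostrophe). The step 1 change from a backtick URL to a markdown link is fine as is.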
@ -714,7 +714,7 @@ For a school, there are many ways to manage devices. Table 10 lists the methods
| Method | Description | | Method | Description |
| --- | --- | | --- | --- |
| **Group Policy** | Group Policy is an integral part of AD DS and allows you to specify configuration settings for Windows 10 and previous versions of Windows. Select this method when you: <br/><br/>- Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined).<br/>- Want more granular control of device and user settings.<br/>- Have an existing AD DS infrastructure.<br/>- Typically manage on-premises devices.<br/>- Can manage a required setting only by using Group Policy.<br/><br/>The advantages of this method include:<br/><br/>- No cost beyond the AD DS infrastructure.<br/>- A larger number of settings.<br/><br/>The disadvantages of this method are:<br/><br/>- Can only manage domain-joined (institution-owned devices).<br/>- Requires an AD DS infrastructure (if the institution does not have AD DS already).<br/>- Typically manages on-premises devices (unless devices connect by using a VPN or DirectAccess). | | **Group Policy** | Group Policy is an integral part of AD DS and allows you to specify configuration settings for Windows 10 and previous versions of Windows. Select this method when you: <br/><br/>- Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined).<br/>- Want more granular control of device and user settings.<br/>- Have an existing AD DS infrastructure.<br/>- Typically manage on-premises devices.<br/>- Can manage a required setting only by using Group Policy.<br/><br/>The advantages of this method include:<br/><br/>- No cost beyond the AD DS infrastructure.<br/>- A larger number of settings.<br/><br/>The disadvantages of this method are:<br/><br/>- Can only manage domain-joined (institution-owned devices).<br/>- Requires an AD DS infrastructure (if the institution does not have AD DS already).<br/>- Typically manages on-premises devices (unless devices connect by using a VPN or DirectAccess). |
| **Intune** | Intune is a cloud-based management system that allows you to specify configuration settings for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.<br/><br/>Select this method when you:<br/><br/>- Want to manage institution-owned and personal devices (does not require that the device be domain joined).<br/>- Dont require the level of granular control over device and user settings (compared to Group Policy).<br/>- Dont have an existing AD DS infrastructure.<br/>- Need to manage devices regardless of where they are (on or off premises).<br/>- Can manage a required setting only by using Intune.<br/><br/>The advantages of this method are:<br/><br/>- You can manage institution-owned and personal devices.<br/>- It doesnt require that devices be domain joined.<br/>- It doesnt require any on-premises infrastructure.<br/>- It can manage devices regardless of their location (on or off premises).<br/><br/>The disadvantages of this method are:<br/><br/>- Carries an additional cost for subscription.<br/>- Doesnt have a granular level control over device and user settings (compared to Group Policy). | | **Intune** | Intune is a cloud-based management system that allows you to specify configuration settings for Windows 10 and other operating systems, such as iOS/iPadOS, macOS, and Android. 
Intune is a subscription-based cloud service that integrates with Microsoft 365 and Azure AD.<br/><br/>Select this method when you:<br/><br/>- Want to manage institution-owned and personal devices (does not require that the device be domain joined).<br/>- Dont require the level of granular control over device and user settings (compared to Group Policy).<br/>- Dont have an existing AD DS infrastructure.<br/>- Need to manage devices regardless of where they are (on or off premises).<br/>- Can manage a required setting only by using Intune.<br/><br/>The advantages of this method are:<br/><br/>- You can manage institution-owned and personal devices.<br/>- It doesnt require that devices be domain joined.<br/>- It doesnt require any on-premises infrastructure.<br/>- It can manage devices regardless of their location (on or off premises).<br/><br/>The disadvantages of this method are:<br/><br/>- Carries an additional cost for subscription.<br/>- Doesnt have a granular level control over device and user settings (compared to Group Policy). |
--- ---
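Review bot: The Intune row now says the service "integrates with Microsoft 365 and Azure AD", while the rest of this page still says "Office 365" (the AD DS note in the Store for Business steps and the prerequisite sentence in "Configure settings by using Intune" both keep the old name), so the rename should be applied consistently or not at all. The new cell also appears split after "such as iOS/iPadOS, macOS, and Android." with "Intune is a subscription-based cloud service..." on the next line; the hunk header still reports 7 lines on both sides, so this is probably display wrapping, but confirm the cell stays on one physical line, since a newline inside a markdown table row ends the row. While touching this row, "Doesnt have a granular level control over device and user settings" would read better as "Doesn't provide the granular control over device and user settings that Group Policy does".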
@ -727,7 +727,7 @@ Microsoft has several recommended settings for educational institutions. Table 1
--- ---
| Recommendation | Description | | Recommendation | Description |
| --- | --- | | --- | --- |
| **Use of Microsoft accounts** | You want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, do not use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.<br/><br/>Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices.<br/><br/>**Group Policy**: Configure the [Accounts: Block Microsoft accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj966262(v=ws.11)?amp;MSPPError=-2147217396&f=255) Group Policy setting to use the Users cant add Microsoft accounts setting option.<br/><br/>**Intune**: Enable or disable the camera by using the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy. | | **Use of Microsoft accounts** | You want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, do not use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.<br/><br/>Personal devices typically use Microsoft accounts. 
Faculty and students can associate their Microsoft account with their Azure AD account on these devices.<br/><br/>**Group Policy**: Configure the [Accounts: Block Microsoft accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj966262(v=ws.11)?amp;MSPPError=-2147217396&f=255) Group Policy setting to use the Users cant add Microsoft accounts setting option.<br/><br/>**Intune**: Enable or disable Microsoft accounts by using the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy. |
| **Restrict local administrator accounts on the devices** | Ensure that only authorized users are local administrators on institution-owned devices. Typically, you dont want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.<br/><br/>**Group Policy**: Create a **Local Group** Group Policy preference to limit the local administrators group membership. Select the **Delete all member users** and **Delete all member groups** check boxes to remove any existing members. For more information about how to configure Local Group preferences, see [Configure a Local Group Item](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732525(v=ws.11)).<br/><br/>**Intune**: Not available | | **Restrict local administrator accounts on the devices** | Ensure that only authorized users are local administrators on institution-owned devices. Typically, you dont want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.<br/><br/>**Group Policy**: Create a **Local Group** Group Policy preference to limit the local administrators group membership. Select the **Delete all member users** and **Delete all member groups** check boxes to remove any existing members. For more information about how to configure Local Group preferences, see [Configure a Local Group Item](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732525(v=ws.11)).<br/><br/>**Intune**: Not available |
| **Manage the built-in administrator account created during device deployment** | When you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and optionally disable it.<br/><br/>**Group Policy**: Rename the built-in Administrator account by using the **Accounts: Rename administrator account** Group Policy setting. For more information about how to rename the built-in Administrator account, see [To rename the Administrator account using the Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-essentials-sbs/cc747484(v=ws.10)). You will specify the new name for the Administrator account. You can disable the built-in Administrator account by using the **Accounts: Administrator account status** Group Policy setting. For more information about how to disable the built-in Administrator account, see [Accounts: Administrator account status](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852165(v=ws.11)).<br/><br/>**Intune**: Not available. | | **Manage the built-in administrator account created during device deployment** | When you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and optionally disable it.<br/><br/>**Group Policy**: Rename the built-in Administrator account by using the **Accounts: Rename administrator account** Group Policy setting. For more information about how to rename the built-in Administrator account, see [To rename the Administrator account using the Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-essentials-sbs/cc747484(v=ws.10)). You will specify the new name for the Administrator account. 
You can disable the built-in Administrator account by using the **Accounts: Administrator account status** Group Policy setting. For more information about how to disable the built-in Administrator account, see [Accounts: Administrator account status](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852165(v=ws.11)).<br/><br/>**Intune**: Not available. |
| **Control Microsoft Store access** | You can control access to Microsoft Store and whether existing Microsoft Store apps receive updates. You can only disable the Microsoft Store app in Windows 10 Education and Windows 10 Enterprise.<br/><br/>**Group Policy**: You can disable the Microsoft Store app by using the **Turn off the Store Application** Group Policy setting. You can prevent Microsoft Store apps from receiving updates by using the **Turn off Automatic Download and Install of updates** Group Policy setting. For more information about configuring these settings, see [Can I use Group Policy to control the Microsoft Store in my enterprise environment?](/previous-versions/windows/it-pro/windows-8.1-and-8/hh832040(v=ws.11)#BKMK_UseGP).<br/><br/>**Intune**: You can enable or disable the camera by using the **Allow application store** policy setting in the **Apps** section of a **Windows 10 General Configuration** policy. | | **Control Microsoft Store access** | You can control access to Microsoft Store and whether existing Microsoft Store apps receive updates. You can only disable the Microsoft Store app in Windows 10 Education and Windows 10 Enterprise.<br/><br/>**Group Policy**: You can disable the Microsoft Store app by using the **Turn off the Store Application** Group Policy setting. You can prevent Microsoft Store apps from receiving updates by using the **Turn off Automatic Download and Install of updates** Group Policy setting. For more information about configuring these settings, see [Can I use Group Policy to control the Microsoft Store in my enterprise environment?](/previous-versions/windows/it-pro/windows-8.1-and-8/hh832040(v=ws.11)#BKMK_UseGP).<br/><br/>**Intune**: You can enable or disable the camera by using the **Allow application store** policy setting in the **Apps** section of a **Windows 10 General Configuration** policy. |
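Review bot: The copy-paste error fixed in the "Use of Microsoft accounts" row ("Enable or disable the camera" becoming "Enable or disable Microsoft accounts") is still present, unchanged, in the "Control Microsoft Store access" row, which says "You can enable or disable the camera by using the **Allow application store** policy setting"; that should read "enable or disable Microsoft Store access". Two more fixes in the same table: "instruction-owned devices" in the "Restrict local administrator accounts" row should be "institution-owned devices", and the "Accounts: Block Microsoft accounts" link still carries the stray query string "?amp;MSPPError=-2147217396&f=255", the same debris this commit removed from the WSUS link in the maintenance table.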
@ -754,7 +754,7 @@ For more information about Group Policy, see [Group Policy Planning and Deployme
### Configure settings by using Intune ### Configure settings by using Intune
Now, youre ready to configure settings by using Intune. The steps in this section assume that you have an Office 365 subscription. You will configure the Intune settings that you selected in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section. Now, youre ready to configure settings using Intune. The steps in this section assume that you have an Office 365 subscription. You will configure the Intune settings that you selected in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section.
For more information about Intune, see [Documentation for Microsoft Intune](/mem/intune/). For more information about Intune, see [Documentation for Microsoft Intune](/mem/intune/).
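Review bot: "The steps in this section assume that you have an Office 365 subscription" is the wrong prerequisite for an Intune section: Intune is not part of Office 365 itself, and the Intune row of the management-methods table was changed in this same commit to say "Microsoft 365", so this sentence should name a subscription that includes Intune and use the same product name. The "by using" to "using" change is purely stylistic and fine.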
@ -863,8 +863,8 @@ Table 13 lists the school and individual classroom maintenance tasks, the resour
--- ---
| Task and resources | Monthly | New semester or academic year | As required | | Task and resources | Monthly | New semester or academic year | As required |
| --- | --- | --- | --- | | --- | --- | --- | --- |
| Verify that Windows Update is active and current with operating system and software updates.<br/><br/>For more information about completing this task when you have:<br/><br/>- Intune: See [Keep Windows PCs up to date with software updates in Microsoft Intune](https://www.microsoft.com/insidetrack/keeping-windows-10-devices-up-to-date-with-microsoft-intune-and-windows-update-for-business)<br/>- Group Policy: See [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb)<br/>- Windows Server Update Services (WSUS): See [Windows Server Update Services](/windows/deployment/deploy-whats-new?amp;MSPPError=-2147217396&f=255)<br/>- Neither Intune, Group Policy, or WSUS: See [Update Windows](https://support.microsoft.com/windows/update-windows-3c5ae7fc-9fb6-9af1-1984-b5e0412c556a). | ✔️ | ✔️ | ✔️ | | Verify that Windows Update is active and current with operating system and software updates.<br/><br/>For more information about completing this task, see:<br/><br/>- Intune: See [Keep Windows PCs up to date with software updates in Microsoft Intune](https://www.microsoft.com/en-us/insidetrack/keeping-windows-10-devices-up-to-date-with-microsoft-intune-and-windows-update-for-business)<br/>- Group Policy: See [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb)<br/>- Windows Server Update Services (WSUS): See [Deploy Windows Server Update Services](/windows-server/administration/windows-server-update-services/deploy/deploy-windows-server-update-services)<br/>- Neither Intune, Group Policy, or WSUS: See [Update Windows](https://support.microsoft.com/windows/update-windows-3c5ae7fc-9fb6-9af1-1984-b5e0412c556a). | ✔️ | ✔️ | ✔️ |
| Verify that Windows Defender is active and current with malware Security intelligence.<br/><br/>For more information about completing this task, see [Turn Windows Defender on or off](https://support.microsoft.com/windows/turn-windows-security-on-or-off-888b963f-8dde-7952-a2e7-a2301879472d#v1h=tab01) and [Updating Windows Defender](https://windows.microsoft.com/windows-10/how-to-protect-your-windows-10-pc#v1h=tab03). | ✔️ | ✔️ | ✔️ | | Verify that Windows Defender is active and current with malware Security intelligence.<br/><br/>For more information, see [Enforce compliance for Microsoft Defender for Endpoint with Conditional Access in Intune](/mem/intune/protect/advanced-threat-protection) and [Enable and configure Microsoft Defender Antivirus always-on protection in Group Policy](/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus)). | ✔️ | ✔️ | ✔️ |
| Verify that Windows Defender has run a scan in the past week and that no viruses or malware were found.<br/><br/>For more information about completing this task, see [Protect my PC from viruses](https://support.microsoft.com/windows/protect-my-pc-from-viruses-b2025ed1-02d5-1e87-ba5f-71999008e026). | ✔️ | ✔️ | ✔️ | | Verify that Windows Defender has run a scan in the past week and that no viruses or malware were found.<br/><br/>For more information about completing this task, see [Protect my PC from viruses](https://support.microsoft.com/windows/protect-my-pc-from-viruses-b2025ed1-02d5-1e87-ba5f-71999008e026). | ✔️ | ✔️ | ✔️ |
| Verify that you are using the appropriate Windows 10 servicing options for updates and upgrades (such as selecting whether you want to use Current Branch or Current Branch for Business).<br/><br/> For more information about Windows 10 servicing options for updates and upgrades, see [Windows 10 servicing options for updates and upgrades](/windows/deployment/update/). | | ✔️ | ✔️ | | Verify that you are using the appropriate Windows 10 servicing options for updates and upgrades (such as selecting whether you want to use Current Branch or Current Branch for Business).<br/><br/> For more information about Windows 10 servicing options for updates and upgrades, see [Windows 10 servicing options for updates and upgrades](/windows/deployment/update/). | | ✔️ | ✔️ |
| Refresh the operating system and apps on devices.<br/><br/>For more information about completing this task, see the [Deploy Windows 10 to devices](#deploy-windows-10-to-devices) section. | | ✔️ | ✔️ | | Refresh the operating system and apps on devices.<br/><br/>For more information about completing this task, see the [Deploy Windows 10 to devices](#deploy-windows-10-to-devices) section. | | ✔️ | ✔️ |
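Review bot: The Windows Defender row's new text has an unbalanced parenthesis: "...configure-real-time-protection-microsoft-defender-antivirus))." closes the link with two ")" characters, so the rendered line will end with a stray ")". The new Intune link in that row, "Enforce compliance for Microsoft Defender for Endpoint with Conditional Access in Intune", also covers compliance-based Conditional Access rather than verifying that the antivirus engine is on and its security intelligence is current, which is what this task checks; an Intune antivirus policy topic would match the task better. In the Windows Update row, the lead-in now reads "For more information about completing this task, see:" while every bullet still begins "See [...]", so one of the two should go, and the Inside Track URL gained an "en-us" locale segment that no other URL on this page uses. Finally, the unchanged servicing row still says "Current Branch or Current Branch for Business", which is obsolete Windows 10 servicing terminology and worth updating while this table is being edited.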