Merge branch 'main' into alexbuckgit/docutune-docs-link-absolute-autopr-20220826-145242-5163947

.openpublishing.redirection.json

@@ -1,5 +1,10 @@
 {
   "redirections": [
+    {
+      "source_path": "windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md",
+      "redirect_url": "/windows/security/windows/security/identity-protection/hello-for-business/webauthn-apis",
+      "redirect_document_id": false  
+    },
     {
       "source_path": "windows/application-management/manage-windows-mixed-reality.md",
       "redirect_url": "/windows/mixed-reality/enthusiast-guide/manage-windows-mixed-reality",

education/breadcrumb/toc.yml

@@ -1,3 +1,4 @@
+items:
 - name: Docs
   tocHref: /
   topicHref: /
@@ -12,4 +13,7 @@
       - name: Windows
         tocHref: /education/windows
         topicHref: /education/windows/index
-        
+      - name: Windows
+        tocHref: /windows/security/
+        topicHref: /education/windows/index
+        

education/windows/TOC.yml

@@ -1,73 +1,99 @@
-- name: Windows 11 SE for Education
+items:
+- name: Windows for Education Documentation
+  href: index.yml
+- name: Tutorials
+  expanded: true
   items:
-   - name: Overview
-     href: windows-11-se-overview.md
-   - name: Settings and CSP list
-     href: windows-11-se-settings-list.md
-- name: Windows 10 for Education
-  href: index.md
+  - name: Deploy and manage Windows devices in a school
+    href: tutorial-school-deployment/toc.yml
+- name: Concepts
   items: 
+    - name: Windows 11 SE
+      items:
+      - name: Overview
+        href: windows-11-se-overview.md
+      - name: Settings and CSP list
+        href: windows-11-se-settings-list.md
+    - name: Windows in S Mode
+      items:
+      - name: Test Windows 10 in S mode on existing Windows 10 education devices
+        href: test-windows10s-for-edu.md
+      - name: Enable Windows 10 in S mode on Surface Go devices
+        href: enable-s-mode-on-surface-go-devices.md
     - name: Windows 10 editions for education customers
       href: windows-editions-for-education-customers.md
+    - name: Shared PC mode for school devices
+      href: set-up-school-pcs-shared-pc-mode.md
     - name: Windows 10 configuration recommendations for education customers
       href: configure-windows-for-education.md
-    - name: Deployment recommendations for school IT administrators
-      href: edu-deployment-recommendations.md
-    - name: Set up Windows devices for education
-      href: set-up-windows-10.md
+- name: How-to-guides
+  items:
+    - name: Use the Set up School PCs app
+      href: use-set-up-school-pcs-app.md
+    - name: Take tests and assessments in Windows
       items: 
-        - name: What's new in Set up School PCs
-          href: set-up-school-pcs-whats-new.md
-        - name: Technical reference for the Set up School PCs app
-          href: set-up-school-pcs-technical.md
-          items: 
-            - name: Azure AD Join for school PCs
-              href: set-up-school-pcs-azure-ad-join.md
-            - name: Shared PC mode for school devices
-              href: set-up-school-pcs-shared-pc-mode.md
-            - name: Provisioning package settings
-              href: set-up-school-pcs-provisioning-package.md
-        - name: Use the Set up School PCs app
-          href: use-set-up-school-pcs-app.md
-        - name: Set up student PCs to join domain
-          href: set-up-students-pcs-to-join-domain.md
-        - name: Provision student PCs with apps
-          href: set-up-students-pcs-with-apps.md
-    - name: Take tests in Windows 10
-      href: take-tests-in-windows-10.md
-      items: 
-        - name: Set up Take a Test on a single PC
+        - name: Overview
+          href: take-tests-in-windows-10.md
+        - name: Configure Take a Test on a single PC
           href: take-a-test-single-pc.md
-        - name: Set up Take a Test on multiple PCs
+        - name: Configure a Test on multiple PCs
           href: take-a-test-multiple-pcs.md
-        - name: Take a Test app technical reference
-          href: take-a-test-app-technical.md
+    - name: Change Windows edition
+      items: 
+      - name: Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode
+        href: s-mode-switch-to-edu.md
+      - name: Change to Windows 10 Pro Education from Windows 10 Pro
+        href: change-to-pro-education.md
+      - name: Upgrade Windows Home to Windows Education on student-owned devices
+        href: change-home-to-edu.md
+    - name: "Get and deploy Minecraft: Education Edition"
+      items: 
+      - name: "Get Minecraft: Education Edition"
+        href: get-minecraft-for-education.md
+      - name: "For IT administrators: get Minecraft Education Edition"
+        href: school-get-minecraft.md
+      - name: "For teachers: get Minecraft Education Edition"
+        href: teacher-get-minecraft.md
+    - name: Work with Microsoft Store for Education
+      href: education-scenarios-store-for-business.md
+    - name: Migrate from Chromebook to Windows
+      items: 
+        - name: Chromebook migration guide
+          href: chromebook-migration-guide.md
+    - name: Deploy Windows 10 devices in a school
+      items: 
+      - name: Overview
+        href: deploy-windows-10-overview.md
+      - name: Deploy Windows 10 in a school
+        href: deploy-windows-10-in-a-school.md
+      - name: Deploy Windows 10 in a school district
+        href: deploy-windows-10-in-a-school-district.md
+      - name: Deployment recommendations for school IT administrators
+        href: edu-deployment-recommendations.md
+      - name: Set up Windows devices for education
+        items: 
+          - name: Overview
+            href: set-up-windows-10.md
+          - name: Azure AD join for school PCs
+            href: set-up-school-pcs-azure-ad-join.md
+          - name: Active Directory join for school PCs
+            href: set-up-students-pcs-to-join-domain.md
+          - name: Provision student PCs with apps
+            href: set-up-students-pcs-with-apps.md
     - name: Reset devices with Autopilot Reset
       href: autopilot-reset.md
-    - name: Working with Microsoft Store for Education
-      href: education-scenarios-store-for-business.md
-    - name: "Get Minecraft: Education Edition"
-      href: get-minecraft-for-education.md
-      items: 
-        - name: "For teachers: get Minecraft Education Edition"
-          href: teacher-get-minecraft.md
-        - name: "For IT administrators: get Minecraft Education Edition"
-          href: school-get-minecraft.md
-    - name: Test Windows 10 in S mode on existing Windows 10 education devices
-      href: test-windows10s-for-edu.md
-    - name: Enable Windows 10 in S mode on Surface Go devices
-      href: enable-s-mode-on-surface-go-devices.md
-    - name: Deploy Windows 10 in a school
-      href: deploy-windows-10-in-a-school.md
-    - name: Deploy Windows 10 in a school district
-      href: deploy-windows-10-in-a-school-district.md
-    - name: Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode
-      href: s-mode-switch-to-edu.md
-    - name: Change to Windows 10 Pro Education from Windows 10 Pro
-      href: change-to-pro-education.md
-    - name: Upgrade Windows Home to Windows Education on student-owned devices
-      href: change-home-to-edu.md
-    - name: Chromebook migration guide
-      href: chromebook-migration-guide.md
+- name: Reference
+  items:
+    - name: Set up School PCs
+      items:
+      - name: Set up School PCs app technical reference
+        href: set-up-school-pcs-technical.md
+      - name: Provisioning package settings
+        href: set-up-school-pcs-provisioning-package.md
+      - name: What's new in Set up School PCs
+        href: set-up-school-pcs-whats-new.md
+    - name: Take a Test app technical reference
+      href: take-a-test-app-technical.md
     - name: Change history for Windows 10 for Education
       href: change-history-edu.md
+      

education/windows/change-history-edu.md

@@ -17,7 +17,7 @@ appliesto:
 ---
 # Change history for Windows 10 for Education
 
-This topic lists new and updated topics in the [Windows 10 for Education](index.md) documentation.
+This topic lists new and updated topics in the [Windows 10 for Education](index.yml) documentation.
 
 ## May 2019
 

education/windows/deploy-windows-10-in-a-school-district.md

@@ -1278,9 +1278,9 @@ You've now identified the tasks you need to perform monthly, at the end of an ac
 * [Try it out: Windows 10 in the classroom](../index.yml)
 * [Chromebook migration guide](./chromebook-migration-guide.md)
 * [Deploy Windows 10 in a school](./deploy-windows-10-in-a-school.md)
-* [Automate common Windows 10 deployment and configuration tasks for a school environment (video)](./index.md)
-* [Deploy a custom Windows 10 Start menu layout for a school (video)](./index.md)
-* [Manage Windows 10 updates and upgrades in a school environment (video)](./index.md)
-* [Reprovision devices at the end of the school year (video)](./index.md)
-* [Use MDT to deploy Windows 10 in a school (video)](./index.md)
-* [Use Microsoft Store for Business in a school environment (video)](./index.md)
+* [Automate common Windows 10 deployment and configuration tasks for a school environment (video)](./index.yml)
+* [Deploy a custom Windows 10 Start menu layout for a school (video)](./index.yml)
+* [Manage Windows 10 updates and upgrades in a school environment (video)](./index.yml)
+* [Reprovision devices at the end of the school year (video)](./index.yml)
+* [Use MDT to deploy Windows 10 in a school (video)](./index.yml)
+* [Use Microsoft Store for Business in a school environment (video)](./index.yml)

education/windows/deploy-windows-10-in-a-school.md

@@ -19,11 +19,6 @@ appliesto:
 
 # Deploy Windows 10 in a school
 
-
-**Applies to**
-
-- Windows 10
-
 This guide shows you how to deploy the Windows 10 operating system in a school environment. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Intune and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you'll perform after initial deployment and the automated tools and built-in features of the operating system.
 
 ## Prepare for school deployment

education/windows/index.yml

@@ -0,0 +1,85 @@
+### YamlMime:Landing
+
+title: Windows for Education documentation
+summary: Evaluate, plan, deploy, and manage Windows devices in an education environment
+
+metadata:
+  title: Windows for Education documentation
+  description: Learn about how to plan, deploy and manage Windows devices in an education environment with Microsoft Intune
+  ms.topic: landing-page
+  ms.prod: windows
+  ms.collection: education
+  author: paolomatarazzo
+  ms.author: paoloma
+  ms.date: 08/10/2022
+  ms.reviewer: 
+  manager: aaroncz
+  ms.localizationpriority: medium
+
+# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
+# Cards and links should be based on top customer tasks or top subjects
+# Start card title with a verb
+  # Card (optional)
+
+landingContent: 
+
+  - title: Get started
+    linkLists:
+      - linkListType: tutorial
+        links:
+        - text: Deploy and manage Windows devices in a school
+          url: tutorial-school-deployment/index.md
+        - text: Prepare your tenant
+          url: tutorial-school-deployment/set-up-azure-ad.md
+        - text: Configure settings and applications with Microsoft Intune
+          url: tutorial-school-deployment/configure-devices-overview.md
+        - text: Manage devices with Microsoft Intune
+          url: tutorial-school-deployment/manage-overview.md
+        - text: Management functionalities for Surface devices
+          url: tutorial-school-deployment/manage-surface-devices.md     
+
+
+  - title: Learn about Windows 11 SE
+    linkLists:
+      - linkListType: concept
+        links:
+        - text: What is Windows 11 SE?
+          url: windows-11-se-overview.md
+        - text: Windows 11 SE settings
+          url: windows-11-se-settings-list.md
+      - linkListType: video
+        links:
+        - text: Deploy Windows 11 SE using Set up School PCs
+          url: https://www.youtube.com/watch?v=Ql2fbiOop7c
+  
+
+  - title: Deploy devices with Set up School PCs
+    linkLists:
+      - linkListType: concept
+        links:
+        - text: What is Set up School PCs?
+          url: set-up-school-pcs-technical.md
+      - linkListType: how-to-guide
+        links:
+        - text: Use the Set up School PCs app
+          url: use-set-up-school-pcs-app.md
+      - linkListType: reference
+        links:
+        - text: Provisioning package settings
+          url: set-up-school-pcs-provisioning-package.md
+      - linkListType: video
+        links:
+        - text: Use the Set up School PCs App
+          url: https://www.youtube.com/watch?v=2ZLup_-PhkA
+
+
+  - title: Configure devices
+    linkLists:
+      - linkListType: concept
+        links:
+        - text: Take tests and assessments
+          url: take-tests-in-windows-10.md
+        - text: Change Windows editions
+          url: change-home-to-edu.md
+        - text: "Deploy Minecraft: Education Edition"
+          url: get-minecraft-for-education.md

education/windows/tutorial-school-deployment/configure-device-apps.md

@@ -0,0 +1,99 @@
+---
+title: Configure applications with Microsoft Intune
+description: Configure applications with Microsoft Intune in preparation to device deployment
+ms.date: 08/31/2022
+ms.prod: windows
+ms.technology: windows
+ms.topic: tutorial
+ms.localizationpriority: medium
+author: paolomatarazzo
+ms.author: paoloma
+#ms.reviewer: 
+manager: aaroncz
+ms.collection: education
+appliesto:
+- ✅ <b>Windows 10</b>
+- ✅ <b>Windows 11</b>
+- ✅ <b>Windows 11 SE</b>
+---
+
+# Configure applications with Microsoft Intune
+
+With Intune for Education, school IT administrators have access to diverse applications to help students unlock their learning potential. This section discusses tools and resources for adding apps to Intune for Education.
+
+Applications can be assigned to groups:
+
+- If you target apps to a **group of users**, the apps will be installed on any managed devices that the users sign into
+- If you target apps to a **group of devices**, the apps will be installed on those devices and available to any user who signs in
+
+In this section you will:
+> [!div class="checklist"]
+> * Add apps to Intune for Education
+> * Assign apps to groups
+> * Review some considerations for Windows 11 SE devices
+
+## Add apps to Intune for Education
+
+Intune for Education supports the deployment of two types of Windows applications: **web apps** and **desktop apps**.
+
+:::image type="content" source="./images/intune-education-apps.png" alt-text="Intune for Education - Apps" lightbox="./images/intune-education-apps.png" border="true":::
+
+### Desktop apps
+
+The addition of desktop applications to Intune should be carried out by repackaging the apps, and defining the commands to silently install them. The process is described in the article [Add, assign, and monitor a Win32 app in Microsoft Intune][MEM-1].
+
+### Web apps
+
+To create web applications in Intune for Education:
+
+1. Sign in to the <a href="https://intuneeducation.portal.azure.com/" target="_blank"><b>Intune for Education portal</b></a>
+1. Select **Apps**
+1. Select **New app** > **New web app**
+1. Provide a URL for the web app, a name and, optionally, an icon and description
+1. Select **Save**
+
+For more information, see [Add web apps][INT-2].
+
+## Assign apps to groups
+
+To assign applications to a group of users or devices:
+
+1. Sign in to the <a href="https://intuneeducation.portal.azure.com/" target="_blank"><b>Intune for Education portal</b></a>
+1. Select **Groups** > Pick a group to manage
+1. Select **Apps**
+1. Select either **Web apps** or **Windows apps**
+1. Select the apps you want to assign to the group > Save
+
+## Considerations for Windows 11 SE
+
+Windows 11 SE supports all web applications and a *curated list* of desktop applications.
+You can prepare and add a desktop app to Microsoft Intune as a Win32 app from the [approved app list][EDU-1].
+
+The process to add Win32 applications to Intune is described in the article [Add, assign, and monitor a Win32 app in Microsoft Intune][MEM-1].
+
+> [!NOTE]
+> If the applications you need aren't included in the list, anyone in your school district can submit an application request at <a href="https://edusupport.microsoft.com/support?product_id=win11se" target="_blank"><u>Microsoft Education Support</u></a>.
+
+> [!CAUTION]
+> If you assign an app to a device running **Windows 11 SE** and receive the **0x87D300D9** error code with a **Failed** state:
+> - Be sure the app is on the [<u>approved app list</u>][EDU-1]
+> - If you submitted a request to add your own app and it was approved, check that the app meets package requirements
+> - If the app is not approved, it will not run on Windows 11 SE. In this case, you will have to verify if the app can run in a web browser, such as a web app or PWA
+
+________________________________________________________
+
+## Next steps
+
+With the applications configured, you can now deploy students' and teachers' devices.
+
+> [!div class="nextstepaction"]
+> [Next: Deploy devices >](enroll-overview.md)
+
+<!-- Reference links in article -->
+
+[EDU-1]: /education/windows/windows-11-se-overview
+
+[MEM-1]: /mem/intune/apps/apps-win32-add
+
+[INT-1]: /intune-education/express-configuration-intune-edu
+[INT-2]: /intune-education/add-web-apps-edu

education/windows/tutorial-school-deployment/configure-device-settings.md

@@ -0,0 +1,142 @@
+---
+title: Configure and secure devices with Microsoft Intune
+description: Configure policies with Microsoft Intune in preparation to device deployment
+ms.date: 08/31/2022
+ms.prod: windows
+ms.technology: windows
+ms.topic: tutorial
+ms.localizationpriority: medium
+author: paolomatarazzo
+ms.author: paoloma
+#ms.reviewer: 
+manager: aaroncz
+ms.collection: education
+appliesto:
+- ✅ <b>Windows 10</b>
+- ✅ <b>Windows 11</b>
+- ✅ <b>Windows 11 SE</b>
+---
+
+# Configure and secure devices with Microsoft Intune
+
+With Intune for Education, you can configure settings for devices in the school, to ensure that they comply with specific policies.
+For example, you may need to secure your devices, ensuring that they are kept up to date. Or you may need to configure all the devices with the same look and feel.
+
+Settings can be assigned to groups:
+
+- If you target settings to a **group of users**, those settings will apply, regardless of what managed devices the targeted users sign in to
+- If you target settings to a **group of devices**, those settings will apply regardless of who is using the devices
+
+There are two ways to manage settings in Intune for Education:
+
+- **Express Configuration.** This option is used to configure a selection of settings that are commonly used in school environments
+- **Group settings.** This option is used to configure all settings that are offered by Intune for Education
+
+> [!NOTE]
+> Express Configuration is ideal when you are getting started. Settings are pre-configured to Microsoft-recommended values, but can be changed to fit your school's needs. It is recommended to use Express Configuration to initially set up your Windows devices.
+
+In this section you will:
+> [!div class="checklist"]
+> * Configure settings with Express Configuration
+> * Configure group settings
+> * Create Windows Update policies
+> * Configure security policies
+
+## Configure settings with Express Configuration
+
+With Express Configuration, you can get Intune for Education up and running in just a few steps. You can select a group of devices or users, select applications to distribute, and choose settings from the most commonly used in schools.
+
+> [!TIP]
+> To learn more, and practice step-by-step Express Configuration in Intune for Education, try <a href="https://www.microsoft.com/en-us/education/interactive-demos/deploy-apps-and-policies" target="_blank"><u>this interactive demo</u></a>.
+
+## Configure group settings
+
+Groups are used to manage users and devices with similar management needs, allowing you to apply changes to many devices or users at once. To review the available group settings:
+
+1. Sign in to the <a href="https://intuneeducation.portal.azure.com/" target="_blank"><b>Intune for Education portal</b></a>
+1. Select **Groups** > Pick a group to manage
+1. Select **Windows device settings**
+1. Expand the different categories and review information about individual settings
+
+Settings that are commonly configured for student devices include:
+
+- Wallpaper and lock screen background. See: [Lock screen and desktop][INT-7]
+- Wi-Fi connections. See: [Add Wi-Fi profiles][INT-8]
+- Enablement of the integrated testing and assessment solution *Take a test*. See: [Add Take a Test profile][INT-9]
+
+For more information, see [Windows device settings in Intune for Education][INT-3].
+
+## Create Windows Update policies
+
+It is important to keep Windows devices up to date with the latest security updates. You can create Windows Update policies using Intune for Education.
+
+To create a Windows Update policy:
+
+1. Select **Groups** > Pick a group to manage
+1. Select **Windows device settings**
+1. Expand the category **Update and upgrade**
+1. Configure the required settings as needed
+
+For more information, see [Updates and upgrade][INT-6].
+
+> [!NOTE]
+> If you require a more complex Windows Update policy, you can create it in Microsoft Endpoint Manager. For more information:
+> - [<u>What is Windows Update for Business?</u>][WIN-1]
+> - [<u>Manage Windows software updates in Intune</u>][MEM-1]
+
+## Configure security policies
+
+It is critical to ensure that the devices you manage are secured using the different security technologies available in Windows.
+Intune for Education provides different settings to secure devices.
+
+To create a security policy:
+
+1. Select **Groups** > Pick a group to manage
+1. Select **Windows device settings**
+1. Expand the category **Security**
+1. Configure the required settings as needed, including
+    - Windows Defender
+    - Windows Encryption
+    - Windows SmartScreen
+
+For more information, see [Security][INT-4].
+ 
+> [!NOTE]
+> If you require more sophisticated security policies, you can create them in Microsoft Endpoint Manager. For more information:
+> - [<u>Antivirus</u>][MEM-2]
+> - [<u>Disk encryption</u>][MEM-3]
+> - [<u>Firewall</u>][MEM-4]
+> - [<u>Endpoint detection and response</u>][MEM-5]
+> - [<u>Attack surface reduction</u>][MEM-6]
+> - [<u>Account protection</u>][MEM-7]
+
+________________________________________________________
+
+## Next steps
+
+With the Intune service configured, you can configure policies and applications to deploy to your students' and teachers' devices.
+
+> [!div class="nextstepaction"]
+> [Next: Configure applications >](configure-device-apps.md)
+
+<!-- Reference links in article -->
+
+[EDU-1]: /education/windows/windows-11-se-overview
+
+[INT-2]: /intune-education/express-configuration-intune-edu
+[INT-3]: /intune-education/all-edu-settings-windows
+[INT-4]: /intune-education/all-edu-settings-windows#security
+[INT-6]: /intune-education/all-edu-settings-windows#updates-and-upgrade
+[INT-7]: /intune-education/all-edu-settings-windows#lock-screen-and-desktop
+[INT-8]: /intune-education/add-wi-fi-profile
+[INT-9]: /intune-education/take-a-test-profiles
+
+[WIN-1]: /windows/deployment/update/waas-manage-updates-wufb
+
+[MEM-1]: /mem/intune/protect/windows-update-for-business-configure
+[MEM-2]: /mem/intune/protect/endpoint-security-antivirus-policy
+[MEM-3]: /mem/intune/protect/encrypt-devices
+[MEM-4]: /mem/intune/protect/endpoint-security-firewall-policy
+[MEM-5]: /mem/intune/protect/endpoint-security-edr-policy
+[MEM-6]: /mem/intune/protect/endpoint-security-asr-policy
+[MEM-7]: /mem/intune/protect/endpoint-security-account-protection-policy

education/windows/tutorial-school-deployment/configure-devices-overview.md

@@ -0,0 +1,70 @@
+---
+title: Configure devices with Microsoft Intune
+description: Configure policies and applications in preparation to device deployment
+ms.date: 08/31/2022
+ms.prod: windows
+ms.technology: windows
+ms.topic: tutorial
+ms.localizationpriority: medium
+author: paolomatarazzo
+ms.author: paoloma
+#ms.reviewer: 
+manager: aaroncz
+ms.collection: education
+appliesto:
+- ✅ <b>Windows 10</b>
+- ✅ <b>Windows 11</b>
+- ✅ <b>Windows 11 SE</b>
+---
+
+# Configure settings and applications with Microsoft Intune
+
+Before distributing devices to your users, you must ensure that the devices will be configured with the required policies, settings, and applications as they get enrolled in Intune.
+Microsoft Intune uses Azure AD groups to assign policies and applications to devices.
+With Microsoft Intune for Education, you can conveniently create groups and assign policies and applications to them.
+
+In this section you will:
+> [!div class="checklist"]
+> * Create groups
+> * Create and assign policies to groups
+> * Create and assign applications to groups
+
+## Create groups
+
+By organizing devices, students, classrooms, or learning curricula into groups, you can provide students with the resources and configurations they need.
+
+By default, Intune for Education creates two default groups: *All devices* and *All users*.
+Two additional groups are pre-created if you use **Microsoft School Data Sync (SDS)**: *All teachers* and *All students*. SDS can also be configured to automatically create and maintain groups of students and teachers for each school.
+
+:::image type="content" source="./images/intune-education-groups.png" alt-text="Intune for Education - Groups blade" border="true":::
+
+Beyond the defaults, groups can be customized to suit various needs. For example, if you have both *Windows 10* and *Windows 11 SE* devices in your school, you can create groups, such as *Windows 10 devices* and *Windows 11 SE devices*, to assign different policies and applications to.
+
+Two group types can be created:
+
+- **Assigned groups** are used when you want to manually add users or devices to a group
+- **Dynamic groups** reference rules that you create to assign students or devices to groups, which automate the membership's maintenance of those groups
+
+> [!TIP]
+> If you target applications and policies to a *device dynamic group*, they will be applied to the devices as soon as they are enrolled in Intune, before users signs in. This can be useful in bulk enrollment scenarios, where devices are enrolled without requiring users to sign in. Devices can be configured and prepared in advance, before distribution.
+
+For more information, see:
+
+- [Create groups in Intune for Education][EDU-1]
+- [Manually add or remove users and devices to an existing assigned group][EDU-2]
+- [Edit dynamic group rules to accommodate for new devices, locations, or school years][EDU-3]
+
+________________________________________________________
+
+## Next steps
+
+With the groups created, you can configure policies and applications to deploy to your groups.
+
+> [!div class="nextstepaction"]
+> [Next: Configure policies >](configure-device-settings.md)
+
+<!-- Reference links in article -->
+
+[EDU-1]: /intune-education/create-groups
+[EDU-2]: /intune-education/edit-groups-intune-for-edu
+[EDU-3]: /intune-education/edit-groups-intune-for-edu#edit-dynamic-group-rules

education/windows/tutorial-school-deployment/enroll-aadj.md

@@ -0,0 +1,42 @@
+---
+title: Enrollment in Intune with standard out-of-box experience (OOBE)
+description: how to join Azure AD for OOBE and automatically get the device enrolled in Intune
+ms.date: 08/31/2022
+ms.prod: windows
+ms.technology: windows
+ms.topic: tutorial
+ms.localizationpriority: medium
+author: paolomatarazzo
+ms.author: paoloma
+#ms.reviewer: 
+manager: aaroncz
+ms.collection: education
+appliesto:
+- ✅ <b>Windows 10</b>
+- ✅ <b>Windows 11</b>
+- ✅ <b>Windows 11 SE</b>
+---
+# Automatic Intune enrollment via Azure AD join
+
+If you're setting up a Windows device individually, you can use the out-of-box experience to join it to your school's Azure Active Directory tenant, and automatically enroll it in Intune.
+With this process, no advance preparation is needed:
+
+1. Follow the on-screen prompts for region selection, keyboard selection, and network connection
+1. Wait for updates. If any updates are available, they'll be installed at this time
+  :::image type="content" source="./images/win11-oobe-updates.png" alt-text="Windows 11 OOBE - updates page" border="true":::
+1. When prompted, select **Set up for work or school** and authenticate using your school's Azure Active Directory account
+  :::image type="content" source="./images/win11-oobe-auth.png" alt-text="Windows 11 OOBE - authentication page" border="true":::
+1. The device will join Azure AD and automatically enroll in Intune. All settings defined in Intune will be applied to the device
+
+> [!IMPORTANT]
+> If you configured enrollment restrictions in Intune blocking personal Windows devices, this process will not complete. You will need to use a different enrollment method, or ensure that the devices are registered in Autopilot.
+
+:::image type="content" source="./images/win11-login-screen.png" alt-text="Windows 11 login screen" border="false":::
+
+________________________________________________________
+## Next steps
+
+With the devices joined to Azure AD tenant and managed by Intune, you can use Intune to maintain them and report on their status.
+
+> [!div class="nextstepaction"]
+> [Next: Manage devices >](manage-overview.md)

education/windows/tutorial-school-deployment/enroll-autopilot.md

@@ -0,0 +1,160 @@
+---
+title: Enrollment in Intune with Windows Autopilot
+description: how to join Azure AD and enroll in Intune using Windows Autopilot
+ms.date: 08/31/2022
+ms.prod: windows
+ms.technology: windows
+ms.topic: tutorial
+ms.localizationpriority: medium
+author: paolomatarazzo
+ms.author: paoloma
+#ms.reviewer: 
+manager: aaroncz
+ms.collection: education
+appliesto:
+- ✅ <b>Windows 10</b>
+- ✅ <b>Windows 11</b>
+- ✅ <b>Windows 11 SE</b>
+---
+
+# Windows Autopilot
+
+Windows Autopilot is designed to simplify all parts of Windows devices lifecycle, from initial deployment through end of life. Using cloud-based services, Windows Autopilot can reduce the overall costs for deploying, managing, and retiring devices.
+
+Traditionally, IT pros spend a significant amount of time building and customizing images that will later be deployed to devices. Windows Autopilot introduces a new, simplified approach. Devices don't need to be reimaged, rather they can be deployed with the OEM image, and customized using cloud-based services.
+
+From the user's perspective, it only takes a few simple operations to make their device ready to use. The only interaction required from the end user is to set their language and regional settings, connect to a network, and verify their credentials. Everything beyond that is automated.
+
+## Prerequisites
+
+Before setting up Windows Autopilot, consider these prerequisites:
+
+- **Software requirements.** Ensure your school and devices meet the [software, networking, licensing, and configuration requirements][WIN-1] for Windows Autopilot
+- **Devices ordered and registered.** Ensure your school IT administrator or Microsoft partner has ordered the devices from an original equipment manufacturer (OEM) and registered them for the Autopilot deployment service. To connect with a partner, you can use the [Microsoft Partner Center][MSFT-1] and work with them to register your devices
+- **Networking requirements.** Ensure students know to connect to the school network during OOBE setup. For more information on managing devices behind firewalls and proxy servers, see [Network endpoints for Microsoft Intune][MEM-1]
+
+> [!NOTE]
+> Where not explicitly specified, both HTTPS (443) and HTTP (80) must be accessible. If you are auto-enrolling your devices into Microsoft Intune or deploying Microsoft Office, follow the networking guidelines for [<u>Microsoft Intune</u>][INT-1] and [<u>Microsoft 365</u>][M365-1].
+
+## Register devices to Windows Autopilot
+
+Before deployment, devices must be registered in the Windows Autopilot service. Each device's unique hardware identity (known as a *hardware hash*) must be uploaded to the Autopilot service. In this way, the Autopilot service can recognize which tenant devices belong to, and which OOBE experience it should present. There are three main ways to register devices to Autopilot:
+
+- **OEM registration process.** When you purchase devices from an OEM or Reseller, that company can automatically register devices to Windows Autopilot and associate them to your tenant. Before this registration can happen, a *Global Administrator* must grant the OEM/Reseller permissions to register devices. For more information, see [OEM registration][MEM-2]
+    > [!NOTE]
+    > For **Microsoft Surface registration**, collect the details shown in this [<u>documentation table</u>][SURF-1] and follow the instruction to submit the request form to Microsoft Support.
+- **Cloud Solution Provider (CSP) registration process.** As with OEMs, CSP partners must be granted permission to register devices for a school. For more information, see [Partner registration][MEM-5]
+    > [!TIP]
+    > Try the <a href="https://cloudpartners.transform.microsoft.com/resources/autopilot-in-edu-setup-english" target="_blank"><u>Microsoft Partner Center clickable demo</u></a>, which provides detailed steps to establish a partner relationship and register devices.
+- **Manual registration.** To manually register a device, you must first capture its hardware hash. Once this process has been completed, the hardware hash can be uploaded to the Windows Autopilot service using [Microsoft Intune][MEM-6]
+    > [!IMPORTANT]
+    > **Windows 11 SE** devices do not support the use of Windows PowerShell or Microsoft Configuration Manager to capture hardware hashes. Hardware hashes can only be captured manually. We recommend working with an OEM, partner, or device reseller to register devices.
+
+## Create groups for Autopilot devices
+
+**Windows Autopilot deployment profiles** determine the Autopilot *deployment mode* and define the out-of-box experience of your devices. A device group is required to assign a Windows Autopilot deployment profile to the devices.
+For this task, it's recommended to create dynamic device groups using Autopilot attributes.
+
+Here are the steps for creating a dynamic group for the devices that have an assigned Autopilot group tag:
+
+1. Sign in to the <a href="https://intuneeducation.portal.azure.com/" target="_blank"><b>Intune for Education portal</b></a>
+1. Select **Groups** > **Create group**
+1. Specify a **Group name** and select **Dynamic**
+1. Under **Rules**, select **I want to manage: Devices** and use the clause **Where: Device group tag starts with**, specifying the required tag value
+1. Select **Create group**
+    :::image type="content" source="./images/intune-education-autopilot-group.png" alt-text="Intune for Education - creation of a dynamic group for Autopilot devices" border="true":::
+
+More advanced dynamic membership rules can be created from Microsoft Endpoint Manager admin center. For more information, see [Create an Autopilot device group using Intune][MEM-3].
+
+> [!TIP]
+> You can use these dynamic groups not only to assign Autopilot profiles, but also to target applications and settings.
+
+## Create Autopilot deployment profiles
+
+For Autopilot devices to offer a customized OOBE experience, you must create **Windows Autopilot deployment profiles** and assign them to a group containing the devices.
+A deployment profile is a collection of settings that determine the behavior of the device during OOBE. Among other settings, a deployment profile specifies a **deployment mode**, which can either be:
+1. **User-driven:** devices with this profile are associated with the user enrolling the device. User credentials are required to complete the Azure AD join process during OOBE
+1. **Self-deploying:** devices with this profile aren't associated with the user enrolling the device. User credentials aren't required to complete the Azure AD join process. Rather, the device is joined automatically and, for this reason, specific hardware requirements must be met to use this mode.
+
+To create an Autopilot deployment profile:
+
+1. Sign in to the <a href="https://intuneeducation.portal.azure.com/" target="_blank"><b>Intune for Education portal</b></a>
+1. Select **Groups** > Select a group from the list
+1. Select **Windows device settings**
+1. Expand the **Enrolment** category
+1. From **Configure Autopilot deployment profile for device** select **User-driven**
+1. Ensure that **User account type** is configured as **Standard**
+1. Select **Save**
+
+While Intune for Education offers simple options for Autopilot configurations, more advanced deployment profiles can be created from Microsoft Endpoint Manager admin center. For more information, see [Windows Autopilot deployment profiles][MEM-4].
+
+### Configure an Enrollment Status Page
+
+An Enrollment Status Page (ESP) is a greeting page displayed to users while enrolling or signing in for the first time to Windows devices. The ESP displays provisioning progress, showing applications and profiles installation status.
+
+:::image type="content" source="./images/win11-oobe-esp.png" alt-text="Windows OOBE - enrollment status page" border="false":::
+
+> [!NOTE]
+> Some Windows Autopilot deployment profiles **require** the ESP to be configured.
+
+To deploy the ESP to devices, you need to create an ESP profile in Microsoft Endpoint Manager.
+
+> [!TIP]
+> While testing the deployment process, you can configure the ESP to:
+> - allow the reset of the devices in case the installation fails
+> - allow the use of the  device if installation error occurs
+>
+> This enables you to troubleshoot the installation process in case any issues arise and to easily reset the OS. You can turn these settings off once you are done testing.
+
+For more information, see [Set up the Enrollment Status Page][MEM-3].
+
+> [!CAUTION]
+> When targeting an ESP to **Windows 11 SE** devices, only applications included in the [<u>approved app list</u>][EDU-1] should part of the ESP configuration.
+
+### Autopilot end-user experience
+
+Once configuration is complete and devices are distributed, students and teachers are able to complete the out-of-box experience with Autopilot. They can set up their devices at home, at school, or wherever there's a reliable Internet connection.
+When a Windows device is turned on for the first time, the end-user experience with Windows Autopilot is as follows:
+
+1. Identify the language and region
+1. Select the keyboard layout and decide on the option for a second keyboard layout
+1. Connect to the internet: if connecting through Wi-Fi, the user will be prompted to connect to a wireless network. If the device is connected through an ethernet cable, Windows will skip this step
+1. Apply updates: the device will look for and apply required updates
+1. Windows will detect if the device has an Autopilot profile assigned to it. If so, it will proceed with the customized OOBE experience. If the Autopilot profile specifies a naming convention for the device, the device will be renamed, and a reboot will occur
+1. The user authenticates to Azure AD, using the school account
+1. The device joins Azure AD, enrolls in Intune and all the settings and applications are configured
+
+> [!NOTE]
+> Some of these steps may be skipped, depending on the Autopilot profile configuration and if the device is using a wired connection.
+
+:::image type="content" source="./images/win11-login-screen.png" alt-text="Windows 11 login screen" border="false":::
+
+________________________________________________________
+## Next steps
+
+With the devices joined to Azure AD tenant and managed by Intune, you can use Intune to maintain them and report on their status.
+
+> [!div class="nextstepaction"]
+> [Next: Manage devices >](manage-overview.md)
+
+<!-- Reference links in article -->
+
+[MEM-1]: /mem/intune/fundamentals/intune-endpoints
+[MEM-2]: /mem/autopilot/oem-registration
+[MEM-3]: /mem/autopilot/enrollment-autopilot#create-an-autopilot-device-group-using-intune
+[MEM-4]: /mem/autopilot/profiles
+[MEM-5]: /mem/autopilot/partner-registration
+[MEM-6]: /mem/autopilot/add-devices
+
+[WIN-1]: /windows/deployment/windows-autopilot/windows-autopilot-requirements
+
+[MSFT-1]: https://partner.microsoft.com/
+
+[INT-1]: /intune/network-bandwidth-use
+
+[M365-1]: https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2
+
+[EDU-1]: /education/windows/windows-11-se-overview
+[EDU-2]: /intune-education/windows-11-se-overview#windows-autopilot
+
+[SURF-1]: /surface/surface-autopilot-registration-support

education/windows/tutorial-school-deployment/enroll-overview.md

@@ -0,0 +1,48 @@
+---
+title: Device enrollment overview
+description: Options to enroll Windows devices in Microsoft Intune
+ms.date: 08/31/2022
+ms.prod: windows
+ms.technology: windows
+ms.topic: overview
+ms.localizationpriority: medium
+author: paolomatarazzo
+ms.author: paoloma
+#ms.reviewer: 
+manager: aaroncz
+ms.collection: education
+appliesto:
+- ✅ <b>Windows 10</b>
+- ✅ <b>Windows 11</b>
+- ✅ <b>Windows 11 SE</b>
+---
+
+# Device enrollment overview
+
+There are three main methods for joining Windows devices to Azure AD and getting them enrolled and managed by Intune:
+
+- **Automatic Intune enrollment via Azure AD join** happens when a user first turns on a device that is in out-of-box experience (OOBE), and selects the option to join Azure AD. In this scenario, the user can customize certain Windows functionalities before reaching the desktop, and becomes a local administrator of the device. This option isn't an ideal enrollment method for education devices
+- **Bulk enrollment with provisioning packages.** Provisioning packages are files that can be used to set up Windows devices, and can include information to connect to Wi-Fi networks and to join an Azure AD tenant. Provisioning packages can be created using either **Set Up School PCs** or **Windows Configuration Designer** applications. These files can be applied during or after the out-of-box experience
+- **Enrollment via Windows Autopilot.** Windows Autopilot is a collection of cloud services to configure the out-of-box experience, enabling light-touch or zero-touch deployment scenarios. Windows Autopilot simplifies the Windows device lifecycle, from initial deployment to end of life, for OEMs, resellers, IT administrators and end users
+
+## Choose the enrollment method
+
+**Windows Autopilot** and the **Set up School PCs** app are usually the most efficient options for school environments.
+This [table][INT-1] describes the ideal scenarios for using either option. It's recommended to review the table when planning your enrollment and deployment strategies.
+
+:::image type="content" source="./images/enroll.png" alt-text="The device lifecycle for Intune-managed devices - enrollment" border="false":::
+
+Select one of the following options to learn the next steps about the enrollment method you chose:
+
+> [!div class="nextstepaction"]
+> [Next: Automatic Intune enrollment via Azure AD join >](enroll-aadj.md)
+
+> [!div class="nextstepaction"]
+> [Next: Bulk enrollment with provisioning packages >](enroll-package.md)
+
+> [!div class="nextstepaction"]
+> [Next: Enroll devices with Windows Autopilot >](enroll-autopilot.md)
+
+<!-- Reference links in article -->
+
+[INT-1]: /intune-education/add-devices-windows#when-to-use-set-up-school-pcs-vs-windows-autopilot

education/windows/tutorial-school-deployment/enroll-package.md

@@ -0,0 +1,77 @@
+---
+title: Enrollment of Windows devices with provisioning packages
+description: options how to enroll Windows devices with provisioning packages using SUSPCs and Windows Configuration Designer
+ms.date: 08/31/2022
+ms.prod: windows
+ms.technology: windows
+ms.topic: tutorial
+ms.localizationpriority: medium
+author: paolomatarazzo
+ms.author: paoloma
+#ms.reviewer: 
+manager: aaroncz
+ms.collection: education
+appliesto:
+- ✅ <b>Windows 10</b>
+- ✅ <b>Windows 11</b>
+- ✅ <b>Windows 11 SE</b>
+---
+
+# Enrollment with provisioning packages
+
+Enrolling devices with provisioning packages is an efficient way to deploy a large number of Windows devices. Some of the benefits of provisioning packages are:
+
+- There are no particular hardware dependencies on the devices to complete the enrollment process
+- Devices don't need to be registered in advance
+- Enrollment is a simple task: just open a provisioning package and the process is automated
+
+You can create provisioning packages using either **Set Up School PCs** or **Windows Configuration Designer** applications, which are described in the following sections.
+
+## Set up School PCs
+
+With Set up School PCs, you can create a package containing the most common device configurations that students need, and enroll devices in Intune. The package is saved on a USB stick, which can then be plugged into devices during OOBE. Applications and settings will be automatically applied to the devices, including the Azure AD join and Intune enrollment process.
+
+### Create a provisioning package
+
+The Set Up School PCs app guides you through configuration choices for school-owned devices.
+
+:::image type="content" source="./images/supcs-win11se.png" alt-text="Configure device settings in Set Up School PCs app" border="false":::
+
+> [!CAUTION]
+> If you are creating a provisioning package for **Windows 11 SE** devices, ensure to select the correct *OS version* in the *Configure device settings* page.
+
+Set Up School PCs will configure many settings, allowing you to optimize devices for shared use and other scenarios.
+
+For more information on prerequisites, configuration, and recommendations, see [Use the Set Up School PCs app][EDU-1].
+
+> [!TIP]
+> To learn more and practice with Set up School PCs, try the <a href="https://www.microsoft.com/en-us/education/interactive-demos/enroll-devices-at-scale" target="_blank"><u>Set Up School PCs demo</u></a>, which provides detailed steps to create a provisioning package and deploy a device.
+## Windows Configuration Designer
+
+Windows Configuration Designer is especially useful in scenarios where a school needs to provision packages for both bring-you-own devices and school-owned devices. Differently from Set Up School PCs, Windows Configuration Designer doesn't offer a guided experience, and allows granular customizations, including the possibility to embed scripts in the package.
+
+:::image type="content" source="./images/wcd.png" alt-text="Set up device page in Windows Configuration Designer" border="false":::
+
+For more information, see [Install Windows Configuration Designer][WIN-1], which provides details about the app, its provisioning process, and considerations for its use.
+
+## Enroll devices with the provisioning package
+
+To provision Windows devices with provisioning packages, insert the USB stick containing the package during the out-of-box experience. The devices will read the content of the package, join Azure AD and automatically enroll in Intune.
+
+:::image type="content" source="./images/win11-oobe-ppkg.png" alt-text="Windows 11 OOBE - enrollment with provisioning package." border="false":::
+
+:::image type="content" source="./images/win11-login-screen.png" alt-text="Windows 11 login screen" border="false":::
+
+________________________________________________________
+## Next steps
+
+With the devices joined to Azure AD tenant and managed by Intune, you can use Intune to maintain them and report on their status.
+
+> [!div class="nextstepaction"]
+> [Next: Manage devices >](manage-overview.md)
+
+<!-- Reference links in article -->
+
+[EDU-1]: /education/windows/use-set-up-school-pcs-app
+
+[WIN-1]: /windows/configuration/provisioning-packages/provisioning-install-icd

education/windows/tutorial-school-deployment/index.md

@@ -0,0 +1,87 @@
+---
+title: Introduction
+description: Introduction to deployment and management of Windows devices in education environments
+ms.date: 08/31/2022
+ms.prod: windows
+ms.technology: windows
+ms.topic: conceptual
+ms.localizationpriority: medium
+author: paolomatarazzo
+ms.author: paoloma
+#ms.reviewer: 
+manager: aaroncz
+ms.collection: education
+---
+
+# Tutorial: deploy and manage Windows devices in a school
+
+This guide introduces the tools and services available from Microsoft to deploy, configure and manage Windows devices in an education environment.
+
+## Audience and user requirements
+
+This tutorial is intended for education professionals responsible for deploying and managing Windows devices, including:  
+
+- School leaders
+- IT administrators
+- Teachers
+- Microsoft partners
+
+This content provides a comprehensive path for schools to deploy and manage new Windows devices with Microsoft Intune. It includes step-by-step information how to manage devices throughout their lifecycle, and specific guidance for **Windows 11 SE** and **Surface devices**.
+
+> [!NOTE]
+> Depending on your school setup scenario, you may not need to implement all steps.
+
+## Device lifecycle management
+
+Historically, school IT administrators and educators have struggled to find an easy-to-use, flexible, and secure way to manage the lifecycle of the devices in their schools. In response, Microsoft has developed integrated suites of products for streamlined, cost-effective device lifecycle management.
+
+Microsoft 365 Education provides tools and services that enable simplified management of all devices through Microsoft Endpoint Manager (MEM). With Microsoft's solutions, IT administrators have the flexibility to support diverse scenarios, including school-owned devices and bring-your-own devices.
+Microsoft Endpoint Manager services include:
+
+- [Microsoft Intune][MEM-1]
+- [Microsoft Intune for Education][INT-1]
+- [Configuration Manager][MEM-2]
+- [Desktop Analytics][MEM-3]
+- [Windows Autopilot][MEM-4]
+- [Surface Management Portal][MEM-5]
+
+These services are part of the Microsoft 365 stack to help secure access, protect data, and manage risk.
+
+## Why Intune for Education?
+
+Windows devices can be managed with Intune for Education, enabling simplified management of multiple devices from a single point.
+From enrollment, through configuration and protection, to resetting, Intune for Education helps school IT administrators manage and optimize the devices throughout their lifecycle:
+
+:::image type="content" source="./images/device-lifecycle.png" alt-text="The device lifecycle for Intune-managed devices" border="false":::
+
+- **Enroll:** to enable remote device management, devices must be enrolled in Intune with an account in your Azure AD tenant. Some enrollment methods require an IT administrator to initiate enrollment, while others require students to complete the initial device setup process. This document discusses the facets of various device enrollment methodologies
+- **Configure:** once the devices are enrolled in Intune, applications and settings will be applied, as defined by the IT administrator
+- **Protect and manage:** in addition to its configuration capabilities, Intune for Education helps protect devices from unauthorized access or malicious attacks. For example, adding an extra layer of authentication with Windows Hello can make devices more secure. Policies are available that let you control settings for Windows Firewall, Endpoint Protection, and software updates
+- **Retire:** when it's time to repurpose a device, Intune for Education offers several options, including resetting the device, removing it from management, or wiping school data. In this document, we cover different device return and exchange scenarios
+
+## Four pillars of modern device management
+
+In the remainder of this document, we'll discuss the key concepts and benefits of modern device management with Microsoft 365 solutions for education. The guidance is organized around the four main pillars of modern device management:
+
+- **Identity management:** setting up and configuring the identity system, with Microsoft 365 Education and Azure Active Directory, as the foundation for user identity and authentication
+- **Initial setup:** setting up the Intune for Education environment for managing devices, including configuring settings, deploying applications, and defining updates cadence  
+- **Device enrollment:** Setting up Windows devices for deployment and enrolling them in Intune for Education
+- **Device reset:** Resetting managed devices with Intune for Education
+
+________________________________________________________
+## Next steps
+
+Let's begin with the creation and configuration of your Azure AD tenant and Intune environment.
+
+> [!div class="nextstepaction"]
+> [Next: Set up Azure Active Directory >](set-up-azure-ad.md)
+
+<!-- Reference links in article -->
+
+[MEM-1]: /mem/intune/fundamentals/what-is-intune
+[MEM-2]: /mem/configmgr/core/understand/introduction
+[MEM-3]: /mem/configmgr/desktop-analytics/overview
+[MEM-4]: /mem/autopilot/windows-autopilot
+[MEM-5]: /mem/autopilot/dfci-management
+
+[INT-1]: /intune-education/what-is-intune-for-education

education/windows/tutorial-school-deployment/manage-overview.md

@@ -0,0 +1,71 @@
+---
+title: Manage devices with Microsoft Intune
+description: Overview of device management capabilities in Intune for Education, including remote actions, remote assistance and inventory/reporting. 
+ms.date: 08/31/2022
+ms.prod: windows
+ms.technology: windows
+ms.topic: tutorial
+ms.localizationpriority: medium
+author: paolomatarazzo
+ms.author: paoloma
+#ms.reviewer: 
+manager: aaroncz
+ms.collection: education
+appliesto:
+- ✅ <b>Windows 10</b>
+- ✅ <b>Windows 11</b>
+- ✅ <b>Windows 11 SE</b>
+---
+
+# Manage devices with Microsoft Intune
+
+Microsoft Intune offers a streamlined remote device management experience throughout the school year. IT administrators can optimize device settings, deploy new applications, updates, ensuring that security and privacy are maintained.
+
+:::image type="content" source="./images/protect-manage.png" alt-text="The device lifecycle for Intune-managed devices - protect and manage devices" border="false":::
+
+## Remote device management
+
+With Intune for Education, there are several ways to manage students' devices. Groups can be created to organize devices and students, to facilitate remote management. You can determine which applications students have access to, and fine tune device settings and restrictions. You can also monitor which devices students sign in to, and troubleshoot devices remotely.
+
+### Remote actions
+
+Intune fo Education allows you to perform actions on devices without having to sign in to the devices. For example, you can send a command to a device to restart or to turn off, or you can locate a device.
+
+:::image type="content" source="./images/remote-actions.png" alt-text="Remote actions available in Intune for Education when selecting a Windows device" lightbox="./images/remote-actions.png" border="true":::
+
+With bulk actions, remote actions can be performed on multiple devices at once.
+
+To learn more about remote actions in Intune for Education, see [Remote actions][EDU-1].
+
+## Remote assistance
+
+With devices managed by Intune for Education, you can remotely assist students and teachers that are having issues with their devices.
+
+For more information, see [Remote assistance for managed devices - Intune for Education][EDU-2].
+
+## Device inventory and reporting
+
+With Intune for Education, it's possible view and report on current devices, applications, settings, and overall health. You can also download reports to review or share offline.
+
+Here are the steps for generating reports in Intune for Education:
+
+1. Sign in to the <a href="https://intuneeducation.portal.azure.com/" target="_blank"><b>Intune for Education portal</b></a>
+1. Select **Reports**
+1. Select between one of the report types:
+    - Device inventory
+    - Device actions
+    - Application inventory
+    - Settings errors
+    - Windows Defender
+    - Autopilot deployment
+1. If needed, use the search box to find specific devices, applications, and settings
+1. To download a report, select **Download**. The report will download as a comma-separated value (CSV) file, which you can view and modify in a spreadsheet app like Microsoft Excel.
+    :::image type="content" source="./images/inventory-reporting.png" alt-text="Reporting options available in Intune for Education when selecting the reports blade" border="true":::
+
+To learn more about reports in Intune for Education, see [Reports in Intune for Education][EDU-3].
+
+<!-- Reference links in article -->
+
+[EDU-1]: /intune-education/edu-device-remote-actions
+[EDU-2]: /intune-education/remote-assist-mobile-devices
+[EDU-3]: /intune-education/what-are-reports

education/windows/tutorial-school-deployment/manage-surface-devices.md

@@ -0,0 +1,54 @@
+---
+title: Management functionalities for Surface devices
+description: Management capabilities offered to Surface devices, including firmware management and the Surface Management Portal
+ms.date: 08/31/2022
+ms.prod: windows
+ms.technology: windows
+ms.topic: tutorial
+ms.localizationpriority: medium
+author: paolomatarazzo
+ms.author: paoloma
+#ms.reviewer: 
+manager: aaroncz
+ms.collection: education
+appliesto:
+- ✅ <b>Surface devices</b>
+---
+
+# Management functionalities for Surface devices
+
+Microsoft Surface devices offer many advanced management functionalities, including the possibility to manage firmware settings and a web portal designed for them.
+
+## Manage device firmware for Surface devices
+
+Surface devices use a Unified Extensible Firmware Interface (UEFI) setting that allows you to enable or disable built-in hardware components, protect UEFI settings from being changed, and adjust device boot configuration. With [Device Firmware Configuration Interface profiles built into Intune][INT-1], Surface UEFI management extends the modern management capabilities to the hardware level. Windows can pass management commands from Intune to UEFI for Autopilot-deployed devices.
+
+DFCI supports zero-touch provisioning, eliminates BIOS passwords, and provides control of security settings for boot options, cameras and microphones, built-in peripherals, and more. For more information, see [Manage DFCI on Surface devices][SURF-1] and [Manage DFCI with Windows Autopilot][MEM-1], which includes a list of requirements to use DFCI.
+
+:::image type="content" source="./images/dfci-profile.png" alt-text="Creation of a DFCI profile from Microsoft Endpoint Manager" lightbox="./images/dfci-profile-expanded.png" border="true":::
+
+## Microsoft Surface Management Portal
+
+Located in the Microsoft Endpoint Manager admin center, the Microsoft Surface Management Portal enables you to self-serve, manage, and monitor your school's Intune-managed Surface devices at scale. Get insights into device compliance, support activity, warranty coverage, and more.
+
+When Surface devices are enrolled in cloud management and users sign in for the first time, information automatically flows into the Surface Management Portal, giving you a single pane of glass for Surface-specific administration activities.
+
+To access and use the Surface Management Portal:
+
+1. Sign in to <a href="https://endpoint.microsoft.com/" target="_blank"><b>Microsoft Endpoint Manager admin center</b></a>
+1. Select **All services** > **Surface Management Portal**
+    :::image type="content" source="./images/surface-management-portal.png" alt-text="Surface Management Portal within Microsoft Endpoint Manager" lightbox="./images/surface-management-portal-expanded.png" border="true":::
+1. To obtain insights for all your Surface devices, select **Monitor**
+    - Devices that are out of compliance or not registered, have critically low storage, require updates, or are currently inactive, are listed here
+1. To obtain details on each insights category, select **View report**
+    - This dashboard displays diagnostic information that you can customize and export
+1. To obtain the device's warranty information, select **Device warranty and coverage**
+1. To review a list of support requests and their status, select **Support requests**
+
+<!-- Reference links in article -->
+
+[INT-1]: /intune/configuration/device-firmware-configuration-interface-windows
+
+[MEM-1]: /mem/autopilot/dfci-management
+
+[SURF-1]: /surface/surface-manage-dfci-guide

education/windows/tutorial-school-deployment/reset-wipe.md

@@ -0,0 +1,122 @@
+---
+title: Reset and wipe Windows devices
+description: Reset and wipe options for Windows devices using Intune for Education, including scenarios when to delete devices
+ms.date: 08/31/2022
+ms.prod: windows
+ms.technology: windows
+ms.topic: tutorial
+ms.localizationpriority: medium
+author: paolomatarazzo
+ms.author: paoloma
+#ms.reviewer: 
+manager: aaroncz
+ms.collection: education
+appliesto:
+- ✅ <b>Windows 10</b>
+- ✅ <b>Windows 11</b>
+- ✅ <b>Windows 11 SE</b>
+---
+
+# Device reset options
+
+There are different scenarios that require a device to be reset, for example:
+
+- The device isn't responding to commands
+- The device is lost or stolen
+- It's the end of the life of the device
+- It's the end of the school year and you want to prepare the device for a new school year
+- The device has hardware problems and you want to send it to the service center
+
+:::image type="content" source="./images/retire.png" alt-text="The device lifecycle for Intune-managed devices - retirement" border="false":::
+
+Intune for Education provides two device reset functionalities that enable IT administrators to remotely execute them:
+
+- **Factory reset** (also known as **wipe**) is used to wipe all data and settings from the device, returning it to the default factory settings
+- **Autopilot reset** is used to return the device to a fully configured or known IT-approved state
+
+## Factory reset (wipe)
+
+A factory reset, or a wipe, reverts a device to the original settings when it was purchased. All settings, applications and data installed on the device after purchase are removed. The device is also removed from Intune management.
+
+Once the wipe is completed, the device will be in out-of-box experience.
+
+Here are the steps to perform a factory reset from Intune for Education: 
+
+1. Sign in to the <a href="https://intuneeducation.portal.azure.com/" target="_blank"><b>Intune for Education portal</b></a>
+1. Select **Devices**
+1. Select the device you want to reset > **Factory reset**
+1. Select **Factory reset** to confirm the action
+
+:::image type="content" source="./images/win11-wipe.png" alt-text="Three screenshots showing the device being wiped, ending up in OOBE" lightbox="./images/win11-wipe.png" border="false":::
+
+Consider using factory reset in the following example scenarios:
+
+- The device isn't working properly, and you want to reset it without reimaging it
+- It's the end of school year and you want to prepare the device for a new school year
+- You need to reassign the device to a different student, and you want to reset the device to its original settings
+- You're returning a device to the service center, and you want to remove all data and settings from the device
+
+> [!TIP]
+> Consider that once the device is wiped, the new user will go through OOBE. This option may be ideal if the device is also registered in Autopilot to make the OOBE experience seamless, or if you plan to use a provisioning package to re-enroll the device.
+
+## Autopilot Reset
+
+Autopilot Reset is ideal when all data on a device needs to be wiped, but the device remains enrolled in your tenant.
+
+Once the Autopilot reset action is completed, the device will ask to chose region and keyboard layout, then it will display the sign-in screen.
+
+Here are the steps to perform an Autopilot reset from Intune for Education: 
+
+1. Sign in to the <a href="https://intuneeducation.portal.azure.com/" target="_blank"><b>Intune for Education portal</b></a>
+1. Select **Devices**
+1. Select the device you want to reset > **Autopilot reset**
+1. Select **Autopilot reset** to confirm the action
+
+:::image type="content" source="./images/win11-autopilot-reset.png" alt-text="Three screenshots showing the device being wiped, ending up in the login screen" border="false":::
+
+Consider using Autopilot reset in the following example scenarios:
+
+- The device isn't working properly, and you want to reset it without reimaging it
+- It's the end of school year and you want to prepare the device for a new school year
+- You need to reassign the device to a different student, and you want to reset the device to without requiring the student to go through OOBE
+
+> [!TIP]
+> Consider that the end user will **not** go through OOBE, and the association of the user to  the device in Intune doesn't change. For this reason, this option may be ideal for devices that have been enrolled in Intune as *shared devices* (for example, a device that was enrolled with a provisioning package or using Autopilot self-deploying mode).
+
+## Wiping and deleting a device
+
+There are scenarios that require a device to be deleted from your tenant, for example:
+
+- The device is lost or stolen
+- It's the end of the life of the device
+- The device has been replaced with a new device or has its motherboard replaced
+
+> [!IMPORTANT]
+> The following actions should only be performed for devices that are no longer going to be used in your tenant.
+
+ To completely remove a device, you need to perform the following actions:
+
+1. If possible, perform a **factory reset (wipe)** of the device. If the device can't be wiped, delete the device from Intune using [these steps][MEM-1]
+1. If the device is registered in Autopilot, delete the Autopilot object using [these steps][MEM-2]
+1. Delete the device from Azure Active Directory using [these steps][MEM-3]
+
+## Autopilot considerations for a motherboard replacement scenario
+
+Repairing Autopilot-enrolled devices can be complex, as OEM requirements must be balanced with Autopilot requirements. If a motherboard replacement is needed on an Autopilot device, it's suggested the following process:
+
+1. Deregister the device from Autopilot
+1. Replace the motherboard
+1. Capture a new device ID (4K HH)
+1. Re-register the device with Autopilot
+    > [!IMPORTANT]
+    > For DFCI management, the device must be re-registered by a partner or OEM. Self-registration of devices is not supported with DFCI management.
+1. Reset the device
+1. Return the device
+
+For more information, see [Autopilot motherboard replacement scenario guidance][MEM-4].
+
+<!-- Reference links in article -->
+[MEM-1]: /mem/intune/remote-actions/devices-wipe#delete-devices-from-the-intune-portal
+[MEM-2]: /mem/intune/remote-actions/devices-wipe#delete-devices-from-the-intune-portal
+[MEM-3]: /mem/intune/remote-actions/devices-wipe#delete-devices-from-the-azure-active-directory-portal
+[MEM-4]: /mem/autopilot/autopilot-mbr

education/windows/tutorial-school-deployment/set-up-azure-ad.md

@@ -0,0 +1,179 @@
+---
+title: Set up Azure Active Directory
+description: How to create and prepare your Azure AD tenant for an education environment 
+ms.date: 08/31/2022
+ms.prod: windows
+ms.technology: windows
+ms.topic: tutorial
+ms.localizationpriority: medium
+author: paolomatarazzo
+ms.author: paoloma
+#ms.reviewer: 
+manager: aaroncz
+ms.collection: education
+#appliesto:
+---
+
+# Set up Azure Active Directory
+
+The Microsoft platform for education simplifies the management of Windows devices with Intune for Education and Microsoft 365 Education. The first, fundamental step, is to configure the identity infrastructure to manage user access and permissions for your school.
+
+Azure Active Directory (Azure AD), which is included with the Microsoft 365 Education subscription, provides authentication and authorization to any Microsoft cloud services. Identity objects are defined in Azure AD for human identities, like students and teachers, as well as non-human identities, like devices, services, and applications. Once users get Microsoft 365 licenses assigned, they'll be able to consume services and access resources within the tenant. With Microsoft 365 Education, you can manage identities for your teachers and students, assign licenses to devices and users, and create groups for the classrooms.
+
+In this section you will:
+> [!div class="checklist"]
+> * Set up a Microsoft 365 Education tenant
+> * Add users, create groups, and assign licenses
+> * Configure school branding
+> * Enable bulk enrollment
+
+## Create a Microsoft 365 tenant
+
+If you don't already have a Microsoft 365 tenant, you'll need to create one.
+
+For more information, see [Create your Office 365 tenant account][M365-1]
+
+> [!TIP]
+> To learn more, and practice how to configure the Microsoft 365 tenant for your school, try <a href="https://www.microsoft.com/en-us/education/interactive-demos/set-up-Microsoft-365" target="_blank"><u>this interactive demo</u></a>.
+### Explore the Microsoft 365 admin center
+
+The **Microsoft 365 admin center** is the hub for all administrative consoles for the Microsoft 365 cloud. To access the <a href="https://entra.microsoft.com" target="_blank"><u>Microsoft Entra admin center</u></a>, sign in with the same global administrator account when you [created the Microsoft 365 tenant](#create-a-microsoft-365-tenant).
+
+From the Microsoft 365 admin center, you can access different administrative dashboards: Azure Active Directory, Microsoft Endpoint Manager, Intune for Education, and others:
+
+:::image type="content" source="./images/m365-admin-center.png" alt-text="*All admin centers* page in *Microsoft 365 admin center*" lightbox="./images/m365-admin-center.png" border="true":::
+
+For more information, see [Overview of the Microsoft 365 admin center][M365-2].
+
+> [!NOTE]
+> Setting up your school's basic cloud infrastructure does not require you to complete the rest of the Microsoft 365 setup. For this reason, we will skip directly to adding students and teachers as users in the Microsoft 365 tenant.
+
+## Add users, create groups, and assign licenses
+
+With the Microsoft 365 tenant in place, it's time to add users, create groups, and assign licenses. All students and teachers need a user account before they can sign in and access the different Microsoft 365 services. There are multiple ways to do this, including using School Data Sync (SDS), synchronizing an on-premises Active Directory, manually, or a combination of the above.
+
+> [!NOTE]
+> Synchronizing your Student Information System (SIS) with School Data Sync is the preferred way to create students and teachers as users in a Microsoft 365 Education tenant. However, if you want to integrate an on-premises directory and synchronize accounts to the cloud, skip to [<u>Azure Active Directory sync</u>](#azure-active-directory-sync) below.
+
+### School Data Sync
+
+School Data Sync (SDS) imports and synchronizes SIS data to create classes in Microsoft 365, such as Microsoft 365 groups and class teams in Microsoft Teams. SDS can be used to create new, cloud-only, identities or to evolve existing identities. Users evolve into *students* or *teachers* and are associated with a *grade*, *school*, and other education-specific attributes.
+
+For more information, see [Overview of School Data Sync][SDS-1].
+
+> [!TIP]
+> To learn more and practice with School Data Sync, follow the <a href="https://interactiveguides-schooldatasync.azurewebsites.net/" target="_blank"><u>Microsoft School Data Sync demo</u></a>, which provides detailed steps to access, configure, and deploy School Data Sync in your Microsoft 365 Education tenant.
+
+> [!NOTE]
+> You can perform a test deployment by cloning or downloading sample SDS CSV school data from the [<u>O365-EDU-Tools GitHub site</u>](https://github.com/OfficeDev/O365-EDU-Tools).
+>
+> Remember that you should typically deploy test SDS data (users, groups, and so on) in a separate test tenant, not your school production environment.
+
+### Azure Active Directory sync
+
+To integrate an on-premises directory with Azure Active Directory, you can use **Microsoft Azure Active Directory Connect** to synchronize users, groups, and other objects. Azure AD Connect lets you configure the authentication method appropriate for your school, including:
+
+- [Password hash synchronization][AAD-1]
+- [Pass-through authentication][AAD-2]
+- [Federated authentication][AAD-3]
+
+For more information, see [Set up directory synchronization for Microsoft 365][O365-1].
+
+### Create users manually
+
+In addition to the above methods, you can manually add users and groups, and assign licenses through the Microsoft 365 admin center.
+
+There are two options for adding users manually, either individually or in bulk:
+
+1. To add students and teachers as users in Microsoft 365 Education *individually*:
+    - Sign in to the <a href="https://entra.microsoft.com" target="_blank"><b>Microsoft Entra admin center</b></a>
+    - Select **Azure Active Directory** > **Users** > **All users** > **New user** > **Create new user**
+    For more information, see [Add users and assign licenses at the same time][M365-3].
+1. To add *multiple* users to Microsoft 365 Education:
+    - Sign in to the <a href="https://entra.microsoft.com" target="_blank"><b>Microsoft Entra admin center</b></a>
+    - Select **Azure Active Directory** > **Users** > **All users** > **Bulk operations** > **Bulk create**
+
+For more information, see [Add multiple users in the Microsoft 365 admin center][M365-4].
+### Create groups
+
+Creating groups is important to simplify multiple tasks, like assigning licenses, delegating administration, deploy settings, applications or to distribute assignments to students. To create groups:
+
+1. Sign in to the <a href="https://entra.microsoft.com" target="_blank"><b>Microsoft Entra admin center</b></a>
+1. Select **Azure Active Directory** > **Groups** > **All groups** > **New group**
+1. On the **New group** page, select **Group type** > **Security**
+1. Provide a group name and add members, as needed
+1. Select **Next**
+
+For more information, see [Create a group in the Microsoft 365 admin center][M365-5].
+
+### Assign licenses
+
+The recommended way to assign licenses is through group-based licensing. With this method, Azure AD ensures that licenses are assigned to all members of the group. Any new members who join the group are assigned the appropriate licenses, and when members leave, their licenses are removed.
+
+To assign a license to a group:
+
+1. Sign in to the <a href="https://entra.microsoft.com" target="_blank"><b>Microsoft Entra admin center</b></a>
+1. Select **Azure Active Directory** > **Show More** > **Billing** > **Licenses**
+1. Select the required products that you want to assign licenses for > **Assign**
+1. Add the groups to which the licenses should be assigned
+
+   :::image type="content" source="images/entra-assign-licenses.png" alt-text="Assign licenses from Microsoft Entra admin center." lightbox="images/entra-assign-licenses.png":::
+
+For more information, see [Group-based licensing using Azure AD admin center][AAD-4].
+
+## Configure school branding
+
+Configuring your school branding enables a more familiar Autopilot experience to students and teachers. With a custom school branding, you can define a custom logo and a welcome message, which will appear during the Windows out-of-box experience.
+
+To configure your school's branding:
+
+1. Sign in to the <a href="https://entra.microsoft.com" target="_blank"><b>Microsoft Entra admin center</b></a>
+1. Select **Azure Active Directory** > **Show More** > **User experiences** > **Company branding**
+1. You can specify brand settings like background image, logo, username hint and a sign-in page text
+    :::image type="content" source="images/entra-branding.png" alt-text="Configure Azure AD branding from Microsoft Entra admin center." lightbox="images/entra-branding.png":::
+1. To adjust the school tenant's name displayed during OOBE, select **Azure Active Directory** > **Overview** > **Properties**
+1. In the **Name** field, enter the school district or organization's name > **Save**
+    :::image type="content" alt-text="Configure Azure AD tenant name from Microsoft Entra admin center." source="images/entra-tenant-name.png":::
+
+For more information, see [Add branding to your directory][AAD-5].
+
+## Enable bulk enrollment
+
+If you decide to enroll Windows devices using provisioning packages instead of Windows Autopilot, you must ensure that the provisioning packages can join Windows devices to the Azure AD tenant.
+
+To allow provisioning packages to complete the Azure AD Join process:
+
+1. Sign in to the <a href="https://entra.microsoft.com" target="_blank"><b>Microsoft Entra admin center</b></a>
+1. Select **Azure Active Directory** > **Devices** > **Device Settings**
+1. Under **Users may join devices to Azure AD**, select **All**
+    > [!NOTE]
+    > If it is required that only specific users can join devices to Azure AD, select **Selected**. Ensure that the user account that will create provisioning packages is included in the list of users.
+1. Select Save
+    :::image type="content" source="images/entra-device-settings.png" alt-text="Configure device settings from Microsoft Entra admin center." lightbox="images/entra-device-settings.png":::
+
+________________________________________________________
+
+## Next steps
+
+With users and groups created, and licensed for Microsoft 365 Education, you can now configure Microsoft Intune.
+
+> [!div class="nextstepaction"]
+> [Next: Set up Microsoft Intune >](set-up-microsoft-intune.md)
+
+<!-- Reference links in article -->
+
+[AAD-1]: /azure/active-directory/hybrid/whatis-phs
+[AAD-2]: /azure/active-directory/hybrid/how-to-connect-pta
+[AAD-3]: /azure/active-directory/hybrid/how-to-connect-fed-whatis
+[AAD-4]: /azure/active-directory/enterprise-users/licensing-groups-assign
+[AAD-5]: /azure/active-directory/fundamentals/customize-branding
+
+[M365-1]: /microsoft-365/education/deploy/create-your-office-365-tenant
+[M365-2]: /microsoft-365/admin/admin-overview/admin-center-overview
+[M365-3]: /microsoft-365/admin/add-users/add-users
+[M365-4]: /microsoft-365/enterprise/add-several-users-at-the-same-time
+[M365-5]: /microsoft-365/admin/create-groups/create-groups
+
+[O365-1]: /office365/enterprise/set-up-directory-synchronization
+
+[SDS-1]: /schooldatasync/overview-of-school-data-sync

education/windows/tutorial-school-deployment/set-up-microsoft-intune.md

@@ -0,0 +1,104 @@
+---
+title: Set up device management
+description: How to configure the Intune service and set up the environment for education.
+ms.date: 08/31/2022
+ms.prod: windows
+ms.technology: windows
+ms.topic: tutorial
+ms.localizationpriority: medium
+author: paolomatarazzo
+ms.author: paoloma
+#ms.reviewer: 
+manager: aaroncz
+ms.collection: education
+#appliesto:
+---
+
+# Set up Microsoft Intune
+
+Without the proper tools and resources, managing hundreds or thousands of devices in a school environment can be a complex and time-consuming task. Microsoft Endpoint Manager provides a collection of services that simplifies the management of devices at scale.
+
+Microsoft Intune is one of the services provided by Microsoft Endpoint Manager. The Microsoft Intune service can be managed in different ways, and one of them is **Intune for Education**, a web portal designed for education environments.
+
+:::image type="content" source="./images/intune-education-portal.png" alt-text="Intune for Education dashboard" lightbox="./images/intune-education-portal.png" border="true":::
+
+**Intune for Education** supports the entire device lifecycle, from the enrollment phase through retirement. IT administrators can start managing classroom devices with bulk enrollment options and a streamlined deployment. At the end of the school year, IT admins can reset devices, ensuring they're ready for the next year.
+
+For more information, see [Intune for Education documentation][INT-1].
+
+In this section you will:
+> [!div class="checklist"]
+> * Review Intune's licensing prerequisites
+> * Configure the Intune service for education devices
+
+## Prerequisites
+
+Before configuring settings with Intune for Education, consider the following prerequisites:
+
+- **Intune subscription.** Microsoft Intune is licensed in three ways:
+  - As a standalone service
+  - As part of [Enterprise Mobility + Security][MSFT-1]
+  - As part of a [Microsoft 365 Education subscription][MSFT-2]
+- **Device platform.** Intune for Education can manage devices running a supported version of Windows 10, Windows 11, Windows 11 SE, iOS, and iPad OS
+
+For more information, see [Intune licensing][MEM-1] and [this comparison sheet][MSFT-3], which includes a table detailing the *Microsoft Modern Work Plan for Education*.
+
+## Configure the Intune service for education devices
+
+The Intune service can be configured in different ways, depending on the needs of your school. In this section, you'll configure the Intune service using settings commonly implemented by K-12 school districts.
+
+### Configure enrollment restrictions
+
+With enrollment restrictions, you can prevent certain types of devices from being enrolled and therefore managed by Intune. For example, you can prevent the enrollment of devices that are not owned by the school.
+
+To block personally owned Windows devices from enrolling:
+
+1. Sign in to the <a href="https://endpoint.microsoft.com/" target="_blank"><b>Microsoft Endpoint Manager admin center</b></a>
+1. Select **Devices** > **Enroll devices** > **Enrollment device platform restrictions**
+1. Select the **Windows restrictions** tab
+1. Select **Create restriction**
+1. On the **Basics** page, provide a name for the restriction and, optionally, a description > **Next**
+1. On the **Platform settings** page, in the **Personally owned devices** field, select **Block** > **Next**
+    :::image type="content" source="./images/enrollment-restrictions.png" alt-text="Device enrollment restriction page in Microsoft Endpoint Manager admin center" lightbox="./images/enrollment-restrictions.png" border="true":::
+1. Optionally, on the **Scope tags** page, add scope tags > **Next**
+1. On the **Assignments** page, select **Add groups**, and then use the search box to find and choose groups to which you want to apply the restriction > **Next**
+1. On the **Review + create** page, select **Create** to save the restriction
+
+For more information, see [Create a device platform restriction][MEM-2].
+
+### Disable Windows Hello for Business
+
+Windows Hello for Business is a biometric authentication feature that allows users to sign in to their devices using a PIN, password, or fingerprint. Windows Hello for Business is enabled by default on Windows devices, and to set it up, users must perform for multi-factor authentication (MFA). As a result, this feature may not be ideal for students, who may not have MFA enabled.
+It's suggested to disable Windows Hello for Business on Windows devices at the tenant level, and enabling it only for devices that need it, for example for teachers and staff devices.
+To disable Windows Hello for Business at the tenant level:
+
+1. Sign in to the <a href="https://endpoint.microsoft.com/" target="_blank"><b>Microsoft Endpoint Manager admin center</b></a>
+1. Select **Devices** > **Windows** > **Windows Enrollment**
+1. Select **Windows Hello for Business**
+1. Ensure that **Configure Windows Hello for Business** is set to **disabled**
+1. Select **Save**
+
+:::image type="content" source="./images/whfb-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Endpoint Manager admin center" border="true":::
+
+For more information how to enable Windows Hello for Business on specific devices, see [Create a Windows Hello for Business policy][MEM-4].
+
+________________________________________________________
+
+## Next steps
+
+With the Intune service configured, you can configure policies and applications in preparation to the deployment of students' and teachers' devices.
+
+> [!div class="nextstepaction"]
+> [Next: Configure devices >](configure-devices-overview.md)
+
+<!-- Reference links in article -->
+
+[MEM-1]: /mem/intune/fundamentals/licenses
+[MEM-2]: /mem/intune/enrollment/enrollment-restrictions-set
+[MEM-4]: /mem/intune/protect/windows-hello#create-a-windows-hello-for-business-policy
+
+[INT-1]: /intune-education/what-is-intune-for-education
+
+[MSFT-1]: https://www.microsoft.com/microsoft-365/enterprise-mobility-security
+[MSFT-2]: https://www.microsoft.com/licensing/product-licensing/microsoft-365-education
+[MSFT-3]: https://edudownloads.azureedge.net/msdownloads/Microsoft-Modern-Work-Plan-Comparison-Education_11-2021.pdf

education/windows/tutorial-school-deployment/toc.yml

@@ -0,0 +1,38 @@
+items: 
+  - name: Introduction
+    href: index.md
+  - name: 1. Prepare your tenant
+    items:
+      - name: Set up Azure Active Directory
+        href: set-up-azure-ad.md
+      - name: Set up Microsoft Intune
+        href: set-up-microsoft-intune.md
+  - name: 2. Configure settings and applications
+    items:
+      - name: Overview
+        href: configure-devices-overview.md
+      - name: Configure policies
+        href: configure-device-settings.md
+      - name: Configure applications
+        href: configure-device-apps.md        
+  - name: 3. Deploy devices
+    items: 
+      - name: Overview
+        href: enroll-overview.md
+      - name: Enroll devices via Azure AD join
+        href: enroll-aadj.md
+      - name: Enroll devices with provisioning packages
+        href: enroll-package.md
+      - name: Enroll devices with Windows Autopilot
+        href: enroll-autopilot.md
+  - name: 4. Manage devices
+    items: 
+      - name: Overview
+        href: manage-overview.md
+      - name: Management functionalities for Surface devices
+        href: manage-surface-devices.md       
+      - name: Reset and wipe devices
+        href: reset-wipe.md
+  - name: 5. Troubleshoot and get help
+    href: troubleshoot-overview.md
+    

education/windows/tutorial-school-deployment/troubleshoot-overview.md

@@ -0,0 +1,68 @@
+---
+title: Troubleshoot Windows devices
+description: How to troubleshoot Windows devices from Intune and contact Microsoft Support for issues related to Intune and other Endpoint Manager services
+ms.date: 08/31/2022
+ms.prod: windows
+ms.technology: windows
+ms.topic: conceptual #reference troubleshooting how-to end-user-help overview (more in contrib guide)
+ms.localizationpriority: medium
+author: paolomatarazzo
+ms.author: paoloma
+#ms.reviewer: 
+manager: aaroncz
+ms.collection: education
+appliesto:
+- ✅ <b>Windows 10</b>
+- ✅ <b>Windows 11</b>
+- ✅ <b>Windows 11 SE</b>
+---
+
+# Troubleshoot Windows devices
+
+Microsoft Endpoint Manager provides many tools that can help you troubleshoot Windows devices.
+Here's a collection of resources to help you troubleshoot Windows devices managed by Intune:
+
+- [Troubleshooting device enrollment in Intune][MEM-2]
+- [Troubleshooting Windows Autopilot][MEM-9]
+- [Troubleshoot Windows Wi-Fi profiles][MEM-6]
+- [Troubleshooting policies and profiles in Microsoft Intune][MEM-5]
+- [Troubleshooting BitLocker with the Intune encryption report][MEM-4]
+- [Troubleshooting CSP custom settings][MEM-8]
+- [Troubleshooting Win32 app installations with Intune][MEM-7]
+- [Troubleshooting device actions in Intune][MEM-3]
+- [**Collect diagnostics**][MEM-10] is a remote action that lets you collect and download Windows device logs without interrupting the user
+  :::image type="content" source="./images/intune-diagnostics.png" alt-text="Intune for Education dashboard" lightbox="./images/intune-diagnostics.png" border="true":::
+
+## How to contact Microsoft Support
+
+Microsoft provides global technical, pre-sales, billing, and subscription support for cloud-based device management services. This support includes Microsoft Intune, Configuration Manager, Windows 365, and Microsoft Managed Desktop.
+
+Follow these steps to obtain support in Microsoft Endpoint Manager:
+
+- Sign in to the <a href="https://endpoint.microsoft.com" target="_blank"><b>Microsoft Endpoint Manager admin center</b></a>
+- Select **Troubleshooting + support** > **Help and support**
+    :::image type="content" source="images/advanced-support.png" alt-text="Screenshot that shows how to obtain support from Microsoft Endpoint Manager." lightbox="images/advanced-support.png":::
+- Select the required support scenario: Configuration Manager, Intune, Co-management, or Windows 365
+- Above **How can we help?**, select one of three icons to open different panes: *Find solutions*, *Contact support*, or *Service requests*
+- In the **Find solutions** pane, use the text box to specify a few details about your issue. The console may offer suggestions based on what you've entered. Depending on the presence of specific keywords, the console provides help like:
+  - Run diagnostics: start automated tests and investigations of your tenant from the console to reveal known issues. When you run a diagnostic, you may receive mitigation steps to help with resolution
+  - View insights: find links to documentation that provides context and background specific to the product area or actions you've described
+  - Recommended articles: browse suggested troubleshooting topics and other content related to your issue
+- If needed, use the *Contact support* pane to file an online support ticket
+  > [!IMPORTANT]
+  > When opening a case, be sure to include as many details as possible in the *Description* field. Such information includes: timestamp and date, device ID, device model, serial number, OS version, and any other details relevant to the issue.
+- To review your case history, select the **Service requests** pane. Active cases are at the top of the list, with closed issues also available for review
+
+For more information, see [Microsoft Endpoint Manager support page][MEM-1]
+
+<!-- Reference links in article -->
+[MEM-1]: /mem/get-support
+[MEM-2]: /troubleshoot/mem/intune/troubleshoot-device-enrollment-in-intune
+[MEM-3]: /troubleshoot/mem/intune/troubleshoot-device-actions
+[MEM-4]: /troubleshoot/mem/intune/troubleshoot-bitlocker-admin-center
+[MEM-5]: /troubleshoot/mem/intune/troubleshoot-policies-in-microsoft-intune
+[MEM-6]: /troubleshoot/mem/intune/troubleshoot-wi-fi-profiles#troubleshoot-windows-wi-fi-profiles
+[MEM-7]: /troubleshoot/mem/intune/troubleshoot-win32-app-install
+[MEM-8]: /troubleshoot/mem/intune/troubleshoot-csp-custom-settings
+[MEM-9]: /mem/autopilot/troubleshooting
+[MEM-10]: /mem/intune/remote-actions/collect-diagnostics

education/windows/windows-editions-for-education-customers.md

@@ -63,7 +63,7 @@ For any other questions, contact [Microsoft Customer Service and Support](https:
 
 ## Related topics
 - [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md)
-- [Windows deployment for education](./index.md)
+- [Windows deployment for education](./index.yml)
 - [Windows 10 upgrade paths](/windows/deployment/upgrade/windows-10-upgrade-paths)
 - [Volume Activation for Windows 10](/windows/deployment/volume-activation/volume-activation-windows-10)
 - [Plan for volume activation](/windows/deployment/volume-activation/plan-for-volume-activation-client)

windows/deployment/TOC.yml

@@ -263,7 +263,7 @@
                 href: update/update-compliance-schema-waasupdatestatus.md
               - name: WaaSInsiderStatus
                 href: update/update-compliance-schema-waasinsiderstatus.md
-              - name: WaaSDepoymentStatus
+              - name: WaaSDeploymentStatus
                 href: update/update-compliance-schema-waasdeploymentstatus.md
               - name: WUDOStatus
                 href: update/update-compliance-schema-wudostatus.md

windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md

@@ -22,7 +22,7 @@ WaaSDeploymentStatus records track a specific update's installation progress on
 |**DeferralDays** |[int](/azure/kusto/query/scalar-data-types/int) |`0` |The deferral policy for this content type or `UpdateCategory` (Windows `Feature` or `Quality`). |
 |**DeploymentError** |[string](/azure/kusto/query/scalar-data-types/string) |`Disk Error` |A readable string describing the error, if any. If empty, there's either no string matching the error or there's no error. |
 |**DeploymentErrorCode** |[int](/azure/kusto/query/scalar-data-types/int) |`8003001E` |Microsoft internal error code for the error, if any. If empty, there's either no error or there's *no error code*, meaning that the issue raised doesn't correspond to an error, but some inferred issue. |
-|**DeploymentStatus** |[string](/azure/kusto/query/scalar-data-types/string) |`Failed` |The high-level status of installing this update on this device. Possible values are:<br><li> **Update completed**: Device has completed the update installation.<li> **In Progress**: Device is in one of the various stages of installing an update, detailed in `DetailedStatus`.<li> **Deferred**: A device's deferral policy is preventing the update from being offered by Windows Update.<li> **Canceled**: The update was canceled.<li> **Blocked**: There's a hard block on the update being completed. This could be that another update must be completed before this one, or some other task is blocking the installation of the update.<li> **Unknown**: Update Compliance generated WaaSDeploymentStatus records for devices as soon as it detects an update newer than the one installed on the device. Devices that haven't sent any deployment data for that update will have the status `Unknown`.<li> **Update paused**: Devices are paused via Windows Update for Business Pause policies, preventing the update from being offered by Windows Update. <li> **Failed**: Device encountered a failure in the update process, preventing it from installing the update. This may result in an automatic retry in the case of Windows Update, unless the `DeploymentError` indicates the issue requires action before the update can continue.|
+|**DeploymentStatus** |[string](/azure/kusto/query/scalar-data-types/string) |`Failed` |The high-level status of installing this update on this device. Possible values are:<br><li> **Update completed**: Device has completed the update installation.<li> **In Progress**: Device is in one of the various stages of installing an update, detailed in `DetailedStatus`.<li> **Deferred**: A device's deferral policy is preventing the update from being offered by Windows Update.<li> **Canceled**: The update was canceled.<li> **Blocked**: There's a hard block on the update being completed. This could be that another update must be completed before this one, or some other task is blocking the installation of the update.<li> **Unknown**: Update Compliance generated WaaSDeploymentStatus records for devices as soon as it detects an update newer than the one installed on the device. Devices that haven't sent any deployment data for that update will have the status `Unknown`.<li> **Update paused**: Devices are paused via Windows Update for Business Pause policies, preventing the update from being offered by Windows Update. <li> **Failed**: Device encountered a failure in the update process, preventing it from installing the update. This may result in an automatic retry in the case of Windows Update, unless the `DeploymentError` indicates the issue requires action before the update can continue.<li> **Progress stalled**: The update is in progress, but has not completed over a period of 7 days.|
 |**DetailedStatus** |[string](/azure/kusto/query/scalar-data-types/string) |`Reboot required` |A detailed status for the installation of this update on this device. Possible values are:<br><li> **Not Started**: Update hasn't started because the device isn't targeting the latest 2 builds<li> **Update deferred**: When a device's Windows Update for Business policy dictates the update is deferred.<li> **Update paused**: The device's Windows Update for Business policy dictates the update is paused from being offered.<li> **Update offered**: The device has been offered the update, but hasn't begun downloading it.<li> **Pre-Download tasks passed**: The device has finished all necessary tasks prior to downloading the update.<li> **Compatibility hold**: The device has been placed under a *compatibility hold* to ensure a smooth feature update experience and won't resume the update until the hold has been cleared. For more information, see [Feature Update Status report](update-compliance-feature-update-status.md#safeguard-holds).<li> **Download started**: The update has begun downloading on the device.<li> **Download Succeeded**: The update has successfully completed downloading. <li> **Pre-Install Tasks Passed**: Tasks that must be completed prior to installing the update have been completed.<li> **Install Started**: Installation of the update has begun.<li> **Reboot Required**: The device has finished installing the update, and a reboot is required before the update can be completed.<li> **Reboot Pending**: The device has a scheduled reboot to apply the update.<li> **Reboot Initiated**: The scheduled reboot has been initiated.<li> **Commit**: Changes are being committed post-reboot. This is another step of the installation process.<li> **Update Completed**: The update has successfully installed.|
 |**ExpectedInstallDate** |[datetime](/azure/kusto/query/scalar-data-types/datetime)|`3/28/2020, 1:00:01.318 PM`|Rather than the expected date this update will be installed, this should be interpreted as the minimum date Windows Update will make the update available for the device. This takes into account Deferrals. |
 |**LastScan** |[datetime](/azure/kusto/query/scalar-data-types/datetime)|`3/22/2020, 1:00:01.318 PM`|The last point in time that this device sent Update Session data. |

windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md

@@ -1,42 +0,0 @@
----
-title: WebAuthn APIs 
-description: Learn how to use WebAuthn APIs to enable password-less authentication for your sites and apps.
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
-ms.date: 02/15/2019
----
-# WebAuthn APIs for password-less authentication on Windows
-
-### Passwords leave your customers vulnerable. With the new WebAuthn APIs, your sites and apps can use password-less authentication.
-
-Microsoft has long been a proponent to do away with passwords.
-While working towards that goal, we'd like to introduce you to the latest Windows 10 (version 1903) W3C/FIDO2 Win32 WebAuthn platform APIs!
-These APIs allow Microsoft developer partners and the developer community to use Windows Hello and FIDO2 security keys
-as a password-less authentication mechanism for their applications on Windows devices.
-
-#### What does this mean?
-
-This opens opportunities for developers or relying parties (RPs') to enable password-less authentication.
-They can now use [Windows Hello](./index.yml) or [FIDO2 Security Keys](./microsoft-compatible-security-key.md)
-as a password-less multi-factor credential for authentication.  
-<br>
-Users of these sites can use any browser that supports WebAuthn Windows 10 APIs for password-less authentication
- and will have a familiar and consistent experience on Windows 10, no matter which browser they use to get to the RPs' site!
-<br> <br>
-The native Windows 10 WebAuthn APIs are currently supported by Microsoft Edge on Windows 10 1809 or later
- and latest versions of other browsers.
-<br> <br>
-Developers of FIDO2 authentication keys should use the new Windows 10 APIs, to enable these scenarios in a consistent way for users.
- Moreover, this enables the use of all the transports available per FIDO2 specifications - USB, NFC, and BLE
- without having to deal with the interaction and management overhead. 
-This also implies browsers or apps on Windows 10 will no longer have direct access to above transports for FIDO-related messaging.
-
-#### Where can developers learn more?
-
-The new Windows 10 APIs are documented on [GitHub](https://github.com/Microsoft/webauthn)

windows/security/identity-protection/hello-for-business/hello-faq.yml

@@ -84,7 +84,7 @@ sections:
 
       - question: Can I use an external Windows Hello compatible camera when my computer has a built-in Windows Hello compatible camera?
         answer: |
-          Yes. Starting with Windows 10, version 21H1 an external Windows Hello compatible camera can be used if a device already supports an internal Windows Hello camera. When both cameras are present, the external camera is used for face authentication. For more information, see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103). However, using external Hello cameras and accessories is restricted if ESS is enabled, please see [Windows Hello Enhanced Sign-in Security](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security#pluggableperipheral-biometric-sensors).
+          Yes. Starting with Windows 10, version 21H1 an external Windows Hello compatible camera can be used if a device already supports an internal Windows Hello camera. When both cameras are present, the external camera is used for face authentication. For more information, see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103). However, using external Hello cameras and accessories is restricted if ESS is enabled, please see [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security#pluggableperipheral-biometric-sensors).
 
       - question: Can I use an external Windows Hello compatible camera or other Windows Hello compatible accessory when my laptop lid is closed or docked?
         answer: |
@@ -155,7 +155,7 @@ sections:
 
       - question: Where is Windows Hello biometrics data stored?
         answer: |
-            When you enroll in Windows Hello, a representation of your face called an enrollment profile is created more information can be found on [Windows Hello face authentication](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-face-authentication). This enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn’t roam, never leaves the module, and is never sent to Microsoft cloud or external server.  For more details see [Windows Hello biometrics in the enterprise](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored).
+            When you enroll in Windows Hello, a representation of your face called an enrollment profile is created more information can be found on [Windows Hello face authentication](/windows-hardware/design/device-experiences/windows-hello-face-authentication). This enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn't roam, never leaves the module, and is never sent to Microsoft cloud or external server.  For more details see [Windows Hello biometrics in the enterprise](/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored).
       
       - question: What is the format used to store Windows Hello biometrics data on the device?
         answer: |
@@ -261,5 +261,4 @@ sections:
           
       - question: Does Windows Hello for Business work with Azure Active Directory Domain Services (Azure AD DS) clients?
         answer: | 
-          No, Azure AD DS is a separately managed environment in Azure, and hybrid device registration with cloud Azure AD isn't available for it via Azure AD Connect. Hence, Windows Hello for Business doesn't work with Azure AD.
-
+          No, Azure AD DS is a separately managed environment in Azure, and hybrid device registration with cloud Azure AD isn't available for it via Azure AD Connect. Hence, Windows Hello for Business doesn't work with Azure AD DS.

windows/security/identity-protection/hello-for-business/toc.yml

@@ -21,6 +21,8 @@
       href: hello-how-it-works-provisioning.md
     - name: Authentication
       href: hello-how-it-works-authentication.md
+    - name: WebAuthn APIs
+      href: webauthn-apis.md
 - name: How-to Guides
   items:
   - name: Windows Hello for Business Deployment Overview

windows/security/identity-protection/hello-for-business/webauthn-apis.md

@@ -0,0 +1,122 @@
+---
+title: WebAuthn APIs 
+description: Learn how to use WebAuthn APIs to enable passwordless authentication for your sites and apps.
+ms.prod: m365-security
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
+ms.collection: M365-identity-device-management
+ms.topic: article
+localizationpriority: medium
+ms.date: 08/30/2022
+appliesto:
+- ✅ <b>Windows 10</b>
+- ✅ <b>Windows 11</b>
+---
+# WebAuthn APIs for passwordless authentication on Windows
+
+Passwords can leave your customers vulnerable to data breaches and security attacks by malicious users.
+
+Microsoft has long been a proponent of passwordless authentication, and introduced the W3C/Fast IDentity Online 2 (FIDO2) Win32 WebAuthn platform APIs in Windows 10 (version 1903).
+
+## What does this mean?
+
+By using WebAuthn APIs, developer partners and the developer community can use [Windows Hello](./index.yml) or [FIDO2 Security Keys](./microsoft-compatible-security-key.md) to implement passwordless multi-factor authentication for their applications on Windows devices.
+
+Users of these apps or sites can use any browser that supports WebAuthn APIs for passwordless authentication. Users will have a familiar and consistent experience on Windows, no matter which browser they use.
+
+Developers should use the WebAuthn APIs to support FIDO2 authentication keys in a consistent way for users. Additionally, developers can use all the transports that are available per FIDO2 specifications (USB, NFC, and BLE) while avoiding the interaction and management overhead.
+
+> [!NOTE]  
+> When these APIs are in use, Windows 10 browsers or apps don't have direct access to the FIDO2 transports for FIDO-related messaging.
+
+## The big picture
+
+Client to Authenticator Protocol 2 (CTAP2) and WebAuthn define an abstraction layer that creates an ecosystem for strongly authenticated credentials. In this ecosystem, any interoperable client (such as a native app or browser) that runs on a given client device uses a standardized method to interact with any interoperable authenticator. Interoperable authenticators include authenticators that are built into the client device (platform authenticators) and authenticators that connect to the client device by using USB, BLE, or NFC connections (roaming authenticators).
+
+The authentication process starts when the user makes a specific user gesture that indicates consent for the operation. At the request of the client, the authenticator securely creates strong cryptographic keys and stores them locally.
+
+After these client-specific keys are created, clients can request attestations for registration and authentication. The type of signature that the private key uses reflects the user gesture that was made.  
+
+The following diagram shows how CTAP and WebAuthn interact. The light blue dotted arrows represent interactions that depend on the specific implementation of the platform APIs.
+
+:::image type="content" source="images/webauthn-apis/webauthn-apis-fido2-overview.png" alt-text="The diagram shows how the WebAuthn API interacts with the relying parties and the CTAPI2 API.":::
+
+*Relationships of the components that participate in passwordless authentication*
+
+A combined WebAuthn/CTAP2 dance includes the following cast of characters:
+
+- **Client device**. The *client device* is the hardware that hosts a given strong authentication. Laptops and phones are examples of client devices.  
+
+- **Relying parties and clients**. *Relying parties* are web or native applications that consume strong credentials. The relying parties run on client devices.  
+
+  - As a relying party, a native application can also act as a WebAuthn client to make direct WebAuthn calls.
+  
+  - As a relying party, a web application can't directly interact with the WebAuthn API. The relying party must broker the deal through the browser.  
+  
+  > [!NOTE]  
+  > The preceding diagram doesn't depict single sign-on authentication. Be careful not to confuse FIDO relying parties with federated relying parties.
+
+- **WebAuthn API**. The *WebAuthn API* enables clients to make requests to authenticators. The client can request that the authenticator create a key, provide an assertion about a key, report capabilities, manage a PIN, and so on.
+
+- **CTAP2 platform/host**. The *platform* (also called the host in the CTAP2 spec) is the part of the client device that negotiates with authenticators. The platform is responsible for securely reporting the origin of the request and for calling the CTAP2 Concise Binary Object Representation (CBOR) APIs. If the platform isn't CTAP2-aware, the clients themselves take on more of the burden. In this case, the components and interactions of the preceding diagram may differ.
+
+- **Platform authenticator**. A *platform authenticator* usually resides on a client device. Examples of platform authenticators include fingerprint recognition technology that uses a built-in laptop fingerprint reader and facial recognition technology that uses a built-in smartphone camera. Cross-platform transport protocols such as USB, NFC or BLE can't access platform authenticators.
+
+- **Roaming authenticator**. A *roaming authenticator* can connect to multiple client devices. Client devices must use a supported transport protocol to negotiate interactions. Examples of roaming authenticators include USB security keys, BLE-enabled smartphone applications, and NFC-enabled proximity cards. Roaming authenticators can support CTAP1, CTAP2, or both protocols.
+
+Many relying parties and clients can interact with many authenticators on a single client device. A user can install multiple browsers that support WebAuthn, and might simultaneously have access to a built-in fingerprint reader, a plugged-in security key, and a BLE-enabled mobile app.
+
+## Interoperability
+
+Before there was WebAuthn and CTAP2, there was U2F and CTAP1. U2F is the FIDO Alliance universal second-factor specification. There are many authenticators that speak CTAP1 and manage U2F credentials. WebAuthn was designed to be interoperable with CTAP1 Authenticators. A relying party that uses WebAuthn can still use U2F credentials if the relying party doesn't require FIDO2-only functionality.
+
+FIDO2 authenticators have already implemented and WebAuthn relying parties might require the following optional features:
+
+- Keys for multiple accounts (keys can be stored per relying party)
+- Client PIN
+- Location (the authenticator returns a location)
+- [Hash-based Message Authentication Code (HMAC)-secret](/dotnet/api/system.security.cryptography.hmac) (enables offline scenarios)
+
+The following options and might be useful in the future, but haven't been observed in the wild yet:
+
+- Transactional approval
+- User verification index (servers can determine whether biometric data that's stored locally has changed over time)
+- User verification method (the authenticator returns the exact method)
+- Biometric performance bounds (the relying party can specify acceptable false acceptance and false rejection rates)
+
+## Microsoft implementation
+
+The Microsoft FIDO2 implementation has been years in the making. Software and services are implemented independently as standards-compliant entities. As of the Windows 10, version 1809 (October 2018) release, all Microsoft components use the latest WebAuthn Candidate Release. It's a stable release that's not expected to normatively change before the specification is finally ratified. Because Microsoft is among the first in the world to deploy FIDO2, some combinations of popular non-Microsoft components won't be interoperable yet.
+
+Here's an approximate layout of where the Microsoft bits go:  
+
+:::image type="content" source="images/webauthn-apis/webauthn-apis-fido2-overview-microsoft-version.png" alt-text="The diagram shows how the WebAuthn API interacts with the Microsoft relying parties and the CTAPI2 API.":::
+
+*Microsoft's implementation of WebAuthn and CATP2 APIs*
+
+- **WebAuthn relying party: Microsoft Account**. If you aren't familiar with Microsoft Account, it's the sign-in service for Xbox, Outlook, and many other sites. The sign-in experience uses client-side JavaScript to trigger Microsoft Edge to talk to the WebAuthn APIs. Microsoft Account requires that authenticators have the following characteristics:
+
+  - Keys are stored locally on the authenticator and not on a remote server
+  - Offline scenarios work (enabled by using HMAC)
+  - Users can put keys for multiple user accounts on the same authenticator
+  - If it's necessary, authenticators can use a client PIN to unlock a TPM
+  > [!IMPORTANT]  
+  > Because Microsoft Account requires features and extensions that are unique to FIDO2 CTAP2 authenticators, it doesn't accept CTAP1 (U2F) credentials.
+
+- **WebAuthn client: Microsoft Edge**. Microsoft Edge can handle the user interface for the WebAuthn and CTAP2 features that this article describes. It also supports the AppID extension. Microsoft Edge can interact with both CTAP1 and CTAP2 authenticators. This means that it can create and use both U2F and FIDO2 credentials. However, Microsoft Edge doesn't speak the U2F protocol. Therefore, relying parties must use only the WebAuthn specification. Microsoft Edge on Android doesn't support WebAuthn.
+
+  > [!NOTE]  
+  > For authoritative information about Microsoft Edge support for WebAuthn and CTAP, see [Legacy Microsoft Edge developer documentation](/microsoft-edge/dev-guide/windows-integration/web-authentication).
+
+- **Platform: Windows 10, Windows 11**. Windows 10 and Windows 11 host the Win32 Platform WebAuthn APIs.
+
+- **Roaming Authenticators**. You might notice that there's no *Microsoft* roaming authenticator. That's because there's already a strong ecosystem of products that specialize in strong authentication, and every one of our customers (whether corporations or individuals) has different requirements for security, ease of use, distribution, and account recovery. To see the ever-growing list of FIDO2 certified authenticators, see [FIDO Certified Products](https://fidoalliance.org/certification/fido-certified-products/). The list includes built-in authenticators, roaming authenticators, and even chip manufacturers who have certified designs.
+
+## Developer references
+
+The WebAuthn APIs are documented in the [Microsoft/webauthn](https://github.com/Microsoft/webauthn) GitHub repo. To understand how FIDO2 authenticators work, review the following two specifications:
+
+- [Web Authentication: An API for accessing Public Key Credentials](https://www.w3.org/TR/webauthn/) (available on the W3C site). This document is known as the WebAuthn spec.
+- [Client to Authenticator Protocol (CTAP)](https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html). This is available at the [FIDO Alliance](http://fidoalliance.org/) site, on which hardware and platform teams are working together to solve the problem of FIDO authentication.

windows/security/index.yml

@@ -133,13 +133,13 @@ landingContent:
       - linkListType: concept
         links:
         - text: Mobile device management
-          url: https://docs.microsoft.com/windows/client-management/mdm/
+          url: /windows/client-management/mdm/
         - text: Azure Active Directory
           url: https://www.microsoft.com/security/business/identity-access-management/azure-active-directory
         - text: Your Microsoft Account
           url: identity-protection/access-control/microsoft-accounts.md
         - text: OneDrive
-          url: https://docs.microsoft.com/onedrive/onedrive
+          url: /onedrive/onedrive
         - text: Family safety
           url: threat-protection/windows-defender-security-center/wdsc-family-options.md
 # Cards and links should be based on top customer tasks or top subjects
@@ -170,4 +170,3 @@ landingContent:
         links:
         - text: Windows and Privacy Compliance
           url: /windows/privacy/windows-10-and-privacy-compliance
-

windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md

@@ -31,7 +31,7 @@ Application Guard uses both network isolation and application-specific settings.
 These settings, located at `Computer Configuration\Administrative Templates\Network\Network Isolation`, help you define and manage your organization's network boundaries. Application Guard uses this information to automatically transfer any requests to access the non-corporate resources into the Application Guard container.
 
 > [!NOTE]
-> For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you don't need to configure network isolation policy to enable Application Guard for Microsoft Edge.
+> For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you don't need to configure network isolation policy to enable Application Guard for Microsoft Edge in managed mode.
 
 > [!NOTE]
 > You must configure either the Enterprise resource domains hosted in the cloud or Private network ranges for apps settings on your employee devices to successfully turn on Application Guard using enterprise mode. Proxy servers must be a neutral resource listed in the **Domains categorized as both work and personal** policy.
@@ -56,15 +56,15 @@ These settings, located at `Computer Configuration\Administrative Templates\Wind
 
 |Name|Supported versions|Description|Options|
 |-----------|------------------|-----------|-------|
-|Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher<p>Windows 10 Pro, 1803 or higher<p>Windows 11|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:<br/>- Disable the clipboard functionality completely when Virtualization Security is enabled.<br/>- Enable copying of certain content from Application Guard into Microsoft Edge.<br/>- Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.<p>**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.|
-|Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher<p>Windows 10 Pro, 1803 or higher<p>Windows 11|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:<br/>- Enable Application Guard to print into the XPS format.<br/>- Enable Application Guard to print into the PDF format.<br/>- Enable Application Guard to print to locally attached printers.<br/>- Enable Application Guard to print from previously connected network printers. Employees can't search for other printers.<br/><br/>**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
-|Allow Persistence|Windows 10 Enterprise, 1709 or higher<br><br>Windows 10 Pro, 1803 or higher<p>Windows 11|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.<p>**Disabled or not configured.** All user data within Application Guard is reset between sessions.<p>**NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.<p>**To reset the container:**<br/>1. Open a command-line program and navigate to `Windows/System32`.<br/>2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.<br/>3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.|
+|Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher<p>Windows 10 Pro, 1803 or higher<p>Windows 11|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** This is effective only in managed mode. Turns On the clipboard functionality and lets you choose whether to additionally:<br/>- Disable the clipboard functionality completely when Virtualization Security is enabled.<br/>- Enable copying of certain content from Application Guard into Microsoft Edge.<br/>- Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.<p>**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.|
+|Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher<p>Windows 10 Pro, 1803 or higher<p>Windows 11|Determines whether Application Guard can use the print functionality.|**Enabled.** This is effective only in managed mode. Turns On the print functionality and lets you choose whether to additionally:<br/>- Enable Application Guard to print into the XPS format.<br/>- Enable Application Guard to print into the PDF format.<br/>- Enable Application Guard to print to locally attached printers.<br/>- Enable Application Guard to print from previously connected network printers. Employees can't search for other printers.<br/><br/>**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
+|Allow Persistence|Windows 10 Enterprise, 1709 or higher<br><br>Windows 10 Pro, 1803 or higher<p>Windows 11|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.<p>**Disabled or not configured.** All user data within Application Guard is reset between sessions.<p>**NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.<p>**To reset the container:**<br/>1. Open a command-line program and navigate to `Windows/System32`.<br/>2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.<br/>3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.|
 |Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher<p>Windows 11|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering untrusted content in the Application Guard container. Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:<br/>- Enable Microsoft Defender Application Guard only for Microsoft Edge<br/>- Enable Microsoft Defender Application Guard only for Microsoft Office<br/>- Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office<br/><br/>**Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office. <br/><br/>**Note:** For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you are no longer required to configure network isolation policy to enable Application Guard for Edge.|
-|Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher<p>Windows 11|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.<p>**Disabled or not configured.** Users aren't able to save downloaded files from Application Guard to the host operating system.|
-|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher<br><br>Windows 10 Pro, 1803 or higher<p>Windows 11|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.<br><br>**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.|
-|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher<br><br>Windows 10 Pro, 1809 or higher<p>Windows 11|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.<p>**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.|
+|Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher<p>Windows 11|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** This is effective only in managed mode. Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.<p>**Disabled or not configured.** Users aren't able to save downloaded files from Application Guard to the host operating system.|
+|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher<br><br>Windows 10 Pro, 1803 or higher<p>Windows 11|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** This is effective only in managed mode. Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.<br><br>**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.|
+|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher<br><br>Windows 10 Pro, 1809 or higher<p>Windows 11|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.<p>**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.|
 |Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise, 1809 or higher<br><br>Windows 10 Pro, 1809 or higher<p>Windows 11|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.<p>**Disabled or not configured.** Certificates aren't shared with Microsoft Defender Application Guard.|
-|Allow auditing events in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher<br><br>Windows 10 Pro, 1809 or higher<p>Windows 11|This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard.|**Enabled.** Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host.<p>**Disabled or not configured.** event logs aren't collected from your Application Guard container.|
+|Allow auditing events in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher<br><br>Windows 10 Pro, 1809 or higher<p>Windows 11|This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host.<p>**Disabled or not configured.** Event logs aren't collected from your Application Guard container.|
  
 ## Application Guard support dialog settings
 

windows/whats-new/windows-11-prepare.md

@@ -103,29 +103,31 @@ If you use Microsoft Endpoint Manager and have onboarded devices to Endpoint ana
 
 ## Prepare a pilot deployment
 
-A pilot deployment is a proof of concept that rolls out an upgrade to a select number of devices in production, before deploying it broadly across the organization.  
+A pilot deployment is a proof of concept that rolls out an upgrade to a select number of devices in production, before deploying it broadly across the organization.
 
-At a high level, the tasks involved are: 
+At a high level, the tasks involved are:
 
-1. Assign a group of users or devices to receive the upgrade. 
-2. Implement baseline updates. 
-3. Implement operational updates. 
-4. Validate the deployment process. 
-5. Deploy the upgrade to devices. 
-6. Test and support the pilot devices. 
-7. Determine broad deployment readiness based on the results of the pilot. 
+1. Assign a group of users or devices to receive the upgrade.
+2. Implement baseline updates.
+3. Implement operational updates.
+4. Validate the deployment process.
+5. Deploy the upgrade to devices.
+6. Test and support the pilot devices.
+7. Determine broad deployment readiness based on the results of the pilot.
 
 ## User readiness
 
-Don't overlook the importance of user readiness to deliver an effective, enterprise-wide deployment of Windows 11. Windows 11 has a familiar design, but your users will see several enhancements to the overall user interface. They'll also need to adapt to changes in menus and settings pages. Therefore, consider the following tasks to prepare users and your IT support staff Windows 11: 
-- Create a communications schedule to ensure that you provide the right message at the right time to the right groups of users, based on when they'll see the changes. 
-- Draft concise emails that inform users of what changes they can expect to see. Offer tips on how to use or customize their experience. Include information about support and help desk options. 
-- Update help desk manuals with screenshots of the new user interface, the out-of-box experience for new devices, and the upgrade experience for existing devices. 
+Don't overlook the importance of user readiness to deliver an effective, enterprise-wide deployment of Windows 11. Windows 11 has a familiar design, but your users will see several enhancements to the overall user interface. They'll also need to adapt to changes in menus and settings pages. Therefore, consider the following tasks to prepare users and your IT support staff Windows 11:
+
+- Create a communications schedule to ensure that you provide the right message at the right time to the right groups of users, based on when they'll see the changes.
+- Draft concise emails that inform users of what changes they can expect to see. Offer tips on how to use or customize their experience. Include information about support and help desk options.
+- Update help desk manuals with screenshots of the new user interface, the out-of-box experience for new devices, and the upgrade experience for existing devices.
 
 ## Learn more
 
-See the [Stay current with Windows 10 and Microsoft 365 Apps](/learn/paths/m365-stay-current/) learning path on Microsoft Learn. 
-- The learning path was created for Windows 10, but the basic principles and tasks outlined for the plan, prepare, and deploy phases also apply to your deployment of Windows 11.  
+See the [Stay current with Windows 10 and Microsoft 365 Apps](/learn/paths/m365-stay-current/) learning path.
+
+- The learning path was created for Windows 10, but the basic principles and tasks outlined for the plan, prepare, and deploy phases also apply to your deployment of Windows 11.
 
 ## See also