This commit is contained in:
Paolo Matarazzo
2022-08-23 14:32:24 -04:00
parent e739d602e1
commit abfd4104ff
5 changed files with 82 additions and 54 deletions

View File

@ -26,6 +26,12 @@ Applications can be assigned to groups:
- If you target apps to a **group of users**, the apps will be installed on any managed devices that the users sign into - If you target apps to a **group of users**, the apps will be installed on any managed devices that the users sign into
- If you target apps to a **group of devices**, the apps will be installed on those devices and available to any user who signs in - If you target apps to a **group of devices**, the apps will be installed on those devices and available to any user who signs in
In this section you will:
> [!div class="checklist"]
> * Add apps to Intune for Education
> * Assign apps to groups
> * Review some considerations for Windows 11 SE devices
## Add apps to Intune for Education ## Add apps to Intune for Education
Intune for Education supports the deployment of two types of Windows applications: **web apps** and **desktop apps**. Intune for Education supports the deployment of two types of Windows applications: **web apps** and **desktop apps**.
@ -74,6 +80,8 @@ The process to add Win32 applications to Intune is described in the article [Add
> - If you submitted a request to add your own app and it was approved, check that the app meets package requirements > - If you submitted a request to add your own app and it was approved, check that the app meets package requirements
> - If the app is not approved, it will not run on Windows 11 SE. In this case, you will have to verify if the app can run in a web browser, such as a web app or PWA > - If the app is not approved, it will not run on Windows 11 SE. In this case, you will have to verify if the app can run in a web browser, such as a web app or PWA
________________________________________________________
## Next steps ## Next steps
With the applications configured, you can now deploy students' and teachers' devices. With the applications configured, you can now deploy students' and teachers' devices.

View File

@ -35,12 +35,19 @@ There are two ways to manage settings in Intune for Education:
> [!NOTE] > [!NOTE]
> Express Configuration is ideal when you are getting started. Settings are pre-configured to Microsoft-recommended values, but can be changed to fit your school's needs. It is recommended to use Express Configuration to initially set up your Windows devices. > Express Configuration is ideal when you are getting started. Settings are pre-configured to Microsoft-recommended values, but can be changed to fit your school's needs. It is recommended to use Express Configuration to initially set up your Windows devices.
In this section you will:
> [!div class="checklist"]
> * Configure settings with Express Configuration
> * Configure group settings
> * Create Windows Update policies
> * Configure security policies
## Configure settings with Express Configuration ## Configure settings with Express Configuration
With Express Configuration, you can get Intune for Education up and running in just a few steps. You can select a group of devices or users, select applications to distribute, and choose settings from the most commonly used in schools. With Express Configuration, you can get Intune for Education up and running in just a few steps. You can select a group of devices or users, select applications to distribute, and choose settings from the most commonly used in schools.
> [!TIP] > [!TIP]
> To learn more, and practice step-by-step Express Configuration in Intune for Education, try <a href="https://www.microsoft.com/en-us/education/interactive-demos/deploy-apps-and-policies" target="_blank"><b>this interactive demo</b></a>. > To learn more, and practice step-by-step Express Configuration in Intune for Education, try <a href="https://www.microsoft.com/en-us/education/interactive-demos/deploy-apps-and-policies" target="_blank"><u>this interactive demo</u></a>.
## Configure group settings ## Configure group settings
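Review bot: the `<b>` to `<u>` swap inside the interactive-demo anchor only changes styling, so it is fine, but note that the demo link is the one place on the page using a raw `<a href="..." target="_blank">` while every other link is reference-style `[<u>text</u>][KEY]`; if the new-tab behaviour is not a requirement, converting it to the reference style keeps the link list at the bottom of the file as the single place URLs are maintained (the same raw-anchor pattern is added in the Autopilot file in this commit). The new checklist entries should mirror the H2 headings one-to-one: `Configure security policies` matches the heading renamed in the next hunk, so confirm `Create Windows Update policies` matches the updates heading, which falls outside the diff context shown here.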
@ -77,7 +84,7 @@ For more information, see [Updates and upgrade][INT-6].
> - [<u>What is Windows Update for Business?</u>][WIN-1] > - [<u>What is Windows Update for Business?</u>][WIN-1]
> - [<u>Manage Windows software updates in Intune</u>][MEM-1] > - [<u>Manage Windows software updates in Intune</u>][MEM-1]
## Endpoint security ## Configure security policies
It is critical to ensure that the devices you manage are secured using the different security technologies available in Windows. It is critical to ensure that the devices you manage are secured using the different security technologies available in Windows.
Intune for Education provides different settings to secure devices. Intune for Education provides different settings to secure devices.
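Review bot: renaming `## Endpoint security` to `## Configure security policies` changes the generated heading anchor, so any existing link to `#endpoint-security` from other pages will silently land at the top of this page; grep the docs set for that fragment before merging. The two unchanged lines below the heading, `It is critical to ensure that the devices you manage are secured using the different security technologies available in Windows.` and `Intune for Education provides different settings to secure devices.`, no longer contain the words "endpoint security", which is the name of the Intune blade that the `Attack surface reduction` and `Account protection` links in the following hunk point at; keeping the term in the first sentence preserves searchability without undoing the rename.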
@ -103,6 +110,8 @@ For more information, see [Security][INT-4].
> - [<u>Attack surface reduction</u>][MEM-6] > - [<u>Attack surface reduction</u>][MEM-6]
> - [<u>Account protection</u>][MEM-7] > - [<u>Account protection</u>][MEM-7]
________________________________________________________
## Next steps ## Next steps
With the Intune service configured, you can configure policies and applications to deploy to your students' and teachers' devices. With the Intune service configured, you can configure policies and applications to deploy to your students' and teachers' devices.

View File

@ -51,6 +51,8 @@ For more information, see:
- [Manually add or remove users and devices to an existing assigned group][EDU-2]] - [Manually add or remove users and devices to an existing assigned group][EDU-2]]
- [Edit dynamic group rules to accommodate for new devices, locations, or school years][EDU-3] - [Edit dynamic group rules to accommodate for new devices, locations, or school years][EDU-3]
________________________________________________________
## Next steps ## Next steps
With the groups created, you can configure policies and applications to deploy to your groups. With the groups created, you can configure policies and applications to deploy to your groups.
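Review bot: the unchanged context line two above the new rule, `- [Manually add or remove users and devices to an existing assigned group][EDU-2]]`, has a doubled closing bracket that renders as a literal `]` after the link text; since the file is being touched anyway, drop the extra bracket in the same commit rather than leaving it for a later fix.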

View File

@ -19,71 +19,79 @@ appliesto:
# Windows Autopilot # Windows Autopilot
Windows Autopilot is especially useful in scenarios where devices are handed out to users without the need to build, maintain, and apply custom operating system images. These devices will be enrolled as school-owned devices. Windows Autopilot is designed to simplify all parts of the lifecycle of Windows devices, for both IT and end users, from initial deployment through the eventual end of life. Leveraging cloud-based services, it can reduce the overall costs for deploying, managing, and retiring devices by reducing the amount of time that IT needs to spend on these processes and the amount of infrastructure that they need to maintain, while ensuring ease of use for all types of end users.
A cloud-based provisioning technology, Windows Autopilot can be used to set up and preconfigure devices at the start of the school year. There's no need to wipe devices or use custom OS images. The device must be preregistered, and the enrollment profile created and assigned in Intune for Education. When users sign in with their school account, they are automatically enrolled. Traditionally, IT pros spend a lot of time building and customizing images that will later be deployed to devices. Windows Autopilot introduces a new, simplified approach. Devices do not need to be re-imaged, rather they can be deployed with the OEM image, and customized using cloud-based services.
From the user's perspective, it only takes a few simple operations to make their device ready to use. The only interaction required from the end user is to set their language and regional settings, connect to a network, and verify their credentials. Everything beyond that is automated.
## Prerequisites ## Prerequisites
Before setting up Windows Autopilot, consider these prerequisites: Before setting up Windows Autopilot, consider these prerequisites:
- **Software requirements. Ensure your school and devices meet the** [**software, networking, licensing, and configuration requirements**][WIN-1]** for Windows Autopilot.** - **Software requirements.** Ensure your school and devices meet the [software, networking, licensing, and configuration requirements][WIN-1] for Windows Autopilot
- **Devices ordered and registered.** Ensure your school IT administrator or Microsoft partner has ordered the devices from an original equipment manufacturer (OEM) and registered them for the Autopilot deployment service. We recommend that you connect with a partner through the [Microsoft Partner Center][MSFT-1] and work with them to register your devices. - **Devices ordered and registered.** Ensure your school IT administrator or Microsoft partner has ordered the devices from an original equipment manufacturer (OEM) and registered them for the Autopilot deployment service. We recommend that you connect with a partner through the [Microsoft Partner Center][MSFT-1] and work with them to register your devices
- **Networking requirements.** Ensure students know to connect to the school network during OOBE setup. For more information on managing devices behind firewalls and proxy servers, see [Network endpoints for Microsoft Intune][MEM-1]. - **Networking requirements.** Ensure students know to connect to the school network during OOBE setup. For more information on managing devices behind firewalls and proxy servers, see [Network endpoints for Microsoft Intune][MEM-1]
**NOTE:** Where not explicitly specified, both HTTPS (443) and HTTP (80) must be accessible. If you are auto-enrolling your devices into Microsoft Intune or deploying Microsoft Office, follow the networking guidelines for [Microsoft Intune][INT-1] and [Microsoft 365][M365-1]. > [!NOTE]
> Where not explicitly specified, both HTTPS (443) and HTTP (80) must be accessible. If you are auto-enrolling your devices into Microsoft Intune or deploying Microsoft Office, follow the networking guidelines for [<u>Microsoft Intune</u>][INT-1] and [<u>Microsoft 365</u>][M365-1].
### Register devices to Windows Autopilot ## Register devices to Windows Autopilot
Before deployment, devices must be registered in the Windows Autopilot service. Each device's unique hardware identity (known as a *hardware hash*) must be uploaded, so that the Autopilot service can recognize which tenant devices belong to and which OOBE experience they should present to the users. There are three main ways to register devices to Autopilot: Before deployment, devices must be registered in the Windows Autopilot service. Each device's unique hardware identity (known as a *hardware hash*) must be uploaded to the Autopilot service, so that the Autopilot service can recognize which tenant devices belong to and which OOBE experience they should offer to the users. There are three main ways to register devices to Autopilot:
- **OEM registration process.** When you purchase devices from an OEM or Reseller, that company can automatically register devices to Windows Autopilot and associate them to your tenant. Before this registration can happen, a *Global Administrator* must grant the OEM/Reseller permissions to register devices. For more inrmation, see [Windows Autopilot customer consent][MEM-2]. - **OEM registration process.** When you purchase devices from an OEM or Reseller, that company can automatically register devices to Windows Autopilot and associate them to your tenant. Before this registration can happen, a *Global Administrator* must grant the OEM/Reseller permissions to register devices. For more information, see [OEM registration][MEM-2]
> [!NOTE] > [!NOTE]
> For **Microsoft Surface registration**, collect the details shown in this [<u>documentation table</u>][SURF-1] and follow the instruction to submit the request form to Microsoft Support. > For **Microsoft Surface registration**, collect the details shown in this [<u>documentation table</u>][SURF-1] and follow the instruction to submit the request form to Microsoft Support.
- **Cloud Solution Provider (CSP) registration process.** As with OEMs, CSP partners must be granted permission to register devices for a school. For more information, see [Partner registration][MEM-5]
> [!TIP]
> Try the <a href="https://cloudpartners.transform.microsoft.com/resources/autopilot-in-edu-setup-english" target="_blank"><u>Microsoft Partner Center clickable demo</u></a>, which provides detailed steps to establish a partner relationship and register devices.
- **Manual registration.** To manually register a device, you must first capture its hardware hash. Once this process has been completed, the hardware hash can be uploaded to the Windows Autopilot service using [Microsoft Intune][MEM-6]
> [!IMPORTANT]
> **Windows 11 SE** devices do not support the use of Windows PowerShell or Microsoft Configuration Manager to capture hardware hashes. Hardware hashes can only be captured manually. We recommend working with an OEM, partner, or device reseller to register devices.
- **Manually register devices with Windows Autopilot.** To manually register a device, you must first capture its hardware hash. Once this process has been completed, the hardware hash can be uploaded to the Windows Autopilot service using [Microsoft Intune](/mem/autopilot/add-devices), [Partner Center](https://msdn.microsoft.com/partner-center/autopilot) or [Microsoft 365 Business & Office 365 Admin](https://support.office.com/article/Create-and-edit-AutoPilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa). ## Create groups for Autopilot devices
**NOTE:** Windows 11 SE devices do not support the use of Windows PowerShell or Microsoft Configuration Manager to capture hardware hashes. Hardware hashes can only be captured manually. We recommend working with an OEM, partner, or device reseller to register devices. For more information, see [Set up devices with Autopilot][EDU-1]. **Windows Autopilot deployment profiles** determine the Autopilot *deployment mode* and define the out-of-box experience of your devices. A device group is required to assign a Windows Autopilot deployment profile to the devices.
For this task, it is recommended to create dynamic device groups using Autopilot attributes.
- **Allow a Cloud Solution Provider (CSP) to register devices.** Surface devices can be registered by device resellers (with active CSP partner status) as part of the ordering process. As with OEMs, CSP partners must be granted permission to register devices for a school. For more information, see this [Microsoft Partner Center clickable demo][MSFT-2].
### Set up the devices
First, you create a dynamic device group, and then you apply a Windows Autopilot deployment profile to each device in this group. Deployment profiles determine the deployment mode and customize the out-of-box experience of your devices.
### Create a group for your Autopilot devices
A device group is required to assign a Windows Autopilot deployment profile. You can create a group with a dynamic membership rule using Autopilot device attributes. Autopilot devices that meet these rules are automatically added to the group.
Here are the steps for creating a dynamic group for the devices that have an assigned Autopilot group tag: Here are the steps for creating a dynamic group for the devices that have an assigned Autopilot group tag:
1. Sign in to the <a href="https://intuneeducation.portal.azure.com/" target="_blank"><b>Intune for Education portal</b></a> 1. Sign in to the <a href="https://intuneeducation.portal.azure.com/" target="_blank"><b>Intune for Education portal</b></a>
1. Select **Groups** > Pick a group to manage 1. Select **Groups** > **Create group**
1. Select **Windows device settings** 1. Specify a **Group name** and select **Dynamic**
1. Expand the different categories and review information about individual settings 1. Under **Rules**, select **I want to manage: Devices** and use the clause **Where: Device group tag starts with**, specifying the required tag value
1. Select **Create group**
:::image type="content" source="./images/intune-education-autopilot-group.png" alt-text="Intune for Education - creation of a dynamic group for Autopilot devices" border="false":::
:::image type="content" source="./images/intune-education-autopilot-group.png" alt-text="Intune for Education - creation of a dynamic group for Autopilot devices" border="false"::: More advanced dynamic membership rules can be created from Microsoft Endpoint Manager admin center. For more information, see [Create an Autopilot device group using Intune][MEM-3].
More advanced dynamic membership rules can be created from Microsoft Endpoint Manager admin center. For more information, see [](). > [!TIP]
> You can use these dynamic groups not only to assign Autopilot profiles, but also to target applications and settings.
### Create an Autopilot deployment profile ## Create Autopilot deployment profiles
For Autopilot devices to offer a customized OOBE experience, you must create **deployment profiles** and assign them to a group containing the devices. For Autopilot devices to offer a customized OOBE experience, you must create **Windows Autopilot deployment profiles** and assign them to a group containing the devices.
A deployment profile is a set of settings that determine the behavior of the device during OOBE. A deployment profile is a collection of settings that determine the behavior of the device during OOBE. Among other settings, a deployment profile specifies a **deployment mode**, which can either be:
1. **User-driven:** devices with this profile are associated with the user enrolling the device. User credentials are required to complete the Azure AD join process during OOBE
1. **Self-deploying:** devices with this profile are not associated with the user enrolling the device. User credentials are not required to complete the Azure AD join process. Rather, the device is joined automatically and, for this reason, specific hardware requirements must be met to use this mode.
1. **User-driven:** Devices with this profile are associated with the user enrolling the device. User credentials are required to enroll the device.
1. **Self-deploying:** Devices with this profile are not associated with the user enrolling the device. User credentials are not required to enroll the device.
To learn more about deployment profiles, see [Windows Autopilot deployment profiles](/mem/autopilot/profiles).
To create an Autopilot deployment profile: To create an Autopilot deployment profile:
More advanced Autopilot deployment profiles can be created from Microsoft Endpoint Manager admin center. For more information, see [](). 1. Sign in to the <a href="https://intuneeducation.portal.azure.com/" target="_blank"><b>Intune for Education portal</b></a>
1. Select **Groups** > Select a group from the list
1. Select **Windows device settings**
1. Expand the **Enrolment** category
1. From **Configure Autopilot deployment profile for device** select **User-driven**
1. Ensure that **User account type** is configured as **Standard**
1. Select **Save**
While Intune for Education offers simple options for Autopilot configurations, more advanced deployment profiles can be created from Microsoft Endpoint Manager admin center. For more information, see [Windows Autopilot deployment profiles][MEM-4].
### Configure an Enrollment Status Page ### Configure an Enrollment Status Page
An Enrollment Status Page (ESP) is a greeting page displayed to users while enrolling or signing in for the first time to Windows devices. The ESP displays provisioning progress, showing applications and profiles installation status. An Enrollment Status Page (ESP) is a greeting page displayed to users while enrolling or signing in for the first time to Windows devices. The ESP displays provisioning progress, showing applications and profiles installation status.
Some Windows Autopilot deployment profiles require the ESP to be configured.
To deploy the ESP to devices, you need to create an ESP profile in Microsoft Endpoint Manager. To deploy the ESP to devices, you need to create an ESP profile in Microsoft Endpoint Manager.
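Review bot: the new `> [!IMPORTANT]` callout states that Windows 11 SE devices `do not support the use of Windows PowerShell or Microsoft Configuration Manager to capture hardware hashes. Hardware hashes can only be captured manually.` but never says what a manual capture consists of, and the old text's pointer `For more information, see [Set up devices with Autopilot][EDU-1].` that covered it is dropped here, together with the `[EDU-1]` definition in the link list further down; either describe the manual path in a sentence or keep that link next to the callout. Three smaller points in the same hunk: the two deployment modes introduced by `Among other settings, a deployment profile specifies a **deployment mode**, which can either be:` are alternatives, not steps, so they should be `-` bullets rather than a `1.`-numbered list; the `Self-deploying` entry says `specific hardware requirements must be met to use this mode` without naming them, and a reader choosing between modes needs to know this mode depends on TPM 2.0 device attestation, so state that or link `[MEM-4]` at that exact point; and the step `Expand the **Enrolment** category` uses the British spelling while the rest of the page writes `Enrollment`, so check the actual portal label and make the two agree.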
@ -94,20 +102,21 @@ For more information, see [Set up the Enrollment Status Page][MEM-3].
> [!CAUTION] > [!CAUTION]
> When targeting an ESP to **Windows 11 SE devices**, only approved apps should be included as part of the ESP configuration. > When targeting an ESP to **Windows 11 SE devices**, only approved apps should be included as part of the ESP configuration.
## branding reference here
### Autopilot end-user experience ### Autopilot end-user experience
Once configuration is complete and devices are distributed, students and teachers are able to complete device setup with Autopilot. They can set up their devices at home, at school, or wherever there is a reliable network. After a user turns on the device and signs in with their school account, enrollment automatically starts. Once configuration is complete and devices are distributed, students and teachers are able to complete the out-of-box experience with Autopilot. They can set up their devices at home, at school, or wherever there is a reliable Internet connection.
When a Windows device is turned on for the first time, the end-user experience with Windows Autopilot is as follows:
When a Windows 11 SE device is turned on for the first time, the end-user experience with Windows Autopilot using a Wi-Fi connection is as follows: 1. Identify the language and region
1. Select the keyboard layout and decide on the option for a second keyboard layout
1. Connect to the internet: if connecting through Wi-Fi, the user will be prompted to connect to a wireless network. If the device is connected through an ethernet cable, Windows will skip this step
1. Apply updates: the device will look for and apply required updates
1. Windows will detect if the device has an Autopilot profile assigned to it. If so, it will proceed with the customized OOBE experience. If the Autopilot profile specifies a naming convention for the device, the device will be renamed and a reboot will occur
1. The user authenticates to Azure AD, using the school account
1. The device joins Azure AD, enrolls in Intune and all the settings and applications are configured
1. Identify the language and region. > [!NOTE]
1. Select the keyboard layout and decide on the option for a second keyboard layout. > Some of these steps may be skipped, depending on the Autopilot profile configuration and if the device is using a wired connection.
1. Connect to the internet. Windows will verify network connectivity to the internet. If connecting through Wi-Fi, the user will be prompted to connect to a wireless network. If the device is connected through an ethernet cable, Windows will skip this step.
1. Wait for detection. Windows will detect that the device has an Autopilot profile assigned and belongs to your school.
1. Enter the email address and password associated with your school account.
1. Apply updates. Once connected, the Windows 11 SE device will look for and apply required updates.
1. Sign in on the school-branded welcome screen. Users need only their school account credentials. No local administrator permissions are required.
________________________________________________________ ________________________________________________________
## Next steps ## Next steps
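Review bot: the rewritten end-user walkthrough drops the old closing step `Sign in on the school-branded welcome screen. Users need only their school account credentials. No local administrator permissions are required.`; that last sentence is the security point of the whole flow (it is what setting `User account type` to `Standard` in the profile step above actually buys you), and the new list now ends at `The device joins Azure AD, enrolls in Intune and all the settings and applications are configured` without it, so carry the statement over, for example as a sentence after the final step. Two further points: `## branding reference here` reads as a placeholder heading, so confirm it is on the removed side of this hunk and not shipped in the new text; and in the new note, `depending on the Autopilot profile configuration and if the device is using a wired connection` should read `and on whether the device is using a wired connection`.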
@ -120,19 +129,20 @@ With the devices joined to Azure AD tenant and managed by Intune, you can use In
<!-- Reference links in article --> <!-- Reference links in article -->
[MEM-1]: /mem/intune/fundamentals/intune-endpoints [MEM-1]: /mem/intune/fundamentals/intune-endpoints
[MEM-3]: /mem/intune/enrollment/windows-enrollment-status [MEM-2]: /mem/autopilot/oem-registration
[MEM-2]: /mem/autopilot/registration-auth [MEM-3]: /mem/autopilot/enrollment-autopilot#create-an-autopilot-device-group-using-intune
[MEM-4]: /mem/autopilot/profiles
[MEM-5]: /mem/autopilot/partner-registration
[MEM-6]: /mem/autopilot/add-devices
[WIN-1]: /windows/deployment/windows-autopilot/windows-autopilot-requirements [WIN-1]: /windows/deployment/windows-autopilot/windows-autopilot-requirements
[MSFT-1]: https://partner.microsoft.com/ [MSFT-1]: https://partner.microsoft.com/
[MSFT-2]: https://cloudpartners.transform.microsoft.com/resources/autopilot-in-edu-setup-english
[INT-1]: /intune/network-bandwidth-use [INT-1]: /intune/network-bandwidth-use
[M365-1]: https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2 [M365-1]: https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2
[EDU-1]: /intune-education/windows-autopilot-setup
[EDU-2]: /intune-education/windows-11-se-overview#windows-autopilot [EDU-2]: /intune-education/windows-11-se-overview#windows-autopilot
[SURF-1]: /surface/surface-autopilot-registration-support [SURF-1]: /surface/surface-autopilot-registration-support
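Review bot: `[MEM-3]` is repointed from `/mem/intune/enrollment/windows-enrollment-status` to `/mem/autopilot/enrollment-autopilot#create-an-autopilot-device-group-using-intune`, but the unchanged sentence that heads the previous hunk, `For more information, see [Set up the Enrollment Status Page][MEM-3].`, still uses that key, so after this commit the ESP link sends readers to the device-group section instead of the ESP page. Give the ESP page its own key carrying the old target and use `[MEM-3]` only for the new `Create an Autopilot device group using Intune` link. Also check whether `[EDU-2]` is still cited anywhere in the new text now that `[EDU-1]` and `[MSFT-2]` have been removed; an unreferenced definition is harmless to the build, but the link list should stay in step with the article.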

View File

@ -149,8 +149,7 @@ To allow provisioning packages to complete the Azure AD Join process:
> [!NOTE] > [!NOTE]
> If it is required that only specific users can join devices to Azure AD, select **Selected**. Ensure that the user account that will create provisioning packages is included in the list of users. > If it is required that only specific users can join devices to Azure AD, select **Selected**. Ensure that the user account that will create provisioning packages is included in the list of users.
1. Select Save 1. Select Save
:::image type="content" alt-text="Configure device settings from Microsoft Entra admin center." source="images/entra-device-settings.png":::
:::image type="content" alt-text="Configure device settings from Microsoft Entra admin center." source="images/entra-device-settings.png":::
________________________________________________________ ________________________________________________________
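Review bot: removing the duplicated `:::image type="content" alt-text="Configure device settings from Microsoft Entra admin center." source="images/entra-device-settings.png":::` line is correct and leaves a single image. While here, the context step `1. Select Save` should bold the control name as `**Save**`, matching `**Selected**` in the note two lines above and the `Select **Save**` wording used in the Autopilot profile steps elsewhere in this commit.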