From b1346a9431499d811fcad72839700f10b67bf428 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 10 Apr 2024 07:24:50 -0400 Subject: [PATCH] Acrolinx --- education/windows/change-home-to-edu.md | 54 +++++++++---------- .../windows/configure-aad-google-trust.md | 18 +++---- education/windows/edu-stickers.md | 6 +-- .../set-up-school-pcs-provisioning-package.md | 12 ++--- 4 files changed, 45 insertions(+), 45 deletions(-) diff --git a/education/windows/change-home-to-edu.md b/education/windows/change-home-to-edu.md index df9bd1d11f..88685f15ae 100644 --- a/education/windows/change-home-to-edu.md +++ b/education/windows/change-home-to-edu.md @@ -21,25 +21,25 @@ Customers with qualifying subscriptions can upgrade student-owned and institutio > [!NOTE] > To be qualified for this process, customers must have a Windows Education subscription that includes the student use benefit and must have access to the Volume Licensing Service Center (VLSC) or the Microsoft 365 Admin Center. -IT admins can upgrade student devices using a multiple activation key (MAK) manually or through Mobile Device Management (MDM). Alternatively, IT admins can set up a portal through [Kivuto OnTheHub](http://onthehub.com) where students can request a *Windows Pro Education* product key. The table below provides the recommended method depending on the scenario. +IT admins can upgrade student devices using a multiple activation key (MAK) manually or through Mobile Device Management (MDM). Alternatively, IT admins can set up a portal through [Kivuto OnTheHub](http://onthehub.com) where students can request a *Windows Pro Education* product key. The following table provides the recommended method depending on the scenario. | Method | Product key source | Device ownership | Best for | |-|-|-|-| | MDM | VLSC | Personal (student-owned) | IT admin initiated via MDM | -| Kivuto | Kivuto | Personal (student-owned) | Initiated on device by student, parent or guardian | +| Kivuto | Kivuto | Personal (student-owned) | Initiated on device by student, parent, or guardian | | Provisioning package | VLSC | Personal (student-owned) or Corporate (institution-owned) | IT admin initiated at first boot | These methods apply to devices with *Windows Home* installed; institution-owned devices can be upgraded from *Windows Professional* or *Windows Pro Edu* to *Windows Education* or *Windows Enterprise* using [Windows 10/11 Subscription Activation](/windows/deployment/windows-10-subscription-activation). ## User Notifications -Users aren't notified their device has been or will be upgraded to Windows Education when using MDM. It's the responsibility of the institution to notify their users. Institutions should notify their users that MDM will initiate an upgrade to Windows Education and this upgrade will give the institution extra capabilities, such as installing applications. +Users aren't notified when their device is upgraded to Windows Education when using MDM. It's the responsibility of the institution to notify their users. Institutions should notify their users that MDM initiates an upgrade to Windows Education, and that the upgrade gives the institution extra capabilities, such as installing applications. Device users can disconnect from MDM in the Settings app, to prevent further actions from being taken on their personal device. For instructions on disconnecting from MDM, see [Remove your Windows device from management](/mem/intune/user-help/unenroll-your-device-from-intune-windows). ## Why upgrade student-owned devices from Windows Home to Windows Education? -Some school institutions want to streamline student onboarding for student-owned devices using MDM. Typical MDM requirements include installing certificates, configuring WiFi profiles and installing applications. On Windows, MDM uses Configuration Service Providers (CSPs) to configure settings. Some CSPs aren't available on Windows Home, which can limit the capabilities. Some of the CSPs not available in Windows Home that can affect typical student onboarding are: +Some school institutions want to streamline student onboarding for student-owned devices using MDM. Typical MDM requirements include installing certificates, configuring WiFi profiles, and installing applications. On Windows, MDM uses Configuration Service Providers (CSPs) to configure settings. Some CSPs aren't available on Windows Home, which can limit the capabilities. Some of the CSPs not available in Windows Home that can affect typical student onboarding are: - [EnterpriseDesktopAppManagement](/windows/client-management/mdm/enterprisemodernappmanagement-csp) - which enables deployment of Windows installer or Win32 applications. - [DeliveryOptimization](/windows/client-management/mdm/policy-csp-deliveryoptimization) - which enables configuration of Delivery Optimization. @@ -48,11 +48,11 @@ A full list of CSPs are available at [Configuration service provider reference]( ## Requirements for using a MAK to upgrade from Windows Home to Windows Education -- Access to Volume Licensing Service Center (VLSC) or the Microsoft 365 Admin Center. +- Access to Volume Licensing Service Center (VLSC) or the Microsoft 365 Admin Center - A qualifying Windows subscription such as: - - Windows A3, or; - - Windows A5. -- A pre-installed and activated instance of Windows 10 Home or Windows 11 Home. + - Windows A3, or + - Windows A5 +- A preinstalled and activated instance of Windows 10 Home or Windows 11 Home You can find more information in the [Microsoft Product Terms](https://www.microsoft.com/licensing/terms/productoffering). @@ -67,20 +67,20 @@ IT admins with access to the VLSC or the Microsoft 365 Admin Center, can find th It's critical that MAKs are protected whenever they're used. The following processes provide the best protection for a MAK being applied to a device: -- Provisioning package by institution approved staff; -- Manual entry by institution approved staff (don't distribute the key via email); -- Mobile Device Management (like Microsoft Intune) via [WindowsLicensing CSP](/windows/client-management/mdm/windowslicensing-csp); +- Provisioning package by institution approved staff +- Manual entry by institution approved staff (don't distribute the key via email) +- Mobile Device Management (like Microsoft Intune) via [WindowsLicensing CSP](/windows/client-management/mdm/windowslicensing-csp) > [!IMPORTANT] > If you are using a Mobile Device Management product other than Microsoft Intune, ensure the key isn't accessible by students. -- Operating System Deployment processes with tools such as Microsoft Deployment Toolkit or Microsoft Configuration Manager. +- Operating System Deployment processes with tools such as Microsoft Deployment Toolkit or Microsoft Configuration Manager For a full list of methods to perform a Windows edition upgrade and more details, see [Windows 10 edition upgrade](/windows/deployment/upgrade/windows-10-edition-upgrades). -## Downgrading, resetting, reinstalling and graduation rights +## Downgrading, resetting, reinstalling, and graduation rights After upgrading from *Windows Home* to *Windows Education* there are some considerations for what happens during downgrade, reset or reinstall of the operating system. -The table below highlights the differences by upgrade product key type: +The following table highlights the differences by upgrade product key type: | Product Key Type | Downgrade (in-place) | Reset | Student reinstall | |-|-|-|-| @@ -93,19 +93,19 @@ It isn't possible to downgrade to *Windows Home* from *Windows Education* withou ### Reset -If the computer is reset, Windows Education will be retained. +If the computer is reset, Windows Education is retained. ### Reinstall -The Education upgrade doesn't apply to reinstalling Windows. Use the original Windows edition when reinstalling Windows. The original product key or [firmware-embedded product key](#what-is-a-firmware-embedded-activation-key) will be used to activate Windows. +The Education upgrade doesn't apply to reinstalling Windows. Use the original Windows edition when reinstalling Windows. The original product key or [firmware-embedded product key](#what-is-a-firmware-embedded-activation-key) is used to activate Windows. -If students require a *Windows Pro Education* key that can work on a new install of Windows, they should use [Kivuto OnTheHub](http://onthehub.com) to request a key prior to graduation. +If students require a *Windows Pro Education* key that can work on a new install of Windows, they should use [Kivuto OnTheHub](http://onthehub.com) to request a key before graduation. For details on product keys and reinstalling Windows, see [Find your Windows product key](https://support.microsoft.com/windows/find-your-windows-product-key-aaa2bf69-7b2b-9f13-f581-a806abf0a886). ### Resale -The license will remain installed on the device if resold and the same conditions above apply for downgrade, reset or reinstall. +The license remains installed on the device if resold and the same conditions apply for downgrade, reset, or reinstall. ## Step by step process for customers to upgrade student-owned devices using Microsoft Intune @@ -113,7 +113,7 @@ These steps provide instructions on how to use Microsoft Intune to upgrade devic ### Step 1: Create a Windows Home edition filter -These steps configure a filter that will only apply to devices running the *Windows Home edition*. This filter will ensure only devices running *Windows Home edition* are upgraded. For more information about filters, see [Create filters in Microsoft Intune](/mem/intune/fundamentals/filters). +These steps configure a filter that only applies to devices running the *Windows Home edition*, ensuring that only devices running *Windows Home edition* are upgraded. For more information about filters, see [Create filters in Microsoft Intune](/mem/intune/fundamentals/filters). - Start in the [**Microsoft Intune admin center**](https://go.microsoft.com/fwlink/?linkid=2109431) - Select **Tenant administration** > **Filters** @@ -157,7 +157,7 @@ These steps create and assign a Windows edition upgrade policy. For more informa :::image type="content" source="images/change-home-to-edu-windows-edition-upgrade-policy.png" alt-text="Example of configuring the Windows upgrade policy in Microsoft Intune"::: - Optionally select scope tags as required and select **Next** -- On the **assignments** screen; +- On the **assignments** screen: - Select **Add all devices** - Next to **All devices**, select **Edit filter** @@ -171,7 +171,7 @@ These steps create and assign a Windows edition upgrade policy. For more informa - Don't configure any applicability rules and select **next** - Review your settings and select **Create** -The edition upgrade policy will now apply to all existing and new Windows Home edition devices targeted. +The edition upgrade policy applies to all existing and new Windows Home edition devices targeted. ### Step 3: Report on device edition @@ -191,11 +191,11 @@ You can check the Windows versions of managed devices in the Microsoft Intune ad Increases to MAK Activation quantity can be requested by contacting [VLSC support](/licensing/contact-us) and may be granted by exception. A request can be made by accounts with the VLSC Administrator, Key Administrator, or Key Viewer permissions. The request should include the following information: -- Agreement/Enrollment Number or License ID and Authorization. -- Product Name (includes version and edition). -- Last five characters of the product key. -- The number of host activations required. -- Business Justification or Reason for Deployment. +- Agreement/Enrollment Number or License ID and Authorization +- Product Name (includes version and edition) +- Last five characters of the product key +- The number of host activations required +- Business Justification or Reason for Deployment ### What is a firmware-embedded activation key? @@ -205,7 +205,7 @@ A firmware-embedded activation key is a Windows product key that is installed in (Get-CimInstance -query 'select * from SoftwareLicensingService').OA3xOriginalProductKey ``` -If the device has a firmware-embedded activation key, it will be displayed in the output. Otherwise, the device doesn't have a firmware embedded activation key. Most OEM-provided devices designed to run Windows 8 or later will have a firmware-embedded key. +If the device has a firmware-embedded activation key, it's displayed in the output. Otherwise the device doesn't have a firmware embedded activation key. Most OEM-provided devices designed to run Windows 8 or later have a firmware-embedded key. A firmware embedded key is only required to upgrade using Subscription Activation, a MAK upgrade doesn't require the firmware embedded key. diff --git a/education/windows/configure-aad-google-trust.md b/education/windows/configure-aad-google-trust.md index 11c4d05d72..70857ead38 100644 --- a/education/windows/configure-aad-google-trust.md +++ b/education/windows/configure-aad-google-trust.md @@ -8,8 +8,8 @@ appliesto: # Configure federation between Google Workspace and Microsoft Entra ID -This article describes the steps required to configure Google Workspace as an identity provider (IdP) for Azure AD.\ -Once configured, users will be able to sign in to Microsoft Entra ID with their Google Workspace credentials. +This article describes the steps required to configure Google Workspace as an identity provider (IdP) for Microsoft Entra ID.\ +Once configured, users can sign in to Microsoft Entra ID with their Google Workspace credentials. ## Prerequisites @@ -27,11 +27,11 @@ To test federation, the following prerequisites must be met: > [!IMPORTANT] > Users require an email address defined in Google Workspace, which is used to match the users in Microsoft Entra ID. > For more information about identity matching, see [Identity matching in Microsoft Entra ID](federated-sign-in.md#identity-matching-in-microsoft-entra-id). -1. Individual Microsoft Entra accounts already created: each Google Workspace user will require a matching account defined in Microsoft Entra ID. These accounts are commonly created through automated solutions, for example: +1. Individual Microsoft Entra accounts already created: each Google Workspace user requires a matching account defined in Microsoft Entra ID. These accounts are commonly created through automated solutions, for example: - School Data Sync (SDS) - Microsoft Entra Connect Sync for environment with on-premises AD DS - PowerShell scripts that call the Microsoft Graph API - - Provisioning tools offered by the IdP - this capability is offered by Google Workspace through [auto-provisioning](https://support.google.com/a/answer/7365072) + - Provisioning tools offered by the IdP - Google Workspace offers [autoprovisioning](https://support.google.com/a/answer/7365072) @@ -42,12 +42,12 @@ To test federation, the following prerequisites must be met: 1. Select **Add app > Search for apps** and search for *microsoft* 1. In the search results page, hover over the *Microsoft Office 365 - Web (SAML)* app and select **Select** :::image type="content" source="images/google/google-admin-search-app.png" alt-text="Screenshot showing Google Workspace and the search button for Microsoft Office 365 SAML app."::: -1. On the **Google Identity Provider details** page, select **Download Metadata** and take note of the location where the **IdP metadata** - *GoogleIDPMetadata.xml* - file is saved, as it will be used to setup Microsoft Entra ID later +1. On the **Google Identity Provider details** page, select **Download Metadata** and take note of the location where the **IdP metadata** - *GoogleIDPMetadata.xml* - file is saved, as it's used to setup Microsoft Entra ID later 1. On the **Service provider detail's** page - Select the option **Signed response** - Verify that the Name ID format is set to **PERSISTENT** - - Depending on how the Microsoft Entra users have been provisioned in Microsoft Entra ID, you may need to adjust the **Name ID** mapping.\ - If using Google auto-provisioning, select **Basic Information > Primary email** + - Depending on how the Microsoft Entra users have been provisioned in Microsoft Entra ID, you might need to adjust the **Name ID** mapping.\ + If using Google autoprovisioning, select **Basic Information > Primary email** - Select **Continue** 1. On the **Attribute mapping** page, map the Google attributes to the Microsoft Entra attributes @@ -136,7 +136,7 @@ AdditionalProperties : {} From a private browser session, navigate to https://portal.azure.com and sign in with a Google Workspace account: 1. As username, use the email as defined in Google Workspace -1. The user will be redirected to Google Workspace to sign in -1. After Google Workspace authentication, the user will be redirected back to Microsoft Entra ID and signed in +1. The user is redirected to Google Workspace to sign in +1. After Google Workspace authentication, the user is redirected back to Microsoft Entra ID and signed in :::image type="content" source="images/google/google-sso.gif" alt-text="A GIF that shows the user authenticating the Azure portal using a Google Workspace federated identity."::: diff --git a/education/windows/edu-stickers.md b/education/windows/edu-stickers.md index 5101c1b3ce..889b10b393 100644 --- a/education/windows/edu-stickers.md +++ b/education/windows/edu-stickers.md @@ -25,7 +25,7 @@ With Stickers, students feel more attached to the device as they feel as if it's ## Enable Stickers -Stickers aren't enabled by default. Follow the instructions below to configure your devices using either Microsoft Intune or a provisioning package (PPKG). +Stickers aren't enabled by default. The following instructions describe how to configure your devices using either Microsoft Intune or a provisioning package (PPKG). #### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune) @@ -62,14 +62,14 @@ Content-Type: application/json ## How to use Stickers -Once the Stickers feature is enabled, the sticker editor can be opened by either: +Once the Stickers feature is enabled, open sticker editor by either: - using the contextual menu on the desktop and selecting the option **Add or edit stickers** - opening the Settings app > **Personalization** > **Background** > **Add stickers** :::image type="content" source="./images/win-11-se-stickers-menu.png" alt-text="Windows 11 SE desktop contextual menu to open the sticker editor" border="true"::: -Multiple stickers can be added from the picker by selecting them. The stickers can be resized, positioned or deleted from the desktop by using the mouse, keyboard, or touch. +Multiple stickers can be added from the picker by selecting them. The stickers can be resized, positioned, or deleted from the desktop by using the mouse, keyboard, or touch. :::image type="content" source="./images/win-11-se-stickers-animation.gif" alt-text="animation showing Windows 11 SE desktop with 4 pirate stickers being resized and moved" border="true"::: diff --git a/education/windows/set-up-school-pcs-provisioning-package.md b/education/windows/set-up-school-pcs-provisioning-package.md index d7d8e6bb74..8b49992af0 100644 --- a/education/windows/set-up-school-pcs-provisioning-package.md +++ b/education/windows/set-up-school-pcs-provisioning-package.md @@ -34,15 +34,15 @@ For a more detailed look at the policies, see the Windows article [Set up shared | Disk level caching | 50% | Sets 50% of total disk space to be used as the disk space threshold for account caching. | | Disk level deletion | For shared device setup, 25%; for single device-student setup, 0%. | When devices are optimized for shared use, the policy sets 25% of total disk space as the disk space threshold for account caching. When devices are optimized for use by a single student, the policy sets the value to 0% and doesn't delete accounts. | | Enable account manager | True | Enables automatic account management. | -| Inactive threshold | For shared device setup, 30 days; for single device-student setup, 180 days. | After 30 or 180 days, respectively, if an account hasn't signed in, it will be deleted. | +| Inactive threshold | For shared device setup, 30 days; for single device-student setup, 180 days. | After the threshold, if an account hasn't signed in, its user profile is deleted. | | Kiosk Mode AMUID | `Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App` | Configures the kiosk account on student devices to only run the Take a Test secure assessment browser. | | Kiosk Mode User Tile Display Text | Take a Test | Displays "Take a Test" as the name of the kiosk account on student devices. | | Restrict local storage | For shared device setup, True; for single device-student setup, False. | When devices are optimized for shared use across multiple PCs, this policy forces students to save to the cloud to prevent data loss. When your devices are optimized for use by a single student, this policy doesn't prevent students from saving on the PCs local hard drive. | | Maintenance start time | 0 - midnight | The maintenance start time when automatic maintenance tasks, such as Windows Update, run on student devices. | -| Max page file size in MB | 1024 | Sets the maximum size of the paging file to 1024 MB. Applies only to systems with less than 32-GB storage and at least 3 GB of RAM. | +| Max page file size in MB | 1024 | Sets the maximum size of the paging file to 1,024 MB. Applies only to systems with less than 32-GB storage and at least 3 GB of RAM. | | Set power policies | True | Prevents users from changing power settings and turns off hibernate. Also overrides all power state transitions to sleep, such as lid close. | | Sign in on resume | True | Requires the device user to sign in with a password when the PC wakes from sleep. | -| Sleep timeout | 3600 seconds | Specifies the maximum idle time before the PC should sleep. If you don't set sleep timeout, the default time, 3600 seconds (1 hour), is applied. | +| Sleep timeout | 3,600 seconds | Specifies the maximum idle time before the PC should sleep. If you don't set sleep timeout, the default time, 3,600 seconds (1 hour), is applied. | ## MDM and local group policies @@ -58,7 +58,7 @@ For a more detailed look of each policy listed, see [Policy CSP](/windows/client | Hide OOBE for desktop | True | Hides the interactive OOBE flow for Windows 10. | | Download Mode | 1 - HTTP blended with peering behind the same NAT | Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps, and App updates | | Select when Preview Builds and Feature Updates are received | 32 - Semi-annual Channel. Device gets feature updates from Semi-annual Channel | Specifies how frequently devices receive preview builds and feature updates. | -| Allow auto update | 4 - Auto-installs and restarts without device-user control | When an auto update is available, it auto-installs and restarts the device without any input or action from the device user. | +| Allow auto update | 4 - Autoinstalls and restarts without device-user control | When an auto update is available, it autoinstalls and restarts the device without any input or action from the device user. | | Configure automatic updates | 3 - Set to install at 3am | Scheduled time to install updates. | | Update power policy for cart restarts | 1 - Configured | Skips all restart checks to ensure that the reboot will happen at the scheduled install time. | | Select when Preview Builds and Feature Updates are received | 365 days | Defers Feature Updates for the specified number of days. When not specified, defaults to 365 days. | @@ -70,7 +70,7 @@ For a more detailed look of each policy listed, see [Policy CSP](/windows/client | Allow add provisioning package | Disabled | Students can't add and upload new provisioning packages to their device. | | Allow remove provisioning package | Disabled | Students can't remove packages that you've uploaded to their device, including the Set up School PCs app | | Start Layout | Enabled | Lets you specify the Start layout for users and prevents them from changing the configuration. | -| Import Edge Assets | Enabled | Import Microsoft Edge assets, such as PNG and JPG files, for secondary tiles on the Start layout. Tiles will appear as weblinks and will be tied to the relevant image asset files. | +| Import Microsoft Edge Assets | Enabled | Import Microsoft Edge assets, such as PNG and JPG files, for secondary tiles on the Start layout. Tiles will appear as weblinks and will be tied to the relevant image asset files. | | Allow pinned folder downloads | 1 - The shortcut is visible and disables the setting in the Settings app | Makes the Downloads shortcut on the Start menu visible to students. | | Allow pinned folder File Explorer | 1 - The shortcut is visible and disables the setting in the Settings app | Makes the File Explorer shortcut on the Start menu visible to students. | | Personalization | Deploy lock screen image | Set to the image you picked when you customized the lock screen during device setup. If you didn't customize the image, the computer will show the default. | @@ -112,7 +112,7 @@ The time it takes to install a package on a device depends on the: - Number of policies and apps within the package - Other configurations made to the device -Review the table below to estimate your expected provisioning time. A package that only applies Set Up School PC's default configurations will provision the fastest. A package that removes preinstalled apps, through CleanPC, will take much longer to provision. +Review the table below to estimate your expected provisioning time. A package that only applies Set Up School PC's default configurations provisions the fastest. A package that removes preinstalled apps, through CleanPC, will take longer to provision. | Configurations | Connection type | Estimated provisioning time | |--|--|--|