update

2025-06-08 02:27:22 +00:00 · 2022-08-17 20:56:06 -04:00 · 2022-08-17 20:56:06 -04:00 · c794b2f5cd
commit c794b2f5cd
parent e1487c482f
8 changed files with 158 additions and 68 deletions
--- a/education/windows/school-deployment/configure-device-settings.md
+++ b/education/windows/school-deployment/configure-device-settings.md
@ -0,0 +1,115 @@
 ---
 title: Configure devices with Microsoft Intune
 description: Configure policies and applications in preparation to device deployment
 ms.date: 08/31/2022
 ms.prod: windows
 ms.technology: windows
 ms.topic: conceptual #reference troubleshooting how-to end-user-help overview (more in contrib guide)
 ms.localizationpriority: medium
 author: paolomatarazzo
 ms.author: paoloma
 #ms.reviewer: 
 manager: aaroncz
 ms.collection: education
 appliesto:
 - ✅ <b>Windows 10</b>
 - ✅ <b>Windows 11</b>
 - ✅ <b>Windows 11 SE</b>
 ---
 # Configure and secure devices with Microsoft Intune
 With Intune for Education, school IT administrators have access to diverse apps to help students unlock their learning potential. This section discusses tools and resources for adding apps to Intune for Education, assigning apps to groups, and managing device policies. 
 ## Configure device settings
 With Intune for Education, you can configure settings for users and devices in the school. Settings can be assigned to groups:
 - If you target settings to a **group of users**, those settings will apply, regardless of what managed devices the targeted users sign in to
 - If you target settings to a **group of devices**, those settings will apply regardless of who is using the devices
 There are two ways to manage settings in Intune for Education:
 - **Express Configuration.** Configure a selection of settings that are most used in school environments
 - **Group settings.** Configure all settings for any group of devices or users
 > [!NOTE]
 > Express Configuration is ideal when you are getting started. Settings are pre-configured to Microsoft-recommended values, but can be changed to fit your school's needs. It is recommended to use Express Configuration to initially set up your Windows devices.
 ### Configure settings with Express Configuration
 With Express Configuration, you can get Intune for Education up and running in just a few steps. You can select a group of devices or users, select applications to distribute, and choose settings from the most commonly used in schools.
 > [!TIP]
 > To learn more, and practice step-by-step Express Configuration in Intune for Education, try <a href="https://www.microsoft.com/en-us/education/interactive-demos/deploy-apps-and-policies" target="_blank"><b>this interactive demo</b></a>.
 ### Configure group settings
 Groups are used to manage users and devices with similar management needs, allowing you to apply changes to many devices or users at once. To review the available group settings:
 1. Sign in to the <a href="https://intuneeducation.portal.azure.com/" target="_blank"><b>Intune for Education portal</b></a>
 1. Select **Groups** > Pick a group to manage
 1. Select **Windows device settings**
 1. Expand the different categories and review information about individual settings
 For more information, see [Set up Intune for Education][INT-3].
 ## Create Windows Update policies
 Create update rings that specify how and when [feature and quality updates](/windows/deployment/update/get-started-updates-channels-tools) are applied to your Windows 10 and later devices. With Windows 11 SE, new features and quality updates include the content of all previous updates. If you have installed the latest update, you know your Windows devices are up to date.
 1. In the Microsoft Endpoint Manager admin center, select **Devices** → **Windows** → **Update rings for Windows 10 and later** → **Create Profile**. 
 #### [PICTURE HERE] Create Update rings page in Microsoft Endpoint Manager admin center
 1. Under **Basics**, specify a name and description (optional).
 1. Under **Update ring settings**, configure settings for your school needs. For more information, see [Windows Update settings](/mem/intune/protect/windows-update-settings) and [Creating and assigning update rings](/mem/intune/protect/windows-10-update-rings).
 **NOTE:** You can also create expedited quality updates for Windows 10 and later. This policy lets you expedite the installation of the most recent Windows security updates on Intune-managed devices. For more information, see [Create and assign an expedited quality update](/mem/intune/protect/windows-10-expedite-updates).
 ### Manage device policies
 You can manage the settings of several devices from a single touch point. For more information, see:
 - [Add Wi-Fi profiles](/intune-education/add-wi-fi-profile) 
 - [Add Take a Test profile](/intune-education/take-a-test-profiles) 
 - [View all Windows device settings ](/intune-education/all-edu-settings-windows)
 ## Endpoint security
 Intune for Education helps protect devices and school data with tools like security baselines and Windows Update policies. Through the Endpoint security node, you can configure device security and manage security tasks for devices at risk. The node configures and deploys Microsoft Defender for Endpoint to help prevent security breaches and gain visibility into your school's security posture. 
 ### Create security policies
 To create security policies in Intune for Education:
 1. In the [Microsoft Endpoint Manager admin center](https://intuneeducation.portal.azure.com/), select the **Endpoint security** node. 
 1. Under **Manage**, choose the policies you want to set from the included list. For more information, see [Antivirus](/mem/intune/protect/endpoint-security-antivirus-policy), [Disk encryption](/mem/intune/protect/endpoint-security-disk-encryption-policy), [Firewall](/mem/intune/protect/endpoint-security-firewall-policy), [Endpoint detection and response](/mem/intune/protect/endpoint-security-edr-policy), [Attack surface reduction](/mem/intune/protect/endpoint-security-asr-policy), and [Account protection](/mem/intune/protect/endpoint-security-account-protection-policy).
 1. Select **Create policy**. For more information, see [Creating an endpoint security policy](/mem/intune/protect/endpoint-security-policy).
 ### [PICTURE HERE] Endpoint security overview page in Microsoft Endpoint Manager
 ## Section review and next steps
 > [!div class="checklist"]
 > * Prerequisites
 > * Configure the Intune service for education devices
 > * Configure device settings
 > * Configure applications
 With the Intune service configured, you can configure policies and applications to deploy to your students' and teachers' devices.
 > [!div class="nextstepaction"]
 > [Next: Configure devices >](configure-devices.md)
 <!-- Reference links in article -->
 [EDU-1]: /education/windows/windows-11-se-overview
 [INT-2]: /intune-education/express-configuration-intune-edu
 [INT-3]: /microsoft-365/education/deploy/use-intune-for-education
 [INT-4]: /intune-education/add-desktop-apps-edu
 [INT-5]: /intune-education/add-web-apps-edu
--- a/education/windows/school-deployment/enroll-autopilot.md
+++ b/education/windows/school-deployment/enroll-autopilot.md
@ -16,44 +16,36 @@ appliesto:
 - ✅ <b>Windows 11</b>
 ---
-# Title
+# Windows Autopilot
 For more information, see [Overview of Windows Autopilot][MEM-1].
  > [!NOTE]
  > There are some limitations to Windows Autopilot in Windows 11 SE. For more information, see [**this article**][INT-1].
 ## Windows Autopilot
 Windows Autopilot is especially useful in scenarios where devices are handed out to users without the need to build, maintain, and apply custom operating system images. These devices will be enrolled as school-owned devices. 
 A cloud-based provisioning technology, Windows Autopilot can be used to set up and preconfigure devices at the start of the school year. There's no need to wipe devices or use custom OS images. The device must be preregistered, and the enrollment profile created and assigned in Intune for Education. When users sign in with their school account, they are automatically enrolled.
-**NOTE:** A fix for the known TPM attestation issue can now be addressed by using the latest Bare Metal Recovery (BMR) with 5b CU. For more information, see [Support tip: Recovering from Windows Autopilot error code 0x81039023 on Windows 11 SE](https://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-recovering-from-windows-autopilot-error-code/ba-p/3283743). 
+## Prerequisites
 ### Prerequisites
 Before setting up Windows Autopilot, consider these prerequisites:
- **Software requirements. Ensure your school and devices meet the** [**software, networking, licensing, and configuration requirements**](/windows/deployment/windows-autopilot/windows-autopilot-requirements)** for Windows Autopilot.**
+- **Software requirements. Ensure your school and devices meet the** [**software, networking, licensing, and configuration requirements**][WIN-1]** for Windows Autopilot.**
- **Devices ordered and registered.** Ensure your school IT administrator or Microsoft partner has ordered the devices from an original equipment manufacturer (OEM) and registered them for the Autopilot deployment service. We recommend that you connect with a partner through the [Microsoft Partner Center](https://partner.microsoft.com/) and work with them to register your devices.
+- **Devices ordered and registered.** Ensure your school IT administrator or Microsoft partner has ordered the devices from an original equipment manufacturer (OEM) and registered them for the Autopilot deployment service. We recommend that you connect with a partner through the [Microsoft Partner Center][MSFT-1] and work with them to register your devices.
- **Intune for Education tenant. Ensure your tenant for Intune for Education is set up. We recommend configuring your tenant with** [**School Data Sync**](#)**, as this method automatically creates Student and Teacher groups for each school, as well as a combined Teacher and Student group. It also creates tenant-wide All Teachers and All Student groups.**
+- **Networking requirements.** Ensure students know to connect to the school network during OOBE setup. For more information on managing devices behind firewalls and proxy servers, see [Network endpoints for Microsoft Intune][MEM-1].
 - **Networking requirements.** Ensure students know to connect to the school network during OOBE setup. For more information on managing devices behind firewalls and proxy servers, see [Network endpoints for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints). 
-**NOTE:** Where not explicitly specified, both HTTPS (443) and HTTP (80) must be accessible. If you are auto-enrolling your devices into Microsoft Intune or deploying Microsoft Office, follow the networking guidelines for [Microsoft Intune](/intune/network-bandwidth-use) and [Microsoft 365](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2).
+**NOTE:** Where not explicitly specified, both HTTPS (443) and HTTP (80) must be accessible. If you are auto-enrolling your devices into Microsoft Intune or deploying Microsoft Office, follow the networking guidelines for [Microsoft Intune][INT-1] and [Microsoft 365][M365-1].
 ### Register devices to Windows Autopilot
 Before deployment, devices must be registered with the Windows Autopilot deployment service. Each device's unique hardware identity (known as a *hardware hash*) is captured and uploaded to the Autopilot service, and the device is associated with an Azure tenant ID. There are three main ways to register devices to Autopilot:
 - **Complete the OEM registration process.** When you purchase devices from an OEM, that company can automatically register them with Windows Autopilot. Before an OEM can register devices, your school must grant permission. The OEM begins this process with approval granted by an Azure AD global administrator from the school. For Microsoft Surface registration, collect the details shown in this [documentation table](/surface/surface-autopilot-registration-support) before submitting the request to Microsoft Support. You can make requests using the [Microsoft Devices Autopilot Support](https://prod.support.services.microsoft.com/supportrequestform/0d8bf192-cab7-6d39-143d-5a17840b9f5f) form.
- **Manually register devices with Windows Autopilot.** To manually register a device, you must first capture its hardware hash. Once this process has been completed, the hardware hash can be uploaded to the Windows Autopilot service using [Microsoft Intune](/mem/autopilot/add-devices), [Partner Center](https://msdn.microsoft.com/partner-center/autopilot), [Microsoft 365 Business & Office 365 Admin](https://support.office.com/article/Create-and-edit-AutoPilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa), or the [Microsoft Store](https://apps.microsoft.com/store/apps).
+- **Manually register devices with Windows Autopilot.** To manually register a device, you must first capture its hardware hash. Once this process has been completed, the hardware hash can be uploaded to the Windows Autopilot service using [Microsoft Intune](/mem/autopilot/add-devices), [Partner Center](https://msdn.microsoft.com/partner-center/autopilot) or [Microsoft 365 Business & Office 365 Admin](https://support.office.com/article/Create-and-edit-AutoPilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa).
-**NOTE:** Windows 11 SE devices do not support the use of Windows PowerShell or Microsoft Configuration Manager to capture hardware hashes. Hardware hashes can only be captured manually. We recommend working with an OEM, partner, or device reseller to register devices. For more information, see [Set up devices with Autopilot](/intune-education/windows-autopilot-setup). 
+**NOTE:** Windows 11 SE devices do not support the use of Windows PowerShell or Microsoft Configuration Manager to capture hardware hashes. Hardware hashes can only be captured manually. We recommend working with an OEM, partner, or device reseller to register devices. For more information, see [Set up devices with Autopilot][EDU-1].
- **Allow a Cloud Solution Provider (CSP) to register devices.** Surface devices can be registered by device resellers (with active CSP partner status) as part of the ordering process. As with OEMs, CSP partners must be granted permission to register devices for a school. For more information, see this [Microsoft Partner Center clickable demo](https://cloudpartners.transform.microsoft.com/resources/autopilot-in-edu-setup-english).
+- **Allow a Cloud Solution Provider (CSP) to register devices.** Surface devices can be registered by device resellers (with active CSP partner status) as part of the ordering process. As with OEMs, CSP partners must be granted permission to register devices for a school. For more information, see this [Microsoft Partner Center clickable demo][MSFT-2].
 ### Set up the devices
-It's easy to set up Windows 11 SE devices with Windows Autopilot and Microsoft Endpoint Manager. First, you create a dynamic device group, and then you apply a Windows Autopilot deployment profile to each device in this group. Deployment profiles determine the deployment mode and customize the OOBE for your end users.
+First, you create a dynamic device group, and then you apply a Windows Autopilot deployment profile to each device in this group. Deployment profiles determine the deployment mode and customize the out-of-box experience of your devices.
 ### Create a dynamic device group
@ -147,9 +139,19 @@ ________________________________________________________
 > [< Enroll devices](enroll-overview.md)
 > [Manage devices >](manage-overview.md)
 <!-- Reference links in article -->
-
+[MEM-1]: /mem/intune/fundamentals/intune-endpoints
 [MEM-3]: /mem/intune/enrollment/windows-enrollment-status
 [WIN-1]: /windows/deployment/windows-autopilot/windows-autopilot-requirements
 [MSFT-1]: https://partner.microsoft.com/
 [MSFT-2]: https://cloudpartners.transform.microsoft.com/resources/autopilot-in-edu-setup-english
 [INT-1]: /intune/network-bandwidth-use
 [M365-1]: https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2
 [EDU-1]: /intune-education/windows-autopilot-setup
 [EDU-2]: /intune-education/windows-11-se-overview#windows-autopilot
--- a/education/windows/school-deployment/enroll-overview.md
+++ b/education/windows/school-deployment/enroll-overview.md
@ -22,8 +22,8 @@ appliesto:
 There are three methods for setting up Windows devices and enrolling them in your education tenant:
 - **Automatic Intune enrollment via Azure AD join.** This experience happens when a user first turns on a new device and it enables the user to customize certain Windows functionalities before reaching the desktop. When using this approach, users going through this flow will automatically become local administrators on the devices, which isn't ideal for education devices
- **Bulk enrollment with provisioning packages.** Provisioning packages are files that you can use to set up Windows devices. You can create provisioning packages using either **Set Up School PCs** or **Windows Configuration Designer** applications. One benefit of provisioning packages is that you can use them to set up Windows devices that aren't registered in Windows Autopilot. These files can be applied during or after the out-of-box experience.
+- **Bulk enrollment with provisioning packages.** Provisioning packages are files that you can use to set up Windows devices. You can create provisioning packages using either **Set Up School PCs** or **Windows Configuration Designer** applications. One benefit of provisioning packages is that you can use them to set up Windows devices that aren't registered in Windows Autopilot. These files can be applied during or after the out-of-box experience
- **Windows Autopilot** uses cloud services to set up and configure Windows devices with a zero-touch deployment approach. Windows Autopilot simplifies the Windows device lifecycle, from initial deployment to end of life, for OEMs, resellers, IT administrators and end users.
+- **Windows Autopilot** uses cloud services to set up and configure Windows devices with a zero-touch deployment approach. Windows Autopilot simplifies the Windows device lifecycle, from initial deployment to end of life, for OEMs, resellers, IT administrators and end users
 ## Choose the enrollment method
--- a/education/windows/school-deployment/enroll-package.md
+++ b/education/windows/school-deployment/enroll-package.md
@ -72,5 +72,6 @@ ________________________________________________________
 <!-- Reference links in article -->
 [EDU-1]: /education/windows/use-set-up-school-pcs-app
 [WIN-1]: /windows/configuration/provisioning-packages/provisioning-install-icd
 [WIN-2]: /windows/configuration/provisioning-packages/provisioning-apply-package
--- a/education/windows/school-deployment/manage-overview.md
+++ b/education/windows/school-deployment/manage-overview.md
@ -24,38 +24,10 @@ Microsoft Intune delivers streamlined remote management throughout the school ye
 With Intune for Education, you can manage groups, applications, resources, and individual needs of multiple students. There are several ways to manage students' devices, including organizing what groups they belong to; determining what apps they have access to; and configuring device settings, customizations, and restrictions. You can also monitor when users sign in and troubleshoot devices remotely.
 ## Managing groups
 By organizing students, classrooms, or learning curricula into groups, you can provide students with the resources they need, as well as manage several student devices all at once. 
 **NOTE:** Before you begin creating groups, it is a good idea to plan them out to determine what students may need from their devices. For example: 
 - For all devices, block apps from using location services.
 - For AP Computer Science, assign students apps to edit code.
 - For 12th grade History, enable web browsing to access academic articles.
 - For all Photography students, enable the device's camera.
 *Out of the box, Intune for Education comes with default groups that enable you to manage All devices and All users. There are also two additional groups if you use Microsoft SDS: All teachers and All students.  SDS also creates individual groups for students and teachers of specific schools, which fold under the All teachers and All students groups. Beyond the defaults, groups can be customized to suit various needs. For example, if you have both Windows and iOS devices in your school, you can create groups, such as All iPads and All Windows 10 PCs.* 
 Finally, two group types can be created: assigned groups and dynamic groups. Assigned groups are used when you want to manually add users or devices to a group. Dynamic groups reference rules that you create to assign students or devices to groups and then automate the assignment of devices to those groups.
 For more information, see:
 - [Create groups in Intune for Education](/intune-education/create-groups) 
 - [Edit a group name](/intune-education/edit-groups-intune-for-edu)
 - [Move a group up or down within your existing group list](/intune-education/edit-groups-intune-for-edu)
 - Delete a group to remove apps and settings from devices 
 - [Assign and delegate group admins](/intune-education/group-admin-delegate)
 - [Manually add or remove users and devices to an existing assigned group](/intune-education/edit-groups-intune-for-edu)
 - [Edit dynamic group rules to accommodate for new devices, locations, or school years](/intune-education/edit-groups-intune-for-edu)
 ## Remote assistance
 With devices managed by Intune for Education, you can remotely assist students and teachers with device issues. For more information, see [Remote assistance for managed devices - Intune for Education](/intune-education/remote-assist-mobile-devices).
 ## Manage device firmware for Surface devices
 Managing devices from the cloud has dramatically simplified IT deployment and provisioning. Surface devices are designed to use a unique Unified Extensible Firmware Interface (UEFI) setting that provides the ability to enable or disable built-in devices and components, protect UEFI settings from being changed, and adjust device boot settings. With [Device Firmware Configuration Interface profiles built into Intune](/intune/configuration/device-firmware-configuration-interface-windows), Surface UEFI management extends the modern management stack down to the UEFI hardware level. DFCI enables Windows to pass management commands from Intune to UEFI for Autopilot-deployed devices. DFCI also supports zero-touch provisioning, eliminates BIOS passwords, and provides control of security settings for boot options, cameras and microphones, built-in peripherals, and more. For more information, see [Manage DFCI with Windows Autopilot](/mem/autopilot/dfci-management) and [Manage DFCI on Surface devices](/surface/surface-manage-dfci-guide). Then, return to this document to continue with the steps below. 
--- a/education/windows/school-deployment/set-up-azure-ad.md
+++ b/education/windows/school-deployment/set-up-azure-ad.md
@ -165,7 +165,7 @@ ________________________________________________________
 With users and groups created, and licensed for Microsoft 365 Education, you can now configure Microsoft Intune.
 > [!div class="nextstepaction"]
-> [Next section: Set up Microsoft Intune >](set-up-microsoft-intune.md)
+> [Next: Set up Microsoft Intune >](set-up-microsoft-intune.md)
 <!-- Reference links in article -->
--- a/education/windows/school-deployment/set-up-microsoft-intune.md
+++ b/education/windows/school-deployment/set-up-microsoft-intune.md
@ -29,7 +29,10 @@ Microsoft Intune is one of the services provided by Microsoft Endpoint Manager.
 For more information, see [Intune for Education documentation][INT-1].
-In this section, you'll configure the Intune service to enroll and configure devices in your school.
+In this section you will:
 > [!div class="checklist"]
 > * Review Intune's licensing prerequisites
 > * Configure the Intune service for education devices
 ## Prerequisites
@ -86,16 +89,13 @@ ________________________________________________________
 ## Section review and next steps
 > [!div class="checklist"]
-> * Prerequisites
+> * Review Intune's licensing prerequisites
 > * Configure the Intune service for education devices
 > * Configure device settings
 > * Configure applications
-With the Intune service configured, you can start enrolling and managing students' and teachers' devices.
+With the Intune service configured, you can configure policies and applications in preparation to the deployment of students' and teachers' devices.
 > [!div class="nextstepaction"]
-> [< Previous section: Set up Azure AD](set-up-Azure-AD.md)
+> [Next: Configure devices >](configure-devices.md)
 > [Next section: Enroll devices >](enroll-overview.md)
 <!-- Reference links in article -->
@ -104,13 +104,7 @@ With the Intune service configured, you can start enrolling and managing student
 [MEM-4]: /mem/intune/protect/windows-hello#create-a-windows-hello-for-business-policy
 [INT-1]: /intune-education/what-is-intune-for-education
 [INT-2]: /intune-education/express-configuration-intune-edu
 [INT-3]: /microsoft-365/education/deploy/use-intune-for-education
 [INT-4]: /intune-education/add-desktop-apps-edu
 [INT-5]: /intune-education/add-web-apps-edu
 [MSFT-1]: https://www.microsoft.com/microsoft-365/enterprise-mobility-security
 [MSFT-2]: https://www.microsoft.com/licensing/product-licensing/microsoft-365-education
 [MSFT-3]: https://edudownloads.azureedge.net/msdownloads/Microsoft-Modern-Work-Plan-Comparison-Education_11-2021.pdf
 [EDU-1]: /education/windows/windows-11-se-overview
--- a/education/windows/school-deployment/toc.yml
+++ b/education/windows/school-deployment/toc.yml
@ -12,7 +12,13 @@ items:
      - name: Set up Microsoft Intune
        href: set-up-microsoft-intune.md
  - name: 2. Configure devices with Intune
    items:
      - name: Overview
        href: configure-devices-overview.md
      - name: Configure device settings
        href: configure-device-settings.md
      - name: Configure device applications
        href: configure-device-apps.md        
  - name: 3. Deploy devices
    items: 
      - name: Overview