diff --git a/education/windows/TOC.md b/education/windows/TOC.md index 99abf98502..fa05afcd2e 100644 --- a/education/windows/TOC.md +++ b/education/windows/TOC.md @@ -1,5 +1,5 @@ # [Windows 10 for education](index.md) -## [Use Set up School PCs app](use-set-up-school-pcs-app.md) +## [Use the Set up School PCs app](use-set-up-school-pcs-app.md) ## [Set up students' PCs to join domain](set-up-students-pcs-to-join-domain.md) ## [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) ## [Chromebook migration guide](chromebook-migration-guide.md) \ No newline at end of file diff --git a/education/windows/images/app1.jpg b/education/windows/images/app1.jpg new file mode 100644 index 0000000000..cb7f499183 Binary files /dev/null and b/education/windows/images/app1.jpg differ diff --git a/education/windows/images/oobe.jpg b/education/windows/images/oobe.jpg new file mode 100644 index 0000000000..53a5dab6bf Binary files /dev/null and b/education/windows/images/oobe.jpg differ diff --git a/education/windows/images/prov.jpg b/education/windows/images/prov.jpg new file mode 100644 index 0000000000..1593ccb36b Binary files /dev/null and b/education/windows/images/prov.jpg differ diff --git a/education/windows/images/setupmsg.jpg b/education/windows/images/setupmsg.jpg new file mode 100644 index 0000000000..12935483c5 Binary files /dev/null and b/education/windows/images/setupmsg.jpg differ diff --git a/education/windows/images/signin.jpg b/education/windows/images/signin.jpg new file mode 100644 index 0000000000..ad31bb31c4 Binary files /dev/null and b/education/windows/images/signin.jpg differ diff --git a/education/windows/images/signinprov.jpg b/education/windows/images/signinprov.jpg new file mode 100644 index 0000000000..dccd7e98e2 Binary files /dev/null and b/education/windows/images/signinprov.jpg differ 
diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md new file mode 100644 index 0000000000..0daa935fc1 --- /dev/null +++ b/education/windows/set-up-school-pcs-technical.md @@ -0,0 +1,112 @@ +--- +title: Set up School PCs app technical reference +description: Describes the changes that the app makes to a PC. +keywords: ["shared cart", "shared PC", "school"] +ms.prod: W10 +ms.mktglfcycl: plan +ms.sitesec: library +author: jdeckerMS +--- + +# Technical reference for the Set up School PCs app +**Applies to:** + +- Windows 10 Insider Preview + + +> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] + +The Set up School PCs app helps you set up new computers running Windows 10, version 1607. + +If your school uses Azure Active Directory (Azure AD) or Office 365, the **Set up School PCs** app will create a setup file that connects the computer to your subscription. You can also use the app to set up school PCs that anyone can use, with or without Internet connectivity. + +The following table tells you what you get using the **Set up School PCs** app in your school. + +| Feature | No Internet | Azure AD | Office 365 | Azure AD Premium | +| --- | :---: | :---: | :---: | :---: | +| **Fast sign-in**
Each student can sign in and start using the computer in less than a minute, even on their first sign-in. | X | X | X | X | +| **Custom Start experience**\*
The apps students need are pinned to Start, and unncessary apps are removed. | X | X | X | X | +| **Temporary access, no sign-in required**
This option sets up computers for common use. Anyone can use the computer without an account. | X | X | X | X | +| **School policies**\*
Settings specific to education create a useful learning environment and the best computer performance. | X | X | X | X | +| **Azure AD Join**
The computers are joined to your Azure AD or Office 365 subscription for centralized management. | | X | X | X | +| **Single sign-on to Office 365**
By signing on with student IDs, students have fast access to Office 365 web apps. | | | X | X | +| **[Settings roaming](https://azure.microsoft.com/en-us/documentation/articles/active-directory-windows-enterprise-state-roaming-overview/) via Azure AD**
Student user and application settings data can be synchronized across devices for a personalized experience. | | | | X | +| | | | | | +\* Feature applies to Windows 10 Pro for Education, Windows 10 Enterprise, and Windows 10 Enterprise for EDU + +> **Note**: If your school only uses traditional domains through Active Directory, [use Windows Imaging and Configuration Designer](set-up-students-pcs-to-join-domain.md) to configure your PCs. You can only use the Set up School PCs app to set up PCs that are not connected to your traditional domain. + +## Prerequisites for IT + +* If your school uses Azure AD, [configure your directory to allow devices to join](https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-setup/). If the teacher is going to set up a lot of devices, give her appropriate privileges or make a special account. +* Office 365, which includes online versions of Office apps plus 1 TB online storage and [Microsoft Classroom](https://classroom.microsoft.com/), is free for teachers and students. [Sign up your school for Office 365 Education.](https://products.office.com/en-us/academic/office-365-education-plan) +* If your school has an Office 365 Education subscription, it includes a free Azure AD subscription. [Register your free Azure AD subscription.](https://msdn.microsoft.com/en-us/library/windows/hardware/mt703369%28v=vs.85%29.aspx) +* After you set up your Office 365 Education tenant, use [Microsoft School Data Sync Preview](https://sis.microsoft.com/) to sync user profiles and class rosters from your Student Information System. + + +## Information about Windows Update + +It is the intent of the shared PC mode to always be up to date. 
If using the **Set up School PCs** app, Shared PC mode configures the power states and Windows Update to : +* Wake nightly +* Check and install updates +* Forcibly reboot if necessary to finish applying updates + +However, the PC is also configured to not interrupt the user during normal daytime hours with updates or reboots. + +## Guidance for accounts on shared PCs + +* On a Windows PC joined to Azure Active Directory + * By default, the account that joined the PC to AAD will have an admin account on that PC, and well as Global Administrators of the domain. + * With Azure AD Premium, which accounts have admin accounts on a PC can be specified via the Additional administrators on Azure AD Joined devices setting on the Azure portal. +* If shared PC mode with the account manager turned on is set up on a PC that is already in use, existing local accounts will not be deleted. However, all other local accounts created after Shared PC mode is turned on will automatically be deleted at sign off, including admin accounts. + * Ensure the PC is joined to a domain that enables accounts to be signed on as admin, or + * Create admin accounts before enabling Shared PC mode, or + * Create exempt accounts before signing off. +* The account management service supports accounts that are exempt from deletion. + * An account can be marked exempt from deletion by adding the account SID to the **HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\** registry key. 
+ * To add the account SID to the registry key using PowerShell: + * $adminName = "LocalAdmin" + * $adminPass = 'Pa$$word123' + * iex "net user /add $adminName $adminPass" + * $user = New-Object System.Security.Principal.NTAccount($adminName) + * $sid = $user.Translate([System.Security.Principal.SecurityIdentifier]) + * $sid = $sid.Value; + * New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\$sid" -Force +* It is recommended to not have any local admin accounts on the PC to improve the reliability and security of the PC. + + + +## Provisioning package details + +The **Set up School PCs** app produces a specialized provisioning package that makes use of the SharedPC configuration service provider (CSP). + + +* Uninstalled apps + * 3D Builder (Microsoft.3DBuilder_8wekyb3d8bbwe) + * ? (Microsoft.Appconnector_8wekyb3d8bbwe) + * Money (Microsoft.BingFinance_8wekyb3d8bbwe) + * News (Microsoft.BingNews_8wekyb3d8bbwe) + * Sports (Microsoft.BingSports_8wekyb3d8bbwe) + * Weather (Microsoft.BingWeather_8wekyb3d8bbwe) + * Phone dialer (Microsoft.CommsPhone_8wekyb3d8bbwe) + * ? (Microsoft.ConnectivityStore_8wekyb3d8bbwe) + * Get Started (Microsoft.Getstarted_8wekyb3d8bbwe) + * Microsoft Office Hub (Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) + * Solitaire (Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) + * Skype (Microsoft.SkypeApp_kzf8qxf38zg5c) + * ? (Microsoft.WindowsPhone_8wekyb3d8bbwe) + * Xbox (Microsoft.XboxApp_8wekyb3d8bbwe) + * Xbox (Microsoft.XboxIdentityProvider_8wekyb3d8bbwe) + * Groove (Microsoft.ZuneMusic_8wekyb3d8bbwe) + * Movies and TV (Microsoft.ZuneVideo_8wekyb3d8bbwe) + * Outlook Mail and Calendar (microsoft.windowscommunicationsapps_8wekyb3d8bbwe) +* Local Group Policies + +> **Important**: It is not recommended to set additional policies on PCs configured with the **Set up School PCs** app. The shared PC mode has been optimized to be fast and reliable over time with minimal to no manual maintenance required + + +

Policy name

Value

When set

Admin Templates>Control Panel>Personalization

Prevent enabling lock screen slide show

Enabled

Always

Do not display the lock screen

Enabled

Only on Windows 10 Pro for EDU, Enterprise, Enterprise for EDU

Always

Prevent changing lock screen and logon image

Enabled

Always

Admin Templates>System>Power Management>Button Settings

Select the Power button action (plugged in)

Sleep

SetPowerPolicies=True

Select the Power button action (on battery)

Sleep

SetPowerPolicies=True

Select the Sleep button action (plugged in)

Sleep

SetPowerPolicies=True

Select the lid switch action (plugged in)

Sleep

SetPowerPolicies=True

Select the lid switch action (on battery)

Sleep

SetPowerPolicies=True

Admin Templates>System>Power Management>Sleep Settings

Require a password when a computer wakes (plugged in)

Enabled

SignInOnResume = True

Require a password when a computer wakes (on battery)

Enabled

SignInOnResume = True

Specify the system sleep timeout (plugged in)

SleepTimeout

SetPowerPolicies=True

Specify the system sleep timeout (on battery)

SleepTimeout

SetPowerPolicies=True

Turn off hybrid sleep (plugged in)

Enabled

SetPowerPolicies=True

Turn off hybrid sleep (on battery)

Enabled

SetPowerPolicies=True

Specify the unattended sleep timeout (plugged in)

SleepTimeout

SetPowerPolicies=True

Specify the unattended sleep timeout (on battery)

SleepTimeout

SetPowerPolicies=True

Allow standby states (S1-S3) when sleeping (plugged in)

Enabled

SetPowerPolicies=True

Allow standby states (S1-S3) when sleeping (on battery)

Enabled

SetPowerPolicies=True

Specify the system hibernate timeout (plugged in)

Enabled, 0

SetPowerPolicies=True

Specify the system hibernate timeout (on battery)

Enabled, 0

SetPowerPolicies=True

Admin Templates > System > Power Management > Video and Display Settings

Turn off the display (plugged in)

SleepTimeout

SetPowerPolicies=True

Turn off the display (on battery

SleepTimeout

SetPowerPolicies=True

Admin Templates > System > Logon

Show first sign-in animation

Disabled

Always

Hide entry points for Fast User Switching

Enabled

Always

Turn on convenience PIN sign-in

Disabled

Always

Turn off picture password sign-in

Enabled

Always

Turn off app notification on the lock screen

Enabled

Always

Allow users to select when a password is required when resuming from connected standby

Disabled

SignInOnResume = True

Block user from showing account details on sign-in

Enabled

Always

Admin Templates > System > User Profiles

Turn off the advertising ID

Enabled

SetEduPolicies = True

Admin Templates > Windows Components

Do not show Windows Tips

Enabled

SetEduPolicies = True

Turn off Microsoft consumer experiences

Enabled

SetEduPolicies = True

Microsoft Passport for Work

Disabled

Always

Prevent the usage of OneDrive for file storage

Enabled

Always

Admin Templates > Windows Components > Biometrics

Allow the use of biometrics

Disabled

Always

Allow users to log on using biometrics

Disabled

Always

Allow domain users to log on using biometrics

Disabled

Always

Admin Templates > Windows Components > Data Collection and Preview Builds

Toggle user control over Insider builds

Disabled

Always

Disable pre-release features or settings

Disabled

Always

Do not show feedback notifications

Enabled

Always

Admin Templates > Windows Components > File Explorer

Show lock in the user tile menu

Disabled

Always

Admin Templates > Windows Components > Maintenance Scheduler

Automatic Maintenance Activation Boundary

MaintenanceStartTime

Always

Automatic Maintenance Random Delay

Enabled, 2 hours

Always

Automatic Maintenance WakeUp Policy

Enabled

Always

Admin Templates > Windows Components > Microsoft Edge

Open a new tab with an empty tab

Disabled

SetEduPolicies = True

Configure corporate home pages

Enabled, about:blank

SetEduPolicies = True

Admin Templates > Windows Components > Search

Allow Cortana

Disabled

SetEduPolicies = True

Windows Settings > Security Settings > Local Policies > Security Options

Interactive logon: Do not display last user name

- Enabled

- Disabled when account model is only guest

Always

Interactive logon: Sign-in last interactive user automatically after a system-initiated restart

Disabled

Always

Shutdown: Allow system to be shut down without having to log on

Disabled

Always

User Account Control: Behavior of the elevation prompt for standard users

Auto deny

Always

+ + + + diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md index cca8ead346..28442ed89e 100644 --- a/education/windows/use-set-up-school-pcs-app.md +++ b/education/windows/use-set-up-school-pcs-app.md @@ -8,7 +8,7 @@ ms.sitesec: library author: jdeckerMS --- -# Use Set up School PCs app +# Use the Set up School PCs app **Applies to:** - Windows 10 Insider Preview 
@@ -16,4 +16,69 @@ author: jdeckerMS > [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] -placeholder +Teachers and IT administrators can use the **Set up School PCs** app to quickly set up computers for students. A computer set up using the app is tailored to provide students with the tools they need for learning while removing apps and features that they don't need. + +![Run app, turn on PC, insert USB key](images/app1.jpg) + +## What does this app do? + +The Set up School PCs app helps you set up new computers running Windows 10, version 1607. Some benefits of using this app to set up your students' PCs: +* A computer set up this way is tailored to provide students with the tools they need for learning while removing apps and features that they don't need. + * Places tiles for OneNote, Office 365 web apps, and Microsoft Classroom on the Start menu + * Installs OneDrive for cloud-based documents and places it on the Start menu and task bar + * Sets Microsoft Edge as the default browser + * Uninstalls apps not specific to education, such as Solitaire and Sports + * Turns off Offers and tips + * Prevents students from adding personal Microsoft accounts to the computer +* Significantly improves how fast a student's first sign-in happens. +* The app connects the PCs to your school’s cloud so IT can manage them. +* Windows 10 automatically manages accounts no matter how many students use the PC. +* Keeps computers up-to-date without interfering with class time using Windows Update and maintenance hours (by default, 12 AM). +* Customizes the sign-in screen to support students with IDs and temporary users. 
+* Automatically manages account profiles on shared computers to maintain performance +* Locks down the computer to prevent mischievous activity: + * Prevents students from installing apps + * Prevents students from removing the computer from the school's device management system + * Prevents students from removing the Set up School PCs settings + + +## Tips for success + +* **Run the app at work**: For the best results, run the **Set up School PCs** app on your work device connected to your school's network. That way the app can gather accurate information about your wireless networks and cloud subscriptions. +* **Apply to new computers**: The setup file that the **Set up School PCs** app creates should be used on new computers that haven't been set up for accounts yet. If you apply the setup file to a computer that has already been set up, existing accounts and data might be lost. +> **Warning**: Only use the setup file on computers that you want to configure and lock down for students. After you apply the setup file to a computer, the computer must be reset to remove the settings. +* **Turn on student PCs and stay on first screen**: The computer must be on this screen when you insert the USB key. + +![The first screen to set up a new PC](images/oobe.jpg) + +If you have gone past this screen, you may have to reset your PC to start over. To reset your PC after you have completed the first run experience, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. +* **Use more than one USB key**: If you are setting up multiple PCs, you can set them up at the same time. Just run the **Set up School PCs** app again and save the same settings to another key. That way you can run set up on more than one PC at once. Create three keys and you can run it on three PCs at once, etc. 
+* **Start fresh**: If the PC has already been set up and you want to return to the first-run-experience to apply a new package, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. +* **Keep it clean**: We strongly recommend that IT avoid changes to policies unless absolutely necessary, as any changes can impair performance and sign-in time. + +## Set up School PCs app step-by-step + +The setup file on your USB drive is named SetupSchoolPCs.ppkg, which is a provisioning package. A provisioning package is a method for applying settings to Windows 10. When Windows 10 refers to "package", it means your setup file, and when it refers to "provisioning", it means applying the setup file to the computer. + +1. Start with a computer on the first-run setup screen. + + ![The first screen to set up a new PC](images/oobe.jpg) + +2. Insert the USB drive. Windows Setup will recognize the drive and ask you if you want to set up the device. Select Set up. + + ![Set up device?](images/setupmsg.jpg) + +3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**. + + ![Provision this device](images/prov.jpg) + +4. Read and accept the Microsoft Software License Terms. Your last step is to sign in. Use your Azure AD or Office 365 account and password. + + ![Sign in](images/signinprov.jpg) + +That's it! The computer is now ready for students. + +## Learn more + +See [The Set up School PCs app technical reference](set-up-school-pcs-technical.md) for prerequisites and provisioning details. +
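Review bot: The TOC.md hunk only renames the existing "Use Set up School PCs app" entry, so the new set-up-school-pcs-technical.md page added by this patch has no TOC entry and is reachable only through the "Learn more" link in use-set-up-school-pcs-app.md. Add an entry after the renamed line, for example `## [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md)`, and end the file with a newline while touching it.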
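Review bot: In set-up-school-pcs-technical.md, under "Guidance for accounts on shared PCs", the exemption key is spelled `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\...` in the prose while the PowerShell step writes to `HKLM:\Software\Microsoft\...`; the prose path should read SOFTWARE. The PowerShell steps are formatted as nested bullets rather than a code block, carry a literal sample password (`'Pa$$word123'`), and build the `net user` command through `iex`, which parses the interpolated string a second time and so exposes the `$` characters in the password to variable expansion. Calling `net user` directly with the variables as arguments and prompting for the password would avoid both problems. The account is named LocalAdmin, yet nothing in the steps adds it to the Administrators group, and the next bullet recommends having no local admin accounts at all, so state clearly which kind of account the exemption example is meant to create. Smaller items in the same hunk: "unncessary", "and well as Global Administrators", the three uninstalled packages labelled "?", and the unclosed parenthesis in "Turn off the display (on battery".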
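Review bot: Step 4 of "Set up School PCs app step-by-step" in use-set-up-school-pcs-app.md tells the person provisioning to sign in with their Azure AD or Office 365 account, but does not mention what the technical reference in this same patch states: the account that joins the PC to Azure AD gets an admin account on that PC. Add a sentence at step 4 that links to the IT prerequisite about giving the teacher appropriate privileges or making a special account, so the choice of joining account is deliberate. In "Tips for success", the unindented `> **Warning**` line, the oobe.jpg image and the "If you have gone past this screen" paragraph sit between list items and will break the bullet list; indent them under their bullets, and merge "Start fresh" into "Turn on student PCs and stay on first screen", since both give the same Reset this PC path.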