mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-20 09:17:25 +00:00
cookbook v0.1
This commit is contained in:
Paolo Matarazzo
parent
4f8dc02e3c
commit
f61b3008c6
@ -4,7 +4,6 @@ items:
|
||||
- name: Deploy and manage Windows 11 SE devices in a school
|
||||
href: school-deployment/toc.yml
|
||||
- name: Deploy and manage Windows devices in a school
|
||||
expanded: true
|
||||
items:
|
||||
- name: Deploy Windows 10 in a school
|
||||
href: deploy-windows-10-in-a-school.md
|
||||
|
||||
@ -18,12 +18,112 @@ appliesto:
|
||||
- ✅ <b>Windows 11</b>
|
||||
---
|
||||
|
||||
# Microsoft Endpoint Manager support
|
||||
# Advanced capabilities
|
||||
|
||||
Microsoft provides global technical, pre-sales, billing, and subscription support for cloud-based device management services. This support includes Microsoft Intune, Configuration Manager, Windows 365, and Microsoft Managed Desktop.
|
||||
This section of the cookbook provides information about the advanced capabilities in Intune for Education for device management, reporting, security, and support.
|
||||
|
||||
## Endpoint security
|
||||
|
||||
Intune for Education helps protect devices and school data with tools like security baselines and Windows Update policies. Through the Endpoint security node, you can configure device security and manage security tasks for devices at risk. The node configures and deploys Microsoft Defender for Endpoint to help prevent security breaches and gain visibility into your school’s security posture.
|
||||
|
||||
### Create security policies
|
||||
|
||||
To create security policies in Intune for Education:
|
||||
|
||||
1. In the [Microsoft Endpoint Manager admin center](https://intuneeducation.portal.azure.com/), select the **Endpoint security** node.
|
||||
1. Under **Manage**, choose the policies you want to set from the included list. For more information, see [Antivirus](https://docs.microsoft.com/en-us/mem/intune/protect/endpoint-security-antivirus-policy), [Disk encryption](https://docs.microsoft.com/en-us/mem/intune/protect/endpoint-security-disk-encryption-policy), [Firewall](https://docs.microsoft.com/en-us/mem/intune/protect/endpoint-security-firewall-policy), [Endpoint detection and response](https://docs.microsoft.com/en-us/mem/intune/protect/endpoint-security-edr-policy), [Attack surface reduction](https://docs.microsoft.com/en-us/mem/intune/protect/endpoint-security-asr-policy), and [Account protection](https://docs.microsoft.com/en-us/mem/intune/protect/endpoint-security-account-protection-policy).
|
||||
1. Select **Create policy**. For more information, see [Creating an endpoint security policy](https://docs.microsoft.com/en-us/mem/intune/protect/endpoint-security-policy).
|
||||
|
||||
|
||||
|
||||
|
||||
## Manage device firmware for Surface devices
|
||||
|
||||
Managing devices from the cloud has dramatically simplified IT deployment and provisioning. Surface devices are designed to use a unique Unified Extensible Firmware Interface (UEFI) setting that provides the ability to enable or disable built-in devices and components, protect UEFI settings from being changed, and adjust device boot settings. With [Device Firmware Configuration Interface profiles built into Intune](https://docs.microsoft.com/en-us/intune/configuration/device-firmware-configuration-interface-windows), Surface UEFI management extends the modern management stack down to the UEFI hardware level. DFCI enables Windows to pass management commands from Intune to UEFI for Autopilot-deployed devices. DFCI also supports zero-touch provisioning, eliminates BIOS passwords, and provides control of security settings for boot options, cameras and microphones, built-in peripherals, and more. For more information, see [Manage DFCI with Windows Autopilot](https://docs.microsoft.com/en-us/mem/autopilot/dfci-management) and [Manage DFCI on Surface devices](https://docs.microsoft.com/en-us/surface/surface-manage-dfci-guide). Then, return to this document to continue with the steps below.
|
||||
|
||||
### Prerequisites
|
||||
|
||||
The following prerequisites are required to manage DFCI with Intune:
|
||||
|
||||
- The device must be managed with Intune, as DFCI management is not supported with Set Up School PCs (provisioning package) enrollments. For more information, see [DFCI Management](https://docs.microsoft.com/en-us/mem/autopilot/dfci-management).
|
||||
- The device should be registered through Windows Autopilot in Intune. The device must be registered for Windows Autopilot by a [Microsoft CSP partner](https://partner.microsoft.com/membership/cloud-solution-provider) or registered directly by the OEM. **NOTE:** Devices manually registered for Autopilot (such as by importing a CSV file) are not allowed to use DFCI. By design, DFCI management requires external attestation of the device’s commercial acquisition through an OEM or a Microsoft CSP partner registration to Windows Autopilot.
|
||||
- The device manufacturer must have DFCI added to their UEFI firmware in the manufacturing process or as a firmware update that you install. Work with your device vendors to determine the [manufacturers that support DFCI](https://docs.microsoft.com/en-us/mem/autopilot/dfci-management).
|
||||
|
||||
### Manage DFCI profiles with Autopilot
|
||||
|
||||
There are four basic parts to managing a DFCI profile with Windows Autopilot:
|
||||
|
||||
- Create a DFCI profile.
|
||||
- Create an Autopilot profile.
|
||||
- Create an enrollment status profile.
|
||||
- Configure DFCI settings on Surface devices.
|
||||
|
||||
The DFCI environment requires creating a DFCI profile that contains settings and an Autopilot profile to apply those settings to registered devices. An enrollment status profile is also recommended to ensure settings are pushed down during OOBE setup when users start the device.
|
||||
|
||||
#### Create a DFCI profile
|
||||
|
||||
Create a [DFCI profile](https://docs.microsoft.com/en-us/surface/surface-manage-dfci-guide), and then assign it to the Azure AD security group that contains your targeted Surface devices:
|
||||
|
||||
1. In Microsoft Endpoint Manager, select **Devices** → **Configuration profiles** → **Create profile**.
|
||||
1. In the **Create a profile** pane:
|
||||
1. For the platform, select **Windows 10 and later**.
|
||||
1. For the profile type, select **Templates**, and then select **Device Firmware Configuration Interface**.
|
||||
1. Enter a name and description for the profile.
|
||||
|
||||
|
||||
|
||||
6. In **Configuration settings**, review the available settings in the UEFI configuration.
|
||||
1. Select **Assignments**.
|
||||
1. Under **Select groups to include**, select the Azure AD security group that contains your target devices.
|
||||
1. Select **Next** to continue through **applicability rules**.
|
||||
1. Review the group settings, and then select **Create**.
|
||||
|
||||
#### Create an Autopilot profile
|
||||
|
||||
To create an Autopilot profile:
|
||||
|
||||
1. In Microsoft Endpoint Manager, choose **Select devices** → **Windows enrollment**.
|
||||
1. Scroll to **Deployment profiles**, and then follow the on-screen prompts.
|
||||
|
||||
For more information, see [How to create Autopilot Profile](https://docs.microsoft.com/en-us/surface/surface-manage-dfci-guide). Then, return to this document to continue with the steps below.
|
||||
|
||||
#### Create an enrollment status profile
|
||||
|
||||
To ensure devices apply the DFCI configuration during OOBE before users sign in, you must configure enrollment status. For more information, see [Set up an enrollment status page](https://docs.microsoft.com/en-us/intune/enrollment/windows-enrollment-status), and then return to this document to continue with the steps below.
|
||||
|
||||
#### Configure DFCI settings on Surface devices
|
||||
|
||||
You can configure DFCI policy settings by editing the DFCI profile from Microsoft Endpoint Manager:
|
||||
|
||||
1. In the Microsoft Endpoint Manager admin center, select **Devices** → **Windows** → **Configuration profiles**.
|
||||
1. Select the **DFCI profile name** → **Properties** → **Settings**.
|
||||
|
||||
:::image type="content" source="./image25.png" alt-text="Device Firmware Configuration Interface page in Microsoft Endpoint Manager admin center" border="true":::
|
||||
|
||||
For more information, see [Configuring the DFCI environment and managing UEFI configuration settings for targeted Surface devices](https://docs.microsoft.com/en-us/surface/surface-manage-dfci-guide).
|
||||
|
||||
|
||||
## Microsoft Surface Management Portal
|
||||
|
||||
Located in the Microsoft Endpoint Manager admin center, the Microsoft Surface Management Portal enables you to self-serve, manage, and monitor your school’s Intune-managed Surface devices at scale. Get insights into device compliance, support activity, warranty coverage, and more. When Surface Laptop SE devices are enrolled in cloud management and users sign in for the first time, information automatically flows into the Surface Management Portal, giving you a single pane of glass for Surface-specific administration activities.
|
||||
|
||||
To access and use the Surface Management Portal:
|
||||
|
||||
1. In the Microsoft Endpoint Manager admin center, select **All services** → **Surface Management Portal**.
|
||||
|
||||
:::image type="content" source="./image26.png" alt-text="Surface Management Portal monitoring page in Microsoft Endpoint Manager admin center" border="true":::
|
||||
|
||||
2. To display insights for all your Surface devices, select **Monitor**. This shows devices that are out of compliance or not registered, have critically low storage, require updates, or are currently inactive.
|
||||
1. To see details on each insights category, select **View report**. This displays diagnostic information that you can customize and export.
|
||||
|
||||
To see the device’s warranty information, select **Device warranty and coverage**.
|
||||
|
||||
5. To see support requests and their status, select **Support requests**.
|
||||
|
||||
## How to contact Microsoft Support
|
||||
|
||||
Microsoft provides global technical, pre-sales, billing, and subscription support for cloud-based device management services. This support includes Microsoft Intune, Configuration Manager, Windows 365, and Microsoft Managed Desktop.
|
||||
|
||||
Follow these steps to obtain support in Microsoft Endpoint Manager:
|
||||
|
||||
- Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com)
|
||||
|
||||
@ -18,4 +18,89 @@ appliesto:
|
||||
- ✅ <b>Windows 11</b>
|
||||
---
|
||||
|
||||
# Microsoft Endpoint Manager support
|
||||
# Set up device management
|
||||
|
||||
This section of the cookbook focuses on how to set up the device management environment. Managing hundreds of devices across a school environment can be complex and time-consuming without the proper tools and resources. Microsoft Endpoint Manager provides a collection of cloud-based device management services that can help to eliminate this complexity. Intune for Education is one such service provided by Microsoft Endpoint Manager for managing and configuring students’ and teachers’ devices.
|
||||
|
||||
|
||||
|
||||
## Cloud-based device management
|
||||
|
||||
Microsoft Intune for Education is a cloud-based mobile device management service for schools. It is designed to enable common education scenarios and settings, such as the need for shared devices. Intune for Education supports an entire device lifecycle that begins when a device is enrolled and progresses through additional phases until the device is no longer used. IT administrators can easily manage classroom devices with bulk enrollment and streamlined deployment. At the end of the school year, they can also reset devices, wipe them, and prepare them for next year. For more information, see [Intune for Education documentation](https://docs.microsoft.com/en-us/intune-education/what-is-intune-for-education), and then return to this document to continue with the steps below.
|
||||
|
||||
## Configuring management settings
|
||||
|
||||
With Intune for Education, you can configure group settings to manage how users and devices will interact in your school. Settings assigned to users will apply regardless of what devices they use. Similarly, settings assigned to devices will apply regardless of who is using them. There are two ways to manage group settings in Intune for Education:
|
||||
|
||||
- **Express Configuration.** Configure a selection of settings that are most used in school environments.
|
||||
- **Group settings.** Configure all settings for any group of devices or users.
|
||||
|
||||
**NOTE:** Express Configuration is ideal when you are just getting started. Settings are preconfigured to Microsoft-recommended values but can be changed to fit your school’s policies. We recommend using [Express Configuration](https://docs.microsoft.com/en-us/intune-education/express-configuration-intune-edu) to set up your Windows devices.
|
||||
|
||||
### Prerequisites
|
||||
|
||||
Before configuring settings with Intune for Education, consider these prerequisites:
|
||||
|
||||
- **Microsoft subscription.** In most scenarios, [Microsoft 365](https://www.microsoft.com/licensing/product-licensing/microsoft-365-enterprise) may be the best option, as it provides [Enterprise Mobility + Security (EMS)](https://www.microsoft.com/microsoft-365/enterprise-mobility-security), [Microsoft Endpoint Manager](https://docs.microsoft.com/en-us/mem/endpoint-manager-overview), and common productivity apps. Intune for Education is included in Microsoft 365 Education A1 for Devices, A3, and A5. For more information, see this [this comparison sheet](https://edudownloads.azureedge.net/msdownloads/Microsoft-Modern-Work-Plan-Comparison-Education_11-2021.pdf), which includes a table detailing the Microsoft Modern Work Plan for Education.
|
||||
- **Intune subscription.** Intune is licensed in three ways—as a standalone Azure service, as part of [EMS](https://www.microsoft.com/microsoft-365/enterprise-mobility-security), and included with [Microsoft 365](https://www.microsoft.com/licensing/product-licensing/microsoft-365-enterprise). (For more information, see [Intune licensing](https://docs.microsoft.com/en-us/mem/intune/fundamentals/licenses).) You can also [sign up for a free trial account](https://docs.microsoft.com/en-us/mem/intune/fundamentals/free-trial-sign-up).
|
||||
- **Supported device platform.** School devices running Windows 10 (1709 and later), Windows 11, Windows 11 SE, iOS (11.0 and later), and iPad OS (13.0 and later) are supported.
|
||||
- **Optional requirements.** Microsoft 365 Education, Azure Active Directory Connect, School Data Sync, Set Up School PCs app, Windows Configuration Designer, and Windows Autopilot.
|
||||
|
||||
### Configure settings with Express Configuration
|
||||
|
||||
With Express Configuration, you can get Intune for Education up and running in just a few steps, all from a single console. You can select a group of Windows 11 SE devices or users, pick the specific apps that you want available, and choose key configuration settings from those most often used in schools.
|
||||
|
||||
The [Intune for Education portal](https://intuneeducation.portal.azure.com/) provides a step-by-step walkthrough of how to use Express Configuration; you can access the demo from the home page. For more information, see [Express Configuration in Intune for Education](https://docs.microsoft.com/en-us/intune-education/express-configuration-intune-edu), and then return to this document to continue with the steps below.
|
||||
|
||||
### Configure group settings
|
||||
|
||||
Groups are used to manage users and devices with similar management needs, allowing you to apply changes to many devices or users at once. To review the available group settings:
|
||||
|
||||
1. Go to the [Intune for Education portal](https://intuneeducation.portal.azure.com/), and then select the **Groups** tile.
|
||||
1. On the **Choose settings** screen, select **Group**.
|
||||
1. Select the reverse caret to expand the group and review information about individual settings.
|
||||
|
||||
For more information, see [Set up Intune for Education](https://docs.microsoft.com/en-us/microsoft-365/education/deploy/use-intune-for-education), and then return to this document to continue with the steps below.
|
||||
|
||||
**NOTE:** For a fully interactive demo, see the [Microsoft Education Interactive Demos](https://www.microsoft.com/en-us/education/interactive-demos/deploy-apps-and-policies) site. The Intune for Education demo shows how IT administrators can deploy apps and policies designed for classroom directly from the cloud. It also explains how using Intune for Education helps to ensure that the right apps are delivered to the right devices at the right time.
|
||||
|
||||
## Managing Windows 11 SE apps
|
||||
|
||||
Windows 11 SE supports all web applications and a set of native applications. These apps can be deployed using the [Intune for Education portal](https://intuneeducation.portal.azure.com/). For the list of available desktop apps, see [Available apps](https://docs.microsoft.com/en-us/education/windows/windows-11-se-overview). If the apps you need aren’t included, anyone in your school district can submit an application request at [aka.ms/eduapprequest](https://aka.ms/eduapprequest). For more information, see [Windows 11 SE for Education](https://docs.microsoft.com/en-us/education/windows/windows-11-se-overview).
|
||||
|
||||
Intune for Education supports two types of Windows apps: web apps and desktop apps. For more information, see [Add desktop apps](https://docs.microsoft.com/en-us/intune-education/add-desktop-apps-edu) and [Add web apps](https://docs.microsoft.com/en-us/intune-education/add-web-apps-edu).
|
||||
|
||||
**NOTE:** You can prepare and add an app to Microsoft Intune as a Win32 app from the [approved app list](https://docs.microsoft.com/en-us/education/windows/windows-11-se-overview) in Windows 11 SE.
|
||||
|
||||
With Intune for Education, you can specify the groups for which apps should be installed. Specifically, apps can be deployed by assigning them to security groups. If you select a security group containing users, the apps will be installed on any managed device that the user signs into. If you select a security group containing devices, the apps will be installed on those devices and available to any user who signs in. For more information, see [Install apps for all users](https://docs.microsoft.com/en-us/microsoft-365/education/deploy/use-intune-for-education), and then return to this document to continue with the steps below.
|
||||
|
||||
|
||||
|
||||
**NOTE:** For additional details about setting up the device management environment and managing devices using Intune for Education, see [Appendix: Device Management – Level 2](#) in this cookbook.
|
||||
|
||||
**UP NEXT:** After setting up the device management environment, it’s time to start enrolling devices.
|
||||
|
||||
|
||||
### Set up the Enrollment Status Page
|
||||
|
||||
With the deployment profile completed, you’re ready to define the Enrollment Status Page (ESP), which is a greeting page for users signing in and enrolling Windows 11 SE devices. The ESP displays provisioning progress and shows app and profile installation status during device setup. Only Windows 11 SE-approved apps should be included as part of the ESP configuration and targeted to Windows 11 SE devices.
|
||||
|
||||
To deploy the ESP to devices, you need to create an ESP profile in Microsoft Endpoint Manager. For a complete list of steps on setting up the ESP in Intune for Education, see [Set up the Enrollment Status Page](https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-enrollment-status), and then return to this document to continue with the steps below.
|
||||
|
||||
### Set enrollment restrictions for personally owned devices
|
||||
|
||||
To block personally owned devices from enrolling, use restrictions for device platform and OS version.
|
||||
|
||||
1. In the Microsoft Endpoint Manager admin center, select **Devices** → **Enroll devices** → **Enrollment device platform restrictions**.
|
||||
1. Select the Windows tab you are configuring, and then select **Create restriction**.
|
||||
1. On the **Basics** page, give the restriction a name and optional description.
|
||||
1. On the **Platform settings** page, in the **Personally owned devices** field, select **Block**.
|
||||
|
||||
:::image type="content" source="./image16.png" alt-text="Device enrollment restriction page in Microsoft Endpoint Manager admin center" border="true":::
|
||||
|
||||
5. Optionally, on the **Scope tags** page, add scope tags to the restriction.
|
||||
1. On the **Assignments** page, select **Add groups**, and then use the search box to find and choose groups.
|
||||
1. To assign the restriction to all device users, select **Add all users**.
|
||||
1. On the **Review + create**, select **Create** to save the restriction.
|
||||
|
||||
For more information, see [Create a device platform restriction](https://docs.microsoft.com/en-us/mem/intune/enrollment/enrollment-restrictions-set).
|
||||
@ -18,4 +18,110 @@ appliesto:
|
||||
- ✅ <b>Windows 11</b>
|
||||
---
|
||||
|
||||
# Microsoft Endpoint Manager support
|
||||
## Windows Autopilot
|
||||
|
||||
Windows Autopilot is especially useful in scenarios where devices are handed out to users without the need to build, maintain, and apply custom operating system images. These devices will be enrolled as school-owned devices.
|
||||
|
||||
A cloud-based provisioning technology, Windows Autopilot can be used to set up and preconfigure devices at the start of the school year. There’s no need to wipe devices or use custom OS images. The device must be preregistered, and the enrollment profile created and assigned in Intune for Education. When users sign in with their school account, they are automatically enrolled.
|
||||
|
||||
**NOTE:** A fix for the known TPM attestation issue can now be addressed by using the latest Bare Metal Recovery (BMR) with 5b CU. For more information, see [Support tip: Recovering from Windows Autopilot error code 0x81039023 on Windows 11 SE](https://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-recovering-from-windows-autopilot-error-code/ba-p/3283743).
|
||||
|
||||
### Prerequisites
|
||||
|
||||
Before setting up Windows Autopilot, consider these prerequisites:
|
||||
|
||||
- **Software requirements. Ensure your school and devices meet the** [**software, networking, licensing, and configuration requirements**](https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-requirements)** for Windows Autopilot.**
|
||||
- **Devices ordered and registered.** Ensure your school IT administrator or Microsoft partner has ordered the devices from an original equipment manufacturer (OEM) and registered them for the Autopilot deployment service. We recommend that you connect with a partner through the [Microsoft Partner Center](https://partner.microsoft.com/) and work with them to register your devices.
|
||||
- **Intune for Education tenant. Ensure your tenant for Intune for Education is set up. We recommend configuring your tenant with** [**School Data Sync**](#)**, as this method automatically creates Student and Teacher groups for each school, as well as a combined Teacher and Student group. It also creates tenant-wide All Teachers and All Student groups.**
|
||||
- **Networking requirements.** Ensure students know to connect to the school network during OOBE setup. For more information on managing devices behind firewalls and proxy servers, see [Network endpoints for Microsoft Intune](https://docs.microsoft.com/en-us/mem/intune/fundamentals/intune-endpoints).
|
||||
|
||||
**NOTE:** Where not explicitly specified, both HTTPS (443) and HTTP (80) must be accessible. If you are auto-enrolling your devices into Microsoft Intune or deploying Microsoft Office, follow the networking guidelines for [Microsoft Intune](https://docs.microsoft.com/intune/network-bandwidth-use) and [Microsoft 365](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2).
|
||||
|
||||
### Register devices to Windows Autopilot
|
||||
|
||||
Before deployment, devices must be registered with the Windows Autopilot deployment service. Each device’s unique hardware identity (known as a *hardware hash*) is captured and uploaded to the Autopilot service, and the device is associated with an Azure tenant ID. There are three main ways to register devices to Autopilot:
|
||||
|
||||
- **Complete the OEM registration process.** When you purchase devices from an OEM, that company can automatically register them with Windows Autopilot. Before an OEM can register devices, your school must grant permission. The OEM begins this process with approval granted by an Azure AD global administrator from the school. For Microsoft Surface registration, collect the details shown in this [documentation table](https://docs.microsoft.com/en-us/surface/surface-autopilot-registration-support) before submitting the request to Microsoft Support. You can make requests using the [Microsoft Devices Autopilot Support](https://prod.support.services.microsoft.com/supportrequestform/0d8bf192-cab7-6d39-143d-5a17840b9f5f) form.
|
||||
- **Manually register devices with Windows Autopilot.** To manually register a device, you must first capture its hardware hash. Once this process has been completed, the hardware hash can be uploaded to the Windows Autopilot service using [Microsoft Intune](https://docs.microsoft.com/en-us/mem/autopilot/add-devices), [Partner Center](https://msdn.microsoft.com/partner-center/autopilot), [Microsoft 365 Business & Office 365 Admin](https://support.office.com/article/Create-and-edit-AutoPilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa), or the [Microsoft Store](https://apps.microsoft.com/store/apps).
|
||||
|
||||
**NOTE:** Windows 11 SE devices do not support the use of Windows PowerShell or Microsoft Configuration Manager to capture hardware hashes. Hardware hashes can only be captured manually. We recommend working with an OEM, partner, or device reseller to register devices. For more information, see [Set up devices with Autopilot](https://docs.microsoft.com/en-us/intune-education/windows-autopilot-setup).
|
||||
|
||||
- **Allow a Cloud Solution Provider (CSP) to register devices.** Surface devices can be registered by device resellers (with active CSP partner status) as part of the ordering process. As with OEMs, CSP partners must be granted permission to register devices for a school. For more information, see this [Microsoft Partner Center clickable demo](https://cloudpartners.transform.microsoft.com/resources/autopilot-in-edu-setup-english). Then, return to this document to continue with the steps below.
|
||||
|
||||
### Set up the devices
|
||||
|
||||
It’s easy to set up Windows 11 SE devices with Windows Autopilot and Microsoft Endpoint Manager. First, you create a dynamic device group, and then you apply a Windows Autopilot deployment profile to each device in this group. Deployment profiles determine the deployment mode and customize the OOBE for your end users.
|
||||
|
||||
### Create a dynamic device group
|
||||
|
||||
Dynamic groups reference rules that you create to assign devices to groups. The criteria for a rule are specified during initial group creation and can be edited afterward. A device group is required to assign a Windows Autopilot deployment profile. You can create a group with a dynamic membership rule using Autopilot device attributes. Autopilot devices that meet these rules are automatically added to the group.
|
||||
|
||||
The steps for creating a dynamic device group are completed in Microsoft Endpoint Manager:
|
||||
|
||||
1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), and then select **Groups** → **New Group**.
|
||||
1. Configure the following properties:
|
||||
1. **Group type**: Select **Security**.
|
||||
1. **Group name/Group description**: Enter a valid name and description for your group.
|
||||
1. **Azure AD roles can be assigned to the group**: Select **Yes**. This allows Azure AD roles to be assigned to the group you are creating. Once set, the group is permanent and always allowed to be assigned Azure AD roles. For more information, see [Use Azure AD groups to manage role assignments](https://docs.microsoft.com/en-us/azure/active-directory/roles/groups-concept).
|
||||
1. **Membership type**: Select **Dynamic Device**. This property allows you to choose how devices become members of this group. For more information, see [Add groups to organize users and devices](https://docs.microsoft.com/en-us/mem/intune/fundamentals/groups-add).
|
||||
1. **Owners**: Select users who own this group. Owners can also delete the group.
|
||||
1. **Dynamic device members**: Select **Add dynamic query** → **Add expression**.
|
||||
|
||||
|
||||
|
||||
### Create rules using Autopilot device attributes
|
||||
|
||||
Autopilot devices that meet the rules are automatically added to the group. Note that creating an expression using non-Autopilot attributes does not guarantee that devices included in the group are registered to Autopilot.
|
||||
|
||||
The following steps will create a dynamic device group that uses the query expression defined in the rule.
|
||||
|
||||
1. Create expressions, as desired:
|
||||
1. To create a group that includes all your Autopilot devices, enter **(device.devicePhysicalIDs -any (\_ -contains "[ZTDID]"))**.
|
||||
1. The Intune group tag field maps to the OrderID attribute on Azure AD devices. To create a group that includes all Autopilot devices with a specific group tag (the Azure AD device OrderID), enter **(device.devicePhysicalIds -any (\_ -eq "[OrderID]:179887111881"))**.
|
||||
1. To create a group that includes all your Autopilot devices with a specific Purchase Order ID, enter **(device.devicePhysicalIds -any (\_ -eq "[PurchaseOrderId]:76222342342"))**.
|
||||
|
||||
|
||||
|
||||
5. Save your expressions.
|
||||
1. Select **Create**.
|
||||
|
||||
### Create an Autopilot deployment profile
|
||||
|
||||
Once the dynamic device group is created, it can be used for assigning Windows Autopilot deployment profiles. These profiles are used to configure Autopilot devices.
|
||||
|
||||
1. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Devices** → **Windows** → **Windows enrollment** → **Deployment Profiles** → **Create Profile** → **Windows PC**.
|
||||
1. On the **Basics** page:
|
||||
1. Enter a **Name** and optional **Description**.
|
||||
1. If you want all devices in the assigned groups to convert to Autopilot automatically, for **Convert all targeted devices to Autopilot**, select **Yes**.
|
||||
1. On the **Out-of-box experience** page, for **Deployment** mode, choose one option:
|
||||
1. **User-driven:** Devices with this profile are associated with the user enrolling the device. User credentials are required to enroll the device.
|
||||
1. **Self-deploying:** Devices with this profile are not associated with the user enrolling the device. User credentials are not required to enroll the device. When a device has no user associated with it, user-based compliance policies do not apply. When using self-deploying mode, only compliance policies targeting the device will be applied.
|
||||
1. In the **Join to Azure AD** field, choose **Azure AD joined**.
|
||||
|
||||
|
||||
|
||||
9. On the **Assignments** page:
|
||||
1. Choose **Select groups to include**, and then choose the groups you want to include in this profile.
|
||||
1. If a group is not showing in the group list, select **Add groups**, and then select the desired group. In this case, you will select the dynamic device group you created above in [Create a dynamic device group](#).
|
||||
|
||||
|
||||
|
||||
12. On the **Review + create** page, select **Create** to generate the profile.
|
||||
|
||||
For more information, see [Configure Autopilot profiles](https://docs.microsoft.com/en-us/mem/autopilot/profiles), and then return to this document to continue with the steps below.
|
||||
|
||||
### Enrollment Status Page reference here
|
||||
## branding reference here
|
||||
### Autopilot end-user experience
|
||||
|
||||
Once configuration is complete and devices are distributed, students and teachers are able to complete device setup with Autopilot. They can set up their devices at home, at school, or wherever there is a reliable network. After a user turns on the device and signs in with their school account, enrollment automatically starts.
|
||||
|
||||
When a Windows 11 SE device is turned on for the first time, the end-user experience with Windows Autopilot using a Wi-Fi connection is as follows:
|
||||
|
||||
1. Identify the language and region.
|
||||
1. Select the keyboard layout and decide on the option for a second keyboard layout.
|
||||
1. Connect to the internet. Windows will verify network connectivity to the internet. If connecting through Wi-Fi, the user will be prompted to connect to a wireless network. If the device is connected through an ethernet cable, Windows will skip this step.
|
||||
1. Wait for detection. Windows will detect that the device has an Autopilot profile assigned and belongs to your school.
|
||||
1. Enter the email address and password associated with your school account.
|
||||
1. Apply updates. Once connected, the Windows 11 SE device will look for and apply required updates.
|
||||
1. Sign in on the school-branded welcome screen. Users need only their school account credentials. No local administrator permissions are required.
|
||||
@ -18,4 +18,19 @@ appliesto:
|
||||
- ✅ <b>Windows 11</b>
|
||||
---
|
||||
|
||||
# Microsoft Endpoint Manager support
|
||||
# Manual OOBE
|
||||
|
||||
If you are setting up a Windows 11 SE device individually and network bandwidth is not an issue, you can use the out-of-the-box, first-run setup experience to configure the device, join it to your school’s Azure Active Directory account, and enroll it in Intune.
|
||||
|
||||
### Configure, join, and enroll devices
|
||||
|
||||
When using OOBE, no advance preparation is needed:
|
||||
|
||||
1. Follow the on-screen prompts for region selection, keyboard selection, and network connection.
|
||||
1. Wait for updates. If any updates are available, they will be installed at this time.
|
||||
|
||||
:::image type="content" source="./image14.png" alt-text="Surface Laptop SE loading page" border="true":::
|
||||
|
||||
3. When prompted, select **Work or School Account**. This will deploy Windows 11 SE to the device within a few minutes.
|
||||
|
||||
:::image type="content" source="./image15.png" alt-text="User sign-in page on Surface Laptop SE" border="true":::
|
||||
@ -18,4 +18,18 @@ appliesto:
|
||||
- ✅ <b>Windows 11</b>
|
||||
---
|
||||
|
||||
# Microsoft Endpoint Manager support
|
||||
# Device enrollment overview
|
||||
|
||||
Enrolling large numbers of Windows 11 SE devices to Azure Active Directory and Intune for Education can help save time, effort, and cost. There are four methods for setting up Windows 11 SE devices and enrolling them in your education tenant:
|
||||
|
||||
- **Windows Autopilot.** Uses cloud-based technologies and services to set up and configure Windows devices with a zero-touch deployment approach. Windows Autopilot helps simplify the Windows device lifecycle, from initial deployment to end of life, for both IT administrators and end users. For more information, see [Overview of Windows Autopilot](https://docs.microsoft.com/en-us/mem/autopilot/windows-autopilot).
|
||||
|
||||
**NOTE:** There are some limitations to Windows Autopilot in Windows 11 SE. For more information, see [Device settings](https://docs.microsoft.com/intune-education/windows-11-se-overview).
|
||||
|
||||
- **Set Up School PCs app.** Configures devices with the apps and features students need, removing those they do not need. You create a provisioning package with the app and then automatically install the package to enroll devices into Intune for Education. For more information, see [Use the Set Up School PCs app](https://docs.microsoft.com/en-us/education/windows/use-set-up-school-pcs-app).
|
||||
- **Windows Configuration Designer.** Configures end-user devices without imaging. Using Windows provisioning, you can specify the desired configuration for enrollment and then apply those settings to target devices in minutes. Windows Configuration Designer is best suited for small to medium schools with deployments that range from tens to a few hundred computers. It is offered as an [app in the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22). For more information, see [Install Windows Configuration Designer](https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-install-icd).
|
||||
- **Manual out-of-the-box experience (OOBE).** Requires the user’s school credentials. This experience happens when a user first opens a new device preinstalled with Windows 11 SE. It enables the user to customize certain functionality before reaching the desktop. Keep in mind that when using the manual OOBE, there is a lack of support for the [Device Firmware Configuration Interface](#) (DFCI). In addition, users going through this flow will automatically become local administrators on their devices, which can cause management issues.
|
||||
|
||||
## Choosing the best method
|
||||
|
||||
In this section of the cookbook, we review four methods for device enrollment. While all will work, Windows Autopilot and the Set Up School PCs app are usually easier, faster, and more efficient for school environments. There are various points to consider when choosing between Windows Autopilot and the Set Up School PCs app. This [table](https://docs.microsoft.com/en-us/intune-education/add-devices-windows) describes the ideal scenarios for using either method. We recommend reviewing the table when making your enrollment and deployment plan. Also, note that DFCI management is not supported with Set Up School PCs enrollment.
|
||||
@ -18,4 +18,20 @@ appliesto:
|
||||
- ✅ <b>Windows 11</b>
|
||||
---
|
||||
|
||||
# Microsoft Endpoint Manager support
|
||||
# Set up School PCs
|
||||
|
||||
The Set Up School PCs app is especially useful in scenarios where large numbers of school-owned devices need to be enrolled. The app helps you configure Surface Laptop SE devices with the features students need, remove those they do not need, and enroll the devices into Intune for Education. With the Set Up School PCs app, you create a provisioning package to enroll devices using a USB drive. For more information on prerequisites, configuration, and recommendations, see [Use the Set Up School PCs app](https://docs.microsoft.com/en-us/education/windows/use-set-up-school-pcs-app). Then, return to this document to continue with the steps below.
|
||||
|
||||
### Create the provisioning package
|
||||
|
||||
The Set Up School PCs app guides you through configuration choices for school-owned devices. Review the [Set Up School PCs demo](https://www.microsoft.com/en-us/education/interactive-demos/enroll-devices-at-scale) to step through how to create provisioning packages and save them to USB.
|
||||
|
||||
|
||||
|
||||
**NOTE:** Importantly, for **Configure device settings** → **OS version**, you must select **Windows 11 SE**.
|
||||
|
||||
The devices will be joined to Azure Active Directory and automatically enrolled in Intune. Note that the Set Up School PCs app will configure many settings, allowing you to optimize devices for shared use and other scenarios.
|
||||
|
||||
### Provision devices with USB
|
||||
|
||||
To provision Surface Laptop SE devices with USB, insert the provisioning package saved to USB during manual OOBE. For more information, see [Run package - Install package on PC](https://docs.microsoft.com/en-us/education/windows/use-set-up-school-pcs-app), which steps through running and installing the provisioning package.
|
||||
@ -18,4 +18,8 @@ appliesto:
|
||||
- ✅ <b>Windows 11</b>
|
||||
---
|
||||
|
||||
# Microsoft Endpoint Manager support
|
||||
# Windows Configuration Designer
|
||||
|
||||
Windows Configuration Designer is especially useful in scenarios where a school needs to provision packages for both bring-you-own devices and school-owned devices. Ideal for small-to-medium schools that manage up to a few hundred devices, Windows Configuration Designer lets you configure devices without imaging. For more information, see [Install Windows Configuration Designer](https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-install-icd), which provides details about the app, its provisioning process, and considerations for its use.
|
||||
|
||||
|
||||
@ -1,19 +1,39 @@
|
||||
---
|
||||
title: # Microsoft Endpoint Manager support
|
||||
description: # How to obtain Microsoft support from Microsoft Endpoint Manager admin center.
|
||||
title: Introduction
|
||||
description: Introduction to deployment and management of Windows 11 SE in education environments
|
||||
ms.date: 08/31/2022
|
||||
ms.prod: windows
|
||||
ms.technology: windows
|
||||
ms.topic: conceptual #reference troubleshooting how-to end-user-help overview (more in contrib guide)
|
||||
ms.topic: conceptual
|
||||
ms.localizationpriority: medium
|
||||
author: paolomatarazzo
|
||||
ms.author: paoloma
|
||||
#ms.reviewer:
|
||||
manager: aaroncz
|
||||
ms.collection: # education
|
||||
ms.collection: education
|
||||
# highpri - high priority, strategic, important, current, etc. articles
|
||||
# openauth - the article is owned by PM or community for open authoring
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
---
|
||||
- ✅ <b>Windows 11 SE</b>
|
||||
---
|
||||
|
||||
# Why read this cookbook?
|
||||
|
||||
Microsoft 365 solutions for Education empower education professionals to unlock creativity, promote teamwork, and provide a simple and safe experience for everyone—all in a comprehensive and affordable cloud offering. This cookbook introduces the tools and services available from Microsoft for deploying and managing devices in schools, thereby enabling modern device management across the school environment. The cookbook is intended for education professionals responsible for these efforts, including:
|
||||
- System or school leaders
|
||||
- IT administrators
|
||||
- Teachers
|
||||
- Microsoft partners
|
||||
|
||||
In the cookbook, we provide a comprehensive path for schools to enroll, deploy, and manage new Surface Laptop SE and Windows 11 SE devices. Specifically, we include step-by-step guidance on the deployment, management, and resetting of the new Surface Laptop SE and Windows 11 SE operating system for education. At multiple steps, we also highlight resources available on Microsoft Docs to help with your rollout. Note that depending on your school setup scenario, you may not need to implement all steps.
|
||||
|
||||
# New expectations for education technology
|
||||
|
||||
Microsoft recognizes that the education landscape continues to change rapidly and dramatically. To better equip students for success, it’s essential for schools to stay up to date with technology and tools for teaching and learning. The Microsoft cloud management solution is flexible, affordable, and scalable—helping to ensure that devices are easily updated and students always have what they need, whether they're learning in person or remotely, synchronously or asynchronously. Microsoft also delivers exceptional standards of security and privacy to keep students safer as the hybrid learning model evolves.
|
||||
|
||||
Below are some additional key ways that Microsoft addresses expectations for modern device management in school environments:
|
||||
|
||||
- **Maximize learning time.** Schools expect lower boot times for an enhanced user experience for students and staff, all on a device optimized for the classroom. They also expect devices to always be up to date with policies that update silently and outside of class time. Intune for Education enables automatic updates to all school devices and software at optimal times you choose.
|
||||
- **Designed for learning environments.** Schools need identity-based management for secure app delivery and simple device management. They also need to ensure that the right apps are delivered at the right time. With Azure Active Directory (Azure AD) and Intune for Education, you can enable profile-based app delivery with the ability to manage device policies, settings, and apps. You can also save time setting up devices with more apps and policies preinstalled and pre-configured than ever before—simply enroll and go.
|
||||
- **Simplify deployment and management.** End-to-end guidance and support from Microsoft and partners can help schools streamline both deployment and cloud migration. With Intune for Education and Surface SE devices, education professionals can deploy apps to users and apply device settings that create a great classroom experience in just a few simple steps.
|
||||
- **Cost-effective remote management.** Intune for Education enables a modern IT environment—complete with remote management—in school settings. This helps to provide reduced and more predictable IT costs, along with better performance, availability, and security. Intune for Education also enables a predictable and stable software as a service (SaaS) model, which eliminates spending spikes from upgrading hardware and software.
|
||||
@ -18,4 +18,49 @@ appliesto:
|
||||
- ✅ <b>Windows 11</b>
|
||||
---
|
||||
|
||||
# Microsoft Endpoint Manager support
|
||||
## Device inventory and reporting
|
||||
|
||||
As an IT administrator, you can view current devices, applications, settings, and overall health in Microsoft Endpoint Manager. You can also download reports to review or share offline.
|
||||
|
||||
To access, view, and download reports:
|
||||
|
||||
1. Go Microsoft Endpoint Manager, and then select **Reports**.
|
||||
|
||||
:::image type="content" source="./image21.png" alt-text="Device inventory reports page in Intune for Education" border="true":::
|
||||
|
||||
2. Review the desired reports. For more information about common reports, see:
|
||||
|
||||
[Device inventory](https://docs.microsoft.com/en-us/intune-education/what-are-reports)
|
||||
[Device actions](https://docs.microsoft.com/en-us/intune-education/what-are-reports)
|
||||
[Application inventory](https://docs.microsoft.com/en-us/intune-education/what-are-reports)
|
||||
[Settings errors](https://docs.microsoft.com/en-us/intune-education/what-are-reports)
|
||||
[Windows Defender](https://docs.microsoft.com/en-us/intune-education/what-are-reports)
|
||||
Autopilot deployment
|
||||
|
||||
3. If needed, use the search box to find specific devices, applications, and settings.
|
||||
1. To download a report, select **Download**. The report will download as a comma-separated value (CSV) file, which you can view and modify in a spreadsheet app like Microsoft Excel.
|
||||
|
||||
|
||||
### Windows and cloud security
|
||||
|
||||
Security extends from hardened firmware to the operating system through cloud management. You can manage devices with just a few clicks; control mics, USB ports, and Bluetooth; disable webcams; lock the operating system when the laptop is closed; and control physical access using the integrated Kensington Nano Security Slot.
|
||||
|
||||
### Windows Update for Business
|
||||
|
||||
Windows Update for Business enables you to keep the Windows client devices in your school always up to date with the latest security defenses and Windows features. To do this, you directly connect these systems to the Windows Update service. For more information, see [Windows Update for Business](https://docs.microsoft.com/en-us/windows/deployment/update/waas-configure-wufb).
|
||||
|
||||
### Microsoft Defender for Endpoint
|
||||
|
||||
Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help networks prevent, detect, investigate, and respond to advanced threats. You can use Defender for Endpoint to help secure your entire school network. For more information, see [Onboard devices and configure Microsoft Defender for Endpoint capabilities](https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/onboard-configure?view=o365-worldwide).
|
||||
|
||||
### Microsoft Intelligent Security Graph
|
||||
|
||||
Microsoft Intelligent Security Graph (ISG) offers application control with a tool that provides an option to automatically enable apps that ISG recognizes as having a known good reputation. Using ISG can help reduce the amount of time spent on complex application control processes. For more information, see [Microsoft ISG](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph).
|
||||
|
||||
### Microsoft Endpoint Manager and DFCI support
|
||||
|
||||
With DFCI profiles built into Intune for Education, Surface UEFI management extends the modern management stack to the UEFI hardware level. With DFCI profiles, you can dramatically simplify IT deployment and provisioning across the device’s lifecycle—all from the cloud. DFCI management requires the device to be enrolled with Windows Autopilot and be registered by a partner or OEM. For more information, see [Manage DFCI on Surface devices](https://docs.microsoft.com/en-us/surface/surface-manage-dfci-guide).
|
||||
|
||||
### Microsoft Defender SmartScreen
|
||||
|
||||
Microsoft Defender SmartScreen helps to protect students from phishing or malware websites and apps, and from downloading potentially malicious files. Microsoft Defender SmartScreen comes preinstalled on all Surface Laptop SE devices and adds another layer of protection against malicious activity. For more information, see [Microsoft Defender SmartScreen](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview).
|
||||
@ -18,4 +18,92 @@ appliesto:
|
||||
- ✅ <b>Windows 11</b>
|
||||
---
|
||||
|
||||
# Microsoft Endpoint Manager support
|
||||
# Manage devices with Microsoft Intune
|
||||
|
||||
Microsoft Intune delivers streamlined remote management throughout the school year, giving IT the ability to manage apps, control security and privacy remotely, and generate compliance reports.
|
||||
|
||||
## Remote device management
|
||||
|
||||
With Intune for Education, you can manage groups, applications, resources, and individual needs of multiple students. There are several ways to manage students’ devices, including organizing what groups they belong to; determining what apps they have access to; and configuring device settings, customizations, and restrictions. You can also monitor when users sign in and troubleshoot devices remotely.
|
||||
|
||||
## Managing groups
|
||||
|
||||
By organizing students, classrooms, or learning curricula into groups, you can provide students with the resources they need, as well as manage several student devices all at once.
|
||||
|
||||
**NOTE:** Before you begin creating groups, it is a good idea to plan them out to determine what students may need from their devices. For example:
|
||||
|
||||
- For all devices, block apps from using location services.
|
||||
- For AP Computer Science, assign students apps to edit code.
|
||||
- For 12th grade History, enable web browsing to access academic articles.
|
||||
- For all Photography students, enable the device’s camera.
|
||||
|
||||
*Out of the box, Intune for Education comes with default groups that enable you to manage All devices and All users. There are also two additional groups if you use Microsoft SDS: All teachers and All students. SDS also creates individual groups for students and teachers of specific schools, which fold under the All teachers and All students groups. Beyond the defaults, groups can be customized to suit various needs. For example, if you have both Windows and iOS devices in your school, you can create groups, such as All iPads and All Windows 10 PCs.*
|
||||
|
||||
Finally, two group types can be created: assigned groups and dynamic groups. Assigned groups are used when you want to manually add users or devices to a group. Dynamic groups reference rules that you create to assign students or devices to groups and then automate the assignment of devices to those groups.
|
||||
|
||||
|
||||
|
||||
For more information, see:
|
||||
|
||||
- [Create groups in Intune for Education](https://docs.microsoft.com/en-us/intune-education/create-groups)
|
||||
- [Edit a group name](https://docs.microsoft.com/en-us/intune-education/edit-groups-intune-for-edu)
|
||||
- [Move a group up or down within your existing group list](https://docs.microsoft.com/en-us/intune-education/edit-groups-intune-for-edu)
|
||||
- Delete a group to remove apps and settings from devices
|
||||
- [Assign and delegate group admins](https://docs.microsoft.com/en-us/intune-education/group-admin-delegate)
|
||||
- [Manually add or remove users and devices to an existing assigned group](https://docs.microsoft.com/en-us/intune-education/edit-groups-intune-for-edu)
|
||||
- [Edit dynamic group rules to accommodate for new devices, locations, or school years](https://docs.microsoft.com/en-us/intune-education/edit-groups-intune-for-edu)
|
||||
|
||||
### Create Windows Update policies
|
||||
|
||||
Create update rings that specify how and when [feature and quality updates](https://docs.microsoft.com/en-us/windows/deployment/update/get-started-updates-channels-tools) are applied to your Windows 10 and later devices. With Windows 11 SE, new features and quality updates include the content of all previous updates. If you have installed the latest update, you know your Windows devices are up to date.
|
||||
|
||||
1. In the Microsoft Endpoint Manager admin center, select **Devices** → **Windows** → **Update rings for Windows 10 and later** → **Create Profile**.
|
||||
|
||||
|
||||
|
||||
2. Under **Basics**, specify a name and description (optional).
|
||||
1. Under **Update ring settings**, configure settings for your school needs. For more information, see [Windows Update settings](https://docs.microsoft.com/en-us/mem/intune/protect/windows-update-settings) and [Creating and assigning update rings](https://docs.microsoft.com/en-us/mem/intune/protect/windows-10-update-rings).
|
||||
|
||||
**NOTE:** You can also create expedited quality updates for Windows 10 and later. This policy lets you expedite the installation of the most recent Windows security updates on Intune-managed devices. For more information, see [Create and assign an expedited quality update](https://docs.microsoft.com/en-us/mem/intune/protect/windows-10-expedite-updates).
|
||||
|
||||
## Managing apps and settings
|
||||
|
||||
With Intune for Education, school IT administrators have access to diverse apps to help students unlock their learning potential. This section discusses tools and resources for adding apps to Intune for Education, assigning apps to groups, and managing device policies.
|
||||
|
||||
### Add apps to Intune for Education
|
||||
|
||||
Multiple apps can be added to Intune for Education. Devices running Windows 11 SE are preinstalled with Office apps. During [Express Configuration](https://docs.microsoft.com/en-us/intune-education/express-configuration-intune-edu), all Office desktop apps are available in a single app called Microsoft 365.
|
||||
|
||||
#### Popular school apps
|
||||
|
||||
With Intune for Education, you can add popular school apps from the web. Keep in mind that only approved apps can be installed from the list found [here](https://docs.microsoft.com/en-us/education/windows/windows-11-se-overview). For more information, see [Add popular apps to Intune for Education](https://docs.microsoft.com/en-us/intune-education/add-popular-apps-edu).
|
||||
|
||||
#### Desktop apps
|
||||
|
||||
Intune for Education makes it easy to add desktop apps to your deployment. You can upload and add desktop apps to your Intune for Education inventory and then assign them to groups and install them on Windows. Note that only approved apps can be installed from the list found [here](https://docs.microsoft.com/en-us/education/windows/windows-11-se-overview). For more information, see [Add desktop apps in Intune for Education](https://docs.microsoft.com/en-us/intune-education/add-desktop-apps-edu).
|
||||
|
||||
#### Web apps
|
||||
|
||||
**Using Intune for Education, you can also add websites to your app inventory. Again, keep in mind that only approved apps can be installed from the list found** [**here**](https://docs.microsoft.com/en-us/education/windows/windows-11-se-overview)**. For more information, see Add web apps to Intune for Education.**
|
||||
|
||||
### Assign apps to groups
|
||||
|
||||
**With Intune for Education, you can make certain apps only available to select groups. For more information, see Assign apps to install them on school devices.**
|
||||
|
||||
**NOTE:** If you assign an app to a device running Windows 11 SE and receive the **0x87D300D9** error code with a **Failed** state:
|
||||
|
||||
- Be sure the app is on the [available apps list](https://docs.microsoft.com/en-us/education/windows/windows-11-se-overview), or add your own app.
|
||||
- If you submitted a request to add your own app and it was approved, check that the app meets package requirements.
|
||||
- If the app is not approved, it will not run on Windows 11 SE. Add your own app or use an app that runs in a web browser, such as a web app or PWA.
|
||||
|
||||
### Manage device policies
|
||||
|
||||
You can manage the settings of several devices from a single touchpoint. For more information, see:
|
||||
|
||||
- [Add Wi-Fi profiles](https://docs.microsoft.com/en-us/intune-education/add-wi-fi-profile)
|
||||
- [Add Take a Test profile](https://docs.microsoft.com/en-us/intune-education/take-a-test-profiles)
|
||||
- [View all Windows device settings ](https://docs.microsoft.com/en-us/intune-education/all-edu-settings-windows)
|
||||
|
||||
## Remote assistance
|
||||
|
||||
With devices managed by Intune for Education, you can remotely assist students and teachers with device issues. For more information, see [Remote assistance for managed devices - Intune for Education](https://docs.microsoft.com/en-us/intune-education/remote-assist-mobile-devices).
|
||||
@ -18,4 +18,27 @@ appliesto:
|
||||
- ✅ <b>Windows 11</b>
|
||||
---
|
||||
|
||||
# Microsoft Endpoint Manager support
|
||||
# Microsoft Endpoint Manager support
|
||||
|
||||
|
||||
|
||||
|
||||
## Remote actions
|
||||
|
||||
The following list includes some everyday actions you can perform on school devices. To see a complete list of what can be done on which device, simply select **All devices** and choose a specific device.
|
||||
|
||||
- [Autopilot Reset](https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-reset)
|
||||
- [BitLocker Key Rotation](https://docs.microsoft.com/en-us/mem/intune/protect/encrypt-devices)
|
||||
- [Collect Diagnostics](https://docs.microsoft.com/en-us/mem/intune/remote-actions/collect-diagnostics)
|
||||
- [Delete](https://docs.microsoft.com/en-us/mem/intune/remote-actions/devices-wipe)
|
||||
- [Fresh Start](https://docs.microsoft.com/en-us/mem/intune/remote-actions/device-fresh-start)
|
||||
- [Full Scan](https://docs.microsoft.com/en-us/mem/intune/configuration/device-restrictions-windows-10)
|
||||
- [Quick Scan](https://docs.microsoft.com/en-us/mem/intune/configuration/device-restrictions-windows-10)
|
||||
- [Rename Device](https://docs.microsoft.com/en-us/mem/intune/remote-actions/device-rename)
|
||||
- [Restart](https://docs.microsoft.com/en-us/mem/intune/remote-actions/device-restart)
|
||||
- [Update Windows Defender Security Intelligence](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus)
|
||||
- [Lost Mode](https://docs.microsoft.com/en-us/mem/intune/remote-actions/device-lost-mode)
|
||||
- [Wipe](https://docs.microsoft.com/en-us/mem/intune/remote-actions/devices-wipe)
|
||||
- [Synchronize Device](https://docs.microsoft.com/en-us/mem/intune/remote-actions/device-sync)
|
||||
|
||||
:::image type="content" source="./image20.png" alt-text="Bulk device action page in Microsoft Endpoint Manager admin center" border="true":::
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: # Microsoft Endpoint Manager support
|
||||
title: Microsoft Education
|
||||
description: # How to obtain Microsoft support from Microsoft Endpoint Manager admin center.
|
||||
ms.date: 08/31/2022
|
||||
ms.prod: windows
|
||||
@ -14,8 +14,38 @@ ms.collection: # education
|
||||
# highpri - high priority, strategic, important, current, etc. articles
|
||||
# openauth - the article is owned by PM or community for open authoring
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows 11 SE</b>
|
||||
---
|
||||
# The powerful simplicity of Microsoft education technology
|
||||
|
||||
# Microsoft Endpoint Manager support
|
||||
Our innovative approach to education technology is built on the idea of *powerful simplicity* and combines the unparalleled user experience and security features of Surface Laptop Student Edition (SE), Windows 11 SE, and Microsoft 365 Education. Students can unlock learning and develop new skills with Surface Laptop SE, which seamlessly runs Windows 11 SE—our new, cloud-first operating system—and Microsoft 365 Education. Surface Laptop SE comes preloaded with widely used apps like Microsoft Teams, Word, PowerPoint, Excel, and OneNote, so students are ready to learn right from the start. Likewise, teachers will appreciate how easy it is to develop and deploy their lessons and enrichment experiences, while IT administrators will save time, money, and frustration with comprehensive modern device management.
|
||||
|
||||
## Device lifecycle management
|
||||
|
||||
Historically, school IT administrators and educators have struggled to find a simple, flexible, and secure way to manage the lifecycle of the devices in their schools. In response, Microsoft has developed integrated suites of products for streamlined, cost-effective device lifecycle management.
|
||||
|
||||
Microsoft 365 Education provides tools and services that enable simplified management of all devices through Microsoft Endpoint Manager (MEM). This gives IT administrators the flexibility to support diverse scenarios, including both school-owned devices and bring-your-own devices. MEM services include [Microsoft Intune](https://docs.microsoft.com/en-us/mem/intune/fundamentals/what-is-intune), [Microsoft Intune for Education](https://www.microsoft.com/education/intune), Configuration Manager, Desktop Analytics, Windows Autopilot, and [Surface Management Portal](https://docs.microsoft.com/en-us/surface/surface-management-portal). These services are part of the Microsoft 365 stack to help secure access, protect data, and manage risk.
|
||||
|
||||
## Why Intune for Education?
|
||||
|
||||
Surface Laptop SE with Windows 11 SE can be managed with Intune for Education, enabling simplified management of multiple devices from a single point. With the Set Up School PCs app, you can select Windows 11 SE as the operating system and then create a simple provisioning package. You can also use Windows Autopilot to set up Windows 11 SE devices across your schools. Similarly, Intune for Education provides simple avenues for resetting devices at the end of the school year so that they can be reused the following year.
|
||||
|
||||
|
||||
|
||||
From enrollment, through configuration and protection, to resetting, Intune for Education helps school IT administrators manage and optimize the devices across school settings:
|
||||
|
||||
- **Enroll.** To enable remote device management as the IT administrator, you need to enroll devices through an account in your tenant. Some methods require you to initiate enrollment, while others require students to complete the initial device setup process. This cookbook discusses the facets of various device enrollment methods.
|
||||
- 
|
||||
- **Protect.** In addition to its configuration capabilities, Intune for Education helps protect managed devices from unauthorized access or malicious attacks. For example, adding an extra layer of authentication with Windows Hello can make devices more secure. Policies are available that let you control settings for Windows Firewall, Endpoint Protection, and software updates.
|
||||
- **Reset.** When it’s time to repurpose a device, Intune for Education offers several methods, including resetting the device, removing it from management, and wiping it of school data. In this cookbook, we cover these and other device return and exchange scenarios.
|
||||
|
||||
For more information, see [Overview of the Microsoft Intune MDM lifecycle](https://docs.microsoft.com/en-us/mem/intune/fundamentals/device-lifecycle).
|
||||
|
||||
## Four pillars of modern device management
|
||||
|
||||
In the remainder of this cookbook, we will discuss the key concepts and benefits of modern device management with Microsoft 365 solutions for education. The cookbook is organized around the four main pillars of modern device management:
|
||||
|
||||
- **Identity management.** Setting up and configuring the identity system, with Microsoft 365 Education and Azure Active Directory as the foundation for user identity and authentication.
|
||||
- **Initial setup.** Setting up the Intune for Education environment for managing updates, applications, and settings.
|
||||
- **Device enrollment.** Setting up Windows 11 SE devices for deployment and enrolling them in Intune for Education.
|
||||
- **Device reset.** Resetting managed devices with Intune for Education.
|
||||
@ -18,4 +18,67 @@ appliesto:
|
||||
- ✅ <b>Windows 11</b>
|
||||
---
|
||||
|
||||
# Microsoft Endpoint Manager support
|
||||
# Device reset
|
||||
|
||||
When a device is lost, stolen, or needs to be replaced, or when a user moves to another position, it is usually time to wipe or reset the device. There are several ways you can do this—including resetting the device, removing it from management, or wiping the personal and school data on it. In scenarios where a device needs to be exchanged or returned, additional steps are required to prepare the device and then send it for repair. With Intune, IT administrators can remotely execute all these actions for device reset.
|
||||
|
||||
## Resetting a device
|
||||
|
||||
Two Reset Device actions can be used to reset and deregister student devices in preparation for next year: Autopilot Reset and factory reset. With Autopilot Reset, you return the device to a fully configured or known IT-approved state. With factory reset, you wipe all personal and school data and settings from the device, returning it to the default factory settings.
|
||||
|
||||
### Autopilot Reset
|
||||
|
||||
This reset action is ideal when all data on a device needs to be wiped, but the device will remain enrolled in your school. You can use Autopilot Reset to remove personal files, apps, and settings; reset Windows 11 SE devices from the lock screen; and apply original Intune settings and management enrollment (Azure Active Directory and device management).
|
||||
|
||||
With Intune for Education, wiping can be performed remotely:
|
||||
|
||||
1. In Intune for Education, choose **Groups** → **Choose a device group**.
|
||||
1. Choose a device, and then select **Autopilot Reset**.
|
||||
1. To confirm the reset, select **Autopilot Reset** again. A message appears when the reset is initiated. The device will reset the next time it connects to the Internet.
|
||||
|
||||
:::image type="content" source="./image17.png" alt-text="Using Autopilot Reset in Microsoft Endpoint Manager admin center" border="true":::
|
||||
|
||||
### Factory reset (wipe)
|
||||
|
||||
A factory reset, or a wipe, reverts a device to the original settings when it was purchased. All apps and data installed on the device after purchase are removed. The device is also removed from Intune management, and all data and settings are wiped from the device.
|
||||
|
||||
To perform a factory reset:
|
||||
|
||||
1. In Microsoft Endpoint Manager, go to **Devices** → **Windows devices** to view all enrolled devices.
|
||||
1. Choose the device you want to reset, and on the next screen, select **Wipe**.
|
||||
1. **NOTE:** We recommend keeping the enrollment state and associated user account. This option ensures that the Wipe action cannot be circumvented by turning off the device.
|
||||
1. Select **Yes** to reset the device to its factory defaults and delete the Intune object.
|
||||
|
||||
:::image type="content" source="./image18.png" alt-text="Using factory reset in Microsoft Endpoint Manager admin center" border="true":::
|
||||
|
||||
## Wiping and removing a device
|
||||
|
||||
With this action, a device’s data is wiped, and the device is removed from the school deployment. This action should only be performed for devices that are no longer going to be used. To completely remove a device, you need to perform two actions:
|
||||
|
||||
1. Perform a [factory reset (wipe)](#) on the device.
|
||||
1. Complete one of the following actions, depending on Intune enrollment:
|
||||
1. If the device [is not enrolled](#) in Intune, delete it from Autopilot.
|
||||
1. If the device [is enrolled](#) in Intune, delete it from Microsoft Endpoint Manager. (This removes device records from Intune, Azure AD, and Autopilot).
|
||||
|
||||
### Delete a device from Autopilot
|
||||
|
||||
To delete Autopilot devices that are not enrolled in Intune:
|
||||
|
||||
1. In Windows Autopilot, go to **Devices** → **Windows** → **Windows enrollment**.
|
||||
1. Under Windows Autopilot Deployment Program, select **Devices**.
|
||||
1. Choose the device you want to delete, and then select **Delete**. Note that device deletion can take a few minutes to complete.
|
||||
|
||||
### Delete a device using Intune
|
||||
|
||||
To delete devices that are enrolled in Intune:
|
||||
|
||||
1. Delete the device from the [**All devices blade**](https://github.com/MicrosoftDocs/IntuneDocs/blob/main/intune/remote-actions/devices-wipe.md) in Microsoft Endpoint Manager:
|
||||
1. Sign in to the Microsoft Endpoint Manager admin center.
|
||||
1. Select **Devices** → **All devices**.
|
||||
1. Choose the device you want to delete, and then select **Delete**.
|
||||
1. Delete the device from Azure Active Directory:
|
||||
1. From the Azure portal, sign in to Azure Active Directory.
|
||||
1. Select **Devices** → **Azure AD devices**.
|
||||
1. Follow the steps outlined in [Delete devices from the Azure Active Directory portal](https://docs.microsoft.com/en-us/mem/intune/remote-actions/devices-wipe).
|
||||
|
||||
:::image type="content" source="./image19.png" alt-text="Device and account deletion page in Azure Active Directory admin center" border="true":::
|
||||
Loading…
x
Reference in New Issue
Block a user