Microsoft Windows laptops and tablets setup guide

When you receive a Microsoft Windows laptop or tablet, you should follow these steps before lending the device to a child, family or young person.

Contents


This guidance is written with reference to Windows devices provided through the Get help with technology programme. It also applies to any new or refurbished devices a school or college has received through donations. Further information on erasing data from donated devices is available from the National Cyber Security Centre.

Re-image or factory reset the device

When you get a device, you need to prepare it to make sure it’s safely set up for users. It’s important to get your device into a ‘known state’ so that you’re familiar with the software and settings and can confidently support users.

The following methods can be used to do this.

Use a pre-prepared Windows 10 Image

This is the recommended route as it will bring the device in line with other devices within your school or college network.

Install a clean version of Windows 10

Standard Windows devices come with Windows 10 already installed. If it does need to be reinstalled in future and you do not have a pre-prepared image, Windows 10 can be installed via:

Perform a factory reset

If you do not have your own image or a USB or DVD to boot from, you should reset the device to factory settings.

You’ll need to do this for each device individually. You can find out how to do this in the Guide to resetting Windows laptops and tablets.

Confirm anti-virus and other security settings are in place

Open the Windows Security settings:

  • Press ‘Windows Key+r’ then type ‘windowsdefender’ and select ‘OK’ or press enter, or
  • Press ‘Windows Key’, select the ‘Settings’ icon then ‘Update & Security’ and ‘Windows Security’

You’ll see an overview of the main security features available in Windows 10 and an alert if any actions are required.

Windows Security settings include:

Virus and threat protection

Virus and threat protection contains Virus scanning, Real-time protection and Tamper protection. Some of the Ransomware protection might show as disabled due to requiring OneDrive. We recommend that you:

  • confirm Virus scanning and Real-time protection is on as a minimum

Account protection

If Account protection contains Windows Hello, we recommend that you:

  • advise or assist users to set up a Windows Hello PIN or facial recognition login (depending on hardware) when they receive the device

App and browser control

App and browser control contains Reputation-based protection such as SmartScreen, and Exploit protection which helps protect against attacks. We recommend that you:

  • turn Reputation Base protection on
  • use SmartScreen for Edge (if used as the web browser) to help prevent the device from accessing malicious sites

Device security

Device security contains elements that may not be enabled depending on the hardware of the device. We recommend that you:

  • turn on Core isolation and Secure boot if possible

Create local user accounts

We strongly advise creating a local user account to be used by the person you’re providing the device to. This will prevent users from having access to the Admin account.

Enrol into Mobile Device Management

If your school already has device management in place with remote connectivity, we recommend adding each device to the network to enhance the security of both devices and users.

If you do not have an MDM solution, you should look into the benefits, costs and resource requirements to understand whether device management is appropriate before you make a decision.

Set up content filtering

You’re responsible for setting up management and safeguarding measures before you distribute the devices to avoid risks to the children and young people in your care.