Preparing standard Microsoft Windows laptops and tablets

When you receive a standard Microsoft Windows laptop or tablet, you should follow these steps before lending the device to a child, family or young person.

Contents


This guidance is written with reference to standard Windows devices provided through the Get help with technology programme. It also applies to any new or refurbished devices a school or college has received through donations. Further information on erasing data from donated devices is available from the National Cyber Security Centre.

Re-image or factory reset the device

When you get a device, you need to prepare it to ensure it’s safely set up for users. It’s important to get your device into a ‘known state’ so that you are familiar with the software and settings and can confidently support users.

The following methods can be used to do this.

Use a pre-prepared Windows 10 Image

This is the recommended route as it will bring the device in line with other devices within your school or college network.

Install a clean version of Windows 10

Standard Windows devices come with Windows 10 already installed. If it does need to be reinstalled in future and you don’t have a pre-prepared image, Windows 10 can be installed via:

Perform a factory reset

If you don’t have your own image or a USB or DVD to boot from, you should reset the device to factory settings.

You’ll need to do this for each device individually.

  1. Log in to the Support Portal
  2. Click on the ‘How do I?’ section
  3. Select ‘How to reset your Microsoft Windows device to default factory settings’ and follow the instructions to use local admin and BIOS passwords to reset your devices

Confirm anti-virus and other security settings are in place

Open the Windows Security settings:

  • Press 'Windows Key+r' then type 'windowsdefender' and click 'OK' or press enter, or
  • Press 'Windows Key', click the 'Settings' icon then 'Update & Security' and 'Windows Security'

You will see an overview of the main security features available in Windows 10 and an alert if any actions are required.

Windows Security settings include:

Virus and threat protection

Virus and threat protection contains Virus scanning, Real-time protection and Tamper protection. Some of the Ransomware protection might show as disabled due to requiring OneDrive. We recommend that you:

  • confirm Virus scanning and Real-time protection is on as a minimum

Account protection

If Account protection contains Windows Hello, we recommend that you:

  • advise or assist users to set up a Windows Hello PIN or facial recognition login (depending on hardware) when they receive the device

App and browser control

App and Browser control contains Reputation-based protection such as SmartScreen, and Exploit protection which helps protect against attacks. We recommend that you:

  • turn Reputation Base protection on
  • use SmartScreen for Edge (if used as the web browser) to help prevent the device from accessing malicious sites

Device security

Device security contains elements that may not be enabled depending on the hardware of the device. We recommend that you:

  • turn on Core isolation and Secure boot if possible

Create local user accounts

We strongly advise creating a local user account to be used by the person you’re providing the device to. This will prevent users from having access to the Admin account.

Enrol into Mobile Device Management

If your school already has device management in place with remote connectivity, we recommend adding each device to the network to enhance the security of both devices and users.

If your school does not already have device management in place, we would not recommend setting this up due to the associated costs and resources involved.

Set up content filtering

You are responsible for setting up management and safeguarding measures before you distribute the devices to avoid risks to the children and young people in your care.