Windows laptops and tablets setup guide
Guidance for Microsoft Windows devices provided with safeguarding and mobile device management software and how to install your own.
- Preparing laptops and tablets ordered without DfE settings installed
- Preparing laptops and tablets ordered with DfE settings installed
- Managing settings and software
- Mobile device management
- Content filtering
- Reconfigure your devices
- Getting local admin and BIOS passwords to install your own software and settings
- User guidance for young people and their carers
When ordering Microsoft devices, a selection can be made between:
- not having DfE settings installed - these 'Standard' devices can be configured with your preferred safeguarding software and brought into your existing device management framework
- having DfE settings installed - these 'DfE Restricted' devices have temporary safeguarding settings installed - content filtering and mobile device management (MDM) software - which you’ll need to replace before they expire on 30 September 2021. You’ll need to reset these devices before you can apply new settings, or download some types of software. You'll be reliant on DfE for technical support.
If you receive any new or refurbished Windows devices for your school or college through donations, we recommend following our guidance on preparing a standard Windows device before lending the device to a child, family or young person. Further information on erasing data from donated devices is available from the National Cyber Security Centre.
Preparing laptops and tablets ordered without DfE settings installed
If you order devices after September 2020, you have the option to receive them without DfE safeguarding settings installed prior to delivery. These 'Standard' devices will have the manufacturer’s factory settings as they would arrive if purchased from a retailer.
This allows devices to be configured to your own standards with your preferred software and settings, and without the limitations imposed by DfE configured devices. You’ll immediately be able to bring these devices into your own device management framework and support them in the same way you do for all devices under your control.
You will be responsible for setting up management and safeguarding measures before you distribute the devices – such as content filtering, antivirus software and mobile device management – to avoid risks to the children and young people in your care.
Read our guidance on preparing a standard Windows device.
Preparing laptops and tablets ordered with DfE settings installed
The following guidance applies only to devices ordered in the 2020 summer term, and those ordered after September 2020 where you have selected 'DfE Restricted' devices which have software and settings installed prior to delivery.
DfE-provided settings are a ‘one-size fits all’ solution, designed to block harmful content. These settings are not configurable at a local level.
Managing settings and software
Microsoft Windows devices come with antivirus software, content filtering and remote management settings already so they're ready to use.
Content filtering and remote management will stop working when the licences expire on 30 September 2021. You can replace the DfE settings with your own at any point.
Microsoft Windows laptops and tablets come with the Windows 10 Education operating system.
Security and antivirus
Microsoft Windows devices come with Windows Defender Antivirus.
Microsoft Windows devices do not have Office 365 applications installed, but school-aged children will be able to use Office 365 online if you or their school have an active subscription. A child or young person not in school (such as a care leaver) can make use of their own preferred online system.
Schools can apply for government funding to get set up on Office 365 Education. Office 365 Education includes Microsoft Word, Excel and Powerpoint as well as many mobile device management features.
Mobile device management
Microsoft Windows laptops and tablets are delivered to you with security settings already configured and managed by the Department for Education (DfE) using Microsoft Intune.
These mobile device management (MDM) settings prevent children and young people from making changes to files or settings that might stop the device from working. It is not possible to tailor the configured MDM to meet local needs. Anything you try to install yourself may be lost when the device checks in with the MDM, which happens at regular intervals.
DfE will not actively monitor users' activity through the mobile device management solution. Websites users visit on their devices will be logged by Cisco Umbrella, but we will not monitor these logs and they will not be available to the school, local authority or trust. DfE will turn logging on when we need to check that ongoing filtering is effective, for example by letting us test whether the filtering is effective after adjusting filtering rules.
Bitlocker encryption has not been enabled on the devices to make it easier for you to reimage them.
Microsoft Windows devices come with a web-filtering service called Cisco Umbrella installed. This blocks a range of illegal and inappropriate content and limits searching to the ‘Safe Search’ provided by popular search engines.
The web-filtering settings are designed to make the devices safe to use and suitable for a wide range of users, from pre-school children up to care leavers.
This filtering should not prevent legitimate use of the devices. Contact us to report instances where legitimate use is blocked.
The first time the device connects to a new network, there will be a short delay before the content filtering starts to work. This usually takes less than 15 seconds but could take up to 2.5 minutes. During this time, users may be able to access any website without restriction while Cisco Umbrella registers the new device and checks network ports. DfE is working with Cisco to reduce this delay. Any updates made to support this will be deployed to the devices automatically.
You can lend the devices to users straight away as the MDM and content filtering will be in place until 30 September 2021. After this, the MDM will expire. The devices will continue to work with the last settings provided by the MDM but they will no longer be managed or updated, and web content will no longer be filtered.
Reconfigure your devices
DfE safeguarding settings expire on 30 September 2021. You need to reset devices and apply your own settings before that date to ensure they're safe for children and young people to use.
You can take control of the devices at any time by restoring them to factory settings and applying your own remote management solution. This will restore the machine to its original state without any DfE software or settings, and it will no longer be enrolled in the DfE device management system.
You can choose to remove the DfE safeguarding software and replace it with your own, or you can distribute the devices without any content filtering and MDM installed. You cannot change the DfE content filtering settings on the devices to relax the restrictions and meet individual needs.
If you remove the DfE software, then devices will function as a new device would, without any web content blocked. This means the young person will be able to access all areas of the internet unrestricted.
It is up to you to decide whether it’s appropriate to remove the DfE safeguarding software on the Windows devices for users in your care. We recommend that you make this decision for care leavers together with their social workers.
When you lend the devices to users, it’s important to underline that parents and guardians should supervise the internet use of children and young people in their care. Local authorities should be alert to cases where parents or guardians of children with a social worker may not be in a position to do this.
The following advice is available to help keep children safe online:
- Keeping Children Safe in Education - guidance that schools and colleges must follow when carrying out their duties to safeguard and promote the welfare of children – both online and offline.
- Safeguarding and remote education during coronavirus - guidance to help you understand safeguarding procedures when planning remote education strategies and teaching remotely.
- Support for parents and carers to keep children safe from online harm - resources to help keep children safe from different risks online, and where to go to receive support and advice.
- Support to stay safe online - information on security and privacy settings.
Getting local admin and BIOS passwords to install your own software and settings
To install your own software or replace the mobile device management you will need to reset the device using the instructions below. This will remove all of the pre-installed configuration and software from the device.
You will need to do this for each device individually.
It is possible to install some software on the devices without resetting them, but anything you try to install yourself may be lost when the device checks in with the MDM, which happens at regular intervals.
Who can access local admin and BIOS passwords to reset devices
Local admin and BIOS passwords are needed to reset devices to factory default settings and install new software.
For security, only the following people can view this information:
- a key contact (the person that completed your device forecast for devices delivered between May and July)
- a technical contact (nominated when the devices were ordered between May and July)
- a support contact (someone given access to the Support Portal by your key contact)
- anyone authorised to order laptops and tablets for disadvantaged children requiring access to remote education due to shielding or local coronavirus (COVID-19) restrictions
Your local authority, trust or school is responsible for keeping this information secure when sharing it with colleagues who are preparing devices for children and young people.
To log in to the Support Portal for the first time, enter your email address and click ‘forgotten password’. If you’re authorised to access the support portal, you’ll receive an email with instructions on how to set up a password.
If you do not have access to the portal but think you should, contact us and include the name of the school, local authority or trust that ordered the devices.
How to get local admin and BIOS passwords
Log in to the Support Portal
Click on the ‘How do I?’ section
Select the ‘Get local admin and BIOS passwords for Microsoft Windows laptops and tablets’ guide and follow the instructions
How to reset Microsoft devices so you can add your own software and settings
To install your own software or replace Cisco Umbrella and Microsoft Intune you’ll need to restore factory settings on the device. This will remove all of the security and protection features on the device.
You’ll need to do this for each device individually.
For guidance on how to do this:
Log in to the Support Portal
Click on the ‘How do I?’ section
Select ‘How to reset your Microsoft Windows device to default factory settings’ and follow the instructions to use local admin and BIOS passwords to reset your devices
User guidance for young people and their carers
You can share this user guide on setting up Microsoft Windows laptops and tablets with young people and their parents, guardians and carers.
You may want to add contact information to this guidance for the person or team offering IT support to device users.
If users find that the login is defaulting to the “.\localadmin” account and asking for a password, see the advice above.