Windows laptops and tablets setup guide
Guidance for Microsoft Windows devices provided with safeguarding and mobile device management software and how to install your own.
Preparing laptops and tablets ordered without DfE settings
If you order ‘Standard’ Windows devices without DfE safeguarding settings, they can be configured to your own standards with your preferred software and settings. You’ll immediately be able to bring these devices into your own device management framework and support them in the same way you do for all devices under your control.
You'll be responsible for setting up management and safeguarding measures before you distribute the devices to avoid risks to the children and young people in your care.
Read our guidance on preparing a Standard Windows device.
If you receive any new or refurbished Windows devices for your school or college through donations, we recommend following our guidance on preparing a Standard Windows device before lending the device to a child, family or young person. Further information on erasing data from donated devices is available from the National Cyber Security Centre.
Preparing laptops and tablets ordered with DfE settings
If you order ‘DfE Restricted’ devices, they'll be delivered with the following pre-installed security software that is not configurable at a local level:
- Microsoft Intune - device management software that prevents users from installing unauthorised software or making changes to files and settings
- Cisco Umbrella - content filtering software that blocks a range of illegal and inappropriate content and limits searching to the ‘Safe Search’ provided by popular search engines
Licenses for this software will expire on 30 September 2021. You can take control of the devices at any time by restoring them to factory settings and applying your own remote management solution. Read our guidance on how to apply your own settings to devices to see the actions required to ensure those who have received devices can continue to do so safely.
DfE Restricted Microsoft Windows devices come with the Windows 10 Education operating system and include the following security and antivirus software:
- Windows Information Protection
- Windows Defender Credential/System Guard
- Windows Defender Exploit Guard
- Windows Defender Antivirus
BitLocker encryption has not been enabled on the devices to make it easier for you to reimage them.
Microsoft Windows devices do not have Microsoft 365 (formerly Office 365) applications installed, but users will be able to use Microsoft 365 online if their school has an active subscription. A child or young person not in school (such as a care leaver) can make use of their own preferred online system.
Schools can apply for government funding to get set up on Microsoft 365 Education. Microsoft 365 Education includes Microsoft Word, Excel and Powerpoint as well as many mobile device management features.
Mobile device management (MDM)
DfE's Microsoft Intune MDM settings prevent users from making changes to files or settings that might stop the device from working.
Microsoft Intune licenses will expire on 30 September 2021. Read our guidance on how to apply your own settings.
We do not actively monitor users’ activity through the MDM and it's not possible to tailor the configured MDM to meet local needs. Anything you try to install yourself may be lost when the device checks in with the MDM, which happens at regular intervals.
DfE’s Cisco Umbrella settings block a range of illegal and inappropriate content and limits searching to the ‘Safe Search’ provided by popular search engines.
Cisco Umbrella licenses will expire on 30 September 2021. Read our guidance on how to apply your own settings.
The settings settings are designed to make the devices safe to use and suitable for a wide range of users, from pre-school children up to care leavers. Websites users visit on their devices will be logged by Cisco Umbrella, but DfE will not monitor these logs and they will not be available to schools, local authorities or trusts. DfE may turn logging on when adjusting filtering rules to test whether they are effective.
This filtering should not prevent legitimate use of the devices. Contact us to report instances where legitimate use is blocked or inappropriate content can be accessed.
When devices connect to a new network, there will be a short delay before the content filtering starts to work. This usually takes less than 15 seconds but could take up to 3 minutes. During this time, users may be able to access any website without restriction. We are working with Cisco to reduce this delay and will automatically update devices to support this.
Reconfiguring devices with DfE settings
Licenses for pre-installed security software (Microsoft Intune and Cisco Umbrella) will expire on 30 September 2021. We recommend following our guidance on applying your own settings to devices as soon as possible to ensure those who have received devices can continue to do so safely.
You can take control of the devices at any time by restoring them to factory settings. This will remove all DfE software and settings.
Once laptops and tablets have been reset or security software licenses have been allowed to expire, it’s your responsibility to set up safeguarding measures to avoid risks to the children and young people in your care.
User guidance for young people and their carers
Our guidance on how to get started with your Microsoft Windows laptop or tablet can be shared with young people and their parents, guardians and carers.
You may want to add contact information to this guidance for the person or team offering IT support to device users.