Preparing Microsoft Windows laptops and tablets

Guidance for Microsoft Windows devices provided with safeguarding and mobile device management software and how to install your own.


When ordering Microsoft devices, a selection can be made between:

  • not having DfE settings installed - these 'Standard' devices can be configured with your preferred safeguarding software and brought into your existing device management framework
  • having DfE settings installed - these 'DfE Restricted' devices are not configurable, with limitations on downloading certain software and changing the strict content filters that may prevent some browsers and conferencing tools from functioning. You will be reliant on DfE for technical support.

Preparing laptops and tablets ordered without DfE settings installed

If you order devices after September 2020, you have the option to receive them without DfE safeguarding settings installed prior to delivery. These 'Standard' devices will have the manufacturer’s factory settings as they would arrive if purchased from a retailer.

This allows devices to be configured to your own standards with your preferred software and settings, and without the limitations imposed by DfE configured devices. You’ll immediately be able to bring these devices into your own device management framework and support them in the same way you do for all devices under your control.

You will be responsible for setting up management and safeguarding measures before you distribute the devices – such as content filtering, antivirus software and mobile device management – to avoid risks to the children and young people in your care.

Preparing laptops and tablets ordered with DfE settings installed

The following guidance applies only to devices ordered between May and July 2020, and those ordered after September 2020 where you have selected 'DfE Restricted' devices which have software and settings installed prior to delivery.

DfE-provided settings are a ‘one-size fits all’ solution, designed to block harmful content. These settings are not configurable at a local level.

Managing settings and software

Microsoft Windows devices come with antivirus software, content filtering and remote management settings already installed, so they're ready to use.

Content filtering and remote management will stop working when the licences expire on 30 September 2021. You can replace the DfE settings with your own at any point.

Operating system

Microsoft Windows laptops and tablets come with the Windows 10 Education operating system.

Security and antivirus

Microsoft Windows devices include the following security and antivirus software:

  • Windows Information Protection
  • Windows Defender Credential/System Guard
  • Windows Defender Exploit Guard
  • Windows Defender Antivirus

Education software

Microsoft Windows devices do not have Office 365 applications installed, but school-aged children will be able to use Office 365 online if you or their school have an active subscription. A child or young person not in school (such as a care leaver) can make use of their own preferred online system.

Schools can apply to get set up on Office 365 Education for free. Office 365 Education includes Microsoft Word, Excel and PowerPoint as well as many mobile device management features.

Mobile device management

Microsoft Windows laptops and tablets are delivered to you with security settings already configured and managed by the Department for Education (DfE) using Microsoft Intune.

These mobile device management (MDM) settings prevent children and young people from making changes to files or settings that might stop the device from working. It is not possible to tailor the configured MDM to meet local needs. Anything you try to install yourself may be lost when the device checks in with the MDM, which happens at regular intervals.

DfE will not actively monitor users' activity through the mobile device management solution. Websites users visit on their devices will be logged by Cisco Umbrella, but we will not monitor these logs and they will not be available to the school, local authority or trust. DfE will turn logging on when we need to check that ongoing filtering is effective, for example to test the filtering after adjusting filtering rules.

BitLocker encryption has not been enabled on the devices to make it easier for you to reimage them.

Content filtering

Microsoft Windows devices come with a web-filtering service called Cisco Umbrella installed. This blocks a range of illegal and inappropriate content and limits searching to the ‘Safe Search’ provided by popular search engines.

The web-filtering settings are designed to make the devices safe to use and suitable for a wide range of users, from pre-school children up to care leavers.

This filtering should not prevent legitimate use of the devices. You can access support to report instances where legitimate use is blocked.

The first time the device connects to a new network, there will be a short delay before the content filtering starts to work. This usually takes less than 15 seconds but could take up to 2.5 minutes. During this time, users may be able to access any website without restriction while Cisco Umbrella registers the new device and checks network ports. DfE is working with Cisco to reduce this delay. Any updates made to support this will be deployed to the devices automatically.

You can lend the devices to users straight away as the MDM and content filtering will be in place until 30 September 2021. After this, the MDM will expire. The devices will continue to work with the last settings provided by the MDM but they will no longer be managed or updated, and web content will no longer be filtered.

Reconfigure your devices

You can take control of the devices at any time by restoring them to factory settings and applying your own remote management solution. This will restore the machine to its original state without any DfE software or settings, and it will no longer be enrolled in the DfE device management system.

If you remove the MDM and content filtering provided by DfE or continue using the devices after 30 September 2021 once the software expires, it is your responsibility to safeguard the young people in your care. Once the software has been removed, or expired, DfE will no longer support these devices.

You can choose to remove the DfE safeguarding software and replace it with your own, or you can distribute the devices without any content filtering and MDM installed. You cannot change the DfE content filtering settings on the devices to relax the restrictions and meet individual needs.

If you remove the DfE software, then devices will function as a new device would, without any web content blocked. This means the young person will be able to access all areas of the internet unrestricted.

It is up to you to decide whether it’s appropriate to remove the DfE safeguarding software on the Windows devices for users in your care. We recommend that you make this decision for care leavers together with their social workers.

When you lend the devices to users, it’s important to underline that parents and guardians should supervise the internet use of children and young people in their care. Local authorities should be alert to cases where parents or guardians of children with a social worker may not be in a position to do this.

See government advice on:

  • safeguarding, which signposts parents to trusted providers and includes detailed advice on keeping children safe online (this includes information on home filters, age appropriate parental controls, the risks of platforms and apps, and how to have age appropriate conversations with children about online safety)
  • support for parents and carers to keep children safe from online harm, which outlines resources to help keep children safe from different risks online and where to go to receive support and advice
  • support to stay safe online, which includes information on security and privacy settings

Requesting local admin and BIOS passwords to install your own software and settings

To install your own software or replace the mobile device management you will need to reset the device using the instructions below. This will remove all of the pre-installed configuration and software from the device.

You will need to do this for each device individually.

It is possible to install some software on the devices without resetting them, but anything you try to install yourself may be lost when the device checks in with the MDM, which happens at regular intervals.

Who can request local admin and BIOS passwords to reset devices

Local admin and BIOS passwords are needed to reset devices to factory default settings and install new software.

For security, only the following people can view this information:

  • a key contact (the person that completed your device forecast for devices delivered between May and July)
  • a technical contact (nominated when the devices were ordered between May and July)
  • a support contact (someone given access to the Support Portal by your key contact)
  • anyone authorised to order laptops and tablets for disadvantaged children requiring access to remote education due to shielding or local coronavirus (COVID-19) restrictions

Your local authority, trust or school is responsible for keeping this information secure when sharing it with colleagues who are preparing devices for children and young people.

To log in to the Support Portal for the first time, enter your email address and click ‘forgotten password’. If you’re authorised to access the support portal, you’ll receive an email with instructions on how to set up a password.

If you do not have access to the portal but think you should, please email COVID.TECHNOLOGY@education.gov.uk and include the name of the school, local authority or trust that ordered the devices.

How to get local admin and BIOS passwords

  1. Log in to the Computacenter Support Portal

  2. Click on the ‘How do I?’ section

  3. Select the ‘Get local admin and BIOS passwords for Microsoft Windows laptops and tablets’ guide and follow the instructions

How to reset Microsoft devices so you can add your own software and settings

To install your own software or replace Cisco Umbrella and Microsoft Intune you’ll need to restore factory settings on the device. This will remove all of the security and protection features on the device.

You’ll need to do this for each device individually.

For guidance on how to do this:

  1. Log in to the Computacenter Support Portal

  2. Click on the ‘How do I?’ section

  3. Select ‘How to reset your Microsoft Windows device to default factory settings’ and follow the instructions to use local admin and BIOS passwords to reset your devices
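A check you could run on each device after the reset and after applying your own management, before lending it out (an added example, not DfE or Computacenter guidance). It assumes Windows PowerShell 5.1 run as administrator and that the reset removes the delivered localadmin and localuser accounts; the function name and finding texts are illustrative. It does not test web filtering, which depends on the product you choose.

```powershell
# Added example: pre-distribution check for a reset, re-provisioned device.
# Run in an elevated Windows PowerShell session on the device itself.
function Get-DeviceReadiness {
    $r = [ordered]@{}

    # Windows Defender Antivirus state (the cmdlet fails if Defender is disabled
    # or replaced by another product, so treat an error as "not reporting").
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        $r.RealTimeProtection = $mp.RealTimeProtectionEnabled
        $r.SignatureAgeDays   = $mp.AntivirusSignatureAge
    } catch {
        $r.RealTimeProtection = $false
        $r.SignatureAgeDays   = $null
    }

    # BitLocker on the system drive (the devices are delivered with it off).
    try {
        $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $r.BitLocker = [string]$bl.ProtectionStatus
    } catch { $r.BitLocker = 'Unknown' }

    # MDM enrolments recorded in the registry; after a reset this should list
    # only your own management provider.
    $providers = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        Get-ItemProperty | Where-Object { $_.ProviderID } |
        Select-Object -ExpandProperty ProviderID -Unique
    $r.MdmProviders = if ($providers) { $providers -join ', ' } else { 'none' }

    # Enabled local accounts: the delivered localadmin and localuser accounts
    # are expected to be gone after a factory reset (assumption).
    $r.EnabledLocalAccounts = (Get-LocalUser | Where-Object Enabled |
        Select-Object -ExpandProperty Name) -join ', '

    [pscustomobject]$r
}

$state = Get-DeviceReadiness
$state | Format-List

# Collect findings to resolve before the device is handed to a user.
$findings = @()
if (-not $state.RealTimeProtection) { $findings += 'Antivirus real-time protection is off or not reporting' }
if ($state.BitLocker -ne 'On')      { $findings += 'System drive is not BitLocker-protected' }
if ($state.MdmProviders -eq 'none') { $findings += 'Device is not enrolled in any MDM' }
if ($state.EnabledLocalAccounts -match 'localadmin|localuser') { $findings += 'Delivered local accounts still present' }
$findings
```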

How to help anyone experiencing problems logging in to Windows devices

Some users with Windows devices that have been pre-installed with DfE settings may experience a bug that makes it harder for them to log in to their laptops and tablets.

Users may find that the login is defaulting to the “.\localadmin” account and asking for a password, which they do not have.

We’ve identified a fix for this bug. The end users – young people, children or their families – will need to:

  • follow the steps below to apply the .\localuser workaround and log in to the device
  • connect the device to the internet so it can receive the fix update – leave the device turned on, plugged in to the mains and connected to the internet for at least 3 hours for the fix to be applied
  • restart the device – if the fix has been successful, the device should automatically log in as “localuser”. If the user has previously set up a password they will need to enter it. If the device does not log in automatically or the username is not “localuser” at the login prompt, then the fix has not been applied and the user may need to repeat the process

If no local user password has been set

  • Click "OK"
  • Change the username in the upper box from “.\localadmin” to “.\localuser” (it’s important to include the “.” dot and “\” backslash)
  • Do not enter a password
  • Press return
  • This should log you in as the local user

If a local user password has been set

  • Click "OK"
  • Change the username in the upper box from “.\localadmin” to “.\localuser” (it’s important to include the “.” dot and “\” backslash)
  • Enter the password you have set
  • Press return
  • This should log you in as the local user

If a user has set a password for “.\localuser” that they’ve forgotten, you’ll need to sign in to the “.\localadmin” account and reset their password using the "User Accounts" settings in the Control Panel.

We’ve illustrated these steps in our user guidance, which you can share with anyone using your Microsoft devices.

User guidance for young people and their carers

You can share this user guide on setting up Microsoft Windows laptops and tablets with young people and their parents, guardians and carers.

You may want to add contact information to this guidance for the person or team offering IT support to device users.

If users find that the login is defaulting to the “.\localadmin” account and asking for a password, please see the advice above.

