Windows laptops and tablets setup guide
Guidance for Microsoft Windows devices provided with safeguarding and mobile device management software and how to install your own.
Preparing laptops and tablets ordered without DfE settings
If you order ‘Standard’ Windows devices without DfE safeguarding settings, they can be configured to your own standards with your preferred software and settings. You’ll immediately be able to bring these devices into your own device management framework and support them in the same way you do for all devices under your control.
You’ll be responsible for setting up management and safeguarding measures before you distribute the devices to avoid risks to the children and young people in your care.
Read our guidance on preparing a Standard Windows device.
If you receive any new or refurbished Windows devices for your school or college through donations, we recommend following our guidance on preparing a Standard Windows device before lending the device to a child, family or young person. Further information on erasing data from donated devices is available from the National Cyber Security Centre.
Preparing laptops and tablets ordered with DfE settings
Restricted devices were delivered with the following pre-installed security software that is not configurable at a local level:
- Microsoft Intune – device management software that prevents users from installing unauthorised software or making changes to files and settings
- Cisco Umbrella – content filtering software that blocks a range of illegal and inappropriate content and limits searching to the ‘Safe Search’ provided by popular search engines
Licenses for this software were due to expire on 30 September 2021. To ensure devices remain safe for children and young people to use, we’ve extended licenses until 30 September 2022. You should take control of the devices as soon as possible by restoring them to factory settings and applying your own remote management solution. Read our guidance on how to apply your own settings to devices to see the actions required to ensure those who have received devices can continue to do so safely.
DfE Restricted Microsoft Windows devices come with the Windows 10 Education operating system and include the following security and antivirus software:
- Windows Information Protection
- Windows Defender Credential/System Guard
- Windows Defender Exploit Guard
- Windows Defender Antivirus
BitLocker encryption has not been enabled on the devices to make it easier for you to reimage them.
Microsoft Windows devices do not have Microsoft 365 (formerly Office 365) applications installed, but users will be able to use Microsoft 365 online if their school has an active subscription. A child or young person not in school (such as a care leaver) can make use of their own preferred online system.
Schools can apply for government funding to get set up on Microsoft 365 Education. Microsoft 365 Education includes Microsoft Word, Excel and Powerpoint as well as many mobile device management features.
Mobile device management (MDM)
DfE's Microsoft Intune MDM settings prevent users from making changes to files or settings that might stop the device from working.
We do not actively monitor users’ activity through the MDM and it is not possible to tailor the configured MDM to meet local needs. Anything you try to install yourself may be lost when the device checks in with the MDM, which happens at regular intervals.
Read our guidance on how to apply your own settings.
DfE’s Cisco Umbrella settings block a range of illegal and inappropriate content and limits searching to the ‘Safe Search’ provided by popular search engines.
The settings are designed to make the devices safe to use and suitable for a wide range of users, from pre-school children up to care leavers. Websites that users visit on their devices will be logged by Cisco Umbrella, but DfE will not monitor these logs and they will not be available to schools, local authorities or trusts. DfE may turn logging on when adjusting filtering rules to test whether they’re effective.
This filtering should not prevent legitimate use of the devices. Contact us to report instances where legitimate use is blocked or inappropriate content can be accessed.
When devices connect to a new network, there’ll be a short delay before the content filtering starts to work. This usually takes less than 15 seconds but could take up to 3 minutes. During this time, users may be able to access any website without restriction. We’re working with Cisco to reduce this delay and will automatically update devices to support this.
Read our guidance on how to apply your own settings.
Reconfiguring devices with DfE settings
Licenses for pre-installed security software (Microsoft Intune and Cisco Umbrella) will expire on 30 September 2022. You should follow our guidance on applying your own settings to devices as soon as possible to ensure those who have received devices can continue to do so safely.
It’s your responsibility to set up safeguarding measures to avoid risks to the children and young people in your care.
User guidance for young people and their carers
Our guidance on how to get started with your Microsoft Windows laptop or tablet can be shared with young people and their parents, guardians and carers.
You may want to add contact information to this guidance for the person or team offering IT support to device users.