Microsoft Intune and Autopilot make deploying Windows 10 devices, including Microsoft Surfaces, in schools really simple.
Windows 10 modern desktop management is a suite of tools and services which allow schools to deploy and manage Windows 10 devices in the cloud. It’s like iPad MDM but for Windows.
The days of Group Policy, Active Directory, and desktop imaging are gone — well mostly! These have been replaced with Microsoft Intune and a suite of other tools designed to help schools deploy Windows 10 devices and apps to teachers and students.
As remote learning becomes an increasingly large part of school life, it’s essential that students and teachers have access to all the apps and services they need. Windows 10 modern desktop management makes this happen.
Getting started with Microsoft Intune and Autopilot
This getting started guide provides an overview of how to manage student Windows 10 devices with Microsoft Intune in your school. I’ll be skipping over a lot of technical detail but at the bottom you’ll find a list of excellent free technical resources so you can get up and running quickly.
If you’re serious about getting to grips with Windows 10 modern desktop management, I strongly recommend the Udemy training course which allows you to get Microsoft certified before doing a live roll out.
What is the Microsoft Modern Desktop?
The modern world requires that schools move beyond on-premise servers, strictly maintained desktop computers and controlled applications. The age of schools maintaining their own servers is over and with it goes the traditional method of desktop management.
School desktops were traditionally managed using services like Active Directory and Group Policy. Computers were kept in stasis and updates to applications tightly controlled.
As we shift with increasing speed towards every student using their own computer, this level of control is increasingly unreasonable and unsustainable. Students and staff now expect to be able to install their own apps, to personally tailor their online experience, and sync their documents between multiple devices.
It’s for these reasons that Active Directory and Group Policy servers hosted within a school are no longer sufficient to meet the needs of schools.
The world where an application update had to wait for IT has passed. Services like Microsoft Intune allow schools to manage student and staff computers whether they are in school or at home. The Microsoft Store for Education and Company Portal allow students and staff to install applications instantly.
Even Windows 10 now updates itself with a continuous delivery model known as Windows as a Service. This means an updated version of Windows 10 will be pushed to users every six months, regardless of school policies.
How to manage Windows 10 with Intune
This is where Microsoft Autopilot and Microsoft Intune come in. These two services allow schools to go from an out-of-the-box version of Windows 10 to a fully customised and managed device without IT ever having to touch the device.
School IT departments can customise the operating system, install applications, apply licenses, and even run PowerShell scripts all from the cloud. It’s like super-iPad MDM.
There are many possible scenarios available when deploying Windows 10 in schools, but I’m going to focus on deploying Windows 10 devices in a sealed box to students and deploying basic apps and settings automatically without IT ever touching the device.
First, let’s take a look at the basics.
What is Microsoft Intune?
Microsoft Intune is a mobile device management service which is integrated into Microsoft 365. Intune allows schools to manage and configure devices in the cloud without the need for on-premise servers. If you’ve used an MDM service to manage iPads before, you’ll already have a good idea of how Intune works.
I’m sure Microsoft won’t appreciate the comparison, but Intune combined with Autopilot is similar to Apple’s MDM management solutions like Apple School Manager and JAMF. Unlike iPad MDM management, however, you can really get under the hood of your Intune devices and do things like run PowerShell scripts, set policies, configure remote access apps, and even make registry changes.
There are two flavours of Microsoft Intune available to schools:
In reality these are both the same system, but Microsoft Intune for Education gives a pared-down set of options, which is more suited to schools with smaller IT departments or less technically inclined staff.
Does Intune work with devices other than Microsoft Surfaces?
Yes. This is a common misconception about Microsoft Intune. Most Windows 10 devices can be managed by Intune. You might also be interested to know that you can also manage iPads, Macs, and Android devices within Intune. More below.
Licensing requirements for Microsoft Intune
The following licensing requirements must be met to use Microsoft Intune in your school:
- Devices must be pre-installed with Windows 10 Pro, Pro Education, Pro for Workstations, Enterprise, or Education Version 1703 or higher. All Microsoft Surfaces and many other manufacturers’ devices meet this requirement. You can also install Windows on older devices to bring them within the system.
- Azure AD Premium P1 or P2 licenses should be applied to your Microsoft 365 users.
- Microsoft Intune licenses should be applied to your users.
Which operating systems does Intune support?
Microsoft Intune can be used to manage most flavours of Windows 10, including:
- Surface Hub
- Windows 10 (Home, S, Pro, Education, and Enterprise versions)
- Windows 10 Enterprise 2019 LTSC
- Windows 10 IoT Enterprise (x86, x64)
- Windows Holographic for Business
- Windows 10 Teams (Surface Hub)
- Windows 10 1709 (RS3) and later, Windows 8.1 RT, PCs running Windows 8.1 (Sustaining mode)
In this getting started guide we’re only looking at Windows 10 management, however, you may be surprised to learn that Microsoft Intune also supports other operating systems, including Android 5.0 and later, Apple iOS 11.0 and later, Apple iPadOS 13.0 and later, and Mac OS X 10.12 and later.
Windows 10 Intune minimum hardware requirements
Throughout this article, I’ll be discussing brand new devices, but the hardware requirements to manage Windows 10 with Intune are so low that you can easily adjust this method to run on much older hardware.
Microsoft Intune can manage any devices above the hardware specification below. This is an extremely low specification and makes it possible to reuse any old laptops that you may have sitting around:
| Component | Minimum requirement |
|---|---|
| Processor | 1 GHz or faster processor |
| Memory | 1 GB RAM on 32-bit versions and 2 GB for 64-bit versions |
| Hard disk | 16 GB for 32-bit versions and 32 GB for 64-bit versions |
| Graphics card | DirectX 9 or later with a Windows Display Driver Model (WDDM) 1.0 driver |
| Display resolution | 800×600 pixels |
| Internet connection | Required to perform updates and to use some features. |
What is Microsoft Autopilot?
Microsoft Autopilot is a service which automatically joins Windows 10 devices to your school’s Microsoft Intune service. It’s like joining a desktop to a domain but in the cloud. Once joined Intune will push any configurations and apps that you’ve deployed for that device.
When you purchase a Windows 10 device from your reseller they will be able to provide you an Autopilot configuration file. This is a CSV file which contains unique information used to identify each device, including:
- Device Serial Number: Your Windows 10 computer’s serial number.
- Windows Product ID: The Windows product ID.
- Hardware Hash: a unique string of characters generated using information about the device, like manufacturer, model, device serial number etc.
- Group Tag: a number used to tell Autopilot which Intune group to add the device to. For example, you may have a student group tag and a staff group tag so that when the device is joined to Intune the correct configuration and apps are installed.
Once you’ve uploaded the CSV file to Autopilot, when the Windows 10 device is turned on and connected to the internet, it will check to see if it is assigned to an organisation and automatically prompt the student to sign in with their school account.
By setting a Group Tag in the CSV file, Intune will know the corresponding group that the device should be a member of and automatically push any settings and apps that you have applied.
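The CSV decides which devices your tenant trusts and which group each one lands in, so it is worth checking before import. The following is an added example, not code from the original article or from Microsoft: it validates a reseller file against a purchase-order serial list and a set of group tags that already have Intune groups. Both inputs are assumptions, and the sample rows are constructed.

```python
import base64
import csv
import io

# Columns described above; "Group Tag" is checked per row.
REQUIRED = ["Device Serial Number", "Windows Product ID", "Hardware Hash"]

def validate_autopilot_csv(text, expected_serials, allowed_tags):
    """Return (line, problem) tuples; an empty list means safe to import."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        return [(1, "missing column(s): " + ", ".join(missing))]
    problems, seen = [], set()
    for row in reader:
        line = reader.line_num
        serial = (row["Device Serial Number"] or "").strip()
        if not serial:
            problems.append((line, "empty serial number"))
        elif serial in seen:
            problems.append((line, f"duplicate serial {serial}"))
        elif serial not in expected_serials:
            problems.append((line, f"serial {serial} is not on the purchase order"))
        seen.add(serial)
        try:
            # The hash is an opaque base64 blob: only check that it decodes.
            raw = (row["Hardware Hash"] or "").strip()
            if not base64.b64decode(raw, validate=True):
                raise ValueError("empty hash")
        except ValueError:  # binascii.Error is a subclass of ValueError
            problems.append((line, f"hardware hash for {serial} is empty or not base64"))
        tag = (row.get("Group Tag") or "").strip()
        if tag not in allowed_tags:
            problems.append((line, f"group tag {tag!r} has no matching Intune group"))
    for serial in sorted(set(expected_serials) - seen):
        problems.append((0, f"ordered device {serial} missing from file"))
    return problems

# Constructed sample: serials, hashes and tags are made up for illustration.
SAMPLE = """Device Serial Number,Windows Product ID,Hardware Hash,Group Tag
SN-0001,,QUJDRA==,Student
SN-0002,,not base64!,Student
SN-0001,,QUJDRA==,Staff
SN-0009,,QUJDRA==,Studnet
"""
ORDERED = {"SN-0001", "SN-0002", "SN-0003"}  # assumed purchase-order list
TAGS = {"Student", "Staff"}                   # assumed tags with Intune groups

if __name__ == "__main__":
    for line, problem in validate_autopilot_csv(SAMPLE, ORDERED, TAGS):
        print(f"line {line}: {problem}")
```

Problems reported at line 0 are devices you ordered that the reseller's file does not cover; chase those before the boxes ship.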
Is there another way to get the Autopilot hardware hash?
Yes. You can use PowerShell to extract the hardware hash of a Windows 10 device. This is useful if you want to manage old laptops within Intune. Full documentation on how to extract the hash can be found here.
The Microsoft Roadmap, which is worth following if you want to stay up to date with all the latest Microsoft Teams and Microsoft developments, suggests that there will soon be a more elegant way to access the Autopilot hash information.
How to deploy Windows 10 devices to students
Microsoft Intune is extremely flexible and allows for a range of deployment scenarios. In this guide, however, I’m going to run through the most efficient model for deploying student Windows 10 devices. In this case I’m using Microsoft Surfaces, however, the same is true of any other hardware manufacturer.
Below I’ve outlined three aims that I want to achieve with my Intune deployment:
- I don’t want to touch the devices – social distancing and a large number of devices make it impractical to configure each one.
- All configuration and apps need to be pushed automatically.
- It needs to be really simple for the student to set up their new device.
With a combination of Autopilot and Intune it’s possible to completely automate this process, from purchase to a student using the device in lessons without the IT department ever having to touch the device.
Here’s a high-level view of the workflow involved:
- Device is purchased from the supplier.
- Supplier provides Microsoft Autopilot CSV file containing device identification information to the school.
- School imports CSV file into Microsoft Autopilot.
- Device is delivered — either to the school or student’s home.
- Sealed device is opened by the student.
- Student turns on the device.
- Microsoft Autopilot recognises the device and deploys the appropriate Microsoft Intune profile.
- Apps and configuration settings are automatically deployed.
In this scenario I’m not concerned how the device is purchased — this could be ordered by the school, or directly by a parent through a school purchasing portal or leasing scheme.
How to install apps on student devices using Microsoft Intune
There are two primary ways to install or distribute apps to student Windows 10 devices through Intune:
The Microsoft Store for Education
The Microsoft Store for Education is the Windows version of the iPad App Store. It allows schools to purchase apps and assign licenses to students. You can also create a curated private app store just for your school and limit access to the full store if you choose.
Microsoft Company Portal
I rarely hear people mentioning Company Portal, but this app is a key tool in the arsenal of any IT team. Company Portal is an app, installable from the Windows Store, which allows IT departments to present traditional Windows applications — such as Adobe Photoshop — for single-click install to teachers and students.
IT admins can package up software with .EXE or .MSI files and build a curated app store specific to their school.
Microsoft School Data Sync (SDS) makes life so much easier – use it!
Microsoft School Data Sync (SDS) takes data from your school’s MIS/SIS system and automatically populates your school’s Microsoft 365 services with users, class groups, year groups, exam results, and lots of other useful information.
SDS is most commonly used to import classes, teachers, and students into Microsoft Teams, but you can also use it to create groups of student and staff Windows 10 devices and make them manageable in Intune.
So you could, for example, use Intune to install an app for a specific class or year group. Take a look at the ClassThink guide on how to set up Microsoft School Data Sync in your school.
Learn Microsoft Azure Active Directory (Azure AD)
Microsoft Azure Active Directory is a cloud version of Microsoft Active Directory. It allows users to sign in to services, apps, and devices with their school Microsoft 365 account.
Schools are able to synchronise their local Active Directory user accounts and passwords to Azure AD using the provided tools.
Invest in Azure AD Premium
Azure AD is the system your Windows 10 devices use to authenticate against your Microsoft 365 accounts. Buying Azure AD Premium unlocks a host of additional features, including password write-back to Active Directory, if you are using on-premise AD servers.
When I first looked at licensing for Azure AD I was shocked by the apparently exorbitant cost. In particular, the Azure AD Premium P1 licenses seemed completely out of the reach of most schools.
I quickly realised, however, that the companies I asked for prices from were unfamiliar with this relatively new license and were quoting business prices. The education pricing for Azure AD Premium is much more reasonable and within reach of most schools.
Having run through this process a number of times on a large scale there are several pitfalls to look out for:
- Check that your reseller can provide the Autopilot hash file quickly. If the device is turned on by the student before the Autopilot file is uploaded the only way to join it to Intune correctly is a factory reset.
- Get Group Tags and a fallback dynamic group set up in Intune first. Without these you won’t be able to easily apply the correct settings and apps.
- Get your Intune setup reviewed by an Intune expert first. Microsoft Intune can work brilliantly, but make sure you’ve done your preparation to save problems down the line.
- Use Microsoft Support. Every school gets free support, including Microsoft Intune, via the Microsoft 365 admin center. Don’t be afraid to use it; Microsoft’s support is excellent.
- A Windows 10 computer can be joined to your Microsoft Intune system even if an Intune license has not been applied to the user. This can result in a device appearing in Intune but your configuration settings and policies never applying.
I’ve skipped over a lot of the technical detail in this article to keep it as accessible as possible, but you can find a range of excellent technical resources for free to get started setting up Autopilot and Intune in your school. Below are some of my recommendations:
Microsoft Autopilot Documentation
Microsoft’s official documentation for Autopilot is easy to follow and covers all aspects of setting up the system.
Microsoft Intune Documentation
The official Microsoft documentation for Intune.
Kevin Sait’s Surface Guy Blog
Kevin is an extremely knowledgeable independent consultant who works for Microsoft. His blog is a gold mine of the latest developments and advice related to all things Microsoft, Surface, and Intune. Make sure to follow his website.
Microsoft Modern Desktop Training Materials
A range of training resources are available designed to support you becoming Microsoft certified.
Microsoft Managing Modern Desktop Certification
If you are intending to use Microsoft Intune and any other related services at scale, the Microsoft Managing Modern Desktop Certification is an essential qualification. Udemy provides a range of online courses designed to get you Microsoft Certified.
Microsoft Teams Teachers Hub
Take a look at the ClassThink Teams Teachers Hub for information on how to deal with Teams classroom management and more.
Get Certified: Microsoft Managing Modern Desktop Exam MD-100
How to upgrade to Windows 10 and manage a staged rollout, including how to deploy devices using Windows Autopilot. Plus, see how to leverage Microsoft Intune profiles and policies to secure devices, ensure device compliance, control devices, and manage data access.
What you’ll learn…
- Implementing Windows 10
- Provisioning packages
- Deploying Windows 10 using Windows Autopilot
- Upgrading to Windows 10
- Managing Windows Update for Business
- Managing device authentication
- Working with user profiles
- Managing Windows 10 using Microsoft Intune
- Managing policy precedence