Technical reference for the Set up School PCs app

Applies to:

  • Windows 10

The Set up School PCs app helps you set up new Windows 10 PCs that work great in your school by configuring shared PC mode. The latest Set up School PCs app is available for Windows 10, version 1703 (Creators Update). Set up School PCs also configures school-specific settings and policies, described in this topic.

If your school uses Azure Active Directory (Azure AD) or Office 365, the Set up School PCs app will create a setup file that joins the PC to your Azure Active Directory tenant. You can also use the app to set up school PCs that anyone can use, with or without Internet connectivity.

Here's a list of what you get when using the Set up School PCs app in your school.

| Feature | No Internet | Azure AD | Office 365 | Azure AD Premium |
| --- | --- | --- | --- | --- |
| Fast sign-in: Each student can sign in and start using the computer in less than a minute, even on their first sign-in. | X | X | X | X |
| Custom Start experience: The apps students need are pinned to Start, and unnecessary apps are removed. | X | X | X | X |
| Guest account, no sign-in required: This option sets up computers for common use. Anyone can use the computer without an account. | X | X | X | X |
| School policies: Settings specific to education create a useful learning environment and the best computer performance. | X | X | X | X |
| Azure AD Join: The computers are joined to your Azure AD or Office 365 subscription for centralized management. | | X | X | X |
| Single sign-on to Office 365: By signing on with student IDs, students have fast access to Office 365 web apps or installed Office apps. | | | X | X |
| Take a Test: Configure the Take a Test app and use it for taking quizzes and high-stakes assessments by some providers like Smarter Balanced. | | | | X |
| Settings roaming via Azure AD: Student user and application settings data can be synchronized across devices for a personalized experience. | | | | X |

Note

If your school uses Active Directory, use Windows Configuration Designer to configure your PCs to join the domain. You can only use the Set up School PCs app to set up PCs that are connected to Azure AD.

Automated Azure AD join

One of the most important features in Set up School PCs is the ability to create a provisioning package that performs automated Azure AD join. With this feature, you no longer have to spend minutes going through Windows setup, manually connecting to a network, and manually joining your Azure AD domain. With the automated Azure AD join feature in Set up School PCs, this process is reduced to zero clicks! You can skip all of the Windows setup experience; the OS automatically joins the PC to your Azure AD domain and enrolls it into MDM if you have an MDM provider activated.

To make this as seamless as possible, in your Azure AD tenant:

  • Allow your teachers and other IT staff to join devices to Azure AD so they can successfully request an automated Azure AD join token.

    In the Azure portal, select Azure Active Directory. Go to Users and groups > Device Settings and in Users may join devices to Azure AD, click Selected and choose the members you want to enable to join devices to Azure AD.

    Figure 1 - Select the users you want to enable to join devices to Azure AD

  • Consider creating a special account that uses a username and password that you provide, and which has the rights to join devices if you don't want to add all teachers and IT staff.

    • When teachers or IT staff need to set up PCs, they can use this account in the Set up School PCs app.
    • If you use a service to set up PCs for you, you can give them this special account so they can deliver PCs to you that are already Azure AD joined and ready to be given to a student.
  • Turn off multifactor authentication.

    In the Azure portal, select Azure Active Directory. Go to Users and groups > Device Settings and set Require Multi-Factor Auth to join devices to No.

    Figure 2 - Turn off multi-factor authentication in Azure AD

  • Set the maximum number of devices a user can add to unlimited.

    In the Azure portal, select Azure Active Directory. Go to Users and groups > Device Settings and set Maximum number of devices per user to Unlimited.

    Figure 3 - Set maximum number of devices per user to unlimited

  • Clear your Azure AD tokens from time to time. Your tenant can only have 500 automated Azure AD tokens active at any one time.

    In the Azure portal, select Azure Active Directory. Go to Users and groups > All users and look through the list of user names for names that start with package_ followed by a string of letters and numbers. These are the user accounts that are created automatically for the tokens, and you can safely delete them.

    Figure 4 - Delete the accounts automatically created for the Azure AD tokens

  • Note that automated Azure AD tokens have expiration dates. Set up School PCs creates them with an expiration date of one month. You will see the specific expiration date for the package in the Review package summary page in Set up School PCs.

    Figure 5 - Sample summary page showing the expiration date
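
The token cleanup described above can be scripted so that the package_ accounts are listed and reviewed before anything is deleted. The following PowerShell is an added example and is not code from this topic or from the Set up School PCs app; it assumes the AzureAD PowerShell module is installed, that Connect-AzureAD has already been run as an account allowed to delete users in the tenant, and the function names are my own.

```powershell
# Added example; not code from the Set up School PCs topic.
# Assumes the AzureAD PowerShell module is installed and Connect-AzureAD has
# already been run as an account permitted to delete users in the tenant.

function Get-SchoolPcTokenAccount {
    # Set up School PCs creates one user account per automated Azure AD join
    # token; their user names start with "package_".
    Get-AzureADUser -All $true |
        Where-Object { $_.UserPrincipalName -like 'package_*' } |
        Select-Object DisplayName, UserPrincipalName, ObjectId
}

function Remove-SchoolPcTokenAccount {
    # Supports -WhatIf / -Confirm so the deletion can be previewed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $accounts = @(Get-SchoolPcTokenAccount)
    Write-Verbose ("{0} token accounts found; the tenant limit is 500 active tokens" -f $accounts.Count)

    foreach ($acct in $accounts) {
        if ($PSCmdlet.ShouldProcess($acct.UserPrincipalName, 'Delete automated Azure AD token account')) {
            Remove-AzureADUser -ObjectId $acct.ObjectId
        }
    }
}

# Preview run: nothing is deleted. Run again without -WhatIf to clean up.
Remove-SchoolPcTokenAccount -WhatIf -Verbose
```

Because the accounts are deleted by object ID rather than by display name, an ordinary user whose display name happens to contain "package_" is not affected; only user principal names that begin with the prefix are selected.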

Information about Windows Update

Shared PC mode helps ensure that computers are always up-to-date. If a PC is configured using the Set up School PCs app, shared PC mode sets the power states and Windows Update to:

  • Wake nightly
  • Check and install updates
  • Forcibly reboot if necessary to finish applying updates

The PC is also configured to not interrupt the user during normal daytime hours with updates or reboots. Notifications are also blocked.

Guidance for accounts on shared PCs

  • We recommend no local admin accounts on the PC to improve the reliability and security of the PC.
  • When a PC is set up in shared PC mode with the default deletion policy, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account management happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through Guest or Kiosk will also be deleted automatically at sign out.
  • On a Windows PC joined to Azure Active Directory:
    • By default, the account that joined the PC to Azure AD will have an admin account on that PC. Global administrators for the Azure AD domain will also have admin accounts on the PC.
    • With Azure AD Premium, you can specify which accounts have admin accounts on a PC using the Additional administrators on Azure AD Joined devices setting on the Azure portal.
  • Local accounts that already exist on a PC won’t be deleted when turning on shared PC mode. New local accounts created through Settings > Accounts > Other people > Add someone else to this PC after shared PC mode is turned on won't be deleted. However, any new local accounts created by the Guest or Kiosk selection on the sign-in screen, if enabled, will automatically be deleted at sign-out.
  • If admin accounts are necessary on the PC
    • Ensure the PC is joined to a domain that enables accounts to be signed on as admin, or
    • Create admin accounts before setting up shared PC mode, or
    • Create exempt accounts before signing out.
  • The account management service supports accounts that are exempt from deletion.

    • An account can be marked exempt from deletion by adding the account SID to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\ registry key.
    • To add the account SID to the registry key using PowerShell:

      $adminName = "LocalAdmin"
      $adminPass = 'Pa$$word123'
      # Create the local account. Call net.exe directly rather than through
      # Invoke-Expression, which would re-parse the "$$" in the password as a variable.
      # The account is created as a standard user; add it to the Administrators
      # group separately if it must be an admin account.
      net user $adminName $adminPass /add
      # Resolve the account name to its SID
      $user = New-Object System.Security.Principal.NTAccount($adminName)
      $sid = $user.Translate([System.Security.Principal.SecurityIdentifier]).Value
      # Create the per-SID subkey that marks the account exempt from deletion
      New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\$sid" -Force
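
Once exemptions have been added, it is worth being able to audit which accounts are actually exempt, since a stale SID under the Exemptions key keeps a profile from being reclaimed. The following PowerShell is an added example, not code from this topic; it reads the key the topic names, resolves each SID back to an account name, and checks whether a given account is exempt. The function names are my own, and it must be run from an elevated session.

```powershell
# Added example; not code from the Set up School PCs topic. Run elevated.
$exemptionKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions'

function Get-SharedPcExemptAccount {
    # Each subkey under Exemptions is named after the SID of an exempt account.
    if (-not (Test-Path -Path $exemptionKey)) {
        Write-Warning 'No Exemptions key found; no accounts are exempt from deletion.'
        return
    }
    Get-ChildItem -Path $exemptionKey | ForEach-Object {
        $sidString = $_.PSChildName
        try {
            $sid  = New-Object System.Security.Principal.SecurityIdentifier($sidString)
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            # A SID that no longer resolves usually belongs to a deleted account
            # and the subkey can be removed.
            $name = '<unresolved>'
        }
        [pscustomobject]@{ Sid = $sidString; Account = $name }
    }
}

function Test-SharedPcExemptAccount {
    # Returns $true when the named account has an exemption subkey.
    param([Parameter(Mandatory)][string]$AccountName)
    $sid = (New-Object System.Security.Principal.NTAccount($AccountName)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
    Test-Path -Path (Join-Path -Path $exemptionKey -ChildPath $sid)
}

Get-SharedPcExemptAccount | Format-Table -AutoSize
Test-SharedPcExemptAccount -AccountName 'LocalAdmin'
```

Entries reported as unresolved are candidates for removal: they no longer protect any account, and keeping the exemption list short makes it easier to see exactly which accounts survive the automatic deletion policy.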
      

Custom images

Shared PC mode is fully compatible with custom images that may be created by IT departments. Create a custom image and then use sysprep with the /oobe flag to create an image that teachers can then apply the Set up School PCs provisioning package to. Learn more about sysprep.

Provisioning package details

The Set up School PCs app produces a specialized provisioning package that makes use of the SharedPC configuration service provider (CSP).

Education customizations set by local MDM policy

  • By default, saving content locally to the PC is blocked, but you can choose to enable it. This prevents data loss by forcing students to save to the cloud.
  • A custom Start layout, taskbar layout, and lock screen image are set.
  • Prohibits unlocking the PC to developer mode.
  • Prohibits untrusted Microsoft Store apps from being installed.
  • Prohibits students from removing MDM.
  • Prohibits students from adding new provisioning packages.
  • Prohibits students from removing existing provisioning packages (including the one set by Set up School PCs).
  • Sets Windows Update to update nightly.

Uninstalled apps

  • 3D Builder (Microsoft.3DBuilder_8wekyb3d8bbwe)
  • Weather (Microsoft.BingWeather_8wekyb3d8bbwe)
  • Tips (Microsoft.Getstarted_8wekyb3d8bbwe)
  • Get Office (Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe)
  • Microsoft Solitaire Collection (Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe)
  • Paid Wi-Fi & Cellular (Microsoft.OneConnect_8wekyb3d8bbwe)
  • Feedback Hub (Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe)
  • Xbox (Microsoft.XboxApp_8wekyb3d8bbwe)
  • Mail/Calendar (microsoft.windowscommunicationsapps_8wekyb3d8bbwe)

Local Group Policies

Important

We do not recommend setting additional policies on PCs configured with the Set up School PCs app. The shared PC mode is optimized to be fast and reliable over time with minimal to no manual maintenance required.

| Policy path | Policy name | Value |
| --- | --- | --- |
| Admin Templates > Control Panel > Personalization | Prevent enabling lock screen slide show | Enabled |
| | Prevent changing lock screen and logon image | Enabled |
| Admin Templates > System > Power Management > Button Settings | Select the Power button action (plugged in) | Sleep |
| | Select the Power button action (on battery) | Sleep |
| | Select the Sleep button action (plugged in) | Sleep |
| | Select the lid switch action (plugged in) | Sleep |
| | Select the lid switch action (on battery) | Sleep |
| Admin Templates > System > Power Management > Sleep Settings | Require a password when a computer wakes (plugged in) | Enabled |
| | Require a password when a computer wakes (on battery) | Enabled |
| | Specify the system sleep timeout (plugged in) | 5 minutes |
| | Specify the system sleep timeout (on battery) | 5 minutes |
| | Turn off hybrid sleep (plugged in) | Enabled |
| | Turn off hybrid sleep (on battery) | Enabled |
| | Specify the unattended sleep timeout (plugged in) | 5 minutes |
| | Specify the unattended sleep timeout (on battery) | 5 minutes |
| | Allow standby states (S1-S3) when sleeping (plugged in) | Enabled |
| | Allow standby states (S1-S3) when sleeping (on battery) | Enabled |
| | Specify the system hibernate timeout (plugged in) | Enabled, 0 |
| | Specify the system hibernate timeout (on battery) | Enabled, 0 |
| Admin Templates > System > Power Management > Video and Display Settings | Turn off the display (plugged in) | 5 minutes |
| | Turn off the display (on battery) | 5 minutes |
| Admin Templates > System > Power Management > Energy Saver Settings | Energy Saver Battery Threshold (on battery) | 70 |
| Admin Templates > System > Logon | Show first sign-in animation | Disabled |
| | Hide entry points for Fast User Switching | Enabled |
| | Turn on convenience PIN sign-in | Disabled |
| | Turn off picture password sign-in | Enabled |
| | Turn off app notification on the lock screen | Enabled |
| | Allow users to select when a password is required when resuming from connected standby | Disabled |
| | Block user from showing account details on sign-in | Enabled |
| Admin Templates > System > User Profiles | Turn off the advertising ID | Enabled |
| Admin Templates > Windows Components > Biometrics | Allow the use of biometrics | Disabled |
| | Allow users to log on using biometrics | Disabled |
| | Allow domain users to log on using biometrics | Disabled |
| Admin Templates > Windows Components > Cloud Content | Do not show Windows Tips | Enabled |
| | Turn off Microsoft consumer experiences | Enabled |
| Admin Templates > Windows Components > Data Collection and Preview Builds | Toggle user control over Insider builds | Disabled |
| | Disable pre-release features or settings | Disabled |
| | Do not show feedback notifications | Enabled |
| | Allow Telemetry | Basic, 0 |
| Admin Templates > Windows Components > File Explorer | Show lock in the user tile menu | Disabled |
| Admin Templates > Windows Components > Maintenance Scheduler | Automatic Maintenance Activation Boundary | MaintenanceStartTime |
| | Automatic Maintenance Random Delay | Enabled, 2 hours |
| | Automatic Maintenance WakeUp Policy | Enabled |
| Admin Templates > Windows Components > OneDrive | Prevent the usage of OneDrive for file storage | Enabled |
| Admin Templates > Windows Components > Windows Hello for Business | Use phone sign-in | Disabled |
| | Use Windows Hello for Business | Disabled |
| | Use biometrics | Disabled |
| Windows Settings > Security Settings > Local Policies > Security Options | Accounts: Block Microsoft accounts (Note: Microsoft accounts can still be used in apps.) | Enabled |
| | Interactive logon: Do not display last user name | Enabled |
| | Interactive logon: Sign-in last interactive user automatically after a system-initiated restart | Disabled |
| | Shutdown: Allow system to be shut down without having to log on | Disabled |
| | User Account Control: Behavior of the elevation prompt for standard users | Auto deny |
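
Since the guidance is not to layer extra policy on top of what the app sets, the useful check on a provisioned PC is whether the listed policies are still in effect, rather than setting anything. The following PowerShell is an added example, not code from this topic or from the app: it reads the registry values that back a subset of the policies in the table and reports drift. The registry paths and value names come from the standard Group Policy registry mappings for these settings and are not stated on this page; the function name is my own. Run it from an elevated session.

```powershell
# Added example; not code from the Set up School PCs topic. Run elevated on a
# PC provisioned by the app. The registry locations are the standard registry
# backings of the listed policies, not values taken from this topic.

$policyChecks = @(
    @{ Policy   = 'Interactive logon: Do not display last user name'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name     = 'DontDisplayLastUserName'; Expected = 1 },
    @{ Policy   = 'User Account Control: elevation prompt for standard users (Auto deny)'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name     = 'ConsentPromptBehaviorUser'; Expected = 0 },
    @{ Policy   = 'Accounts: Block Microsoft accounts'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name     = 'NoConnectedUser'; Expected = 3 },
    @{ Policy   = 'Shutdown: Allow system to be shut down without having to log on'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name     = 'ShutdownWithoutLogon'; Expected = 0 },
    @{ Policy   = 'Interactive logon: Sign-in last interactive user automatically after restart'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name     = 'DisableAutomaticRestartSignOn'; Expected = 1 },
    @{ Policy   = 'Turn off the advertising ID'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo'
       Name     = 'DisabledByGroupPolicy'; Expected = 1 },
    @{ Policy   = 'Allow Telemetry (Basic, 0)'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
       Name     = 'AllowTelemetry'; Expected = 0 },
    @{ Policy   = 'Allow the use of biometrics'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics'
       Name     = 'Enabled'; Expected = 0 },
    @{ Policy   = 'Prevent the usage of OneDrive for file storage'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive'
       Name     = 'DisableFileSyncNGSC'; Expected = 1 }
)

function Test-SharedPcPolicyBaseline {
    # Emits one object per check; Actual is $null when the value is not set at all,
    # which counts as non-compliant because the policy is then not in effect.
    foreach ($check in $policyChecks) {
        $actual = $null
        $item = Get-ItemProperty -Path $check.Path -Name $check.Name -ErrorAction SilentlyContinue
        if ($item) { $actual = $item.($check.Name) }
        [pscustomobject]@{
            Policy    = $check.Policy
            Expected  = $check.Expected
            Actual    = $actual
            Compliant = ($actual -eq $check.Expected)
        }
    }
}

# Show drift only; an empty result means every checked policy matches the table.
Test-SharedPcPolicyBaseline | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

The check is read-only, so it can be scheduled or run from a remote session without risk of changing the configuration the app produced; any row it reports is a sign that something outside the provisioning package has altered the PC.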


Use the app

When you're ready to use the app, see Use Set up School PCs app.

Set up Windows devices for education