This guidance is written for Windows devices provided through the DfE get help with technology programme. It also applies to any new or refurbished devices a school or college has received through donations.
Further information on erasing data from donated devices is available from the National Cyber Security Centre.
Re-image or factory reset the device
You need to prepare devices to make sure they’re safely set up for users. It’s important to get devices into a ‘known state’ so you’re familiar with the software and settings and can confidently support users.
You can use the following methods to do this.
Use a pre-prepared Windows 10 image
This is the recommended route as it will bring the device in line with other devices within your school or college network.
Install a clean version of Windows 10
Standard Windows devices came with Windows 10 already installed. If it needs to be reinstalled in future and you do not have a pre-prepared image, Windows 10 can be installed via:
USB – If installing from a USB, the USB stick should be wiped and formatted before the Windows 10 installer is loaded onto it, to make sure the USB stick is clean. Find out how to install Windows 10 and boot from a USB.
DVD – Find out how to install Windows 10 and boot from a DVD.
Perform a factory reset
If you do not have your own image or a USB or DVD to boot from, you should reset the device to factory settings.
You’ll need to do this for each device individually. You can find out how to do this in the Guide to resetting Windows laptops and tablets.
Confirm anti-virus and other security settings are in place
Open the Windows Security settings:
Press ‘Windows Key+r’ then type ‘windowsdefender’ and select ‘OK’ or press enter, or
Press ‘Windows Key’, select the ‘Settings’ icon then ‘Update & Security’ and ‘Windows Security’.
You’ll see an overview of the main security features available in Windows 10 and an alert if any actions are required.
Windows Security settings include:
Virus and threat protection
Virus and threat protection contains Virus scanning, Real-time protection and Tamper protection. Some Ransomware protection features might show as disabled because they require OneDrive. We recommend that you:
confirm Virus scanning and Real-time protection are on as a minimum.
Account protection
If Account protection contains Windows Hello, we recommend that you:
advise or assist users to set up a Windows Hello PIN or facial recognition login (depending on hardware) when they receive the device.
App and browser control
App and browser control contains Reputation-based protection such as SmartScreen, and Exploit protection which helps protect against attacks. We recommend that you:
turn Reputation-based protection on
use SmartScreen for Edge (if used as the web browser) to help prevent the device from accessing malicious sites.
Device security
Device security contains elements that may not be enabled depending on the hardware of the device. We recommend that you:
turn on Core isolation and Secure boot if possible.
Create local user accounts
We strongly advise creating a local user account to be used by the person you’re providing the device to. This will prevent users from having access to the Admin account.
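The Windows Security checks and the local account advice above can be confirmed per device with a short script. This is an added example, not part of the original guidance; it assumes Windows 10 with Microsoft Defender as the anti-virus and an elevated PowerShell prompt, and it only reads settings.

```powershell
# Added example: read-only audit of one device. Run from an elevated
# PowerShell prompt on Windows 10.
$report = [ordered]@{}

# Virus and threat protection (Microsoft Defender Antivirus).
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    $report['Antivirus enabled']    = $mp.AntivirusEnabled
    $report['Real-time protection'] = $mp.RealTimeProtectionEnabled
    $report['Tamper protection']    = $mp.IsTamperProtected
} catch {
    $report['Microsoft Defender']   = "unavailable: $($_.Exception.Message)"
}

# Device security: Secure boot. The cmdlet throws on legacy BIOS hardware
# and when the prompt is not elevated.
try {
    $report['Secure boot'] = Confirm-SecureBootUEFI -ErrorAction Stop
} catch {
    $report['Secure boot'] = "not confirmed: $($_.Exception.Message)"
}

# Device security: Core isolation. Value 2 in SecurityServicesRunning means
# memory integrity (HVCI) is running.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$hvci = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))
$report['Core isolation (memory integrity)'] = $hvci

# Local accounts: the user's own account should not appear in this list.
# S-1-5-32-544 is the built-in Administrators group on any language edition.
try {
    $admins = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
    $report['Administrators members'] = $admins.Name -join ', '
} catch {
    $report['Administrators members'] = "unavailable: $($_.Exception.Message)"
}

# Print the report, then warn on the minimum the guidance asks for.
$report.GetEnumerator() | ForEach-Object { '{0,-36} {1}' -f $_.Key, $_.Value }
foreach ($k in 'Antivirus enabled', 'Real-time protection') {
    if ($report[$k] -ne $true) { Write-Warning "$k is not on" }
}
```

Windows Hello and SmartScreen are not covered by the script and still need to be checked in Windows Security.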
Enrol into Mobile Device Management
If your school already has device management in place with remote connectivity, we recommend adding each device to the network to enhance the security of both devices and users.
If you do not have an MDM solution, you should look into the benefits, costs and resource requirements to understand whether device management is appropriate before you make a decision.
Set up content filtering
You’re responsible for setting up management and safeguarding measures before you distribute the devices to avoid risks to the children and young people in your care.