top of page
Search
Writer's pictureSam Vokes

Managing Windows 11 SE devices in Microsoft Intune for Education

Recently i have been working with a customer who wanted to explore managing Windows 11 SE devices in Microsoft Intune for Education.


Windows 11 SE is an edition of Windows that's designed for education. Windows SE runs on web-first devices that use essential education apps, and it comes with Microsoft Office 365 preinstalled (subscription sold separately). My personal view is that Windows 11 SE devices are an alternative approach to education customers using ChromeOS devices.


Onboarding

You have a couple of options when it comes to onboarding Windows 11 SE devices into Intune for Education. The first, is the Set up School PCs app which is essentially a stripped down version of Windows Configuration Designer, where by you create a provisioning package and apply to new or existing devices.


You can install the Schools PC app directly from the Microsoft Store:


In the same way the Windows Configuration Designer works, you create a bulk enrolment token and configure simple onboarding settings like a device name template. Here is a useful link: Use Set up School PCs app - Windows Education | Microsoft Learn


Windows 11 SE devices also support Windows Autopilot to provision devices into Intune for Education. Manual Autopilot-registration is supported. However, you can't use Microsoft Endpoint Configuration Manager or Windows PowerShell to capture hardware hashes from devices running Windows 11 SE.


Device Configuration

Admins in the Intune for Education portal have a range a Windows settings that can be applied to the device. First, you must create an Azure AD Security Group that represents your Windows 11 SE devices. A Dynamic Security Group is likely the preferred option where you can define a rule syntax that represents the Windows 11 SE devices e.g. Device Name, OS Version.


Once the group is created, you will then unlock the capabilities of applying Windows settings to the device.


Once you have agreed on a set of controls. The configuration profiles will appear in the Microsoft Intune portal also. Be aware, the naming conventions are very bad, like very bad.

Because you have applied settings to the Azure AD Security Group, the group will automatically be applied to each configuration profile.


If you've configured Windows Update settings in Intune for Education, a Windows Ring profile also gets created and automatically assigned to the group. You can adjust these settings to include Deadlines, Grace Periods etc. Which are supported for Windows SE devices: Update Policy CSP - Windows Client Management | Microsoft Learn

Windows Apps

A Windows 11 SE devices comes with range of inbuilt apps designed for education preinstalled on the operating system, including office: Windows 11 SE Overview - Windows Education | Microsoft Learn


You can deploy Store apps, Web links and Win32 apps to a Windows 11 SE device via Microsoft Intune for Education. Win32 Apps must be packaged in Microsoft Intune first, then assigned in Intune for Education.


Note: you can assign the group directly in Intune also and the changes are reflected in Intune for Education


Note: The biggest thing to be aware of with Windows 11 SE devices, is you can only deploy Win32 apps that are approved applications by Microsoft: Windows 11 SE Overview - Windows Education | Microsoft Learn


If you attempt to deploy an app that is not in the list, you will receive the following error in the Intune Management Extension log:

[Win32App] Msi installer failed with 1625 (This installation is forbidden by system policy.) error code on S-Mode device, retrying...

Summary

Because the purpose of Windows 11 SE devices are "ready to go", the onboarding and management of these devices is fairly straight forward. Just keep in mind, whatever you do in Intune for Education will also be reflected in Microsoft Intune, so if you are managing Windows devices in Microsoft Intune, avoid using the All Devices and All Users options in Intune for Education because you don't want those devices picking up settings specific for Windows 11 SE devices.







45 views
bottom of page