1 to 1 school issue with Windows.. need help/advice

Our school is a mixed environment, and the nice part of Apple products is that when a machine is rebuilt it will automatically report to the MDM and configure the machine for our school.

However, with our Windows side we don't currently have that luxury. Does anyone know of a way to control the devices so that the IT staff would have the ability to identify quickly if a machine is being rebuilt with a different base build than what the school wants?

For example, a student/teacher taking the machine home, putting a new version of the operating system on it, and still using the device as needed, but it doesn't contain our group policies. Most of what our teachers and students need is web based, so they could go months without connecting to our network.

We can monitor the last time they reported to our domain, but that is sometimes too late for us to identify the rogue machine.
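
The "last reported to our domain" monitoring mentioned in the post above, written out as an added example; this is not code from anyone in the thread. It flags computer accounts that have gone quiet on two signals: lastLogonTimestamp (exposed by the AD module as LastLogonDate, replicated only when it is roughly 14 days out of date, so it is a stale-or-not signal rather than an exact time) and pwdLastSet (a healthy domain-joined Windows machine rotates its account password every 30 days by default; a wiped machine never will). The function name, the 45-day threshold and the sample computers are assumptions for illustration. The caveat is the one the poster already raised: a machine that simply stays off the school network for months looks the same as a rebuilt one, so this only narrows the list to check.

```powershell
# Added example (not from the thread): list domain computers whose machine
# account has gone quiet. Requires the RSAT ActiveDirectory module for the
# live query; the comparison itself runs on any objects with Name,
# LastLogonDate and PasswordLastSet, so it can be tried on sample data.
# Find-QuietComputer, the 45-day default and the sample names are assumptions.

function Find-QuietComputer {
    param(
        [Parameter(Mandatory)] [object[]] $Computers,  # Name, LastLogonDate, PasswordLastSet
        [int] $StaleDays = 45,
        [datetime] $Now = (Get-Date)
    )
    foreach ($c in $Computers) {
        # Missing dates mean the account never logged on / never rotated.
        $logonAge = if ($c.LastLogonDate)   { ($Now - $c.LastLogonDate).Days }   else { $null }
        $pwdAge   = if ($c.PasswordLastSet) { ($Now - $c.PasswordLastSet).Days } else { $null }

        # Quiet only when BOTH signals are stale: pwdLastSet keeps moving on a
        # healthy machine even when lastLogonTimestamp replication lags.
        $quiet = ($null -eq $logonAge -or $logonAge -gt $StaleDays) -and
                 ($null -eq $pwdAge   -or $pwdAge   -gt $StaleDays)

        [pscustomobject]@{
            Name            = $c.Name
            LastLogonDays   = $logonAge
            PasswordAgeDays = $pwdAge
            Status          = if ($quiet) { 'QUIET - verify machine' } else { 'ok' }
        }
    }
}

# Constructed sample data so the logic can be seen without a domain controller.
$sample = @(
    [pscustomobject]@{ Name = 'LAB-PC01'; LastLogonDate = (Get-Date).AddDays(-3);  PasswordLastSet = (Get-Date).AddDays(-12) }
    [pscustomobject]@{ Name = 'LAB-PC02'; LastLogonDate = (Get-Date).AddDays(-80); PasswordLastSet = (Get-Date).AddDays(-95) }
    [pscustomobject]@{ Name = 'LAB-PC03'; LastLogonDate = $null;                    PasswordLastSet = $null }
)
Find-QuietComputer -Computers $sample | Format-Table -AutoSize
# LAB-PC01 is ok; LAB-PC02 and LAB-PC03 are reported QUIET.

# Against the real domain:
# Import-Module ActiveDirectory
# $live = Get-ADComputer -Filter * -Properties LastLogonDate, PasswordLastSet
# Find-QuietComputer -Computers $live -StaleDays 45 |
#     Where-Object Status -ne 'ok' |
#     Export-Csv .\quiet-computers.csv -NoTypeInformation
```

Run it from a scheduled task on a management server and review the CSV weekly; lowering StaleDays below about 14 just produces noise, because lastLogonTimestamp is not replicated more often than that.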

Set a BIOS password? It's always easier to prevent a problem than to find, report and fix a problem.

Are you allowing users to have admin rights on their own machines? We don't allow any user to have install or admin rights, and there are very finite restrictions via Active Directory you can put in place that won't restrict their use of the device for web-based or your installed base of applications. No one needs to install a new OS on your machines but you : )
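
One way to verify the "no user has admin rights" state the reply above describes, as an added example that is not code from anyone in the thread: audit the local Administrators group on each domain-joined Windows 10 machine and report any member that is not on the expected list. Get-LocalGroupMember ships with Windows 10 / PowerShell 5.1; the remote collection needs WinRM, which can be enabled by GPO. The function name, the allow-list patterns (a local account called LocalAdmin and a domain called SCHOOL), the computer names and the sample membership are assumptions for illustration.

```powershell
# Added example (not from the thread): compare local Administrators membership
# against an allow-list and flag anything extra. The names below are placeholders.

function Compare-LocalAdmins {
    param(
        [Parameter(Mandatory)] [string]   $Computer,
        [Parameter(Mandatory)] [string[]] $Members,   # 'DOMAIN\account' or 'PCNAME\account'
        [Parameter(Mandatory)] [string[]] $Allowed    # wildcard patterns, matched with -like
    )
    # A member is unexpected if it matches none of the allowed patterns.
    $extra = @($Members | Where-Object {
        $m = $_
        -not ($Allowed | Where-Object { $m -like $_ })
    })
    [pscustomobject]@{
        Computer  = $Computer
        Extra     = ($extra -join ', ')
        Compliant = ($extra.Count -eq 0)
    }
}

# Expected membership on every lab PC: the one local admin account (its
# machine-name prefix differs per PC, hence the wildcard) and Domain Admins.
$allowed = @('*\LocalAdmin', 'SCHOOL\Domain Admins')

# Constructed sample in the shape Get-LocalGroupMember's Name property returns,
# so the comparison can be tried without touching a real machine.
$sample = @(
    @{ Computer = 'LAB-PC01'; Members = @('LAB-PC01\LocalAdmin', 'SCHOOL\Domain Admins') }
    @{ Computer = 'LAB-PC02'; Members = @('LAB-PC02\LocalAdmin', 'SCHOOL\Domain Admins', 'SCHOOL\jsmith') }
)
$sample |
    ForEach-Object { Compare-LocalAdmins -Computer $_.Computer -Members $_.Members -Allowed $allowed } |
    Format-Table -AutoSize
# LAB-PC02 is reported non-compliant because SCHOOL\jsmith is an unexpected local admin.

# Live version: collect membership over WinRM, then run the same comparison.
# $targets = Get-Content .\lab-computers.txt
# Invoke-Command -ComputerName $targets -ScriptBlock {
#     [pscustomobject]@{
#         Computer = $env:COMPUTERNAME
#         Members  = @((Get-LocalGroupMember -Group 'Administrators').Name)
#     }
# } |
#     ForEach-Object { Compare-LocalAdmins -Computer $_.Computer -Members $_.Members -Allowed $allowed } |
#     Where-Object { -not $_.Compliant }
```

Once the report is clean, enforcing it is a matter of a Restricted Groups (or Group Policy Preferences local group) setting that replaces the Administrators membership on every refresh; the audit then only has to catch machines that stopped receiving policy.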

There is only one local admin account and a few users that are part of the domain admins. We had a situation where a student over the break appears to have rebuilt the machine based on a Windows install they had. When he came back to school he didn't access the school's network but another network close by that was open. Therefore, our filtering software was no longer installed.

Obviously that is what we are trying to avoid. We have a filter based on the user that logs onto the machine, whether onsite or not. Therefore, we need to make sure the GPOs stay in place. A rebuilt machine no longer has that.

Thus we want to know when someone is attempting to reinstall a machine. The Mac with the MDM helps, but I don't know of a Windows-side equivalent that would work similarly.

Do you have any kind of management software for Windows? SCCM or the like? I think Intune can do W10 MDM as well, but I doubt it is anything like Mac MDM support. GPO isn't gonna do much if you are allowing devices to leave. How do you monitor ANYTHING that students/teachers do outside of school, let alone formatting the device?

I have started to set up Intune & Windows Autopilot for our admin/reception team to get somewhat close to the Jamf & Device Enrollment experience. Just like DEP, you can force the device to be enrolled in management.

It’s not perfect but should help!

@msswarriors I'm assuming they're using the Reset PC functionality within Windows and not necessarily booting off external media to reinstall Windows? If so then check this out. If they're using external media then you need to remove that option from your BIOS/UEFI boot menu.

I'm new at the school and am still trying to figure out what all the school has on the Windows side for deployment. It sounds like in the past everything has been done one by one. I know we have Office 365, Active Directory and MS Exchange Server. Still digging into all the servers we have here.