>On a Windows account, a user can change the default browser for their own account.
Not if they lock down that setting via GPO and let the default behavior of remote > local. There's a lot of settings that can't be undone in the GUI and take diving into the registry to undo when set by GPO but then they'll just get re-applied on GP refresh anyways. Talking about who can do what is immaterial to how domains and remote management actually work if they're not designed how you think they should be. The remote admin will always have more control than the local user in this situation, it's been that way for a very long time now and is unlikely to change.
As a normal user, on a Windows box, if you log into say a corporate Microsoft 365 account with your corporate credentials that device may get managed by the domain (pending any admin approvals needed on the management end) in some fashion because by default the local user/MS account user is a local admin and the services and processes that handle all of this run as SYSTEM thus the user has the authority to delegate that authority to remote management at-will.
Like, this is all basic stuff for BYOD and MDM policies if you've worked anywhere with a halfway competent IT staff. OP didn't read the fine print probably. Wouldn't be the first parent to not do so and freak out over nothing.
> As a normal user, on a Windows box, if you log into say a corporate Microsoft 365 account with your corporate credentials that device may get managed by the domain (pending any admin approvals needed on the management end) in some fashion because by default the local user/MS account user is a local admin…
The parent owns the device and would have the local admin account. They aren't joining the device to a managed domain where something like GPO would be relevant (unless configured by the parent, naturally). The student would only have a non-admin local account, and would be incapable of granting device administration privileges to the school. The school could still manage their browser profile, of course—if the browser itself is actually signed in to the school account, which is something you can disable while still logging in to the account on the web—but they would have no access to or control over other user accounts or anything else requiring local admin privileges.
Not if they lock down that setting via GPO and let the default behavior of remote > local. There's a lot of settings that can't be undone in the GUI and take diving into the registry to undo when set by GPO but then they'll just get re-applied on GP refresh anyways. Talking about who can do what is immaterial to how domains and remote management actually work if they're not designed how you think they should be. The remote admin will always have more control than the local user in this situation, it's been that way for a very long time now and is unlikely to change.
As a normal user, on a Windows box, if you log into say a corporate Microsoft 365 account with your corporate credentials that device may get managed by the domain (pending any admin approvals needed on the management end) in some fashion because by default the local user/MS account user is a local admin and the services and processes that handle all of this run as SYSTEM thus the user has the authority to delegate that authority to remote management at-will.
Like, this is all basic stuff for BYOD and MDM policies if you've worked anywhere with a halfway competent IT staff. OP didn't read the fine print probably. Wouldn't be the first parent to not do so and freak out over nothing.