mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-13 22:07:22 +00:00
Merge branch 'release-windows-2302' of https://github.com/MicrosoftDocs/windows-docs-pr into CIUpdateInfo-6544872
This commit is contained in:
commit
10d6816acd
@ -1,20 +1,19 @@
|
||||
---
|
||||
title: Configure federated sign-in for Windows devices
|
||||
description: Description of federated sign-in feature for Windows 11 SE and how to configure it via Intune
|
||||
ms.date: 01/12/2023
|
||||
description: Description of federated sign-in feature for the Education SKUs of Windows 11 and how to configure it via Intune or provisioning packages.
|
||||
ms.date: 02/10/2023
|
||||
ms.topic: how-to
|
||||
appliesto:
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
|
||||
ms.collection:
|
||||
- highpri
|
||||
- tier1
|
||||
- education
|
||||
---
|
||||
|
||||
<!-- MAXADO-6286399 -->
|
||||
# Configure federated sign-in for Windows 11 SE
|
||||
# Configure federated sign-in for Windows devices
|
||||
|
||||
Starting in Windows 11 SE, version 22H2, you can enable your users to sign-in using a SAML 2.0 identity provider (IdP). This feature is called *federated sign-in*. Federated sign-in is a great way to simplify the sign-in process for your users: instead of having to remember a username and password defined in Azure AD, they can sign-in using their existing credentials from the IdP. For example, students and educators can use QR code badges to sign-in.
|
||||
Starting in Windows 11 SE, version 22H2 and Windows 11 Pro Edu/Education, version 22H2 with [KB5022913][KB-1], you can enable your users to sign-in using a federated identity provider (IdP) via web sign-in. This feature is called *federated sign-in*. Federated sign-in is a great way to simplify the sign-in process for your users: instead of having to remember a username and password defined in Azure AD, they can sign-in using their existing credentials from the IdP. For example, students and educators can use QR code badges to sign-in.
|
||||
|
||||
## Benefits of federated sign-in
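Review bot: the `appliesto` list in the front matter (`Windows 11 SE`, `Windows 11`) no longer matches the narrowed scope this hunk states elsewhere: the new description says "the Education SKUs of Windows 11" and the new intro names "Windows 11 Pro Edu/Education, version 22H2 with KB5022913". Either list the Education SKUs in `appliesto` or keep "Windows 11" and let the IMPORTANT note further down carry the SKU restriction, and use one product name throughout ("Windows 11 Pro Edu/Education" here versus "Windows 11 Pro Education" in that note). Minor: "sign-in" as a verb should be "sign in" in the intro paragraph.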
|
||||
|
||||
@ -27,11 +26,12 @@ With fewer credentials to remember and a simplified sign-in process, students ar
|
||||
|
||||
To implement federated sign-in, the following prerequisites must be met:
|
||||
|
||||
1. An Azure AD tenant, with one or multiple domains federated to a third-party SAML 2.0 IdP. For more information, see [Use a SAML 2.0 Identity Provider (IdP) for Single Sign On][AZ-1]
|
||||
1. An Azure AD tenant, with one or multiple domains federated to a third-party IdP. For more information, see [What is federation with Azure AD?][AZ-1] and [Use a SAML 2.0 IdP for Single Sign On][AZ-4]
|
||||
>[!NOTE]
|
||||
>If your organization uses a third-party federation solution, you can configure single sign-on to Azure Active Directory if the solution is compatible with Azure Active Directory. For questions regarding compatibility, contact your identity provider. If you're an IdP, and would like to validate your solution for interoperability, refer to these [guidelines][MSFT-1].
|
||||
>
|
||||
>For a step-by-step guide on how to configure Google Workspace as an identity provider for Azure AD, see [Configure federation between Google Workspace and Azure AD](configure-aad-google-trust.md).
|
||||
|
||||
- For a step-by-step guide on how to configure **Google Workspace** as an identity provider for Azure AD, see [Configure federation between Google Workspace and Azure AD](configure-aad-google-trust.md)
|
||||
- For a step-by-step guide on how to configure **Clever** as an identity provider for Azure AD, see [Setup guide for Badges into Windows and Azure AD][EXT-1]
|
||||
1. Individual IdP accounts created: each user will require an account defined in the third-party IdP platform
|
||||
1. Individual Azure AD accounts created: each user will require a matching account defined in Azure AD. These accounts are commonly created through automated solutions, for example:
|
||||
- [School Data Sync (SDS)][SDS-1]
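Review bot: replacing the NOTE block with the two bulleted guides drops the compatibility caveat ("you can configure single sign-on to Azure Active Directory if the solution is compatible with Azure Active Directory ... contact your identity provider") and the [MSFT-1] interoperability-guidelines link. Since prerequisite 1 is now a generic "third-party IdP" rather than a SAML 2.0 IdP, that caveat is more relevant, not less; keep one sentence of it under prerequisite 1, and if [MSFT-1] is no longer cited anywhere, remove its definition as well (the definition isn't touched in this change). [EXT-1] for Clever points at a vendor support site; say so in the bullet so readers know it's third-party content.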
|
||||
@ -41,19 +41,22 @@ To implement federated sign-in, the following prerequisites must be met:
|
||||
1. Licenses assigned to the Azure AD user accounts. It's recommended to assign licenses to a dynamic group: when new users are provisioned in Azure AD, the licenses are automatically assigned. For more information, see [Assign licenses to users by group membership in Azure Active Directory][AZ-2]
|
||||
1. Enable federated sign-in on the Windows devices that the users will be using
|
||||
> [!IMPORTANT]
|
||||
> This feature is exclusively available for Windows 11 SE, version 22H2.
|
||||
> This feature is exclusively available for Windows Education SKUs, including Windows 11 SE, Windows 11 Pro Education and Windows Education.
|
||||
|
||||
To use federated sign-in, the devices must have Internet access. This feature won't work without it, as the authentication is done over the Internet.
|
||||
|
||||
## Enable federated sign-in on devices
|
||||
<!--
|
||||
To sign-in with a SAML 2.0 identity provider, your devices must be configured with different policies. Follow the instructions below to configure your devices using either Microsoft Intune or a provisioning package (PPKG).
|
||||
> [!IMPORTANT]
|
||||
> WS-Fed is the only supported federated protocol to join a device to Azure AD. If you have a SAMl 2.0 IdP, it's recommended to complete the Azure AD join process using one of the following methods:
|
||||
> - provisioning packages (PPKG)
|
||||
> - Windows Autopilot self-deploying mode
|
||||
|
||||
## Configure federated sign-in
|
||||
|
||||
To use web sign-in with a federated identity provider, your devices must be configured with different policies. Follow the instructions below to configure your devices using either Microsoft Intune or a provisioning package (PPKG).
|
||||
|
||||
#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
|
||||
|
||||
To configure federated sign-in using Microsoft Intune, [create a custom profile][MEM-1] with the following settings:-->
|
||||
|
||||
To sign-in with a SAML 2.0 identity provider, your devices must be configured with different policies, which can be configured using Microsoft Intune.
|
||||
To configure federated sign-in using Microsoft Intune, [create a custom profile][MEM-1] with the following settings:
|
||||
|
||||
[!INCLUDE [intune-custom-settings-1](includes/intune-custom-settings-1.md)]
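Review bot: the `<!--` opened in this hunk hides the IMPORTANT note that WS-Fed is the only federated protocol supported for joining a device to Azure AD (and the recommendation to join via provisioning packages or Windows Autopilot self-deploying mode when the IdP is SAML 2.0), while the text that stays visible ("To sign-in with a SAML 2.0 identity provider, your devices must be configured with different policies, which can be configured using Microsoft Intune") doesn't mention the join constraint at all. If the tabbed layout is being held back, keep that note outside the comment so readers don't attempt an Azure AD join against a SAML 2.0 IdP. Also "SAMl 2.0" in the commented note should read "SAML 2.0", and the visible sentence still says "SAML 2.0 identity provider" where the rest of this change says "federated identity provider ... via web sign-in".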
|
||||
|
||||
@ -69,25 +72,25 @@ To sign-in with a SAML 2.0 identity provider, your devices must be configured wi
|
||||
[!INCLUDE [intune-custom-settings-2](includes/intune-custom-settings-2.md)]
|
||||
[!INCLUDE [intune-custom-settings-info](includes/intune-custom-settings-info.md)]
|
||||
|
||||
<!--
|
||||
#### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
|
||||
|
||||
|
||||
To configure federated sign-in using a provisioning package, use the following settings:
|
||||
|
||||
| Setting |
|
||||
|--------|
|
||||
| <li> Path: **`FederatedAuthentication/EnableWebSignInForPrimaryUser`** </li><li>Value: **Enabled**</li>|
|
||||
| <li> Path: **`Policies/Authentication/ConfigureWebSignInAllowedUrls`** </li><li>Value: Semicolon separated list of domains, for example: **`samlidp.clever.com;clever.com;mobile-redirector.clever.com`**</li>|
|
||||
| <li> Path: **`Policies/Education/IsEducationEnvironment`** </li><li>Data type: **Integer** </li><li>Value: **1**</li>|
|
||||
| <li> Path: **`Policies/Education/IsEducationEnvironment`** </li><li>Value: **Enabled**</li>|
|
||||
| <li> Path: **`Policies/Authentication/ConfigureWebCamAccessDomainNames`** </li><li>Value: This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during he sign-in process, separated by a semicolon. For example: **`clever.com`**</li>|
|
||||
|
||||
:::image type="content" source="images/federated-sign-in-settings-ppkg.png" alt-text="Custom policy showing the settings to be configured to enable federated sign-in" lightbox="images/federated-sign-in-settings-ppkg.png" border="true":::
|
||||
|
||||
Apply the provisioning package to the devices that require federated sign-in.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> There was an issue affecting Windows 11, version 22H2 when using provisioning packages during OOBE. The issue was fixed with the KB5020044 update. If you plan to configure federated sign-in with a provisioning package during OOBE, ensure that the devices have the update installed. For more information, see [KB5020044][KB-1].
|
||||
|
||||
---
|
||||
-->
|
||||
|
||||
## How to use federated sign-in
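Review bot: inside the commented-out PPKG table, the `Policies/Education/IsEducationEnvironment` row changes from "Data type: Integer, Value: 1" to "Value: Enabled"; confirm that is how the provisioning package exposes this policy, since the `ConfigureWebSignInAllowedUrls` and `ConfigureWebCamAccessDomainNames` rows keep literal values. The `ConfigureWebSignInAllowedUrls` row should also say that the list must contain only the domains the IdP sign-in flow navigates to, because that list bounds where the web sign-in surface can go; the example `samlidp.clever.com;clever.com;mobile-redirector.clever.com` is fine as an illustration. Typo: "during he sign-in process" should read "during the sign-in process".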
|
||||
|
||||
@ -113,7 +116,10 @@ Federated sign-in doesn't work on devices that have the following settings enabl
|
||||
- The user can exit the federated sign-in flow by pressing <kbd>Ctrl</kbd>+<kbd>Alt</kbd>+<kbd>Delete</kbd> to get back to the standard Windows sign-in screen
|
||||
- Select the *Other User* button, and the standard username/password credentials are available to log into the device
|
||||
|
||||
[AZ-1]: /azure/active-directory/hybrid/how-to-connect-fed-saml-idp
|
||||
<!--links-->
|
||||
|
||||
[AZ-1]: /azure/active-directory/hybrid/whatis-fed
|
||||
[AZ-4]: /azure/active-directory/hybrid/how-to-connect-fed-saml-idp
|
||||
[AZ-2]: /azure/active-directory/enterprise-users/licensing-groups-assign
|
||||
[AZ-3]: /azure/active-directory/hybrid/how-to-connect-sync-whatis
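Review bot: `[AZ-4]` is introduced between `[AZ-1]` and `[AZ-2]`, so the reference labels are out of order; either renumber (the new "What is federation with Azure AD?" link as AZ-1, the SAML 2.0 guide as AZ-2, and shift the rest) or keep the definitions in label order. Make sure the old `[AZ-1]` definition above the `<!--links-->` marker is actually removed and not left as a duplicate: in Markdown the first definition wins, and the prerequisite link would silently keep pointing at the SAML guide.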
|
||||
|
||||
@ -127,3 +133,7 @@ Federated sign-in doesn't work on devices that have the following settings enabl
|
||||
|
||||
[WIN-1]: /windows/client-management/mdm/sharedpc-csp
|
||||
[WIN-2]: /windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin
|
||||
|
||||
[KB-1]: https://support.microsoft.com/kb/5022913
|
||||
|
||||
[EXT-1]: https://support.clever.com/hc/s/articles/000001546
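Review bot: `[KB-1]` now resolves to KB5022913, but the IMPORTANT note in the commented-out PPKG section still reads "[KB5020044][KB-1]", so when that section is restored the link text and target will disagree. Define a separate label (for example `[KB-2]`) for KB5020044 now rather than reusing `[KB-1]`. `[EXT-1]` is the only definition pointing outside learn.microsoft.com; keep external vendor links grouped under their own comment so they're easy to audit.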
|
BIN
education/windows/images/federated-sign-in-settings-ppkg.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 132 KiB |
@ -29,7 +29,7 @@ For example, you can override the default set of apps with your own a set of pin
|
||||
|
||||
To add apps you want pinned to the taskbar, you use an XML file. You can use an existing XML file, or create a new file. If you have an XML file that's used on Windows 10 devices, you can also use it on Windows 11 devices. You may have to update the App IDs.
|
||||
|
||||
This article shows you how to create the XML file, add apps to the XML, and deploy the XML file.
|
||||
This article shows you how to create the XML file, add apps to the XML, and deploy the XML file. To learn how to customize the taskbar buttons, see [CSP policies to customize Windows 11 taskbar buttons](supported-csp-taskbar-windows.md#csp-policies-to-customize-windows-11-taskbar-buttons).
|
||||
|
||||
## Before you begin
|
||||
|
||||
|
@ -18,53 +18,65 @@ ms.topic: article
|
||||
|
||||
- Windows 11
|
||||
|
||||
The Windows OS exposes CSPs that are used by MDM providers, like [Microsoft Intune](/mem/intune/fundamentals/what-is-intune). In an MDM policy, these CSPs are settings that you configure. When the policy is ready, you deploy the policy to your devices.
|
||||
|
||||
This article lists the CSPs that are available to customize the Taskbar for Windows 11 devices. Windows 11 uses the [Policy CSP - Start](/windows/client-management/mdm/policy-csp-start).
|
||||
The Windows OS exposes CSPs that are used by MDM providers, like [Microsoft Intune](/mem/intune/fundamentals/what-is-intune). In an MDM policy, these CSPs are settings that you configure. When the policy is ready, you deploy the policy to your devices. This article lists the CSPs that are available to customize the Taskbar for Windows 11 devices.
|
||||
|
||||
For more general information, see [Configuration service provider (CSP) reference](/windows/client-management/mdm/configuration-service-provider-reference).
|
||||
|
||||
## CSP policies to customize Windows 11 taskbar buttons
|
||||
|
||||
- [Search/ConfigureSearchOnTaskbarMode](/windows/client-management/mdm/policy-csp-search#configuresearchontaskbarmode)
|
||||
- Group policy: `Computer Configuration\Administrative Templates\Windows Components\Search\Configures search on the taskbar`
|
||||
- Local setting: Settings > Personalization > Taskbar > Search
|
||||
|
||||
- [Start/HideTaskViewButton](/windows/client-management/mdm/policy-csp-start#hidetaskviewbutton)
|
||||
- Group policy: `Computer and User Configuration\Administrative Templates\Start Menu and Taskbar\Hide the TaskView button`
|
||||
- Local setting: Settings > Personalization > Taskbar > Task view
|
||||
|
||||
- [NewsAndInterests/AllowNewsAndInterests](/windows/client-management/mdm/policy-csp-newsandinterests#allownewsandinterests)
|
||||
- Group policy: `Computer Configuration\Administrative Templates\Windows Components\Widgets\Allow widgets`
|
||||
- Local setting: Settings > Personalization > Taskbar > Widgets
|
||||
|
||||
- [Experience/ConfigureChatIcon](/windows/client-management/mdm/policy-csp-experience#configurechaticonvisibilityonthetaskbar)
|
||||
- Group policy: `Computer Configuration\Administrative Templates\Windows Components\Chat\Configure the Chat icon setting`
|
||||
- Local setting: Settings > Personalization > Taskbar > Chat
|
||||
|
||||
## Existing CSP policies that Windows 11 taskbar supports
|
||||
|
||||
- [Start/HideRecentJumplists CSP](/windows/client-management/mdm/policy-csp-start#start-hiderecentjumplists)
|
||||
- [Start/HideRecentJumplists](/windows/client-management/mdm/policy-csp-start#hiderecentjumplists)
|
||||
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not keep history of recently opened documents`
|
||||
- Local setting: Settings > Personalization > Start > Show recently opened items in Jump Lists on Start or the taskbar
|
||||
|
||||
- [Start/NoPinningToTaskbar](/windows/client-management/mdm/policy-csp-start#start-nopinningtotaskbar)
|
||||
- [Start/NoPinningToTaskbar](/windows/client-management/mdm/policy-csp-start#nopinningtotaskbar)
|
||||
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not allow pinning programs to the Taskbar`
|
||||
- Local setting: None
|
||||
|
||||
- [Experience/ConfigureChatIcon](/windows/client-management/mdm/policy-csp-experience#experience-configurechaticonvisibilityonthetaskbar)
|
||||
- Group policy: `Computer Configuration\Administrative Templates\Windows Components\Chat`
|
||||
- Local setting: Settings > Personalization > Taskbar > Chat
|
||||
|
||||
## Existing CSP policies that Windows 11 doesn't support
|
||||
|
||||
The following list includes some of the CSP policies that aren't supported on Windows 11:
|
||||
|
||||
- [TaskbarLockAll CSP](/windows/client-management/mdm/policy-csp-admx-taskbar#admx-taskbar-taskbarlockall)
|
||||
- [ADMX_Taskbar/TaskbarLockAll](/windows/client-management/mdm/policy-csp-admx-taskbar#taskbarlockall)
|
||||
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Lock all taskbar settings`
|
||||
|
||||
- [TaskbarNoAddRemoveToolbar CSP](/windows/client-management/mdm/policy-csp-admx-taskbar#admx-taskbar-taskbarnoaddremovetoolbar)
|
||||
- [ADMX_Taskbar/TaskbarNoAddRemoveToolbar](/windows/client-management/mdm/policy-csp-admx-taskbar#taskbarnoaddremovetoolbar)
|
||||
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from adding or removing toolbars`
|
||||
|
||||
- [TaskbarNoDragToolbar CSP](/windows/client-management/mdm/policy-csp-admx-taskbar#admx-taskbar-taskbarnodragtoolbar)
|
||||
- [ADMX_Taskbar/TaskbarNoDragToolbar](/windows/client-management/mdm/policy-csp-admx-taskbar#taskbarnodragtoolbar)
|
||||
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from rearranging toolbars`
|
||||
|
||||
- [TaskbarNoRedock CSP](/windows/client-management/mdm/policy-csp-admx-taskbar#admx-taskbar-taskbarnoredock)
|
||||
- [ADMX_Taskbar/TaskbarNoRedock](/windows/client-management/mdm/policy-csp-admx-taskbar#taskbarnoredock)
|
||||
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from moving taskbar to another screen dock location`
|
||||
|
||||
- [TaskbarNoResize CSP](/windows/client-management/mdm/policy-csp-admx-taskbar#admx-taskbar-taskbarnoresize)
|
||||
- [ADMX_Taskbar/TaskbarNoResize](/windows/client-management/mdm/policy-csp-admx-taskbar#taskbarnoresize)
|
||||
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from resizing the taskbar`
|
||||
|
||||
- [NoToolbarsOnTaskbar CSP](/windows/client-management/mdm/policy-csp-admx-startmenu#admx-startmenu-notoolbarsontaskbar)
|
||||
- [ADMX_StartMenu/NoToolbarsOnTaskbar](/windows/client-management/mdm/policy-csp-admx-startmenu#notoolbarsontaskbar)
|
||||
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not display any custom toolbars in the taskbar`
|
||||
|
||||
- [NoTaskGrouping CSP](/windows/client-management/mdm/policy-csp-admx-startmenu#admx-startmenu-notaskgrouping)
|
||||
- [ADMX_StartMenu/NoTaskGrouping](/windows/client-management/mdm/policy-csp-admx-startmenu#notaskgrouping)
|
||||
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent grouping of taskbar items`
|
||||
|
||||
- [HidePeopleBar CSP](/windows/client-management/mdm/policy-csp-start#start-hidepeoplebar)
|
||||
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove the People Bar from the taskbar`
|
||||
|
||||
- [QuickLaunchEnabled CSP](/windows/client-management/mdm/policy-csp-admx-startmenu#admx-startmenu-quicklaunchenabled)
|
||||
- [ADMX_StartMenu/QuickLaunchEnabled](/windows/client-management/mdm/policy-csp-admx-startmenu#quicklaunchenabled)
|
||||
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Show QuickLaunch on Taskbar`
|
||||
|
||||
- [Start/HidePeopleBar](/windows/client-management/mdm/policy-csp-start#hidepeoplebar)
|
||||
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove the People Bar from the taskbar`
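Review bot: `Experience/ConfigureChatIcon` appears twice in the new layout, once under "CSP policies to customize Windows 11 taskbar buttons" with the `#configurechaticonvisibilityonthetaskbar` anchor and once under "Existing CSP policies that Windows 11 taskbar supports" with the old `#experience-configurechaticonvisibilityonthetaskbar` anchor. If the second entry is meant to remain, drop one of them so readers get a single group policy path for the setting; the two also disagree on the path (`...\Chat\Configure the Chat icon setting` versus `...\Chat`). The anchor rewrite (`#start-hiderecentjumplists` to `#hiderecentjumplists`, `#admx-taskbar-taskbarlockall` to `#taskbarlockall`, and so on) assumes the policy CSP reference pages changed their heading IDs; spot-check one link per target page before merging, since a broken anchor falls back to the top of the page without a build error.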
|
||||
|
@ -8,7 +8,6 @@ author: lizgt2000
|
||||
ms.reviewer:
|
||||
manager: aaroncz
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 09/20/2022
|
||||
ms.topic: conceptual
|
||||
ms.collection: tier1
|
||||
appliesto:
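Review bot: `ms.date: 09/20/2022` is left unchanged even though this commit adds new body content to the article (the KB5022913 braille paragraph in the next hunk); bump it as the federated sign-in article does in this same change. If the line being dropped is the empty `ms.reviewer:` key, that's fine.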
|
||||
@ -60,7 +59,9 @@ Windows 11, version 22H2, includes improvements for people with disabilities: sy
|
||||
|
||||
- [Keep notifications around longer](https://support.microsoft.com/windows/make-windows-easier-to-hear-9c18cfdc-63be-2d47-0f4f-5b00facfd2e1). If notifications aren't staying visible long enough for you to notice them, you can increase the time a notification will be displayed up to five minutes.
|
||||
|
||||
- [Read in Braille](https://support.microsoft.com/windows/chapter-8-using-narrator-with-braille-3e5f065b-1c9d-6eb2-ec6d-1d07c9e94b20). Narrator supports braille displays from more than 35 manufacturers using more than 40 languages and multiple braille variants.
|
||||
- [Read in braille](https://support.microsoft.com/windows/chapter-8-using-narrator-with-braille-3e5f065b-1c9d-6eb2-ec6d-1d07c9e94b20). Narrator supports braille displays from more than 35 manufacturers using more than 40 languages and multiple braille variants.
|
||||
|
||||
- Starting in Windows 11, version 22H2 with [KB5022913](https://support.microsoft.com/kb/5022913), the compatibility of braille displays has been expanded. Braille displays work seamlessly and reliably across multiple screen readers, improving the end user experience.
|
||||
|
||||
## Hearing
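Review bot: the new braille bullet states the outcome ("work seamlessly and reliably across multiple screen readers") without saying what changed; state the concrete change KB5022913 makes or link to the KB's own description, as the other bullets in this list do for each feature. The KB link is inline here while the sibling article in this change uses a reference-style `[KB-1]` link; pick one style. The "Braille" to "braille" casing change matches the lowercase "braille displays" in the new bullet.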
|
||||
|
||||
|