diff --git a/education/breadcrumb/toc.yml b/education/breadcrumb/toc.yml
index 7955da8797..15833fa467 100644
--- a/education/breadcrumb/toc.yml
+++ b/education/breadcrumb/toc.yml
@@ -16,4 +16,3 @@ items:
- name: Windows
tocHref: /windows/configuration/
topicHref: /education/windows/index
-
diff --git a/education/windows/TOC.yml b/education/windows/TOC.yml
index 777191ba8b..d3f96435a9 100644
--- a/education/windows/TOC.yml
+++ b/education/windows/TOC.yml
@@ -38,6 +38,8 @@ items:
href: edu-stickers.md
- name: Configure Take a Test in kiosk mode
href: edu-take-a-test-kiosk-mode.md
+ - name: Configure federated sign-in
+ href: federated-sign-in.md
- name: Configure Shared PC
href: /windows/configuration/set-up-shared-or-guest-pc?context=/education/context/context
- name: Use the Set up School PCs app
diff --git a/education/windows/configure-windows-for-education.md b/education/windows/configure-windows-for-education.md
index 2318393a4e..6ef47f7153 100644
--- a/education/windows/configure-windows-for-education.md
+++ b/education/windows/configure-windows-for-education.md
@@ -129,7 +129,7 @@ For example:
- [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package)
- Under **Runtime settings**, click the **SharedPC** settings group, set **PolicyCustomization > SetEduPolicies** to **True**.
- 
+ 
## Ad-free search with Bing
Provide an ad-free experience that is a safer, more private search option for Kâ12 education institutions in the United States.
diff --git a/education/windows/federated-sign-in.md b/education/windows/federated-sign-in.md
new file mode 100644
index 0000000000..0f769a31e1
--- /dev/null
+++ b/education/windows/federated-sign-in.md
@@ -0,0 +1,132 @@
+---
+title: Configure federated sign-in for Windows devices
+description: Description of federated sign-in feature for Windows 11 SE and how to configure it via Intune
+ms.date: 09/15/2022
+ms.prod: windows
+ms.technology: windows
+ms.topic: how-to
+ms.localizationpriority: medium
+author: paolomatarazzo
+ms.author: paoloma
+ms.reviewer:
+manager: aaroncz
+ms.collection: education
+appliesto:
+- â
Windows 11 SE, version 22H2
+---
+
+
+# Configure federated sign-in for Windows 11 SE
+
+Starting in **Windows 11 SE, version 22H2**, you can enable your users to sign-in using a SAML 2.0 identity provider (IdP). This feature is called **federated sign-in**. Federated sign-in is a great way to simplify the sign-in process for your users: instead of having to remember a username and password defined in Azure AD, they can sign-in using their existing credentials from the IdP. For example, students and educators can use QR code badges to sign-in.
+
+## Benefits of federated sign-in
+
+Federated sign-in enables students to sign-in in less time, and with less friction.
+With fewer credentials to remember and a simplified sign-in process, students are more engaged and focused on learning.
+> [!IMPORTANT]
+> Currently, this feature is designed for 1:1 devices. For an optimal experience, you should not enable federated sign-in on shared devices.
+
+## Prerequisites
+
+To implement federated sign-in, the following prerequisites must be met:
+
+1. An Azure AD tenant, with one or multiple domains federated to a third-party SAML 2.0 IdP. For more information, see [Use a SAML 2.0 Identity Provider (IdP) for Single Sign On][AZ-1]
+ >[!NOTE]
+ >If your organization uses a third-party federation solution, you can configure single sign-on to Azure Active Directory if the solution is compatible with Azure Active Directory. For questions regarding compatibility, please contact your identity provider. If you're an IdP, and would like to validate your solution for interoperability, please refer to these [guidelines][MSFT-1].
+1. Individual IdP accounts created: each user will require an account defined in the third-party IdP platform
+1. Individual Azure AD accounts created: each user will require a matching account defined in Azure AD. These accounts are commonly created through automated solutions, for example:
+ - [School Data Sync (SDS)][SDS-1]
+ - [Azure AD Connect sync][AZ-3] for environment with on-premises AD DS
+ - PowerShell scripts that call the [Microsoft Graph API][GRAPH-1]
+ - provisioning tools offered by the IdP
+1. Licenses assigned to the Azure AD user accounts. It's recommended to assign licenses to a dynamic group: when new users are provisioned in Azure AD, the licenses are automatically assigned. For more information, see [Assign licenses to users by group membership in Azure Active Directory][AZ-2]
+1. Enable federated sign-in on the Windows devices that the users will be using
+ > [!IMPORTANT]
+ > This feature is exclusively available for Windows 11 SE, version 22H2.
+
+To use federated sign-in, the devices must have Internet access. This feature won't work without it, as the authentication is done over the Internet.
+
+## Enable federated sign-in on devices
+
+
+To sign-in with a SAML 2.0 identity provider, your devices must be configured with different policies, which can be configured using Microsoft Intune.
+
+To configure federated sign-in using Microsoft Intune, [create a custom profile][MEM-1] with the following settings:
+
+| Setting |
+|--------|
+|
OMA-URI: **`./Vendor/MSFT/Policy/Config/FederatedAuthentication/EnableWebSignInForPrimaryUser`** Data type: **Integer** Value: **1**|
+| OMA-URI: **`./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls`** Data type: **String** Value: Semicolon separated list of domains, for example: **`samlidp.clever.com;clever.com;mobile-redirector.clever.com`**|
+| OMA-URI: **`./Vendor/MSFT/Policy/Config/Education/IsEducationEnvironment`** Data type: **Integer** Value: **1**|
+| OMA-URI: **`./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebCamAccessDomainNames`** Data type: **String** Value: This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: **`clever.com`**|
+
+:::image type="content" source="images/federated-sign-in-settings-intune.png" alt-text="Custom policy showing the settings to be configured to enable federated sign-in" lightbox="images/federated-sign-in-settings-intune.png" border="true":::
+
+Assign the policy to a security group that contains as members the devices that require federated sign-in.
+
+
+
+## How to use federated sign-in
+
+Once the devices are configured, a new sign-in experience becomes available.
+
+As the end users enter their username, they'll be redirected to the identity provider sign-in page. Once users are authenticated by the IdP, they'll be signed-in. In the following animation, you can see how the first sign-in process works:
+
+:::image type="content" source="./images/win-11-se-federated-sign-in.gif" alt-text="Windows 11 SE sign-in using federated sign-in through Clever and QR code badge." border="false":::
+
+> [!IMPORTANT]
+> Once the policy is enabled, the first user to sign-in to the device will also set the disambiguation page to the identity provider domain on the device. This means that the device will be defaulting to that IdP. The user can exit the federated sign-in flow by pressing Ctrl+Alt+Delete to get back to the standard Windows sign-in screen.
+
+## Important considerations
+
+Federated sign-in doesn't work on devices that have the following settings enabled:
+
+- **EnableSharedPCMode**, which is part of the [SharedPC CSP][WIN-1]
+- **Interactive logon: do not display last signed in**, which is a security policy part of the [Policy CSP][WIN-2]
+- **Take a Test**, since it leverages the security policy above
+
+## Troubleshooting
+
+- The user can exit the federated sign-in flow by pressing Ctrl+Alt+Delete to get back to the standard Windows sign-in screen
+- Select the *Other User* button, and the standard username/password credentials are available to log into the device
+
+-----------
+
+[AZ-1]: /azure/active-directory/hybrid/how-to-connect-fed-saml-idp
+[AZ-2]: /azure/active-directory/enterprise-users/licensing-groups-assign
+[AZ-3]: /azure/active-directory/hybrid/how-to-connect-sync-whatis
+
+[GRAPH-1]: /graph/api/user-post-users?tabs=powershell
+
+[MEM-1]: /mem/intune/configuration/custom-settings-windows-10
+
+[MSFT-1]: https://www.microsoft.com/download/details.aspx?id=56843
+
+[SDS-1]: /schooldatasync
+
+[WIN-1]: /windows/client-management/mdm/sharedpc-csp
+[WIN-2]: /windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin
\ No newline at end of file
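Review bot: the first row of the settings table is broken by a line break immediately after the opening `|`, so `OMA-URI: **./Vendor/MSFT/Policy/Config/FederatedAuthentication/EnableWebSignInForPrimaryUser** ...` will not render as a table cell; join it onto one line like the three rows below it. Two more points on this file: the `ConfigureWebSignInAllowedUrls` and `ConfigureWebCamAccessDomainNames` values are presented only as "for example" Clever domains, but every domain listed there is reachable from the sign-in web view (and, for the second setting, granted webcam access) before any user has authenticated, so the text should say explicitly to list only the IdP's own domains and nothing broader. Finally, the Ctrl+Alt+Delete escape is stated twice (in the IMPORTANT note under "How to use federated sign-in" and again under "Troubleshooting"); keep it in one place, and the `appliesto` entry in the front matter carries a stray character before `Windows 11 SE, version 22H2` that should be cleaned up.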
diff --git a/education/windows/images/federated-sign-in-settings-intune.png b/education/windows/images/federated-sign-in-settings-intune.png
new file mode 100644
index 0000000000..bdde7cf85a
Binary files /dev/null and b/education/windows/images/federated-sign-in-settings-intune.png differ
diff --git a/education/windows/images/setedupolicies_wcd.PNG b/education/windows/images/wcd/setedupolicies.PNG
similarity index 100%
rename from education/windows/images/setedupolicies_wcd.PNG
rename to education/windows/images/wcd/setedupolicies.PNG
diff --git a/education/windows/images/win-11-se-federated-sign-in.gif b/education/windows/images/win-11-se-federated-sign-in.gif
new file mode 100644
index 0000000000..c234f729fc
Binary files /dev/null and b/education/windows/images/win-11-se-federated-sign-in.gif differ
diff --git a/education/windows/index.yml b/education/windows/index.yml
index 8cf1e59688..fa426ef022 100644
--- a/education/windows/index.yml
+++ b/education/windows/index.yml
@@ -49,6 +49,8 @@ landingContent:
url: windows-11-se-settings-list.md
- linkListType: whats-new
links:
+ - text: Configure federated sign-in
+ url: federated-sign-in.md
- text: Configure education themes
url: edu-themes.md
- text: Configure Stickers
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 1dda28b5c8..ec5e0b87bc 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -6643,6 +6643,14 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
+### FederatedAuthentication policies
+
+
+ -
+ FederatedAuthentication/EnableWebSignInForPrimaryUser
+
+
+
### Feeds policies
-
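Review bot: the new `FederatedAuthentication/EnableWebSignInForPrimaryUser` entry has no link target in the lines shown, whereas the existing `ADMX_DFS/DFSDiscoverDC` entry visible in the hunk header carries one; confirm the entry links to the new policy-csp-federatedauthentication.md page (with the matching anchor) so the policy is reachable from the index like the other policies.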
diff --git a/windows/client-management/mdm/policy-csp-federatedauthentication.md b/windows/client-management/mdm/policy-csp-federatedauthentication.md
new file mode 100644
index 0000000000..6933fd3afe
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-federatedauthentication.md
@@ -0,0 +1,81 @@
+---
+title: Policy CSP - FederatedAuthentication
+description: Use the Policy CSP - Represents the enablement state of the Web Sign-in Credential Provider for device sign-in.
+ms.author: v-nsatapathy
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nimishasatapathy
+ms.localizationpriority: medium
+ms.date: 09/07/2022
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - FederatedAuthentication
+
+
+
+
+
+## FederatedAuthentication policies
+
+
+ -
+ FederatedAuthentication/EnableWebSignInForPrimaryUser
+
+
+
+
+
+
+
+**FederatedAuthentication/EnableWebSignInForPrimaryUser**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|No|No|
+|Education|No|No|
+|Windows SE|Yes|No|
+
+> [!NOTE]
+> Only available on Windows SE edition when Education/IsEducationEnvironment policy is also set to "1".
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Machine
+
+
+
+
+
+This policy specifies whether Web Sign-in can be used for device sign-in in a single-user environment.â
+
+> [!NOTE]
+> Web Sign-in is only supported on Azure AD Joined PCs.
+
+
+
+
+Value type is integer:
+- 0 - (default): Feature defaults as appropriate for edition and device capabilities.
+- 1 - Enabled: Web Sign-in Credential Provider will be enabled for device sign-in.
+- 2 - Disabled: Web Sign-in Credential Provider won't be enabled for device sign-in.
+
+
+
+
+
+
+
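Review bot: the edition table contradicts the feature page added in this same change: here `|Windows SE|Yes|No|` marks the policy as supported on Windows 10 SE and not on Windows 11, while federated-sign-in.md states it is "exclusively available for Windows 11 SE, version 22H2"; the two columns are most likely swapped and `ms.prod: w10` should be revisited for the same reason. Also, the sentence ending "in a single-user environment." is followed by a stray encoded character that should be removed, and the description of value `0` ("Feature defaults as appropriate for edition and device capabilities") should state what the default actually is on Windows SE, since that is the only edition where the policy applies.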
diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml
index eaea592be5..888db084cb 100644
--- a/windows/client-management/mdm/toc.yml
+++ b/windows/client-management/mdm/toc.yml
@@ -408,6 +408,8 @@ items:
href: policy-csp-experience.md
- name: ExploitGuard
href: policy-csp-exploitguard.md
+ - name: Federated Authentication
+ href: policy-csp-federatedauthentication.md
- name: Feeds
href: policy-csp-feeds.md
- name: FileExplorer
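Review bot: the new TOC entry is named `Federated Authentication` with a space, while the neighbouring entries (`ExploitGuard`, `Feeds`, `FileExplorer`) and the page title itself use the CSP name as one word; rename it to `FederatedAuthentication` for consistency.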
diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md
index 6490c7a003..5a113a2520 100644
--- a/windows/configuration/set-up-shared-or-guest-pc.md
+++ b/windows/configuration/set-up-shared-or-guest-pc.md
@@ -25,7 +25,7 @@ appliesto:
|---|---|
|Shared PC mode | **EnableSharedPCMode** or **EnableSharedPCModeWithOneDriveSync**: when enabled, **Shared PC mode** is turned on and different settings are configured in the local group policy object (LGPO). For a detailed list of settings enabled by Shared PC Mode in the LGPO, see the [Shared PC technical reference](shared-pc-technical.md#enablesharedpcmode-and-enablesharedpcmodewithonedrivesync).- This setting controls the API: [IsEnabled][UWP-1]
|
| Account management | **EnableAccountManager**: when enabled, automatic account management is turned on. The following settings define the behavior of *account manager*: - **DeletionPolicy**
- **DiskLevelDeletion**
- **DiskLevelCaching**
- **InactiveThreshold**
For more information, see the [Shared PC CSP documentation][WIN-3].
**AccountModel**: this option controls which types of users can sign-in to the device, and can be used to enable the Guest and Kiosk accounts. For more information, see the [Shared PC CSP documentation][WIN-3].
**KioskModeAUMID**: configures an application (referred as Application User Model ID - AUMID) to automatically execute when the kiosk account is used to sign in. A new account will be created and will use assigned access to only run the app specified by the AUMID. [Find the Application User Model ID of an installed app][WIN-7].
**KioskModeUserTileDisplayText**: sets the display text on the kiosk account if **KioskModeAUMID** has been set.|
-| Advanced customizations | **SetEduPolicies**: when enabled, specific settings designed for education devices are configured in the LGPO. For a detailed list of settings enabled by SetEduPolicies in the LGPO, see [Shared PC technical reference](shared-pc-technical.md#setedupolicy).- This setting controls the API: [IsEducationEnvironment][UWP-2]
**SetPowerPolicies**: when enabled, different power settings optimized for shared devices are configured in the LGPO. For a detailed list of settings enabled by SetPowerPolicies in the LGPO, see [Shared PC technical reference](shared-pc-technical.md#setpowerpolicies).
**SleepTimeout**: specifies all timeouts for when the PC should sleep.
**SignInOnResume**: if enabled, specifies if the user is required to sign in with a password when the PC wakes from sleep.
**MaintenanceStartTime**: by default, the maintenance start time (which is when automatic maintenance tasks run, such as Windows Update or Search indexing) is midnight. You can adjust the start time in this setting by entering a new start time in minutes from midnight. For a detailed list of settings enabled by MaintenanceStartTime, see [Shared PC technical reference](shared-pc-technical.md#maintenancestarttime).
**MaxPageFileSizeMB**: adjusts the maximum page file size in MB. This can be used to fine-tune page file behavior, especially on low end PCs.
**RestrictLocalStorage**: when enabled, users are prevented from saving or viewing local storage while using File Explorer.- This setting controls the API: [ShouldAvoidLocalStorage][UWP-3]
|
+| Advanced customizations | **SetEduPolicies**: when enabled, specific settings designed for education devices are configured in the LGPO. For a detailed list of settings enabled by SetEduPolicies in the LGPO, see [Shared PC technical reference](shared-pc-technical.md#setedupolicy).- This setting controls the API: [IsEducationEnvironment][UWP-2]
**SetPowerPolicies**: when enabled, different power settings optimized for shared devices are configured in the LGPO. For a detailed list of settings enabled by SetPowerPolicies in the LGPO, see [Shared PC technical reference](shared-pc-technical.md#setpowerpolicies).
**SleepTimeout**: specifies all timeouts for when the PC should sleep.
**SignInOnResume**: if enabled, specifies if the user is required to sign in with a password when the PC wakes from sleep.
**MaintenanceStartTime**: by default, the maintenance start time (which is when automatic maintenance tasks run, such as Windows Update or Search indexing) is midnight. You can adjust the start time in this setting by entering a new start time in minutes from midnight. For a detailed list of settings enabled by MaintenanceStartTime, see [Shared PC technical reference](shared-pc-technical.md#maintenancestarttime).
**MaxPageFileSizeMB**: adjusts the maximum page file size in MB. This can be used to fine-tune page file behavior, especially on low end PCs.
**RestrictLocalStorage**: when enabled, users are prevented from saving or viewing local storage while using File Explorer.- This setting controls the API: [ShouldAvoidLocalStorage][UWP-3]
|
## Configure Shared PC
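Review bot: the removed and added `Advanced customizations` rows read identically in this hunk, so the change appears to be whitespace or markup only; the commit message should say what was actually changed in that row so reviewers do not have to diff it by eye.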