Merge branch 'main' into vp-csp-auto2

.openpublishing.redirection.json

@@ -20294,6 +20294,26 @@
       "source_path": "windows/security/identity-protection/hello-for-business/reset-security-key.md",
       "redirect_url": "/azure/active-directory/authentication/howto-authentication-passwordless-security-key",
       "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md",
+      "redirect_url": "/windows/configuration/provisioning-packages/provision-pcs-with-apps",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "windows/configuration/cortana-at-work/cortana-at-work-crm.md",
+      "redirect_url": "/windows/resources",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/configuration/cortana-at-work/cortana-at-work-powerbi.md",
+      "redirect_url": "/windows/resources",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/configuration/manage-wifi-sense-in-enterprise.md",
+      "redirect_url": "/windows/resources",
+      "redirect_document_id": false
     }
   ]
 }

education/windows/TOC.yml

@@ -38,8 +38,12 @@ items:
       href: edu-stickers.md
     - name: Configure Take a Test in kiosk mode
       href: edu-take-a-test-kiosk-mode.md
-    - name: Configure federated sign-in
+    - name: Federated identity
-      href: federated-sign-in.md
+      items:
+      - name: Configure federated sign-in
+        href: federated-sign-in.md
+      - name: Configure federation between Google Workspace and Azure AD
+        href: configure-aad-google-trust.md
     - name: Configure Shared PC
       href: /windows/configuration/set-up-shared-or-guest-pc?context=/education/context/context
     - name: Use the Set up School PCs app

education/windows/configure-aad-google-trust.md

@@ -0,0 +1,128 @@
+---
+title: Configure federation between Google Workspace and Azure AD
+description: Configuration of a federated trust between Google Workspace and Azure AD, with Google Workspace acting as an identity provider (IdP) for Azure AD.
+ms.date: 1/12/2023
+ms.topic: how-to
+---
+
+# Configure federation between Google Workspace and Azure AD
+
+This article describes the steps required to configure Google Workspace as an identity provider (IdP) for Azure AD.\
+Once configured, users will be able to sign in to Azure AD with their Google Workspace credentials.
+
+## Prerequisites
+
+To configure Google Workspace as an IdP for Azure AD, the following prerequisites must be met:
+
+1. An Azure AD tenant, with one or multiple custom DNS domains (that is, domains that aren't in the format \**.onmicrosoft.com*)
+    - If the federated domain hasn't yet been added to Azure AD, you must have access to the DNS domain to create a DNS record. This is required to verify the ownership of the DNS namespace
+    - Learn how to [Add your custom domain name using the Azure Active Directory portal](/azure/active-directory/fundamentals/add-custom-domain)
+1. Access to Azure AD with an account with the *Global Administrator* role
+1. Access to Google Workspace with an account with *super admin* privileges
+
+To test federation, the following prerequisites must be met:
+
+1. A Google Workspace environment, with users already created
+    > [!IMPORTANT]
+    > Users require an email address defined in Google Workspace, which is used to match the users in Azure AD
+1. Individual Azure AD accounts already created: each Google Workspace user will require a matching account defined in Azure AD. These accounts are commonly created through automated solutions, for example:
+    - School Data Sync (SDS)
+    - Azure AD Connect sync for environment with on-premises AD DS
+    - PowerShell scripts that call the Microsoft Graph API
+    - Provisioning tools offered by the IdP - this capability is offered by Google Workspace through [auto-provisioning](https://support.google.com/a/answer/7365072)
+
+## Configure Google Workspace as and IdP for Azure AD
+
+1. Sign in to the [Google Workspace Admin Console](https://admin.google.com) with an account with *super admin* privileges
+1. Select **Apps > Web and mobile apps**
+1. Select **Add app > Search for apps** and search for *microsoft*
+1. In the search results page, hover over the *Microsoft Office 365 - Web (SAML)* app and select **Select**
+   :::image type="content" source="images/google/google-admin-search-app.png" alt-text="Screenshot showing Google Workspace and the search button for Microsoft Office 365 SAML app.":::
+1. On the *Google Identity Provider details* page, select **Download Metadata** and take note of the location where the **IdP metadata** - *GoogleIDPMetadata.xml* - file is saved, as it will be used to setup Azure AD later
+1. On the *Service provider details* page
+      - Select the option **Signed response**
+      - Verify that the Name ID format is set to **PERSISTENT**
+      - Depending on how the Azure AD users have been provisioned in Azure AD, you may need to adjust the **Name ID** mapping. For more information, see (article to write).\
+        If using Google auto-provisioning, select **Basic Information > Primary email**
+      - Select **Continue**
+1. On the *Attribute mapping* page, map the Google attributes to the Azure AD attributes
+
+    |Google Directory attributes|Azure AD attributes|
+    |-|-|
+    |Basic Information: Primary Email|App attributes: IDPEmail|
+
+    > [!IMPORTANT]
+    > You must ensure that your the Azure AD user accounts email match those in your Google Workspace.
+
+1. Select **Finish**
+
+Now that the app is configured, you must enable it for the users in Google Workspace:
+
+1. Sign in to the [Google Workspace Admin Console](https://admin.google.com) with an account with *super admin* privileges
+1. Select **Apps > Web and mobile apps**
+1. Select **Microsoft Office 365**
+1. Select **User access**
+1. Select **ON for everyone > Save**
+
+## Configure Azure AD as a Service Provider (SP) for Google Workspace
+
+The configuration of Azure AD consists of changing the authentication method for the custom DNS domains. This configuration can be done using PowerShell.\
+Using the **IdP metadata** XML file downloaded from Google Workspace, modify the *$DomainName* variable of the following script to match your environment, and then run it in an elevated PowerShell session. When prompted to authenticate to Azure AD, use the credentials of an account with the *Global Administrator* role.
+
+```powershell
+Install-Module -Name MSOnline
+Import-Module MSOnline
+
+$DomainName = "<your domain name>"
+
+$xml = [Xml](Get-Content GoogleIDPMetadata.xml)
+
+$cert = -join $xml.EntityDescriptor.IDPSSODescriptor.KeyDescriptor.KeyInfo.X509Data.X509Certificate.Split()
+$issuerUri = $xml.EntityDescriptor.entityID
+$logOnUri = $xml.EntityDescriptor.IDPSSODescriptor.SingleSignOnService | ? { $_.Binding.Contains('Redirect') } | % { $_.Location }
+$LogOffUri = "https://accounts.google.com/logout"
+$brand = "Google Workspace Identity"
+Connect-MsolService
+$DomainAuthParams = @{
+    DomainName = $DomainName
+    Authentication = "Federated"
+    IssuerUri = $issuerUri
+    FederationBrandName = $brand
+    ActiveLogOnUri = $logOnUri
+    PassiveLogOnUri = $logOnUri
+    LogOffUri = $LogOffUri
+    SigningCertificate = $cert
+    PreferredAuthenticationProtocol = "SAMLP"
+}
+Set-MsolDomainAuthentication @DomainAuthParams
+```
+
+To verify that the configuration is correct, you can use the following PowerShell command:
+
+```powershell
+Get-MsolDomainFederationSettings -DomainName $DomainName
+```
+
+```output
+ActiveLogOnUri                         : https://accounts.google.com/o/saml2/idp?<GUID>
+DefaultInteractiveAuthenticationMethod : 
+FederationBrandName                    : Google Workspace Identity
+IssuerUri                              : https://accounts.google.com/o/saml2?idpid=<GUID>
+LogOffUri                              : https://accounts.google.com/logout
+MetadataExchangeUri                    : 
+NextSigningCertificate                 : 
+OpenIdConnectDiscoveryEndpoint         : 
+PassiveLogOnUri                        : https://accounts.google.com/o/saml2/idp?idpid=<GUID>
+SigningCertificate                     : <BASE64 encoded certificate>
+SupportsMfa                            : 
+```
+
+## Verify federated authentication between Google Workspace and Azure AD
+
+From a private browser session, navigate to https://portal.azure.com and sign in with a Google Workspace account:
+
+1. As username, use the email as defined in Google Workspace
+1. The user will be redirected to Google Workspace to sign in
+1. After Google Workspace authentication, the user will be redirected back to Azure AD and signed in
+
+:::image type="content" source="images/google/google-sso.gif" alt-text="A GIF that shows the user authenticating the Azure portal using a Google Workspace federated identity.":::

education/windows/federated-sign-in.md

@@ -1,7 +1,7 @@
 ---
 title: Configure federated sign-in for Windows devices
 description: Description of federated sign-in feature for Windows 11 SE and how to configure it via Intune
-ms.date: 09/15/2022
+ms.date: 01/12/2023
 ms.topic: how-to
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE</a>
@@ -10,7 +10,7 @@ appliesto:
 <!-- MAXADO-6286399 -->
 # Configure federated sign-in for Windows 11 SE
 
-Starting in **Windows 11 SE, version 22H2**, you can enable your users to sign-in using a SAML 2.0 identity provider (IdP). This feature is called **federated sign-in**. Federated sign-in is a great way to simplify the sign-in process for your users: instead of having to remember a username and password defined in Azure AD, they can sign-in using their existing credentials from the IdP. For example, students and educators can use QR code badges to sign-in.
+Starting in Windows 11 SE, version 22H2, you can enable your users to sign-in using a SAML 2.0 identity provider (IdP). This feature is called *federated sign-in*. Federated sign-in is a great way to simplify the sign-in process for your users: instead of having to remember a username and password defined in Azure AD, they can sign-in using their existing credentials from the IdP. For example, students and educators can use QR code badges to sign-in.
 
 ## Benefits of federated sign-in
 
@@ -25,7 +25,9 @@ To implement federated sign-in, the following prerequisites must be met:
 
 1. An Azure AD tenant, with one or multiple domains federated to a third-party SAML 2.0 IdP. For more information, see [Use a SAML 2.0 Identity Provider (IdP) for Single Sign On][AZ-1]
     >[!NOTE]
-    >If your organization uses a third-party federation solution, you can configure single sign-on to Azure Active Directory if the solution is compatible with Azure Active Directory. For questions regarding compatibility, please contact your identity provider. If you're an IdP, and would like to validate your solution for interoperability, please refer to these [guidelines][MSFT-1].
+    >If your organization uses a third-party federation solution, you can configure single sign-on to Azure Active Directory if the solution is compatible with Azure Active Directory. For questions regarding compatibility, contact your identity provider. If you're an IdP, and would like to validate your solution for interoperability, refer to these [guidelines][MSFT-1].
+    >
+    >For a step-by-step guide on how to configure Google Workspace as an identity provider for Azure AD, see [Configure federation between Google Workspace and Azure AD](configure-aad-google-trust.md).
 1. Individual IdP accounts created: each user will require an account defined in the third-party IdP platform
 1. Individual Azure AD accounts created: each user will require a matching account defined in Azure AD. These accounts are commonly created through automated solutions, for example:
     - [School Data Sync (SDS)][SDS-1]

windows/application-management/provisioned-apps-windows-client-os.md

@@ -102,9 +102,7 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
 
     ---
     
-- [HEVC Video Extensions](ms-windows-store://pdp/?PFN=Microsoft.HEVCVideoExtension_8wekyb3d8bbwe) | Package name: Microsoft.HEVCVideoExtension
+- [HEVC Video Extensions](ms-windows-store://pdp/?productid=9NMZLZ57R3T7) | Package name: Microsoft.HEVCVideoExtension 
-> [!NOTE]
-> For devices running Windows 11, version 21H2, and any supported version of Windows 10, you need to acquire the [HEVC Video Extensions](ms-windows-store://pdp/?PFN=Microsoft.HEVCVideoExtension_8wekyb3d8bbwe) from the Microsoft Store.
   - Supported versions:
 
     ---
@@ -113,6 +111,8 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
     | ❌ |  ✔️|||
     
     ---  
+    >[!NOTE]
+    >For devices running Windows 11, version 21H2, and any supported version of Windows 10, you need to acquire the [HEVC Video Extensions](ms-windows-store://pdp/?productid=9NMZLZ57R3T7) from the Microsoft Store.
 
 - [Microsoft Messaging](ms-windows-store://pdp/?PFN=Microsoft.Messaging_8wekyb3d8bbwe) | Package name:Microsoft.Messaging
   - Supported versions:

windows/client-management/mdm/policy-csp-system.md

@@ -703,13 +703,7 @@ The "Configure diagnostic data opt-in settings user interface" group policy can
 <!-- AllowTelemetry-AllowedValues-Begin -->
 **Allowed values**:
 
-| Value | Description |
+<hr/>
-|:--|:--|
-| 0 | Security. Information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.
-Note: This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1. |
-| 1 (Default) | Basic. Basic device info, including: quality-related data, app compatibility, app usage data, and data from the Security level. |
-| 3 | Full. All data necessary to identify and help to fix problems, plus data from the Security, Basic, and Enhanced levels. |
-<!-- AllowTelemetry-AllowedValues-End -->
 
 <!-- AllowTelemetry-GpMapping-Begin -->
 **Group policy mapping**:

windows/client-management/understanding-admx-backed-policies.md

@@ -1,6 +1,6 @@
 ---
 title: Understanding ADMX policies
-description: In Windows 10, you can use ADMX policies for Windows 10 mobile device management (MDM) across Windows 10 devices.
+description: You can use ADMX policies for Windows mobile device management (MDM) across Windows devices.
 ms.author: vinpa
 ms.topic: article
 ms.prod: windows-client
@@ -237,7 +237,7 @@ Below is the internal OS mapping of a Group Policy to an MDM area and name. This
 
 `./[Device|User]/Vendor/MSFT/Policy/Config/[config|result]/<area>/<policy>`
 
-The data payload of the SyncML needs to be encoded so that it doesn't conflict with the boilerplate SyncML XML tags. Use this online tool for encoding and encoding the policy data [Coder's Toolbox](http://coderstoolbox.net/string/#!encoding=xml&action=encode&charset=us_ascii)
+The data payload of the SyncML needs to be encoded so that it doesn't conflict with the boilerplate SyncML XML tags. Use this online tool for encoding and decoding the policy data [Coder's Toolbox](https://coderstoolbox.net/string/#!encoding=xml&action=encode&charset=us_ascii).
 
 **Snippet of manifest for AppVirtualization area:**
 

windows/configuration/cortana-at-work/cortana-at-work-crm.md

@@ -1,59 +0,0 @@
----
-title: Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in Windows
-description: How to set up Cortana to give salespeople insights on important CRM activities, including sales leads, accounts, and opportunities.
-ms.prod: windows-client
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
-ms.date: 10/05/2017
-ms.reviewer: 
-manager: dougeby
-ms.technology: itpro-configure
----
-
-# Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in your organization
-
-Cortana integration is a Preview feature that's available for your test or dev environment, starting with the CRM Online 2016 Update. If you decide to use this Preview feature, you'll need to turn in on and accept the license terms. After that, your salespeople will get proactive insights from Cortana on important CRM activities, including sales leads, accounts, and opportunities; presenting the most relevant information at any given time. This information can even include getting company-specific news that surfaces when the person is meeting with a representative from another company.
-
->[!NOTE]
->For more info about Dynamics CRM integration, how to turn on Cortana, and how to provide feedback, see [Preview feature: Set up Cortana integration](https://go.microsoft.com/fwlink/p/?LinkId=746819).
-
-![Cortana at work, showing the sales data pulled from Dynamics CRM.](../images/cortana-crm-screen.png)
-
-## Turn on Cortana with Dynamics CRM in your organization
-You must be a CRM administrator to turn on and use Preview features. For more info about what Preview features are and how to use them, see [What are Preview features and how do I enable them](/dynamics365/marketing/marketing-preview-features).
-
-**To turn on Cortana with Dynamics CRM**
-
-1. Go to **Settings**, and then click **Administration**.
-
-2. Choose **System Settings**, and then click the **Previews** tab.
-
-3. Read the license terms, and if you agree, select the **I’ve read and agree to the license terms** check box.
-
-4. For each preview feature you want to enable, click **Yes**.
-
-## Turn on Cortana with Dynamics CRM on your employees’ devices
-You must tell your employees to turn on Cortana, before they’ll be able to use it with Dynamics CRM.
-
-**To turn on local Cortana with Dynamics CRM**
-
-1. Click on the **Cortana** search box in the taskbar, and then click the **Notebook** icon.
-
-2. Click on **Connected Services**, click **Dynamics CRM**, and then click **Connect**.
-
-    ![Cotana at work, showing how to turn on the connected services for Dynamics CRM.](../images/cortana-connect-crm.png)
-
-    The employee can also disconnect by clicking **Disconnect** from the **Dynamics CRM** screen.
-
-## Turn off Cortana with Dynamics CRM
-Cortana can only access data in Dynamics CRM when it’s turned on. If you don’t want Cortana to access your corporate data, you can turn it off.
-
-**To turn off Cortana with Dynamics CRM**
-1. Go to **Settings**, and then click **Administration**.
-
-2. Choose **System Settings**, and then click the **Previews** tab.
-
-3. Click **No** for **Cortana**.
-
-    All Dynamics CRM functionality related to Cortana is turned off in your organization.

windows/configuration/cortana-at-work/cortana-at-work-powerbi.md

@@ -1,139 +0,0 @@
----
-title: Set up and test Cortana for Power BI in your organization (Windows)
-description: How to integrate Cortana with Power BI to help your employees get answers directly from your key business data.
-ms.prod: windows-client
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
-ms.date: 10/05/2017
-ms.reviewer: 
-manager: dougeby
-ms.technology: itpro-configure
----
-
-# Set up and test Cortana for Power BI in your organization
-
->[!IMPORTANT]
->Cortana for Power BI is deprecated and will not be available in future releases. This topic is provided as a reference for previous versions only.
-
-Integration between Cortana and Power BI shows how Cortana can work with custom business analytics solutions to enable you to get answers directly from your key business data, including introducing new features that let you create custom Cortana “answers” using the full capabilities of Power BI Desktop.
-
->[!Note]
->Cortana for Power BI is currently only available in English. For more info about Cortana and Power BI, see [Use Power BI to create a custom Answer Page for Cortana](https://powerbi.microsoft.com/documentation/powerbi-service-cortana-desktop-entity-cards/).
-
-## Before you begin
-To use this walkthrough, you’ll need:
-
-- **Windows 10 or Windows 11**. You’ll need your PC to be running at least Windows 10, version 1703 or later, or Windows 11.
-
-- **Cortana**. You need to have Cortana turned on and be logged into your account.
-
-- **Power BI account with data**. You can use an existing Power BI account, or else you can get a trial account by signing up at http://powerbi.com. Just make sure that either way, you enter some data that you can use.
-
-- **Azure Active Directory (Azure AD)/Work or School account**. You can use the account that you created for Office 365, or you can create a new one while you’re establishing your Power BI account. If you choose to use Azure AD, you must connect your Azure AD account to your Windows account.
-
-    **To connect your account to Windows**
-    
-    a. Open **Windows Settings**, click **Accounts**, click **Access work or school**, and then in the **Connect to work or school** section, click **Connect**.
-    
-    b. Follow the instructions to add your Azure Active Directory (Azure AD) account to Windows.
-
-## Set up your test environment for Cortana for Power BI
-Before you can start this testing scenario, you must first set up your test environment and data, and then you must turn on and set up Cortana to connect and work with Power BI.
-
-**To set up your test environment with Cortana and Power BI**
-
-1. Go to http://powerbi.com and sign-in with the same O365 credentials you used in the Set up and use Cortana with Office 365 topic.
-
-2. Expand the left rail by clicking the **Show the navigation pane** icon.
-
-    ![Cortana at work, showing the navigation expand icon in Power BI.](../images/cortana-powerbi-expand-nav.png)
-
-3. Click **Get Data** from the left-hand navigation in Power BI.
-
-    ![Cortana at work, showing the Get Data link.](../images/cortana-powerbi-getdata.png)
-
-4. Click **Samples** from the **Content Pack Library** area of the **Get Data** screen.
-
-    ![Cortana at work, showing Samples link](../images/cortana-powerbi-getdata-samples.png)
-
-5. Click **Retail Analysis Sample**, and then click **Connect**.
-
-    ![Cortana at work, showing the Samples link.](../images/cortana-powerbi-retail-analysis-sample.png)
- 
-    The sample data is imported and you’re returned to the **Power BI** screen.
-
-6. Click **Dashboards** from the left pane of the **Power BI** screen, and then click **Retail Analysis Sample**.
-
-    ![Cortana at work, showing a dashboard view of the sample data.](../images/cortana-powerbi-retail-analysis-dashboard.png)    
- 
-7. In the upper right-hand menu, click the **Settings** icon, and then click **Settings**.
-
-    ![Cortana at work, showing where to find the Settings option.](../images/cortana-powerbi-settings.png) 
-
-8. Click the **Datasets** tab, and then pick the **Retail Analysis Sample** dataset from the list.
-
-9. Click **Q&A and Cortana**, check the **Allow Cortana to access this dataset** box, and then click **Apply**.
-
-    ![Cortana at work, showing where to find the dataset options.](../images/cortana-powerbi-retail-analysis-dataset.png)
-
-    >[!NOTE]
-    >It can take up to 30 minutes for a new dataset to appear for Power BI and Cortana. Logging in and out of Windows, or otherwise restarting Cortana, causes the new content to appear immediately.<p>If you enable a dataset for Cortana, and that dataset is part of a content pack you own, you’ll need to re-publish for your colleagues to also use it with Cortana.
-
-## Create a custom Answer Page for Cortana
-You must create special reports, known as _Answer Pages_, to display the most commonly asked answers in Cortana. For example, if you want Cortana to quickly show sales data to your employees, you can create a 2016 sales data Answer Page that shows sales data, with various pivots, in Cortana.
-
-After you’ve finished creating your Answer Page, you can continue to the included testing scenarios.
-
->[!NOTE]
->It can take up to 30 minutes for a custom Answer Page to appear for Power BI and Cortana. Logging in and out of Windows, or otherwise restarting Cortana, causes the new content to appear immediately.
-
-**To create a custom sales data Answer Page for Cortana**
-1. In Power BI, click **My Workspace**, click **Create**, and then click **Report**.
-
-    ![Cortana at work, showing where to create the new report.](../images/cortana-powerbi-create-report.png)
- 
-2. In the **Create Report** screen, click the **Retail Analysis Sample**, and then click **Create**.
-
-    A blank report page appears.
-
-3. In the **Visualizations** pane, click the paint roller icon, expand **Page Size**, and then pick **Cortana** from the **Type** drop-down list.
-
-    ![Cortana at work, showing the Visualizations options.](../images/cortana-powerbi-pagesize.png)
-
-4. In the **Fields** pane, click to expand **Sales**, expand **This year sales**, and then add both **Value** and **Goal**.
-
-    ![Cortana at work, showing the Field options.](../images/cortana-powerbi-field-selection.png)
- 
-    The automatically generated graph is added to your blank report. You have the option to change colors, add borders, add additional visualizations, and modify this page so that it answers the question about sales data as precisely, and in as custom a way, as you want. You just need to make sure that it all stays within the page borders.
-
-5. In the **Visualizations** pane, click the paint roller icon again, expand **Page Information**, type _Sales data 2016_ into the **Name** box, turn on **Q&A**, and then add alternate report names (separated by commas) into the text box.
-
-    The alternate names help Cortana to know what questions to look for and when to show this report. To also improve your results, you should avoid using the names of your report columns.
-
-    ![Cortana at work, showing the page info for your specific report.](../images/cortana-powerbi-report-qna.png)
-    
-6. Click **File**, click **Save as**, and save the report as _Sales data 2016_. 
-
-    Because this is part of the Retail Analysis Sample, it will automatically be included as part of the dataset you included for Cortana. However, you will still need to log in and out of Windows, or otherwise restart Cortana, before the new content appears.
-
-## Test Scenario: Use Cortana to show info from Power BI in your organization
-Now that you’ve set up your device, you can use Cortana to show your info from within Power BI.
-
-**To use Cortana with Power BI**
-1. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar.
-
-2. Type _This year in sales_.
-
-    Cortana shows you the available results.
-
-    ![Cortana at work, showing the best matches based on the Power BI data.](../images/cortana-powerbi-search.png)
- 	 
-3. In the **Power BI** area, click **This year in sales – in Retail Analysis Sample**.
-
- 	Cortana returns your custom report.
-
-    ![Cortana at work, showing your custom report from Power BI.](../images/cortana-powerbi-myreport.png)
- 	 
->[!NOTE]
->For more info about how to connect your own data, build your own custom Power BI cards and Answer Pages for Cortana, and how to share the cards with everyone in your organization, see [Use Power BI to create a custom Answer Page for Cortana](https://powerbi.microsoft.com/documentation/powerbi-service-cortana-desktop-entity-cards/).

windows/configuration/customize-start-menu-layout-windows-11.md

@@ -1,15 +1,15 @@
 ---
-title: Add or remove pinned apps on the Start menu in Windows 11 | Microsoft Docs
+title: Add or remove pinned apps on the Start menu in Windows 11
 description: Export Start layout to LayoutModification.json with pinned apps, and add or remove pinned apps. Use the JSON text in an MDM policy to deploy a custom Start menu layout to Windows 11 devices.
 manager: aaroncz
+author: lizgt2000
 ms.author: lizlong
 ms.reviewer: ericpapa
 ms.prod: windows-client
-author: lizgt2000
 ms.localizationpriority: medium
 ms.collection: highpri
 ms.technology: itpro-configure
-ms.date: 12/31/2017
+ms.date: 01/10/2023
 ms.topic: article
 ---
 
@@ -31,9 +31,11 @@ This article shows you how to export an existing Start menu layout, and use the
 
 ## Before you begin
 
-- When you customize the Start layout, you overwrite the entire full layout. A partial Start layout isn't available. Users can pin and unpin apps, and uninstall apps from Start. You can't prevent users from changing the layout.
+- When you customize the Start layout, you overwrite the entire full layout. A partial Start layout isn't available. Users can pin and unpin apps, and uninstall apps from Start. When a user signs in or Explorer restarts, Windows reapplies the MDM policy. This action restores the specified layout and doesn't retain any user changes.
 
-- It's recommended to use a Mobile Device Management (MDM) provider. MDM providers help manage your devices, and help manage apps on your devices. You can use Microsoft Intune. Intune is a family of products that include Microsoft Intune, which is a cloud service, and Configuration Manager, which is on-premises.
+  To prevent users from making any changes to the Start menu layout, see the [NoChangeStartMenu](/windows/client-management/mdm/policy-csp-admx-startmenu#admx-startmenu-nochangestartmenu) policy.
+
+- It's recommended to use a mobile device management (MDM) provider. MDM providers help manage your devices, and help manage apps on your devices. You can use Microsoft Intune. Intune is a family of products that include Microsoft Intune, which is a cloud service, and Configuration Manager, which is on-premises.
 
   In this article, we mention these services. If you're not managing your devices using an MDM provider, the following resources may help you get started: