From 9749ffdb044a2492181c0078246dfbfc2864ec5e Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 12 Sep 2023 09:46:14 -0400 Subject: [PATCH] web sign-in --- includes/configure/provisioning-package-1.md | 9 ++++ includes/configure/provisioning-package-2.md | 9 ++++ .../hello-for-business/passwordless.md | 6 +-- .../identity-protection/web-sign-in/index.md | 41 ++++++++----------- 4 files changed, 39 insertions(+), 26 deletions(-) create mode 100644 includes/configure/provisioning-package-1.md create mode 100644 includes/configure/provisioning-package-2.md diff --git a/includes/configure/provisioning-package-1.md b/includes/configure/provisioning-package-1.md new file mode 100644 index 0000000000..c183be2c09 --- /dev/null +++ b/includes/configure/provisioning-package-1.md @@ -0,0 +1,9 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/12/2023 +ms.topic: include +ms.prod: windows-client +--- + +Use the following settings to [create a provisioning package](../../windows/configuration/provisioning-packages/provisioning-create-package.md): diff --git a/includes/configure/provisioning-package-2.md b/includes/configure/provisioning-package-2.md new file mode 100644 index 0000000000..1f037c0fc1 --- /dev/null +++ b/includes/configure/provisioning-package-2.md @@ -0,0 +1,9 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/12/2023 +ms.topic: include +ms.prod: windows-client +--- + +[Apply the provisioning package](../../windows/configuration/provisioning-packages/provisioning-apply-package.md) to the devices that you want to configure. diff --git a/windows/security/identity-protection/hello-for-business/passwordless.md b/windows/security/identity-protection/hello-for-business/passwordless.md index 550f288698..d616f8ff68 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless.md +++ b/windows/security/identity-protection/hello-for-business/passwordless.md 
@@ -13,7 +13,7 @@ ms.topic: how-to ## Overview Starting in Windows 11, version 22H2 with [KB5030310][KB-1], *Windows Hello for Business passwordless* is a security policy that promotes a user experience without passwords on Microsoft Entra joined devices.\ -When the policy is enabled, certain Windows authentication scenarios don't offer the users the option to use a password, helping organizations and preparing users to gradually move away from passwords. +When the policy is enabled, certain Windows authentication scenarios don't offer users the option to use a password, helping organizations and preparing users to gradually move away from passwords. With Windows Hello for Business passwordless, users who sign in with Windows Hello or a FIDO2 security key: @@ -30,7 +30,7 @@ The password credential provider is hidden only for the last signed in user who This article explains how to enable Windows Hello for Business passwordless and describes the user experiences. >[!TIP] -> Windows Hello for Business users can achieve passwordless sign-in from the first sign-in using the Web sign-in feature. For more information about Web sign-in, see [Article to complete](https://learn.microsoft.com). +> Windows Hello for Business users can achieve passwordless sign-in from the first sign-in using the Web sign-in feature. For more information about Web sign-in, see [Web sign-in for Windows devices](../web-sign-in/index.md). ## System requirements 
@@ -92,7 +92,7 @@ When Windows Hello for Business passwordless is enabled, users can't use the pas - User Account Control (UAC) elevation, except if a local user account is used for elevation >[!NOTE] -> RDP sign in defaults to the credential provider used during sign-in. However, a suers can select the option *Use a different account* to sign in with a password. +> RDP sign in defaults to the credential provider used during sign-in. However, a user can select the option *Use a different account* to sign in with a password. > > *Run as different user* is not impacted by Windows Hello for Business passwordless. diff --git a/windows/security/identity-protection/web-sign-in/index.md b/windows/security/identity-protection/web-sign-in/index.md index 8859d5ce7a..87317fde45 100644 --- a/windows/security/identity-protection/web-sign-in/index.md +++ b/windows/security/identity-protection/web-sign-in/index.md @@ -1,5 +1,5 @@ --- -title: Configure Web sign-in for Windows devices +title: Web sign-in for Windows devices description: Learn how Web sign-in in Windows works and how to configure it. ms.date: 09/11/2023 ms.topic: how-to 
@@ -9,15 +9,15 @@ ms.collection: - tier1 --- -# Configure Web sign-in for Windows devices +# Web sign-in for Windows devices Starting in Windows 11, version 22H2 with [KB5030310][KB-1], you can enable your users to sign-in using a web experience on Microsoft Entra joined devices. This feature is called *Web sign-in*.\ -Web sign in is a new sign-in experience that allows users to sign in to their Windows devices using a web browser experience, opening new sign in scenarios. +Web sign-in is a Windows credential provider that allows users to sign in to their Windows devices using a web interface, opening new sign in scenarios. >[!Note:] ->Web sign-in was initially realeased in windows 10 for TAP-only scenarios. Windows 11 is the first version where Web sign-in capabilities are extended. +>Web sign-in was initially realeased in Windows 10, supporting Temporary Access Pass only. Windows 11 is the first version where Web sign-in capabilities are expanded. ## Benefits of web sign-in @@ -33,11 +33,6 @@ To use web sign-in, the following prerequisites must be met: ## Configure web sign-in -You can configure federated sign-in for student assigned (1:1) devices or student shared devices: - -- When federated sign-in is configured for **student assigned (1:1) devices**, the first user who signs in to the device with a federated identity becomes the *primary user*. The primary user is always displayed in the bottom left corner of the sign-in screen -- When federated sign-in is configured for **student shared devices**, there's no primary user. The sign-in screen displays, by default, the last user who signed in to the device - To use web sign-in, your devices must be configured with different policies. Review the following instructions to configure your devices using either Microsoft Intune or a provisioning package (PPKG). #### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune**](#tab/intune) 
@@ -47,30 +42,30 @@ To use web sign-in, your devices must be configured with different policies. Rev | Category | Setting name | Value | |--|--|--| | Authentication | Enable Web Sign In | Enabled | -| Authentication | Configure Web Sign In Allowed Urls | This setting is optional, and it contains a semicolon-separated list of domains, for example: `samlidp.clever.com;clever.com;mobile-redirector.clever.com` | -| Authentication | Configure Webcam Access Domain Names | This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: `clever.com` | +| Authentication | Configure Web Sign In Allowed Urls | This setting is optional, and it contains a semicolon-separated list of domains, for example: `idp.example.com;example.com` | +| Authentication | Configure Webcam Access Domain Names | This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: `example.com` | [!INCLUDE [intune-settings-catalog-2](../../../../includes/configure/intune-settings-catalog-2.md)] Alternatively, you can configure devices using a [custom policy][INT-1] with the following settings: -| Setting | -|--------| -| **OMA-URI**: `./Vendor/MSFT/Policy/Config/Authentication/EnableWebSignIn`
**Data type**: Integer
**Value**: `1`| -| **OMA-URI**: `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls`
**Data type**: String
**Value**: Semicolon separated list of domains, for example: `samlidp.clever.com;clever.com;mobile-redirector.clever.com`| -| **OMA-URI**: `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebCamAccessDomainNames`
**Data type**: String
**Value**: This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: `clever.com`| +| OMA-URI | More information | +|-|-| +| `./Vendor/MSFT/Policy/Config/Authentication/EnableWebSignIn`| [EnableWebSignIn](../../../client-management/mdm/policy-csp-authentication.md#enablewebsignin) | +| `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls`|[ConfigureWebSignInAllowedUrls](../../../client-management/mdm/policy-csp-authentication.md#configurewebsigninallowedurls)| +| `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebCamAccessDomainNames`|[ConfigureWebcamAccessDomainNames](../../../client-management/mdm/policy-csp-authentication.md#configurewebcamaccessdomainnames)| #### [:::image type="icon" source="../../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) -To configure web sign-in using a provisioning package, use the following settings: +[!INCLUDE [provisioning-package-1](../../../../includes/configure/provisioning-package-1.md)] -| Setting | -|--------| -|
  • Path: **`Policies/Authentication/EnableWebSignIn`**
    Value: **Enabled**| -|
  • Path: **`Policies/Authentication/ConfigureWebSignInAllowedUrls`**
    Value: Semicolon separated list of domains, for example: **`samlidp.clever.com;clever.com;mobile-redirector.clever.com`**| -|
  • Path: **`Policies/Authentication/ConfigureWebCamAccessDomainNames`**
    Value: This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: **`clever.com`**| +| Path | Setting name | Value | +|--|--|--| +| `Policies/Authentication` | `EnableWebSignIn` | Enabled | +| `Policies/Authentication` | `ConfigureWebSignInAllowedUrls` | This setting is optional, and it contains a semicolon-separated list of domains, for example: `idp.example.com;example.com` | +| `Policies/Authentication` | `ConfigureWebCamAccessDomainNames` | This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: `example.com` | -Apply the provisioning package to the shared devices that require web sign-in. +[!INCLUDE [provisioning-package-2](../../../../includes/configure/provisioning-package-2.md)] ---
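Review bot: in the new `includes/configure/provisioning-package-1.md` (and likewise `provisioning-package-2.md`), the link `../../windows/configuration/provisioning-packages/...` is written relative to `includes/configure/`, while the consuming article reaches the include via `../../../../includes/configure/`, so the two files sit at different depths; confirm the build resolves links inside an include from the include's own location rather than the consuming article's before merging, otherwise the link will 404 in `web-sign-in/index.md`.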
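Review bot: in the `passwordless.md` hunk at `@@ -92,7`, the typo fix (`a suers` to `a user`) is correct, but the same rewritten line still opens with "RDP sign in" while the rest of that line and the article use "sign-in"; since the line is already being touched, hyphenate it for consistency.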
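Review bot: in the `index.md` hunk at `@@ -1,5`, the title is changed but the `ms.date: 09/11/2023` context line directly below is left untouched; bump it to `09/12/2023` to match the date used in the two new include files in this same patch.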
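Review bot: in the `index.md` hunk at `@@ -9,15`, the rewritten note line still carries the typo `realeased` (should be `released`), and the `>[!Note:]` opener on the unchanged context line above it is not the `>[!NOTE]` alert form that `passwordless.md` uses elsewhere in this patch, so the callout may not render; fix both while the block is being edited. The new definition sentence also keeps "opening new sign in scenarios" unhyphenated right after "Web sign-in".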
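Review bot: in the `index.md` hunk at `@@ -33,11`, dropping the federated sign-in / student device paragraphs is right, since they describe a different feature, but the retained sentence "your devices must be configured with different policies" now reads as if the policies were alternatives; "with the following policies" or "with several policies" states what the tables below actually show.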
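Review bot: in the `index.md` hunk at `@@ -47,30`, the replacement custom-policy table drops the data type and value for each OMA-URI (the removed rows stated `Integer` / `1` for `EnableWebSignIn` and `String` with a semicolon-separated domain list for the other two), so a reader can no longer configure the custom policy from this page without following the reference links; keep a Data type / Value column next to the new links. Replacing the real third-party domains with `idp.example.com;example.com` is the right call; since `ConfigureWebSignInAllowedUrls` is the control that restricts which domains the web sign-in flow may reach, both tables that describe it as "optional" would benefit from one sentence stating what applies when the allow-list is left unset.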