Merge branch 'main' into pm-20230105-cleanup-win-configuration

2025-05-17 15:57:23 +00:00 · 2023-01-12 12:26:14 -08:00 · 2023-01-12 12:26:14 -08:00 · d0cebb219f
commit d0cebb219f
parent 0504051599 fd2a17d005
9 changed files with 187 additions and 15 deletions
--- a/education/windows/TOC.yml
+++ b/education/windows/TOC.yml
@ -38,8 +38,12 @@ items:
      href: edu-stickers.md
    - name: Configure Take a Test in kiosk mode
      href: edu-take-a-test-kiosk-mode.md
    - name: Federated identity
      items:
      - name: Configure federated sign-in
        href: federated-sign-in.md
      - name: Configure federation between Google Workspace and Azure AD
        href: configure-aad-google-trust.md
    - name: Configure Shared PC
      href: /windows/configuration/set-up-shared-or-guest-pc?context=/education/context/context
    - name: Use the Set up School PCs app
--- a/education/windows/configure-aad-google-trust.md
+++ b/education/windows/configure-aad-google-trust.md
@ -0,0 +1,128 @@
 ---
 title: Configure federation between Google Workspace and Azure AD
 description: Configuration of a federated trust between Google Workspace and Azure AD, with Google Workspace acting as an identity provider (IdP) for Azure AD.
 ms.date: 1/12/2023
 ms.topic: how-to
 ---
 # Configure federation between Google Workspace and Azure AD
 This article describes the steps required to configure Google Workspace as an identity provider (IdP) for Azure AD.\
 Once configured, users will be able to sign in to Azure AD with their Google Workspace credentials.
 ## Prerequisites
 To configure Google Workspace as an IdP for Azure AD, the following prerequisites must be met:
 1. An Azure AD tenant, with one or multiple custom DNS domains (that is, domains that aren't in the format \**.onmicrosoft.com*)
    - If the federated domain hasn't yet been added to Azure AD, you must have access to the DNS domain to create a DNS record. This is required to verify the ownership of the DNS namespace
    - Learn how to [Add your custom domain name using the Azure Active Directory portal](/azure/active-directory/fundamentals/add-custom-domain)
 1. Access to Azure AD with an account with the *Global Administrator* role
 1. Access to Google Workspace with an account with *super admin* privileges
 To test federation, the following prerequisites must be met:
 1. A Google Workspace environment, with users already created
    > [!IMPORTANT]
    > Users require an email address defined in Google Workspace, which is used to match the users in Azure AD
 1. Individual Azure AD accounts already created: each Google Workspace user will require a matching account defined in Azure AD. These accounts are commonly created through automated solutions, for example:
    - School Data Sync (SDS)
    - Azure AD Connect sync for environment with on-premises AD DS
    - PowerShell scripts that call the Microsoft Graph API
    - Provisioning tools offered by the IdP - this capability is offered by Google Workspace through [auto-provisioning](https://support.google.com/a/answer/7365072)
 ## Configure Google Workspace as and IdP for Azure AD
 1. Sign in to the [Google Workspace Admin Console](https://admin.google.com) with an account with *super admin* privileges
 1. Select **Apps > Web and mobile apps**
 1. Select **Add app > Search for apps** and search for *microsoft*
 1. In the search results page, hover over the *Microsoft Office 365 - Web (SAML)* app and select **Select**
   :::image type="content" source="images/google/google-admin-search-app.png" alt-text="Screenshot showing Google Workspace and the search button for Microsoft Office 365 SAML app.":::
 1. On the *Google Identity Provider details* page, select **Download Metadata** and take note of the location where the **IdP metadata** - *GoogleIDPMetadata.xml* - file is saved, as it will be used to setup Azure AD later
 1. On the *Service provider details* page
      - Select the option **Signed response**
      - Verify that the Name ID format is set to **PERSISTENT**
      - Depending on how the Azure AD users have been provisioned in Azure AD, you may need to adjust the **Name ID** mapping. For more information, see (article to write).\
        If using Google auto-provisioning, select **Basic Information > Primary email**
      - Select **Continue**
 1. On the *Attribute mapping* page, map the Google attributes to the Azure AD attributes
    |Google Directory attributes|Azure AD attributes|
    |-|-|
    |Basic Information: Primary Email|App attributes: IDPEmail|
    > [!IMPORTANT]
    > You must ensure that your the Azure AD user accounts email match those in your Google Workspace.
 1. Select **Finish**
 Now that the app is configured, you must enable it for the users in Google Workspace:
 1. Sign in to the [Google Workspace Admin Console](https://admin.google.com) with an account with *super admin* privileges
 1. Select **Apps > Web and mobile apps**
 1. Select **Microsoft Office 365**
 1. Select **User access**
 1. Select **ON for everyone > Save**
 ## Configure Azure AD as a Service Provider (SP) for Google Workspace
 The configuration of Azure AD consists of changing the authentication method for the custom DNS domains. This configuration can be done using PowerShell.\
 Using the **IdP metadata** XML file downloaded from Google Workspace, modify the *$DomainName* variable of the following script to match your environment, and then run it in an elevated PowerShell session. When prompted to authenticate to Azure AD, use the credentials of an account with the *Global Administrator* role.
 ```powershell
 Install-Module -Name MSOnline
 Import-Module MSOnline
 $DomainName = "<your domain name>"
 $xml = [Xml](Get-Content GoogleIDPMetadata.xml)
 $cert = -join $xml.EntityDescriptor.IDPSSODescriptor.KeyDescriptor.KeyInfo.X509Data.X509Certificate.Split()
 $issuerUri = $xml.EntityDescriptor.entityID
 $logOnUri = $xml.EntityDescriptor.IDPSSODescriptor.SingleSignOnService | ? { $_.Binding.Contains('Redirect') } | % { $_.Location }
 $LogOffUri = "https://accounts.google.com/logout"
 $brand = "Google Workspace Identity"
 Connect-MsolService
 $DomainAuthParams = @{
    DomainName = $DomainName
    Authentication = "Federated"
    IssuerUri = $issuerUri
    FederationBrandName = $brand
    ActiveLogOnUri = $logOnUri
    PassiveLogOnUri = $logOnUri
    LogOffUri = $LogOffUri
    SigningCertificate = $cert
    PreferredAuthenticationProtocol = "SAMLP"
 }
 Set-MsolDomainAuthentication @DomainAuthParams
 ```
 To verify that the configuration is correct, you can use the following PowerShell command:
 ```powershell
 Get-MsolDomainFederationSettings -DomainName $DomainName
 ```
 ```output
 ActiveLogOnUri                         : https://accounts.google.com/o/saml2/idp?<GUID>
 DefaultInteractiveAuthenticationMethod : 
 FederationBrandName                    : Google Workspace Identity
 IssuerUri                              : https://accounts.google.com/o/saml2?idpid=<GUID>
 LogOffUri                              : https://accounts.google.com/logout
 MetadataExchangeUri                    : 
 NextSigningCertificate                 : 
 OpenIdConnectDiscoveryEndpoint         : 
 PassiveLogOnUri                        : https://accounts.google.com/o/saml2/idp?idpid=<GUID>
 SigningCertificate                     : <BASE64 encoded certificate>
 SupportsMfa                            : 
 ```
 ## Verify federated authentication between Google Workspace and Azure AD
 From a private browser session, navigate to https://portal.azure.com and sign in with a Google Workspace account:
 1. As username, use the email as defined in Google Workspace
 1. The user will be redirected to Google Workspace to sign in
 1. After Google Workspace authentication, the user will be redirected back to Azure AD and signed in
 :::image type="content" source="images/google/google-sso.gif" alt-text="A GIF that shows the user authenticating the Azure portal using a Google Workspace federated identity.":::
--- a/education/windows/federated-sign-in.md
+++ b/education/windows/federated-sign-in.md
@ -1,7 +1,7 @@
 ---
 title: Configure federated sign-in for Windows devices
 description: Description of federated sign-in feature for Windows 11 SE and how to configure it via Intune
-ms.date: 09/15/2022
+ms.date: 01/12/2023
 ms.topic: how-to
 appliesto:
  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE</a>
@ -10,7 +10,7 @@ appliesto:
 <!-- MAXADO-6286399 -->
 # Configure federated sign-in for Windows 11 SE
-Starting in **Windows 11 SE, version 22H2**, you can enable your users to sign-in using a SAML 2.0 identity provider (IdP). This feature is called **federated sign-in**. Federated sign-in is a great way to simplify the sign-in process for your users: instead of having to remember a username and password defined in Azure AD, they can sign-in using their existing credentials from the IdP. For example, students and educators can use QR code badges to sign-in.
+Starting in Windows 11 SE, version 22H2, you can enable your users to sign-in using a SAML 2.0 identity provider (IdP). This feature is called *federated sign-in*. Federated sign-in is a great way to simplify the sign-in process for your users: instead of having to remember a username and password defined in Azure AD, they can sign-in using their existing credentials from the IdP. For example, students and educators can use QR code badges to sign-in.
 ## Benefits of federated sign-in
@ -25,7 +25,9 @@ To implement federated sign-in, the following prerequisites must be met:
 1. An Azure AD tenant, with one or multiple domains federated to a third-party SAML 2.0 IdP. For more information, see [Use a SAML 2.0 Identity Provider (IdP) for Single Sign On][AZ-1]
    >[!NOTE]
-    >If your organization uses a third-party federation solution, you can configure single sign-on to Azure Active Directory if the solution is compatible with Azure Active Directory. For questions regarding compatibility, please contact your identity provider. If you're an IdP, and would like to validate your solution for interoperability, please refer to these [guidelines][MSFT-1].
+    >If your organization uses a third-party federation solution, you can configure single sign-on to Azure Active Directory if the solution is compatible with Azure Active Directory. For questions regarding compatibility, contact your identity provider. If you're an IdP, and would like to validate your solution for interoperability, refer to these [guidelines][MSFT-1].
    >
    >For a step-by-step guide on how to configure Google Workspace as an identity provider for Azure AD, see [Configure federation between Google Workspace and Azure AD](configure-aad-google-trust.md).
 1. Individual IdP accounts created: each user will require an account defined in the third-party IdP platform
 1. Individual Azure AD accounts created: each user will require a matching account defined in Azure AD. These accounts are commonly created through automated solutions, for example:
    - [School Data Sync (SDS)][SDS-1]
--- a/education/windows/images/google/google-admin-search-app.png
+++ b/education/windows/images/google/google-admin-search-app.png
--- a/education/windows/images/google/google-sso.gif
+++ b/education/windows/images/google/google-sso.gif
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md
@ -19,24 +19,27 @@ msreviewer: hathind
 You can submit support tickets to Microsoft using the Windows Autopatch admin center. Email is the recommended approach to interact with the Windows Autopatch Service Engineering Team.
-## Premier and Unified support options
+## Submit a new support request
-As a customer with a **Premier** or **Unified** support contract, you can specify the severity of your issue, and schedule a support callback for a specific day and time. These options are available when you open or submit a new issue and when you edit an active support case.
+Support requests are triaged and responded to as they're received.
 ### Premier and Unified support options
 If you have a **Premier** or **Unified** support contract, when you submit a new request, or edit an active support request, you can:
 - Specify the severity of your issue
 - Schedule a support callback for a specific day and time
 Depending on your support contract, the following severity options are available:
 > [!NOTE]
 > Selecting either severity **A** or **Critical** issue limits you to a phone support case. This is the fastest support option.
 | Support contract | Severity options |
 | ----- | ----- |
 | Premier | Severity A, B or C |
 | Unified | Critical or non-critical |
 > [!NOTE]
 > Selecting either severity **A** or **Critical** issue limits you to a phone support case. This is the fastest support option.
 ## Submit a new support request  
 Support requests are triaged and responded to as they're received.
 **To submit a new support request:**
 1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant administration** menu.
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
@ -1,7 +1,7 @@
 ---
 title: Fix issues found by the Readiness assessment tool
 description: This article details how to fix issues found by the Readiness assessment tool
-ms.date: 11/17/2022
+ms.date: 01/12/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: how-to
@ -16,6 +16,9 @@ msreviewer: hathind
 Seeing issues with your tenant? This article details how to remediate issues found with your tenant.
 > [!NOTE]
 > If you need more assistance with tenant enrollment, you can [submit a tenant enrollment support request](#submit-a-tenant-enrollment-support-request).
 ## Check results
 For each check, the tool will report one of four possible results:
@ -70,3 +73,29 @@ Windows Autopatch requires the following licenses:
 | Result | Meaning |
 | ----- | ----- |
 | Not ready | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Azure Active Directory Premium, and Microsoft Intune are required. For more information, see [more about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). |
 ## Submit a tenant enrollment support request
 > [!IMPORTANT]
 > Make sure you've [added and verified your admin contacts](../deploy/windows-autopatch-admin-contacts.md). The Windows Autopatch Service Engineering Team will contact these individuals for assistance with troubleshooting issues.
 If you need more assistance with tenant enrollment, you can submit support requests to the Windows Autopatch Service Engineering Team in the Windows Autopatch enrollment tool. Email is the recommended approach to interact with the Windows Autopatch Service Engineering Team.
 **To submit a new tenant enrollment support request:**
 1. If the Readiness assessment tool fails, remediation steps can be found by selecting **View details** under **Management settings** and then selecting the individual checkbox. The **Contact Support** button will be available below remediation instructions in the fly-in-pane.
 2. Enter your question(s) and/or a description of the problem.
 3. Review all the information you provided for accuracy.
 4. When you're ready, select **Create**.
 ### Manage an active tenant enrollment support request
 The primary contact for the support request will receive email notifications when a case is created, assigned to a service engineer to investigate, and mitigated.
 If you have a question about the case, the best way to get in touch is to reply directly to one of the emails. If we have questions about your request or need more details, we'll email the primary contact listed in the support request.
 **To view all your active tenant enrollment support requests:**
 1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant Administration** menu.
 1. In the **Windows Autopatch** section, select **Tenant Enrollment**.
 1. Select the **Support history** tab. You can view the list of all support cases, or select an individual case to view the details.
--- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
+++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
@ -24,6 +24,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
 | Article | Description |
 | ----- | ----- |
 | [Fix issues found by the Readiness assessment tool](../prepare/windows-autopatch-fix-issues.md) | Added the Submit a tenant enrollment support request section. You can submit a tenant enrollment support request through the Tenant enrollment tool if you're running into issues with enrollment. |
 | [Submit a support request](../operate/windows-autopatch-support-request.md) | Added Premier and Unified support options section |
 ### January service release
--- a/windows/whats-new/whats-new-windows-11-version-22H2.md
+++ b/windows/whats-new/whats-new-windows-11-version-22H2.md
@ -120,3 +120,8 @@ For more information, see [Supported configuration service provider (CSP) polici
 Windows 11, version 22H2, includes additional improvements for people with disabilities: system-wide live captions, Focus sessions, voice access, and more natural voices for Narrator. For more information, see [New accessibility features coming to Windows 11](https://blogs.windows.com/windowsexperience/2022/05/10/new-accessibility-features-coming-to-windows-11/) and [How inclusion drives innovation in Windows 11](https://blogs.windows.com/windowsexperience/?p=177554).
 For more information, see [Accessibility information for IT professionals](/windows/configuration/windows-10-accessibility-for-itpros).
 ## High Efficiency Video Coding (HEVC) support
 <!--7475101-->
 Starting in Windows 11, version 22H2, support for High Efficiency Video Coding (HEVC) is now available. You can play HEVC videos in any video app on your Windows 11 device. HEVC is designed to take advantage of hardware capabilities on some newer devices to support 4K and Ultra HD content.
 For devices that don't have hardware support for HEVC videos, software support is provided, but the playback experience might vary based on the video resolution and your devices performance.