updates

education/windows/edu-federated-authentication.md

@@ -0,0 +1,110 @@
+---
+title: Federated authentication for Windows 11 SE
+description: Description of federated authentication feature for Windows 11 SE and how to configure it via Intune
+ms.date: 09/15/2022
+ms.prod: windows
+ms.technology: windows
+ms.topic: how-to
+ms.localizationpriority: medium
+author: paolomatarazzo
+ms.author: paoloma
+ms.reviewer:
+manager: aaroncz
+ms.collection: education
+appliesto:
+- ✅ <b>Windows 11 SE 22H2</b>
+---
+
+# Configure federated authentication for Windows 11 SE
+
+Starting in **Windows 11 SE, version 22H2**, you can configure federated authentication, enabling your users to sign in using a third-party identity provider (IdP).
+
+With federated authentication, the sign-in experience on Windows SE devices can be simplified based on the options offered by the IdP. For example, rather than logging in with a traditional username and password, students and educators can use picture passwords or QR badges.
+
+## Benefits of federated authentication
+
+With federated authentication, you can have faster starts to class. Features like QR code scanning allow students to log in in less time, and with less friction.
+With fewer credentials for students to remember and a simplified log-in processes, students are more engaged and focused on learning.
+
+## Prerequisites
+
+To implement federated authentication, the following prerequisites must be met:
+1. You must have an Azure Active Directory (Azure AD) tenant, with one or multiple domains federated to a third-party IdP. For more information, see [Use a SAML 2.0 Identity Provider (IdP) for Single Sign On][AZ-1]
+1. Individual IdP accounts created: each user will require an account defined in the third-party IdP platform
+1. Individual Azure AD accounts created: each user will require a matching account defined in Azure AD. These account are usually created through automation using a provisioning process offered by the IdP
+1. Licenses assigned to the Azure AD accounts. It is recommended to assign licenses to a dynamic group, so that when new users are provisioned in Azure AD, the licenses are automatically assigned to the users member of the group
+1. Enable federated authentication on the Windows devices that the users will be using
+    > [!IMPORTANT]
+    > This feature is exclusively available for Windows 11 SE, version 22H2.
+
+## Enable federated authentication on Windows devices
+
+Can be done in Intune or with a provisioning package.
+
+IT administrators can configure federated authentication on Windows devices using Microsoft Intune, through a [custom profile][MEM-1]:
+
+1. Sign in to the <a href="https://endpoint.microsoft.com/" target="_blank">Microsoft Endpoint Manager admin center</a>
+1. Select **Devices** > **Configuration profiles** > **Create profile**
+1. Enter the following properties:
+    - **Platform**: select **Windows 10 and later**
+    - **Profile type**: select **Templates**
+    - **Template name**: select **Custom**
+1. Select **Create**
+1. In **Basics**, enter the following properties:
+    - **Name**: enter a descriptive name for the profile
+    - **Description**: enter a description for the profile. This setting is optional, but recommended
+1. Select **Next**
+1. In **Configuration settings**, select **Add**
+1. In **Add Row**, enter the following properties:
+    - Name: enter a name, for example `EnableWebSignInForPrimaryUser`
+    - OMA-URI: `./Vendor/MSFT/Policy/Config/FederatedAuthentication/EnableWebSignInForPrimaryUser`
+    - Data type: **Integer**
+    - Value: **1**
+1. Select **Save**
+1. Select **Add**
+1. In **Add Row**, enter the following properties:
+    - Name: enter a name, for example `ConfigureWebSignInAllowedUrls`
+    - OMA-URI: `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls`
+    - Data type: **String**
+    - Value: semicolon separated list of domains, for example `samlidp.clever.com;clever.com;mobile-redirector.clever.com`
+1. Select **Add**
+1. In **Add Row**, enter the following properties:
+    - Name: enter a name, for example `IsEducationEnvironment`
+    - OMA-URI: `./Vendor/MSFT/Policy/Config/Education/IsEducationEnvironment`
+    - Data type: **Integer**
+    - Value: **1**
+1. Select **Add**
+1. In **Add Row**, enter the following properties:
+    - Name: enter a name, for example `ConfigureWebCamAccessDomainNames`
+    - OMA-URI: `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebCamAccessDomainNames`
+    - Data type: **String**
+    - Value: semicolon separated list of domains, for example `clever.com`
+    > [!NOTE]
+    > This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process.
+1. Select **Save**
+1. Select **Next**
+1. In **Scope tags**, assign any applicable tags (optional)
+1. Select **Next**
+1. In **Assignments**, select the security groups that will receive the policy
+1. Select **Next**
+1. In **Applicability Rules**, select **Next**
+1. In **Review + create**, review your settings and select **Create**
+
+## How to use federated authentication
+
+Once the devices are configured, a new sign-in experience becomes available.
+
+:::image type="content" source="./images/federated-auth.gif" alt-text="Windows 11 SE login using federated authentication through Clever and QR badge." border="true":::
+
+
+## Known issues
+- Network and Accessibility menus are not available in the Web Sign-In flow.  They can be accessed on the standard Windows Logon page. While in the federated sign-in, press <kbd>Ctrl</kbd>+<kbd>Alt</kbd>+<kbd>Delete</kbd> and the classic Windows Logon UI will be shown, along with the buttons that launch those menus.  
+- This feature will not work without access to network, as the authentication is done via a 3rd party provider over the network. Always make sure that there is a valid network connection, before trying to launch the federated sign-in flow.
+
+## Troubleshooting
+- The user can exit the federated sign-in flow by pressing <kbd>Ctrl</kbd>+<kbd>Alt</kbd>+<kbd>Delete</kbd> to get back to the standard Windows Logon screen.
+- The *Other User* button can be pressed, and standard username/password credentials can be used to log into the device.
+
+[MEM-1]: /mem/intune/configuration/custom-settings-configure
+
+[AZ-1]: /azure/active-directory/hybrid/how-to-connect-fed-saml-idp

education/windows/edu-federated-signin.md

@@ -1,70 +0,0 @@
----
-title: Education themes for Windows 11 SE
-description: Description of education themes for Windows 11 SE and how to configure them via MDM
-ms.date: 09/15/2022
-ms.prod: windows
-ms.technology: windows
-ms.topic: how-to
-ms.localizationpriority: medium
-author: paolomatarazzo
-ms.author: paoloma
-ms.reviewer:
-manager: aaroncz
-ms.collection: education
-appliesto:
-- ✅ <b>Windows 11 SE 22H2</b>
----
-
-# Configure education themes for Windows 11 SE
-
-Starting in **Windows 11 SE, version 22H2**, you can deploy education themes to your devices. The education themes are designed for students using devices in a school.
-
-:::image type="content" source="./images/win-11-se-themes-1.png" alt-text="Windows 11 SE desktop with 3 stickers" border="true":::
-
-Themes allow the end user to quickly configure the look and feel of the device, with preset wallpaper, accent color, and other settings.
-Students can choose their own themes, making it feel the device is their own. When students feel more ownership over their device, they tend to take better care of it. This is great news for schools looking to give that same device to a new student the next year.
-
-## Enable education themes
-
-Education themes aren't enabled by default. IT administrators can configure devices to download the education themes using Microsoft Intune.
-
-1. Sign in to the <a href="https://endpoint.microsoft.com/" target="_blank"><b>Microsoft Endpoint Manager admin center</b></a>
-1. Select **Devices** > **Configuration profiles** > **Create profile**
-1. Enter the following properties:
-    - **Platform**: select **Windows 10 and later**
-    - **Profile type**: select **Templates**
-    - **Template name**: select **Custom**
-1. Select **Create**
-1. In **Basics**, enter the following properties:
-    - **Name**: enter a descriptive name for the profile
-    - **Description**: enter a description for the profile. This setting is optional, but recommended
-1. Select **Next**
-1. In **Configuration settings**, select **Add**
-1. In **Add Row**, enter the following properties:
-    - Name: enter **EnableEduThemes**
-    - OMA-URI: `./Vendor/MSFT/Policy/Config/Stickers/EnableEduThemes`
-    - Data type: **Integer**
-    - Value: **1**
-1. Select **Save**
-1. Select **Add**
-1. In **Add Row**, enter the following properties:
-    - Name: enter **IsEducationEnvironment**
-    - OMA-URI: `./Vendor/MSFT/Policy/Config/Education/IsEducationEnvironment`
-    - Data type: **Integer**
-    - Value: **1**
-1. Select **Save**
-1. Select **Next**
-1. In **Scope tags**, assign any applicable tags (optional)
-1. Select **Next**
-1. In **Assignments**, select the security groups that will receive the policy
-1. Select **Next**
-1. In **Applicability Rules**, select **Next**
-1. In **Review + create**, review your settings and select **Create**
-
-## How to use the education themes
-
-Once the education themes are enabled, the device will download them as soon as a user signs in to the device.
-
-To change the theme, select **Settings** > **Personalization** > **Themes** > **Select a theme**
-
-:::image type="content" source="./images/win-11-se-themes.png" alt-text="Windows 11 SE desktop contextual menu to open the sticker editor" border="true":::

education/windows/edu-stickers.md

@@ -53,13 +53,6 @@ Stickers aren't enabled by default. IT administrators can allow students to pers
     - Data type: **Integer**
     - Value: **1**
 1. Select **Save**
-1. Select **Add**
-1. In **Add Row**, enter the following properties:
-    - Name: enter **IsEducationEnvironment**
-    - OMA-URI: `./Vendor/MSFT/Policy/Config/Education/IsEducationEnvironment`
-    - Data type: **Integer**
-    - Value: **1**
-1. Select **Save**
 1. Select **Next**
 1. In **Scope tags**, assign any applicable tags (optional)
 1. Select **Next**

education/windows/edu-themes.md

@@ -1,6 +1,6 @@
 ---
-title: Education themes for Windows 11 SE
-description: Description of education themes for Windows 11 SE and how to configure them via MDM
+title: Configure education themes for Windows 11
+description: Description of education themes for Windows 11 and how to configure them via MDM
 ms.date: 09/15/2022
 ms.prod: windows
 ms.technology: windows
@@ -12,14 +12,14 @@ ms.reviewer:
 manager: aaroncz
 ms.collection: education
 appliesto:
-- ✅ <b>Windows 11 SE 22H2</b>
+- ✅ <b>Windows 11 22H2</b>
 ---
 
-# Configure education themes for Windows 11 SE
+# Configure education themes for Windows 11
 
-Starting in **Windows 11 SE, version 22H2**, you can deploy education themes to your devices. The education themes are designed for students using devices in a school.
+Starting in **Windows 11, version 22H2**, you can deploy education themes to your devices. The education themes are designed for students using devices in a school.
 
-:::image type="content" source="./images/win-11-se-themes-1.png" alt-text="Windows 11 SE desktop with 3 stickers" border="true":::
+:::image type="content" source="./images/win-11-se-themes-1.png" alt-text="Windows 11 desktop with 3 stickers" border="true":::
 
 Themes allow the end user to quickly configure the look and feel of the device, with preset wallpaper, accent color, and other settings.
 Students can choose their own themes, making it feel the device is their own. When students feel more ownership over their device, they tend to take better care of it. This is great news for schools looking to give that same device to a new student the next year.
@@ -46,13 +46,6 @@ Education themes aren't enabled by default. IT administrators can configure devi
     - Data type: **Integer**
     - Value: **1**
 1. Select **Save**
-1. Select **Add**
-1. In **Add Row**, enter the following properties:
-    - Name: enter **IsEducationEnvironment**
-    - OMA-URI: `./Vendor/MSFT/Policy/Config/Education/IsEducationEnvironment`
-    - Data type: **Integer**
-    - Value: **1**
-1. Select **Save**
 1. Select **Next**
 1. In **Scope tags**, assign any applicable tags (optional)
 1. Select **Next**
@@ -67,4 +60,4 @@ Once the education themes are enabled, the device will download them as soon as
 
 To change the theme, select **Settings** > **Personalization** > **Themes** > **Select a theme**
 
-:::image type="content" source="./images/win-11-se-themes.png" alt-text="Windows 11 SE desktop contextual menu to open the sticker editor" border="true":::
+:::image type="content" source="./images/win-11-se-themes.png" alt-text="Windows 11 education themes selection" border="true":::