Merge pull request #9569 from MicrosoftDocs/main

Publish main to live on 2/5 @ 3:30 pm

Author: v-stsavell

.openpublishing.redirection.windows-configuration.json

@@ -34,8 +34,8 @@
         "education",
         "tier2"
       ],
-      "ms.prod": "windows-client",
-      "ms.technology": "itpro-edu",
+      "ms.subservice": "itpro-edu",
+      "ms.service": "windows-client",
       "author": "paolomatarazzo",
       "ms.author": "paoloma",
       "manager": "aaroncz",
@@ -51,10 +51,10 @@
         }
       },
       "titleSuffix": "Windows Education",
-      "contributors_to_exclude": [ 
-        "rjagiewich", 
-        "traya1", 
-        "rmca14", 
+      "contributors_to_exclude": [
+        "rjagiewich",
+        "traya1",
+        "rmca14",
         "claydetels19",
         "Kellylorenebaker",
         "jborsecnik",

browsers/edge/images/config-open-me-with-scenarios-tab.PNG renamed to browsers/edge/images/config-open-me-with-scenarios-tab.png

@@ -26,7 +26,7 @@ To test federation, the following prerequisites must be met:
 1. A Google Workspace environment, with users already created
     > [!IMPORTANT]
     > Users require an email address defined in Google Workspace, which is used to match the users in Microsoft Entra ID.
-    > For more information about identity matching, see [Identity matching in Microsoft Entra ID](federated-sign-in.md#identity-matching-in-azure-ad).
+    > For more information about identity matching, see [Identity matching in Microsoft Entra ID](federated-sign-in.md#identity-matching-in-microsoft-entra-id).
 1. Individual Microsoft Entra accounts already created: each Google Workspace user will require a matching account defined in Microsoft Entra ID. These accounts are commonly created through automated solutions, for example:
     - School Data Sync (SDS)
     - Microsoft Entra Connect Sync for environment with on-premises AD DS

education/docfx.json

@@ -46,7 +46,7 @@ To enable a federated sign-in experience, the following prerequisites must be me
     - PowerShell scripts that call the [Microsoft Graph API][GRAPH-1]
     - provisioning tools offered by the IdP
 
-    For more information about identity matching, see [Identity matching in Microsoft Entra ID](#identity-matching-in-azure-ad).
+    For more information about identity matching, see [Identity matching in Microsoft Entra ID](#identity-matching-in-microsoft-entra-id).
 1. Licenses assigned to the Microsoft Entra user accounts. It's recommended to assign licenses to a dynamic group: when new users are provisioned in Microsoft Entra ID, the licenses are automatically assigned. For more information, see [Assign licenses to users by group membership in Microsoft Entra ID][AZ-2]
 1. Enable Federated sign-in or Web sign-in on the Windows devices, depending if the devices are shared or assigned to a single student
 
@@ -201,17 +201,13 @@ The following issues are known to affect student shared devices:
 
 For student shared devices, it's recommended to configure the account management policies to automatically delete the user profiles after a certain period of inactivity or disk levels. For more information, see [Set up a shared or guest Windows device][WIN-3].
 
-<a name='preferred-azure-ad-tenant-name'></a>
-
 ### Preferred Microsoft Entra tenant name
 
 To improve the user experience, you can configure the *preferred Microsoft Entra tenant name* feature.\
 When using preferred Microsoft Entra tenant name, the users bypass the disambiguation page and are redirected to the identity provider sign-in page. This configuration can be especially useful for student shared devices, where the disambiguation page is always shown.
 
 For more information about preferred tenant name, see [Authentication CSP - PreferredAadTenantDomainName][WIN-4].
 
-<a name='identity-matching-in-azure-ad'></a>
-
 ### Identity matching in Microsoft Entra ID
 
 When a Microsoft Entra user is federated, the user's identity from the IdP must match an existing user object in Microsoft Entra ID.

education/windows/configure-aad-google-trust.md

@@ -6,8 +6,6 @@ brand: windows
 
 metadata:
   ms.topic: hub-page
-  ms.prod: windows-client
-  ms.technology: itpro-edu
   ms.collection:
     - education
     - tier1

education/windows/federated-sign-in.md

@@ -5,7 +5,7 @@ ms.date: 06/02/2023
 ms.topic: reference
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
----  
+---
 
 # What's in my provisioning package?
 
@@ -48,7 +48,7 @@ For a more detailed look at the policies, see the Windows article [Set up shared
 
 This section lists only the MDM and local group policies that are configured uniquely for the Set up School PCs app.
 
-For a more detailed look of each policy listed, see [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) in the Windows IT Pro Center documentation.  
+For a more detailed look of each policy listed, see [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) in the Windows IT Pro Center documentation.
 
 | Policy name | Default value | Description |
 |--|--|--|
@@ -81,10 +81,10 @@ For a more detailed look of each policy listed, see [Policy CSP](/windows/client
 
 ## Apps uninstalled from Windows devices
 
-Set up School PCs app uses the Universal app uninstall policy. The policy identifies default apps that aren't relevant to the classroom experience, and uninstalls them from each device. The apps uninstalled from Windows devices are:  
+Set up School PCs app uses the Universal app uninstall policy. The policy identifies default apps that aren't relevant to the classroom experience, and uninstalls them from each device. The apps uninstalled from Windows devices are:
 
 - Mixed Reality Viewer
-- Weather  
+- Weather
 - Desktop App Installer
 - Tips
 - Messaging
@@ -106,11 +106,11 @@ Set up School PCs uses the Universal app install policy to install school-releva
 
 ## Provisioning time estimates
 
-The time it takes to install a package on a device depends on the:  
+The time it takes to install a package on a device depends on the:
 
 - Strength of network connection
 - Number of policies and apps within the package
-- Other configurations made to the device  
+- Other configurations made to the device
 
 Review the table below to estimate your expected provisioning time. A package that only applies Set Up School PC's default configurations will provision the fastest. A package that removes preinstalled apps, through CleanPC, will take much longer to provision.
 

education/windows/images/setedupolicies_omauri.PNG renamed to education/windows/images/setedupolicies_omauri.png

@@ -9,7 +9,7 @@ items:
   - name: Deploy applications to Windows 11 SE
     href: tutorial-deploy-apps-winse/toc.yml
 - name: Concepts
-  items: 
+  items:
     - name: Windows 11 SE
       items:
       - name: Overview
@@ -47,7 +47,7 @@ items:
       - name: Configure federation between Google Workspace and Microsoft Entra ID
         href: configure-aad-google-trust.md
     - name: Configure Shared PC
-      href: /windows/configuration/set-up-shared-or-guest-pc?context=/education/context/context
+      href: /windows/configuration/shared-pc/set-up-shared-or-guest-pc?context=/education/context/context
     - name: Get and deploy Minecraft Education
       href: get-minecraft-for-education.md
     - name: Use the Set up School PCs app
@@ -65,6 +65,6 @@ items:
     - name: Take a Test technical reference
       href: take-a-test-app-technical.md
     - name: Shared PC technical reference
-      href: /windows/configuration/shared-pc-technical?context=/education/context/context
+      href: /windows/configuration/shared-pc/shared-pc-technical?context=/education/context/context
+
 
-      

education/windows/images/suspcs/suspc_getstarted_050817.PNG renamed to education/windows/images/suspcs/suspc_getstarted_050817.png

@@ -54,7 +54,7 @@ The following XML file contains the device description framework (DDF) for the A
         </AccessType>
         <Description>This node can accept and return json string which comprises of account name, and AUMID for Kiosk mode app.
 
-Example: {"User":"domain\\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}. 
+Example: {"User":"domain\\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}.
 
 When configuring kiosk mode app, account name will be used to find the target user. Account name includes domain name and user name. Domain name can be optional if user name is unique across the system. For a local account, domain name should be machine name. When "Get" is executed on this node, domain name is always returned in the output.
 

education/windows/images/suspcs/suspc_runpackage_getpcsready.PNG renamed to education/windows/images/suspcs/suspc_runpackage_getpcsready.png

@@ -142,7 +142,7 @@ The following XML file contains the device description framework (DDF) for the B
                          If you disable or do not configure this policy setting, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method specified by any setup script.”
                          The format is string.
                          Sample value for this node to enable this policy and set the encryption methods is:
-                         
+                       
 
                          EncryptionMethodWithXtsOsDropDown_Name = Select the encryption method for operating system drives.
                          EncryptionMethodWithXtsFdvDropDown_Name = Select the encryption method for fixed data drives.
@@ -194,7 +194,7 @@ The following XML file contains the device description framework (DDF) for the B
                          Note: If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard.
                          The format is string.
                          Sample value for this node to enable this policy is:
-                         
+                       
 
                          ConfigureNonTPMStartupKeyUsage_Name = Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)
                          All of the below settings are for computers with a TPM.
@@ -250,7 +250,7 @@ The following XML file contains the device description framework (DDF) for the B
                          NOTE: If minimum PIN length is set below 6 digits, Windows will attempt to update the TPM 2.0 lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset.
                          The format is string.
                          Sample value for this node to enable this policy is:
-                         
+                       
 
                          Disabling the policy will let the system choose the default behaviors.
                          If you want to disable this policy use the following SyncML:
@@ -291,7 +291,7 @@ The following XML file contains the device description framework (DDF) for the B
                          Note: Not all characters and languages are supported in pre-boot. It is strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen.
                          The format is string.
                          Sample value for this node to enable this policy is:
-                         
+                       
 
                          The possible values for 'xx' are:
                          0 = Empty
@@ -344,7 +344,7 @@ The following XML file contains the device description framework (DDF) for the B
                          If this policy setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS.
                          The format is string.
                          Sample value for this node to enable this policy is:
-                         
+                       
 
                          The possible values for 'xx' are:
                          true = Explicitly allow
@@ -402,7 +402,7 @@ The following XML file contains the device description framework (DDF) for the B
                          If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives.
                          The format is string.
                          Sample value for this node to enable this policy is:
-                         
+                       
 
                          The possible values for 'xx' are:
                          true = Explicitly allow
@@ -454,7 +454,7 @@ The following XML file contains the device description framework (DDF) for the B
                          If you disable or do not configure this policy setting, all fixed data drives on the computer will be mounted with read and write access.
                          The format is string.
                          Sample value for this node to enable this policy is:
-                         
+                       
 
                          Disabling the policy will let the system choose the default behaviors.
                          If you want to disable this policy use the following SyncML:
@@ -495,7 +495,7 @@ The following XML file contains the device description framework (DDF) for the B
                          Note: This policy setting can be overridden by the group policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" group policy setting is enabled this policy setting will be ignored.
                          The format is string.
                          Sample value for this node to enable this policy is:
-                         
+                       
 
                          The possible values for 'xx' are:
                          true = Explicitly allow
@@ -575,7 +575,7 @@ The following XML file contains the device description framework (DDF) for the B
                          require reinstallation of Windows.
                          Note: This policy takes effect only if "RequireDeviceEncryption" policy is set to 1.
                          The format is integer.
-                         The expected values for this policy are: 
+                         The expected values for this policy are:
 
                          1 = This is the default, when the policy is not set. Warning prompt and encryption notification is allowed.
                          0 = Disables the warning prompt and encryption notification. Starting in Windows 10, next major update, 
@@ -623,7 +623,7 @@ The following XML file contains the device description framework (DDF) for the B
                          If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDeviceEncryption" policy will not try to encrypt drive(s) if a standard user
                          is the current logged on user in the system.
 
-                         The expected values for this policy are: 
+                         The expected values for this policy are:
 
                          1 = "RequireDeviceEncryption" policy will try to enable encryption on all fixed drives even if a current logged in user is standard user.
                          0 = This is the default, when the policy is not set. If current logged on user is a standard user, "RequireDeviceEncryption" policy
@@ -741,7 +741,7 @@ The policy only comes into effect when Active Directory backup for a recovery pa
 
 * status\RotateRecoveryPasswordsStatus 
                               * status\RotateRecoveryPasswordsRequestID
-                          
+                        
 
 
 Supported Values: String form of request ID. Example format of request ID is GUID. Server can choose the format as needed according to the management tools.\

education/windows/images/wcd/setedupolicies.PNG renamed to education/windows/images/wcd/setedupolicies.png

@@ -934,7 +934,7 @@ If you disable or do not configure this policy setting, the PIN recovery secret
               <Replace />
             </AccessType>
             <DefaultValue>False</DefaultValue>
-            <Description>Windows Hello for Business can use certificates to authenticate to on-premise resources. 
+            <Description>Windows Hello for Business can use certificates to authenticate to on-premise resources.
 
 If you enable this policy setting, Windows Hello for Business will wait until the device has received a certificate payload from the mobile device management server before provisioning a PIN.
 

education/windows/images/wcd/wcd_settings_assignedaccess.PNG renamed to education/windows/images/wcd/wcd_settings_assignedaccess.png

@@ -37,7 +37,7 @@ If set to 1 then any MDM policy that's set that has an equivalent GP policy will
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 
 > [!NOTE]
-> MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs such as the [Defender CSP](defender-csp.md). Nor does it apply to the [Update Policy CSP](policy-csp-update.md) for managing Windows updates. 
+> MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs such as the [Defender CSP](defender-csp.md). Nor does it apply to the [Update Policy CSP](policy-csp-update.md) for managing Windows updates.
 
 This policy is used to ensure that MDM policy wins over GP when policy is configured on MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1.
 

education/windows/index.yml

@@ -267,7 +267,7 @@ Resource URI for which access is being requested by the Mopria discovery client
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 This policy must target ./User, otherwise it fails.
 
-The default value is an empty string. Otherwise, the value should contain a URL. 
+The default value is an empty string. Otherwise, the value should contain a URL.
 
 **Example**:
 

education/windows/set-up-school-pcs-provisioning-package.md

@@ -34,11 +34,11 @@ ms.date: 01/18/2024
 <!-- Description-Source-ADMX -->
 This policy setting controls whether a device will automatically sign in and lock the last interactive user after the system restarts or after a shutdown and cold boot.
 
-This only occurs if the last interactive user didn't sign out before the restart or shutdown. 
+This only occurs if the last interactive user didn't sign out before the restart or shutdown.
 
 If the device is joined to Active Directory or Microsoft Entra ID, this policy only applies to Windows Update restarts. Otherwise, this will apply to both Windows Update restarts and user-initiated restarts and shutdowns.
 
-- If you don't configure this policy setting, it's enabled by default. When the policy is enabled, the user is automatically signed in and the session is automatically locked with all lock screen apps configured for that user after the device boots. 
+- If you don't configure this policy setting, it's enabled by default. When the policy is enabled, the user is automatically signed in and the session is automatically locked with all lock screen apps configured for that user after the device boots.
 
 After enabling this policy, you can configure its settings through the ConfigAutomaticRestartSignOn policy, which configures the mode of automatically signing in and locking the last interactive user after a restart or cold boot .