Merge branch 'main' into release-win11-22h2

2025-06-21 13:23:36 +00:00 · 2022-08-30 14:23:36 -04:00
parent 8c35d0b192 456ec5670f
commit 11b8506502
22 changed files with 285 additions and 141 deletions
--- a/windows/client-management/images/quick-assist-get.png
+++ b/windows/client-management/images/quick-assist-get.png
--- a/windows/client-management/mdm/Language-pack-management-csp.md
+++ b/windows/client-management/mdm/Language-pack-management-csp.md
@ -18,13 +18,13 @@ The table below shows the applicability of Windows:
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
-|Pro|No|Yes|
-|Windows SE|No|Yes|
+|Pro|Yes|Yes|
+|Windows SE|Yes|Yes|
 |Business|No|No|
-|Enterprise|No|Yes|
-|Education|No|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|

-The Language Pack Management CSP allows a direct way to provision languages remotely in Windows. MDMs like Intune can use management commands remotely to devices to configure language-related settings for System and new users.
+The Language Pack Management CSP allows a way to easily add languages and related language features and manage settings like System Preferred UI Language, System Locale, Input method (Keyboard), Locale, Speech Recognizer, User Preferred Language List. This CSP can be accessed using the new [LanguagePackManagement](/powershell/module/languagepackmanagement) PowerShell module.

 1. Enumerate installed languages and features with GET command on the "InstalledLanguages" node. Below are the samples:

@ -95,4 +95,4 @@ The Language Pack Management CSP allows a direct way to provision languages remo

 ## Related topics

-[Configuration service provider reference](configuration-service-provider-reference.md)
+[Configuration service provider reference](configuration-service-provider-reference.md)
--- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md
+++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
@ -33,6 +33,9 @@ manager: aaroncz
    <a href="#remotedesktopservices-donotallowpasswordsaving">RemoteDesktopServices/DoNotAllowPasswordSaving</a>
  </dd>
  <dd>
+  <dd>
+    <a href="#remotedesktopservices-donotallowwebauthnredirection">RemoteDesktopServices/DoNotAllowWebAuthnRedirection</a>
+  </dd>
    <a href="#remotedesktopservices-promptforpassworduponconnection">RemoteDesktopServices/PromptForPasswordUponConnection</a>
  </dd>
  <dd>
@ -130,7 +133,7 @@ ADMX Info:

 <!--/Scope-->
 <!--Description-->
-Specifies whether it require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you're using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) isn't recommended. This policy doesn't apply to SSL encryption.
+Specifies whether it requires the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you're using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) isn't recommended. This policy doesn't apply to SSL encryption.

 If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the encryption method specified in this setting. By default, the encryption level is set to High. The following encryption methods are available:

@ -257,6 +260,56 @@ ADMX Info:

 <hr/>

+<!--Policy-->
+<a href="" id="remotedesktopservices-donotallowwebauthnredirection"></a>**RemoteDesktopServices/DoNotAllowWebAuthnRedirection**  
+
+<!--SupportedSKUs-->
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+This policy setting lets you control the redirection of web authentication (WebAuthn) requests from a Remote Desktop session to the local device. This redirection enables users to authenticate to resources inside the Remote Desktop session using their local authenticator (e.g., Windows Hello for Business, security key, or other).
+
+By default, Remote Desktop allows redirection of WebAuthn requests.
+
+If you enable this policy setting, users can’t use their local authenticator inside the Remote Desktop session.
+
+If you disable or do not configure this policy setting, users can use local authenticators inside the Remote Desktop session.
+
+If you don't configure this policy setting, users can use local authenticators inside the Remote Desktop session.
+<!--/Description-->
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP Friendly name: *Do not allow WebAuthn redirection*
+-   GP name: *TS_WEBAUTHN*
+-   GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource Redirection*
+-   GP ADMX file name: *terminalserver.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+
+<hr/>
+
 <!--Policy-->
 <a href="" id="remotedesktopservices-promptforpassworduponconnection"></a>**RemoteDesktopServices/PromptForPasswordUponConnection**  

@ -367,4 +420,4 @@ ADMX Info:

 ## Related topics

-[Policy configuration service provider](policy-configuration-service-provider.md)
+[Policy configuration service provider](policy-configuration-service-provider.md)
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@ -138,6 +138,9 @@ ms.collection: highpri
  </dd>
  <dd>
    <a href="#update-managepreviewbuilds">Update/ManagePreviewBuilds</a>
+  </dd> 
+  <dd>
+    <a href="#update-NoUpdateNotificationDuringActiveHours">Update/NoUpdateNotificationDuringActiveHours</a>
  </dd>
  <dd>
    <a href="#update-pausedeferrals">Update/PauseDeferrals</a>
@ -2382,6 +2385,55 @@ The following list shows the supported values:

 <hr/>

+<!--Policy-->
+<a href="" id="update-NoUpdateNotificationDuringActiveHours"></a>**Update/NoUpdateNotificationDuringActiveHours**  
+
+<!--SupportedSKUs-->
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+This policy can be used in conjunction with Update/ActiveHoursStart and Update/ActiveHoursEnd policies to ensure that the end user sees no update notifications during active hours until deadline is reached.  Note - if no active hour period is configured then this will apply to the intelligent active hours window calculated on the device.
+
+Supported value type is a boolean.
+
+0 (Default) This configuration will provide the default behavior (notifications may display during active hours) 
+1: This setting will prevent notifications from displaying during active hours.
+
+<!--/Description-->
+<!--ADMXMapped-->
+ADMX Info:  
+- GP Friendly name: *Display options for update notifications*
+- GP name: *NoUpdateNotificationDuringActiveHours*
+- GP element: *NoUpdateNotificationDuringActiveHours*
+- GP path: *Windows Components\WindowsUpdate\Manage end user experience*
+- GP ADMX file name: *WindowsUpdate.admx*
+<!--/ADMXMapped-->
+
+<!--/Policy-->
+<hr/>
+
+
 <!--Policy-->
 <a href="" id="update-pausedeferrals"></a>**Update/PauseDeferrals**  

--- a/windows/client-management/quick-assist.md
+++ b/windows/client-management/quick-assist.md
@ -10,6 +10,7 @@ ms.author: vinpa
 manager: aaroncz
 ms.reviewer: pmadrigal
 ms.collection: highpri
+ms.date: 08/26/2022
 ---

 # Use Quick Assist to help users
@ -18,7 +19,7 @@ Quick Assist is a Microsoft Store application that enables a person to share the

 ## Before you begin

-All that's required to use Quick Assist is suitable network and internet connectivity. No particular roles, permissions, or policies are involved. Neither party needs to be in a domain. The helper must have a Microsoft account. The sharer doesn't have to authenticate.
+All that's required to use Quick Assist is suitable network and internet connectivity. No roles, permissions, or policies are involved. Neither party needs to be in a domain. The helper must have a Microsoft account. The sharer doesn't have to authenticate.

 > [!NOTE]
 > In case the helper and sharer use different keyboard layouts or mouse settings, the ones from the sharer are used during the session.
@ -35,24 +36,30 @@ Both the helper and sharer must be able to reach these endpoints over port 443:

 | Domain/Name | Description |
 |--|--|
-| `*.support.services.microsoft.com` | Primary endpoint used for Quick Assist application |
-| `*.login.microsoftonline.com` | Required for logging in to the application (Microsoft account) |
-| `*.channelwebsdks.azureedge.net` | Used for chat services within Quick Assist |
-| `*.aria.microsoft.com` | Used for accessibility features within the app |
 | `*.api.support.microsoft.com` | API access for Quick Assist |
-| `*.vortex.data.microsoft.com` | Used for diagnostic data |
+| `*.aria.microsoft.com` | Used for accessibility features within the app |
+| `*.cc.skype.com` | Azure Communication Service for chat and connection between parties |
 | `*.channelservices.microsoft.com` | Required for chat services within Quick Assist |
+| `*.channelwebsdks.azureedge.net` | Used for chat services within Quick Assist |
+| `*.edgeassetservice.azureedge.net` | Used for diagnostic data |
+| `*.flightproxy.skype.com` | Azure Communication Service for chat and connection between parties |
+| `*.login.microsoftonline.com` | Required for logging in to the application (Microsoft account) |
+| `*.monitor.azure.com` | Service Performance Monitoring |
+| `*.registrar.skype.com` | Azure Communication Service for chat and connection between parties. |
 | `*.remoteassistanceprodacs.communication.azure.com` | Azure Communication Services (ACS) technology the Quick Assist app uses. |
+| `*.support.services.microsoft.com` | Primary endpoint used for Quick Assist application |
+| `*.trouter.skype.com` | Azure Communication Service for chat and connection between parties. |
 | `*.turn.azure.com` | Protocol used to help endpoint. |
+| `*.vortex.data.microsoft.com` | Used for diagnostic data |
 | `browser.pipe.aria.microsoft.com` | Required diagnostic data for client and services used by Quick Assist. |
-| `browser.events.data.microsoft.com` | Required diagnostic data for client and services used by Quick Assist. |
-| `ic3.events.data.microsoft.com` | Required diagnostic data for client and services used by Quick Assist. |
+| `edge.skype.com` | Azure Communication Service for chat and connection between parties. |
+| `events.data.microsoft.com` | Required diagnostic data for client and services used by Quick Assist. |

 ## How it works

 1. Both the helper and the sharer start Quick Assist.

-2. The helper selects **Assist another person**. Quick Assist on the helper's side contacts the Remote Assistance Service to obtain a session code. An RCC chat session is established and the helper's Quick Assist instance joins it. The helper then provides the code to the sharer.
+2. The helper selects **Assist another person**. Quick Assist on the helper's side contacts the Remote Assistance Service to obtain a session code. An RCC chat session is established, and the helper's Quick Assist instance joins it. The helper then provides the code to the sharer.

 3. After the sharer enters the code in their Quick Assist app, Quick Assist uses that code to contact the Remote Assistance Service and join that specific session. The sharer's Quick Assist instance joins the RCC chat session.

@ -89,10 +96,11 @@ Either the support staff or a user can start a Quick Assist session.
 1. Support staff ("helper") starts Quick Assist in any of a few ways:

    - Type *Quick Assist* in the search box and press ENTER.
-    - From the Start menu, select **Windows Accessories**, and then select **Quick Assist**.
-    - Type CTRL+Windows+Q
+    - Press **CTRL** + **Windows** + **Q**
+    - For **Windows 10** users, from the Start menu, select **Windows Accessories**, and then choose **Quick Assist**.
+    - For **Windows 11** users, from the Start menu, select **All Apps**, **Windows Tools**, and then choose **Quick Assist**.

-2. In the **Give assistance** section, helper selects **Assist another person**. The helper might be asked to choose their account or sign in. Quick Assist generates a time-limited security code.
+2. In the **Give assistance** section, the helper selects **Assist another person**. The helper might be asked to choose their account or sign in. Quick Assist generates a time-limited security code.

 3. Helper shares the security code with the user over the phone or with a messaging system.

@ -102,9 +110,51 @@ Either the support staff or a user can start a Quick Assist session.

 6. The sharer receives a dialog asking for permission to show their screen or allow access. The sharer gives permission by selecting the **Allow** button.

-## If Quick Assist is missing
+## Install Quick Assist

-If for some reason a user doesn't have Quick Assist on their system or it's not working properly, try to uninstall and reinstall it. For more information, see [Install Quick Assist](https://support.microsoft.com/windows/install-quick-assist-c17479b7-a49d-4d12-938c-dbfb97c88bca).
+### Install Quick Assist from the Microsoft Store
+
+1. Download the new version of Quick Assist by visiting the [Microsoft Store](https://apps.microsoft.com/store/detail/quick-assist/9P7BP5VNWKX5).
+1. In the Microsoft Store, select **Get in Store app**. Then, give permission to install Quick Assist. When the installation is complete, you'll see **Get** change to **Open**.</br> :::image type="content" source="images/quick-assist-get.png" lightbox="images/quick-assist-get.png" alt-text="Microsoft Store window showing the Quick Assist app with a button labeled get in the bottom right corner.":::
+
+For more information, visit [Install Quick Assist](https://support.microsoft.com/windows/install-quick-assist-c17479b7-a49d-4d12-938c-dbfb97c88bca).
+
+### Install Quick Assist with Intune
+
+Before installing Quick Assist, you'll need to set up synchronization between Intune and Microsoft Store for Business. If you've already set up sync, log into [Microsoft Store for Business](https://businessstore.microsoft.com) and skip to step 5.
+
+1. Go to [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/) and navigate to **Tenant administration** / **Connectors and tokens** / **Microsoft Store for Business** and verify that **Microsoft Store for Business sync** is set to **Enable**.
+1. Using your Global Admin account, log into [Microsoft Store for Business](https://businessstore.microsoft.com).
+1. Select **Manage** / **Settings** and turn on **Show offline apps**.
+1. Choose the **Distribute** tab and verify that **Microsoft Intune** is **Active**. You may need to use the **+Add management tool** link if it's not.
+1. Search for **Quick Assist** and select it from the Search results.
+1. Choose the **Offline** license and select **Get the app**
+1. From the Intune portal (Endpoint Manager admin center) choose **Sync**.
+1. Navigate to **Apps** / **Windows** and you should see **Quick Assist (Offline)** in the list.
+1. Select it to view its properties. By default, the app won't be assigned to anyone or any devices, select the **Edit** link.
+1. Assign the app to the required group of devices and choose **Review + save** to complete the application install.
+
+> [!NOTE]
+> Assigning the app to a device or group of devices instead of a user is important because it's the only way to install a store app in device context.
+
+Visit [Add Microsoft Store apps to Microsoft Intune](/mem/intune/apps/store-apps-windows) for more information.
+
+### Install Quick Assist Offline
+
+To install Quick Assist offline, you'll need to download your APPXBUNDLE and unencoded XML file from [Microsoft Store for Business](https://businessstore.microsoft.com). Visit [Download an offline-licensed app](/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app) for more information.
+
+1. Start **Windows PowerShell** with Administrative privileges.
+1. In PowerShell, change the directory to the location you've saved the file to in step 1. (CD &#x3C;*location of package file*&#x3E;)
+1. Run the following command to install Quick Assist: </br>*Add-appxprovisionedpackage -online -PackagePath "MicrosoftCorporationII.QuickAssist_2022.509.2259.0_neutral___8wekyb3d8bbwe.AppxBundle" -LicensePath "MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe_4bc27046-84c5-8679-dcc7-d44c77a47dd0.xml"*
+1. After Quick Assist has installed, run this command: </br>_Get-appxpackage \*QuickAssist* -alluser_
+
+After running the command, you'll see Quick Assist 2.X is installed for the user.
+
+## Microsoft Edge WebView2
+
+The Microsoft Edge WebView2 is a development control that uses Microsoft Edge as the rendering engine to display web content in native apps. The new Quick Assist app is written using this control and is required. For Windows 11 users, this runtime control is built in. For Windows 10 users, the Quick Assist Store app will detect if WebView2 is present on launch and if necessary, it will be installed automatically. If an error message or prompt is shown indicating WebView2 isn't present, it will need to be installed separately.
+
+For more information on distributing and installing Microsoft Edge WebView2, visit [Distribute your app and the WebView2 Runtime](/microsoft-edge/webview2/concepts/distribution)

 ## Next steps