From 1fa13d7a8ef95e9998642707fc60340affa8e516 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Fri, 26 Aug 2022 11:38:22 -0700 Subject: [PATCH 1/6] Update use-windows-defender-application-control-with-intelligent-security-graph.md --- ...control-with-intelligent-security-graph.md | 71 +++++++------------ 1 file changed, 26 insertions(+), 45 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md index 0adc4cb74e..4903413ee2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md 
@@ -30,31 +30,33 @@ ms.technology: windows-sec Application control can be difficult to implement in organizations that don't deploy and manage applications through an IT-managed system. In such environments, users can acquire the applications they want to use for work, making it hard to build an effective application control policy. -Beginning with Windows 10, version 1709, you can set an option to automatically allow applications that the Microsoft Intelligent Security Graph recognizes as having known good reputation. The ISG option helps organizations begin to implement application control even when the organization has limited control over their app ecosystem. To learn more about the Microsoft Intelligent Security Graph, see the Security section in [Major services and features in Microsoft Graph](/graph/overview-major-services). +To reduce end-user friction and helpdesk calls, you can set Windows Defender Application Control (WDAC) to automatically allow applications that Microsoft's Intelligent Security Graph (ISG) recognizes as having known good reputation. The ISG option helps organizations begin to implement application control even when the organization has limited control over their app ecosystem. To learn more about the ISG, see the Security section in [Major services and features in Microsoft Graph](/graph/overview-major-services). -## How does the integration between WDAC and the Intelligent Security Graph work? +> [!WARNING] +> Binaries that are critical to boot the system must be allowed using explicit rules in your WDAC policy. Do not rely on the ISG to authorize these files. +> +> The ISG option is not the recommended way to allow apps that are business critical. You should always authorize business critical apps using explicit allow rules or by installing them with a [managed installer](/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer). 
-The ISG uses the same vast security intelligence and machine learning analytics that power Microsoft Defender SmartScreen and Microsoft Defender Antivirus to help classify applications as having "known good," "known bad," or "unknown" reputation. When a binary runs on a system, with Windows Defender Application Control (WDAC) enabled with the ISG option, WDAC checks the file's reputation, by sending its hash and signing information to the cloud. If the ISG reports that the file has a "known good" reputation, the $KERNEL.SMARTLOCKER.ORIGINCLAIM kernel Extended Attribute (EA) is written to the file. +## How does WDAC work with the ISG? -If your WDAC policy doesn't have an explicit rule to allow or deny a binary to run, then WDAC will make a call to the cloud to determine whether the binary is familiar and safe. However, if your policy already authorizes or denies the binary, then WDAC won't make a call to the cloud. +The ISG isn't a "list" of apps. Rather, it uses the same vast security intelligence and machine learning analytics that power Microsoft Defender SmartScreen and Microsoft Defender Antivirus to help classify applications as having "known good", "known bad", or "unknown" reputation. This cloud-based AI is based on trillions of signals collected from Windows endpoints and other data sources, and processed every 24 hours. As a result, the decision from the cloud can change. -If the file with good reputation is an application installer, its reputation will pass along to any files that it writes to disk. This way, all the files needed to install and run an app inherit the positive reputation data from the installer. +WDAC only checks the ISG for binaries that aren't explicitly allowed or denied by your policy, and that weren't installed by a managed installer. When such a binary runs on a system with WDAC enabled with the ISG option, WDAC will check the file's reputation by sending its hash and signing information to the cloud. 
If the ISG reports that the file has a "known good" reputation, then the file will be allowed to run. Otherwise, it will be blocked by WDAC. -WDAC periodically re-queries the reputation data on a file. Additionally, enterprises can specify that any cached reputation results are flushed on reboot by using the **Enabled:Invalidate EAs on Reboot** option. +If the file with good reputation is an application installer, the installer's reputation will pass along to any files that it writes to disk. This way, all the files needed to install and run an app inherit the positive reputation data from the installer. Files authorized based on the installer's reputation will have the $KERNEL.SMARTLOCKER.ORIGINCLAIM kernel Extended Attribute (EA) written to the file. ->[!NOTE] ->Admins should make sure there is a Windows Defender Application Control policy in place to allow the system to boot and run any other authorized applications that may not be classified as being known good by the Intelligent Security Graph, such as custom line-of-business (LOB) apps. Since the Intelligent Security Graph is powered by global prevalence data, internal LOB apps may not be recognized as being known good. Other mechanisms like managed installer and explicit rules will help cover internal applications. Both Microsoft Endpoint Configuration Manager and Microsoft Endpoint Manager Intune can be used to create and push a WDAC policy to your client machines. +WDAC periodically requeries the reputation data on a file. Additionally, enterprises can specify that any cached reputation results are flushed on reboot by using the **Enabled:Invalidate EAs on Reboot** option. -## Configuring Intelligent Security Graph authorization for Windows Defender Application Control +## Configuring ISG authorization for your WDAC policy -Setting up the ISG is easy using any management solution you wish. 
Configuring the Microsoft Intelligent Security Graph option involves these basic steps: +Setting up the ISG is easy using any management solution you wish. Configuring the ISG option involves these basic steps: -- [Ensure that the Microsoft Intelligent Security Graph option is enabled in the WDAC policy XML](#ensure-that-the-intelligent-security-graph-option-is-enabled-in-the-wdac-policy-xml) -- [Enable the necessary services to allow WDAC to use the Microsoft Intelligent Security Graph correctly on the client](#enable-the-necessary-services-to-allow-wdac-to-use-the-isg-correctly-on-the-client) +- [Ensure that the **Enabled:Intelligent Security Graph authorization** option is set in the WDAC policy XML](#ensure-that-the-intelligent-security-graph-option-is-enabled-in-the-wdac-policy-xml) +- [Enable the necessary services to allow WDAC to use the ISG correctly on the client](#enable-the-necessary-services-to-allow-wdac-to-use-the-isg-correctly-on-the-client) -### Ensure that the Intelligent Security Graph option is enabled in the WDAC policy XML +### Ensure that the ISG option is set in the WDAC policy XML -To allow apps and binaries based on the Microsoft Intelligent Security Graph, the **Enabled:Intelligent Security Graph authorization** option must be specified in the Windows Defender Application Control policy. This step can be done with the Set-RuleOption cmdlet. You should also enable the **Enabled:Invalidate EAs on Reboot** option so that ISG results are verified again after each reboot. The ISG option isn't recommended for devices that don't have regular access to the internet. The following example shows both options being set. +To allow apps and binaries based on the Microsoft Intelligent Security Graph, the **Enabled:Intelligent Security Graph authorization** option must be specified in the WDAC policy. This step can be done with the Set-RuleOption cmdlet. 
You should also set the **Enabled:Invalidate EAs on Reboot** option so that ISG results are verified again after each reboot. The ISG option isn't recommended for devices that don't have regular access to the internet. The following example shows both options set. ```xml 
@@ -84,50 +86,29 @@ To allow apps and binaries based on the Microsoft Intelligent Security Graph, th ### Enable the necessary services to allow WDAC to use the ISG correctly on the client -In order for the heuristics used by the ISG to function properly, many components in Windows must be enabled. You can configure these components by running the appidtel executable in `c:\windows\system32`. +In order for the heuristics used by the ISG to function properly, other components in Windows must be enabled. You can configure these components by running the appidtel executable in `c:\windows\system32`. ```console appidtel start ``` -This step isn't required for Windows Defender Application Control policies deployed over MDM, as the CSP will enable the necessary components. This step is also not required when the ISG is configured using Configuration Manager's WDAC integration. +This step isn't required for WDAC policies deployed over MDM, as the CSP will enable the necessary components. This step is also not required when the ISG is configured using Configuration Manager's WDAC integration. -## Security considerations with the Intelligent Security Graph +## Security considerations with the ISG option -Since the Microsoft Intelligent Security Graph is a heuristic-based mechanism, it doesn't provide the same security guarantees that explicit allow or deny rules do. It's best suited where users operate with standard user rights and where a security monitoring solution like Microsoft Defender for Endpoint is used. +Since the ISG is a heuristic-based mechanism, it doesn't provide the same security guarantees as explicit allow or deny rules. It's best suited where users operate with standard user rights and where a security monitoring solution like Microsoft Defender for Endpoint is used. -Processes running with kernel privileges can circumvent WDAC by setting the ISG extended file attribute to make a binary appear to have known good reputation. 
Also, since the ISG option passes along reputation from application installers to the binaries they write to disk, it can over-authorize files in some cases where the installer launches the application upon completion. +Processes running with kernel privileges can circumvent WDAC by setting the ISG extended file attribute to make a binary appear to have known good reputation. -## Using fsutil to query SmartLocker EA -Customers using Windows Defender Application Control (WDAC) with Managed Installer (MI) or Intelligent Security Graph enabled can use fsutil to determine whether a file was allowed to run by one of these features. This verification can be done by querying the EAs on a file using fsutil and looking for the KERNEL.SMARTLOCKER.ORIGINCLAIM EA. The presence of this EA indicates that either MI or ISG allowed the file to run. This EA's presence can be used in conjunction with enabling the MI and ISG logging events. +Also, since the ISG option passes along reputation from app installers to the binaries they write to disk, it can over-authorize files in some cases. For example, if the installer launches the app upon completion, any files the app writes during that first run will also be allowed. -#### Example +## Known limitations with using the ISG -```console -fsutil file queryEA C:\Users\Temp\Downloads\application.exe +Since the ISG only allows binaries that are "known good", there are cases where the ISG may be unable to predict whether legitimate software is safe to run. If that happens, the software will be blocked by WDAC. In this case, you need to allow the software with a rule in your WDAC policy, deploy a catalog signed by a certificate trusted in the WDAC policy, or install the software from a WDAC managed installer. Installers or applications that dynamically create binaries at runtime, and self-updating applications, may exhibit this symptom. 
-Extended Attributes (EA) information for file C:\Users\Temp\Downloads\application.exe: - -Ea Buffer Offset: 410 -Ea Name: $KERNEL.SMARTLOCKER.ORIGINCLAIM -Ea Value Length: 7e -0000: 01 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 ................ -0010: b2 ff 10 66 bc a8 47 c7 00 d9 56 9d 3d d4 20 2a ...f..G...V.=. * -0020: 63 a3 80 e2 d8 33 8e 77 e9 5c 8d b0 d5 a7 a3 11 c....3.w.\...... -0030: 83 00 00 00 00 00 00 00 5c 00 00 00 43 00 3a 00 ........\...C.:. -0040: 5c 00 55 00 73 00 65 00 72 00 73 00 5c 00 6a 00 \.U.s.e.r.s.\.T. -0050: 6f 00 67 00 65 00 75 00 72 00 74 00 65 00 2e 00 e.m.p..\D.o.w.n... -0060: 52 00 45 00 44 00 4d 00 4f 00 4e 00 44 00 5c 00 l.o.a.d.\a.p.p.l. -0070: 44 00 6f 00 77 00 6e 00 6c 00 6f 00 61 00 64 i.c.a.t.i.o.n..e.x.e -``` - -## Known limitations with using the Intelligent Security Graph - -Since the ISG only allows binaries that are known good, there are cases where legitimate software may be unknown to the ISG and will be blocked by Windows Defender Application Control (WDAC). In this case, you need to allow the software with a rule in your WDAC policy, deploy a catalog signed by a certificate trusted in the WDAC policy, or install the software from a WDAC managed installer. Installers or applications that dynamically create binaries at runtime, and self-updating applications, may exhibit this symptom. - -Packaged apps aren't supported with the Microsoft Intelligent Security Graph heuristics and will need to be separately authorized in your WDAC policy. Since packaged apps have a strong app identity and must be signed, it's straightforward to authorize these apps with your WDAC policy. +Packaged apps aren't supported with the ISG and will need to be separately authorized in your WDAC policy. 
Since packaged apps have a strong app identity and must be signed, it's straightforward to [authorize packaged apps](/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control) with your WDAC policy. The ISG doesn't authorize kernel mode drivers. The WDAC policy must have rules that allow the necessary drivers to run. > [!NOTE] -> A rule that explicitly denies or allows a file will take precedence over that file's reputation data. Microsoft Endpoint Manager Intune's built-in Windows Defender Application Control support includes the option to trust apps with good reputation via the Microsoft Intelligent Security Graph, but it has no option to add explicit allow or deny rules. In most circumstances, customers enforcing application control need to deploy a custom WDAC policy (which can include the Microsoft Intelligent Security Graph option if desired) using [Intune's OMA-URI functionality](deployment/deploy-windows-defender-application-control-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri). +> A rule that explicitly denies or allows a file will take precedence over that file's reputation data. Microsoft Endpoint Manager Intune's built-in WDAC support includes the option to trust apps with good reputation via the ISG, but it has no option to add explicit allow or deny rules. In most cases, customers using application control will need to deploy a custom WDAC policy (which can include the ISG option if desired) using [Intune's OMA-URI functionality](deployment/deploy-windows-defender-application-control-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri). From 7fd3e92a8292c7af5fc92d2fa2f2bdfc06565880 Mon Sep 17 00:00:00 2001 
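Review bot: in the first hunk of 1/6 (@@ -30,31 +30,33 @@), the step list still links to `#ensure-that-the-intelligent-security-graph-option-is-enabled-in-the-wdac-policy-xml`, but the same hunk renames that heading to `### Ensure that the ISG option is set in the WDAC policy XML`, so the in-page anchor is dangling at this commit; update the fragment here rather than in a later patch so each commit in the series builds cleanly. Two smaller points in the same hunk: the minimum-version statement ("Beginning with Windows 10, version 1709") is dropped with no replacement, so either keep it or point readers to the feature availability page; and the rewritten paragraph now says the $KERNEL.SMARTLOCKER.ORIGINCLAIM EA is written only to files authorized through an installer's reputation, while the next paragraph still describes cached reputation results being flushed by **Enabled:Invalidate EAs on Reboot**, which leaves it unclear whether directly ISG-authorized files carry the EA too. Please state that explicitly either way.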
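Review bot: the second hunk of 1/6 (@@ -84,50 +86,29 @@) deletes the whole `## Using fsutil to query SmartLocker EA` section, including the `fsutil file queryEA` example, which was the only procedure on this page for confirming that ISG or managed installer allowed a file, while the first hunk still tells readers that such files receive the $KERNEL.SMARTLOCKER.ORIGINCLAIM EA. Either keep a one-line `fsutil file queryEA <path>` pointer (for example under the new `## Known limitations with using the ISG` section) or link to wherever that content moved, so admins troubleshooting a block can still check the EA. If the example is restored, regenerate it from a real capture: in the removed dump the hex bytes of the path and the ASCII column beside them do not agree, which suggests the dump was hand-edited.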
From: jsuther1974 Date: Fri, 26 Aug 2022 11:58:01 -0700 Subject: [PATCH 2/6] Fixed broken links and improved acrolinx scores --- .../create-wdac-deny-policy.md | 2 +- ...te-wdac-policy-for-lightly-managed-devices.md | 16 ++++++++-------- ...on-control-with-intelligent-security-graph.md | 2 +- 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md index cd197228e8..c15d853296 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md 
@@ -45,7 +45,7 @@ To create effective Windows Defender Application Control deny policies, it's cru 5. If no rule exists for the file and it's not allowed based on ISG or MI, then the file is blocked implicitly. > [!NOTE] -> If your Windows Defender Application Control policy does not have an explicit rule to allow or deny a binary to run, then WDAC will make a call to the cloud to determine whether the binary is familiar and safe. However, if your policy already authorizes or denies the binary, then WDAC will not make a call to the cloud. For more details, see [How does the integration between WDAC and the Intelligent Security Graph work?](use-windows-defender-application-control-with-intelligent-security-graph.md#how-does-the-integration-between-wdac-and-the-intelligent-security-graph-work). +> If your Windows Defender Application Control policy does not have an explicit rule to allow or deny a binary to run, then WDAC will make a call to the cloud to determine whether the binary is familiar and safe. However, if your policy already authorizes or denies the binary, then WDAC will not make a call to the cloud. For more details, see [How does the integration between WDAC and the Intelligent Security Graph work?](/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph#how-does-wdac-work-with-the-isg). ## Interaction with Existing Policies diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md index 9cb8de44f4..2ef75b15be 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md 
@@ -30,14 +30,14 @@ ms.technology: windows-sec >[!NOTE] >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). -This section outlines the process to create a Windows Defender Application Control (WDAC) policy for **lightly managed devices** within an organization. Typically, organizations that are new to application control will be most successful if they start with a permissive policy like the one described in this topic. Organizations can choose to harden the policy over time to achieve a stronger overall security posture on their WDAC-managed devices as described in later topics. +This section outlines the process to create a Windows Defender Application Control (WDAC) policy for **lightly managed devices** within an organization. Typically, organizations that are new to application control will be most successful if they start with a permissive policy like the one described in this article. Organizations can choose to harden the policy over time to achieve a stronger overall security posture on their WDAC-managed devices as described in later articles. > [!NOTE] > Some of the Windows Defender Application Control options described in this topic are only available on Windows 10 version 1903 and above, or Windows 11. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs. -As in the [previous topic](types-of-devices.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. 
Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices. +As in the [previous article](types-of-devices.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices. -**Alice Pena** is the IT team lead tasked with the rollout of WDAC. Recognizing where Lamna is starting from, with loose application usage policies and a culture of maximum app flexibility for users, Alice knows that she'll need to take an incremental approach to application control and use different policies for different workloads. +**Alice Pena** is the IT team lead tasked with the rollout of WDAC. Recognizing that Lamna currently has loose application usage policies and a culture of maximum app flexibility for users, Alice knows she'll need to take an incremental approach to application control and use different policies for different workloads. For most users and devices, Alice wants to create an initial policy that is as relaxed as possible in order to minimize user productivity impact, while still providing security value. @@ -112,7 +112,7 @@ Alice follows these steps to complete this task: Set-RuleOption -FilePath $LamnaPolicy -Option 19 # Dynamic Code Security ``` -6. Add rules to allow windir and Program Files directories: +6. Add rules to allow the Windows and Program Files directories: ```powershell $PathRules += New-CIPolicyRule -FilePathRule "%windir%\*" 
@@ -133,7 +133,7 @@ Alice follows these steps to complete this task: ConvertFrom-CIPolicy $LamnaPolicy $WDACPolicyBin ``` -9. Upload your base policy XML and the associated binary to a source control solution such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration). +9. Upload your base policy XML and the associated binary to a source control solution such as [GitHub](https://github.com/), or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration). At this point, Alice now has an initial policy that is ready to deploy in audit mode to the managed clients within Lamna. @@ -142,7 +142,7 @@ At this point, Alice now has an initial policy that is ready to deploy in audit In order to minimize user productivity impact, Alice has defined a policy that makes several trade-offs between security and user app flexibility. Some of the trade-offs include: - **Users with administrative access**
- By far the most impactful security trade-off, this trade-off allows the device user (or malware running with the user's privileges) to modify or remove altogether the WDAC policy applied on the device. Additionally, administrators can configure any app they wish to operate as a managed installer that would allow them to gain persistent app authorization for whatever apps or binaries they wish. + This is by far the most impactful security trade-off and allows the device user, or malware running with the user's privileges, to modify or remove the WDAC policy on the device. Additionally, administrators can configure any app to act as a managed installer, which would allow them to gain persistent app authorization for whatever apps or binaries they wish. Possible mitigations: - Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies. @@ -161,10 +161,10 @@ In order to minimize user productivity impact, Alice has defined a policy that m - Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer. - Limit who can elevate to administrator on the device. - **Intelligent Security Graph (ISG)**
- See [security considerations with the Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md#security-considerations-with-the-intelligent-security-graph) + See [security considerations with the Intelligent Security Graph](/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph#security-considerations-with-the-isg-option) Possible mitigations: - - Implement policies requiring apps are managed by IT; audit existing app usage and deploy authorized apps using a software distribution solution such as Microsoft Endpoint Manager; move from ISG to managed installer or signature-based rules. + - Implement policies requiring that apps are managed by IT; audit existing app usage and deploy authorized apps using a software distribution solution such as Microsoft Endpoint Manager; move from ISG to managed installer or signature-based rules. - Use a restrictive audit mode policy to audit app usage and augment vulnerability detection. - **Supplemental policies**
Supplemental policies are designed to relax the associated base policy. Additionally allowing unsigned policies allows any administrator process to expand the "circle-of-trust" defined by the base policy without restriction. diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md index 4903413ee2..e430a2a554 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md @@ -51,7 +51,7 @@ WDAC periodically requeries the reputation data on a file. Additionally, enterpr Setting up the ISG is easy using any management solution you wish. Configuring the ISG option involves these basic steps: -- [Ensure that the **Enabled:Intelligent Security Graph authorization** option is set in the WDAC policy XML](#ensure-that-the-intelligent-security-graph-option-is-enabled-in-the-wdac-policy-xml) +- [Ensure that the **Enabled:Intelligent Security Graph authorization** option is set in the WDAC policy XML](#ensure-that-the-isg-option-is-set-in-the-wdac-policy-xml) - [Enable the necessary services to allow WDAC to use the ISG correctly on the client](#enable-the-necessary-services-to-allow-wdac-to-use-the-isg-correctly-on-the-client) ### Ensure that the ISG option is set in the WDAC policy XML From 5928f5434daa6bc0c4972332e2d1eb989e50a4a6 Mon Sep 17 00:00:00 2001 
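Review bot: in the create-wdac-deny-policy.md hunk of 2/6 (@@ -45,7 +45,7 @@), the link text is left as "How does the integration between WDAC and the Intelligent Security Graph work?" although the target heading is now "How does WDAC work with the ISG?"; update the text to match. The URL is also switched from a relative `use-windows-defender-application-control-with-intelligent-security-graph.md#...` link to a root-relative `/windows/security/threat-protection/...` path, which is inconsistent with the other same-folder links in these files (`feature-availability.md`, `types-of-devices.md`); a relative `.md` link carrying the new fragment `#how-does-wdac-work-with-the-isg` keeps the link checkable against the file next to it.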
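Review bot: in the create-wdac-policy-for-lightly-managed-devices.md hunk at @@ -30,14 +30,14 @@, "topic" is changed to "article" in the paragraphs above and below the note, but the note between them still reads "described in this topic" and "When using this topic", so the terminology is now mixed within one screenful; change those two occurrences in the same hunk.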
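Review bot: the @@ -161,10 +161,10 @@ hunk has the same link concern as the deny-policy hunk: the ISG reference now points at `/windows/security/threat-protection/...#security-considerations-with-the-isg-option` while the link text still says "security considerations with the Intelligent Security Graph"; prefer the relative `.md` form used elsewhere in this file and align the text with the renamed heading "Security considerations with the ISG option".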
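Review bot: the use-windows-defender-application-control-with-intelligent-security-graph.md hunk at @@ -51,7 +51,7 @@ only repairs the fragment (`#ensure-that-the-isg-option-is-set-in-the-wdac-policy-xml`) that 1/6 broke when it renamed the heading; squash this line into 1/6 so no intermediate commit ships a dangling in-page link.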
From: Nick White <104782157+nicholasswhite@users.noreply.github.com> Date: Fri, 26 Aug 2022 15:16:20 -0400 Subject: [PATCH 3/6] Updated per Task 6179346 --- .../images/quick-assist-get.png | Bin 0 -> 6296 bytes windows/client-management/quick-assist.md | 78 ++++++++++++++---- 2 files changed, 64 insertions(+), 14 deletions(-) create mode 100644 windows/client-management/images/quick-assist-get.png 
diff --git a/windows/client-management/images/quick-assist-get.png b/windows/client-management/images/quick-assist-get.png new file mode 100644 index 0000000000000000000000000000000000000000..fc7ccdd1a400415e70391b6d06280aabcf8025fc GIT binary patch literal 6296 zcmZ{pWmME%^zR301O}vQV2}_2DHVwyozfvlcZakv14udyNC?s}w4}5k7Tqy)qY{!s zIn0pC<+wEUzZ}$GIbIv+QeO+}b3RVgb2t=i+p<)OE-2y-$0yZ+j z8->KMH}*#OtFLXWdVPJ3#bR$nkU45^Z;y?Qjg^%Zq!ft5;pko7CnqO^9@`8J4Vjyp zf9RS@PfwTePOq=8fBW_=hiPm_M~Abs^V!*1Qc{w%wDj}nvXGFF(ZvlrJG)1Z9<8pf z9vmEQ`GS^~mIAVxsi~<`K6ICrmEFI8KR-Vo4u@Y}UVi%Y>F?jaGcz-8Zf=^Int_3V zb#-+nCMFXT6D1`j@$vCrN0)y6`sMHMPia#8?c2AwxHx`({)>wXuzvdP?(X{fI*rbo z+1XiY<6Nb&v;L)BNlD3-l@%)8)TpQ^H8r*Q`2|YD9BQrjTeoh>591m}S1T$i6ciN5 z$;pX{iPv|JAUT`fMFY*v%{#AHR3|RQzZ`#@{HYn7&!`hitsbtrcqKW2|MTb1*47qN z#ulXbH(lB~4dNF#`6p$}@@?BnRAC7sIqQyb8l6EByIK&3k`EmnoyN-b>FFt`^iZ@F zbGLkVWMqWOs#MB7pVlNx&@PciGloaj{*ONQtIwe8HjvcN*`vM_-l~1B(yfe~LguFt z*iWxmH9|QRJfLzej*gBDl^4o$=aLFr+fPby1Todr+(K-_{`z+iPX7OKB}drriRMC1V4~ZYnXA;kwp0{ z{;{r~x3~ABr(RZ8R?5oCA|fJstJgpuM*8cXK;_os%HIqrE5lREjYG@KsHMuD1(L8? 
diff --git a/windows/client-management/quick-assist.md b/windows/client-management/quick-assist.md index b648d8d7c1..860093a2ff 100644 --- a/windows/client-management/quick-assist.md +++ b/windows/client-management/quick-assist.md @@ -10,6 +10,7 @@ ms.author: vinpa manager: aaroncz ms.reviewer: pmadrigal ms.collection: highpri +ms.date: 08/26/2022 --- # Use Quick Assist to help users
@@ -18,7 +19,7 @@ Quick Assist is a Microsoft Store application that enables a person to share the ## Before you begin -All that's required to use Quick Assist is suitable network and internet connectivity. No particular roles, permissions, or policies are involved. Neither party needs to be in a domain. The helper must have a Microsoft account. The sharer doesn't have to authenticate. +All that's required to use Quick Assist is suitable network and internet connectivity. No roles, permissions, or policies are involved. Neither party needs to be in a domain. The helper must have a Microsoft account. The sharer doesn't have to authenticate. > [!NOTE] > In case the helper and sharer use different keyboard layouts or mouse settings, the ones from the sharer are used during the session. 
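Review bot: "No roles, permissions, or policies are involved" overstates what the rest of this same PR shows: the new "Install Quick Assist with Intune" section requires a Global Admin account and an Intune/Store for Business sync, and the endpoint table requires outbound port 443 to every host it lists. Suggest scoping the sentence to the session itself, for example "No particular roles, permissions, or policies are needed to start or join a session", and keep the two security-relevant facts that follow exactly as written (the helper must sign in with a Microsoft account; the sharer is never authenticated, so the session code read out over the phone is the only gate on who gets screen access).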
@@ -35,24 +36,30 @@ Both the helper and sharer must be able to reach these endpoints over port 443: | Domain/Name | Description | |--|--| -| `*.support.services.microsoft.com` | Primary endpoint used for Quick Assist application | -| `*.login.microsoftonline.com` | Required for logging in to the application (Microsoft account) | -| `*.channelwebsdks.azureedge.net` | Used for chat services within Quick Assist | -| `*.aria.microsoft.com` | Used for accessibility features within the app | | `*.api.support.microsoft.com` | API access for Quick Assist | -| `*.vortex.data.microsoft.com` | Used for diagnostic data | +| `*.aria.microsoft.com` | Used for accessibility features within the app | +| `*.cc.skype.com` | Azure Communication Service for chat and connection between parties | | `*.channelservices.microsoft.com` | Required for chat services within Quick Assist | +| `*.channelwebsdks.azureedge.net` | Used for chat services within Quick Assist | +| `*.edgeassetservice.azureedge.net` | Used for diagnostic data | +| `*.flightproxy.skype.com` | Azure Communication Service for chat and connection between parties | +| `*.login.microsoftonline.com` | Required for logging in to the application (Microsoft account) | +| `*.monitor.azure.com` | Service Performance Monitoring | +| `*.registrar.skype.com` | Azure Communication Service for chat and connection between parties. | | `*.remoteassistanceprodacs.communication.azure.com` | Azure Communication Services (ACS) technology the Quick Assist app uses. | +| `*.support.services.microsoft.com` | Primary endpoint used for Quick Assist application | +| `*.trouter.skype.com` | Azure Communication Service for chat and connection between parties. | | `*.turn.azure.com` | Protocol used to help endpoint. | +| `*.vortex.data.microsoft.com` | Used for diagnostic data | | `browser.pipe.aria.microsoft.com` | Required diagnostic data for client and services used by Quick Assist. 
| -| `browser.events.data.microsoft.com` | Required diagnostic data for client and services used by Quick Assist. | -| `ic3.events.data.microsoft.com` | Required diagnostic data for client and services used by Quick Assist. | +| `edge.skype.com` | Azure Communication Service for chat and connection between parties. | +| `events.data.microsoft.com` | Required diagnostic data for client and services used by Quick Assist. | ## How it works 1. Both the helper and the sharer start Quick Assist. -2. The helper selects **Assist another person**. Quick Assist on the helper's side contacts the Remote Assistance Service to obtain a session code. An RCC chat session is established and the helper's Quick Assist instance joins it. The helper then provides the code to the sharer. +2. The helper selects **Assist another person**. Quick Assist on the helper's side contacts the Remote Assistance Service to obtain a session code. An RCC chat session is established, and the helper's Quick Assist instance joins it. The helper then provides the code to the sharer. 3. After the sharer enters the code in their Quick Assist app, Quick Assist uses that code to contact the Remote Assistance Service and join that specific session. The sharer's Quick Assist instance joins the RCC chat session. 
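Review bot: Replacing `browser.events.data.microsoft.com` and `ic3.events.data.microsoft.com` with a bare `events.data.microsoft.com` narrows the allowlist rather than widening it: an exact-host entry for `events.data.microsoft.com` does not match the `browser.` and `ic3.` subdomains the removed rows named, so anyone who copies this table into a proxy or firewall allowlist may block diagnostics that used to work. If the intent is to cover all of them, write `*.events.data.microsoft.com` the way the other wildcard rows are written. Two smaller points in the same table: `*.aria.microsoft.com` is described as "accessibility features" while `browser.pipe.aria.microsoft.com` is "diagnostic data", and both are Aria telemetry collectors, so the first description needs checking; and "Protocol used to help endpoint." for `*.turn.azure.com` is not a description, since TURN is the media relay used when the two parties cannot connect directly, "TURN relay for the screen-sharing session" would say what it is for. The trailing period is also present on some descriptions and absent on others.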
@@ -89,10 +96,11 @@ Either the support staff or a user can start a Quick Assist session. 1. Support staff ("helper") starts Quick Assist in any of a few ways: - Type *Quick Assist* in the search box and press ENTER. - - From the Start menu, select **Windows Accessories**, and then select **Quick Assist**. - - Type CTRL+Windows+Q + - Press **CTRL** + **Windows** + **Q** + - For Windows 10 users, from the Start menu, select **Windows Accessories**, and then choose **Quick Assist**. + - For Windows 11 users, from the Start menu, select **All Apps**, **Windows Tools**, and then choose **Quick Assist**. -2. In the **Give assistance** section, helper selects **Assist another person**. The helper might be asked to choose their account or sign in. Quick Assist generates a time-limited security code. +2. In the **Give assistance** section, the helper selects **Assist another person**. The helper might be asked to choose their account or sign in. Quick Assist generates a time-limited security code. 3. Helper shares the security code with the user over the phone or with a messaging system. 
@@ -102,9 +110,51 @@ Either the support staff or a user can start a Quick Assist session. 6. The sharer receives a dialog asking for permission to show their screen or allow access. The sharer gives permission by selecting the **Allow** button. -## If Quick Assist is missing +## Install Quick Assist -If for some reason a user doesn't have Quick Assist on their system or it's not working properly, try to uninstall and reinstall it. For more information, see [Install Quick Assist](https://support.microsoft.com/windows/install-quick-assist-c17479b7-a49d-4d12-938c-dbfb97c88bca). +### Install Quick Assist from the Microsoft Store + +1. Download the new version of Quick Assist by visiting the [Microsoft Store](https://apps.microsoft.com/store/detail/quick-assist/9P7BP5VNWKX5). +1. In the Microsoft Store, select **Get in Store app**. Then, give permission to install Quick Assist. When the installation is complete, you'll see **Get** change to **Open**.
:::image type="content" source="images/quick-assist-get.png" lightbox="images/quick-assist-get.png" alt-text="Microsoft Store window showing the Quick Assist app with a button labeled get in the bottom right corner."::: + +For more information, visit [Install Quick Assist](https://support.microsoft.com/windows/install-quick-assist-c17479b7-a49d-4d12-938c-dbfb97c88bca). + +### Install Quick Assist with Intune + +Before installing Quick Assist, you'll need to set up synchronization between Intune and Microsoft Store for Business. If you've already set up sync, log into [Microsoft Store for Business](https://businessstore.microsoft.com) and skip to step 5. + +1. Go to [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/) and navigate to **Tenant administration** / **Connectors and tokens** / **Microsoft Store for Business** and verify that **Microsoft Store for Business sync** is set to **Enable**. +1. Using your Global Admin account, log into [Microsoft Store for Business](https://businessstore.microsoft.com). +1. Select **Manage** / **Settings** and turn on **Show offline apps**. +1. Choose the **Distribute** tab and verify that **Microsoft Intune** is **Active**. You may need to use the **+Add management tool** link if it's not. +1. Search for **Quick Assist** and select it from the Search results. +1. Choose the **Offline** license and select **Get the app** +1. From the Intune portal (Endpoint Manager admin center) choose **Sync**. +1. Navigate to **Apps** / **Windows** and you should see **Quick Assist (Offline)** in the list. +1. Select it to view its properties. By default, the app won't be assigned to anyone or any devices, select the **Edit** link. +1. Assign the app to the required group of devices and choose **Review + save** to complete the application install. + +> [!NOTE] +> Assigning the app to a device or group of devices instead of a user is important because it's the only way to install a store app in device context. 
+ +Visit [Add Microsoft Store apps to Microsoft Intune](https://docs.microsoft.com/mem/intune/apps/store-apps-windows) for more information. + +### Install Quick Assist Offline + +To install Quick Assist offline, you'll need to download your APPXBUNDLE and unecoded XML file from [Microsoft Store for Business](https://businessstore.microsoft.com). Visit [Download an offline-licensed app](https://docs.microsoft.com/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app) for more information. + +1. Start **Windows PowerShell** with Administrative privileges. +1. In PowerShell, change the directory to the location you've saved the file to in step 1. (CD <*location of package file*>) +1. Run the following command to install Quick Assist:
*Add-appxprovisionedpackage -online -PackagePath "MicrosoftCorporationII.QuickAssist_2022.509.2259.0_neutral___8wekyb3d8bbwe.AppxBundle" -LicensePath "MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe_4bc27046-84c5-8679-dcc7-d44c77a47dd0.xml"* +1. After Quick Assist has installed, run this command:
_Get-appxpackage \*QuickAssist* -alluser_ + +After running the command, you'll see Quick Assist 2.X is installed for the user. + +## Microsoft Edge WebView2 + +The Microsoft Edge WebView2 is a development control that uses Microsoft Edge as the rendering engine to display web content in native apps. The new Quick Assist app is written using this control and is required. For Windows 11 users, this runtime control is built in. For Windows 10 users, the Quick Assist Store app will detect if WebView2 is present on launch and if necessary, it will be installed automatically. If an error message or prompt is shown indicating WebView2 isn't present, it will need to be installed separately. + +For more information on distributing and installing Microsoft Edge WebView2, visit [Distribute your app and the WebView2 Runtime](https://docs.microsoft.com/microsoft-edge/webview2/concepts/distribution) ## Next steps From 7ca8d3eeecd6c900fe528bb148ad0942b4714df1 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Fri, 26 Aug 2022 13:47:39 -0700 Subject: [PATCH 4/6] Added user-based license clarity. --- .../prepare/windows-autopatch-prerequisites.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md index abbe0e525e..f5d9508b37 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md 
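Review bot: In "Install Quick Assist Offline", step 2 sends the reader to "the location you've saved the file to in step 1", but step 1 is "Start Windows PowerShell with Administrative privileges"; the download is only described in the intro paragraph, so either make the download step 1 or reword the reference. The two PowerShell commands are set in italics as prose rather than in code blocks, which is why the wildcard had to be escaped as `\*QuickAssist*` and why the release-specific filename `MicrosoftCorporationII.QuickAssist_2022.509.2259.0_neutral___8wekyb3d8bbwe.AppxBundle` reads as if it were fixed. Put them in fenced `powershell` blocks, use the canonical cmdlet and parameter casing (`Add-AppxProvisionedPackage -Online -PackagePath ... -LicensePath ...` and `Get-AppxPackage -Name *QuickAssist* -AllUsers`; `-alluser` only works because PowerShell resolves it as an unambiguous prefix of `-AllUsers`), and say that the bundle and license filenames change per release. Also "unecoded XML file" should be "unencoded", and in the WebView2 section "The new Quick Assist app is written using this control and is required" should name what is required (the WebView2 Runtime).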
@@ -29,7 +29,7 @@ Getting started with Windows Autopatch has been designed to be easy. This articl ## More about licenses -Windows Autopatch is included with Window 10/11 Enterprise E3 or higher. The following are the other licenses that grant entitlement to Windows Autopatch: +Windows Autopatch is included with Window 10/11 Enterprise E3 or higher (user-based only). The following are the service plan SKUs that are eligible for Windows Autopatch: | License | ID | GUID number | | ----- | ----- | ------| From b3821403ba0c50e2201518660f4c47ada3fe4f92 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Fri, 26 Aug 2022 15:11:13 -0700 Subject: [PATCH 5/6] Update configure-authorized-apps-deployed-with-a-managed-installer.md --- ...d-apps-deployed-with-a-managed-installer.md | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md index 3bb07036ab..cb5391c9a3 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md @@ -14,7 +14,7 @@ author: jsuther1974 ms.reviewer: jogeurte ms.author: dansimp manager: dansimp -ms.date: 05/12/2022 +ms.date: 08/26/2022 ms.technology: windows-sec --- 
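Review bot: "Window 10/11 Enterprise E3" is missing the "s" in both the removed and the added line; since the line is being edited anyway, fix it to "Windows 10/11". The new "(user-based only)" parenthetical carries the whole point of the commit, so state the exclusion directly, for example "included with user-based Windows 10/11 Enterprise E3 or higher licenses; device-based licenses are not eligible", and make the new "service plan SKUs" wording match the column headers of the table that follows (License, ID, GUID number).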
@@ -29,21 +29,21 @@ ms.technology: windows-sec > [!NOTE] > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). -Windows 10 (version 1703) introduced a new option for Windows Defender Application Control (WDAC), called _managed installer_, that helps balance security and manageability when enforcing application control policies. This option lets you automatically allow applications installed by a designated software distribution solution such as Microsoft Endpoint Configuration Manager. +Windows Defender Application Control (WDAC) includes an option called **managed installer** that helps balance security and manageability when enforcing application control policies. This option lets you automatically allow applications installed by a designated software distribution solution, such as Microsoft Endpoint Configuration Manager (MEMCM) or Microsoft Intune. ## How does a managed installer work? -Managed installer uses a special rule collection in **AppLocker** to designate binaries that are trusted by your organization as an authorized source for application installation. When one of these trusted binaries runs, Windows monitors the binary's process (and processes it launches) and watches for files being written to disk. As files are written, they're tagged as originating from a managed installer. +Managed installer uses a special rule collection in **AppLocker** to designate binaries that are trusted by your organization as an authorized source for application installation. When one of these trusted binaries runs, Windows monitors the binary's process (and any child processes it launches) and watches for files being written to disk. As files are written, they're tagged as originating from a managed installer. 
You can then configure WDAC to trust files that are installed by a managed installer by adding the "Enabled:Managed Installer" option to your WDAC policy. When that option is set, WDAC will check for managed installer origin information when determining whether or not to allow a binary to run. As long as there are no deny rules for the binary, WDAC will allow it to run based purely on its managed installer origin. ## Security considerations with managed installer -Since managed installer is a heuristic-based mechanism, it doesn't provide the same security guarantees that explicit allow or deny rules do. The managed installer is best suited for use where each user operates as a standard user and where all software is deployed and installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager. +Since managed installer is a heuristic-based mechanism, it doesn't provide the same security guarantees as explicit allow or deny rules do. Managed installer is best suited where users operate as standard user, and where all software is deployed and installed by a software distribution solution such as MEMCM. -Users with administrator privileges, or malware running as an administrator user on the system, may be able to circumvent the intent of Windows Defender Application Control when the managed installer option is allowed. +Users with administrator privileges, or malware running as an administrator user on the system, may be able to circumvent the intent of your WDAC policies when the managed installer option is allowed. -If a managed installer process runs in the context of a user with standard privileges, then it's possible that standard users or malware running as standard user may be able to circumvent the intent of Windows Defender Application Control. 
+If a managed installer process runs in the context of a user with standard privileges, then it's possible that standard users or malware running as standard user may be able to circumvent the intent of your WDAC policies. Some application installers may automatically run the application at the end of the installation process. If the application runs automatically, and the installer was run by a managed installer, then the managed installer's heuristic tracking and authorization will extend to all files that are created during the first run of the application. This extension could result in unintentional authorization of an executable. To avoid that, ensure that the method of application deployment that is used as a managed installer limits running applications as part of installation. 
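Review bot: The new wording "and any child processes it launches" in "How does a managed installer work?" states the property that both circumvention warnings in "Security considerations" rest on but never name: because the managed installer tag propagates to every child process, anything the managed installer can be induced to spawn, not only an installer's post-install auto-run that the last paragraph covers, writes files that WDAC will then allow. Suggest one explicit sentence in the security section, e.g. "Any process launched by a managed installer, and every file that process writes, inherits managed installer authorization", so the admin-user and standard-user warnings have a stated mechanism. Minor: "where users operate as standard user" should be "as standard users".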
@@ -62,9 +62,13 @@ To turn on managed installer tracking, you must: - Create and deploy an AppLocker policy that defines your managed installer rules and enables services enforcement for executables and DLLs. - Enable AppLocker's Application Identity and AppLockerFltr services. +> [!NOTE] +> MEMCM will automatically configure itself as a managed installer, and enable the required AppLocker components, if you deploy one of its inbox WDAC policies. If you are configuring MEMCM as a managed installer using any other method, additional setup is required. Use the [**ManagedInstaller** cmdline switch in your ccmsetup.exe setup](/mem/configmgr/core/clients/deploy/about-client-installation-properties#managedinstaller). Or you can deploy one of the MEMCM inbox audit mode policies alongside your custom policy. + ### Create and deploy an AppLocker policy that defines your managed installer rules and enables services enforcement for executables and DLLs -Currently, both the AppLocker policy creation UI in GPO Editor and the PowerShell cmdlets allow for directly specifying rules for the Managed Installer rule collection. However, you can use an XML or text editor to convert an EXE rule collection policy into a ManagedInstaller rule collection. +The AppLocker policy creation UI in GPO Editor and the AppLocker PowerShell cmdlets can't be directly used to create rules for the Managed Installer rule collection. However, you can use an XML or text editor to convert an EXE rule collection policy into a ManagedInstaller rule collection. + > [!NOTE] > Only EXE file types can be designated as managed installers. From 410bf5fd35d243d522c9d9e275da964c1a6286bd Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Fri, 26 Aug 2022 17:00:46 -0600 Subject: [PATCH 6/6] Update quick-assist.md Lines 140, 144, and 157: Replace absolute links with relative links. --- windows/client-management/quick-assist.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
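Review bot: The corrected sentence now says the GPO Editor UI and the AppLocker cmdlets "can't be directly used" for the Managed Installer rule collection (the previous text claimed the opposite), but the reader is then left with "use an XML or text editor to convert an EXE rule collection policy" and no indication of what to change; one sentence naming the edit, replacing the `Type="Exe"` rule collection with `Type="ManagedInstaller"` in the exported XML, would make the section actionable. In the new Note, "deploy one of the MEMCM inbox audit mode policies alongside your custom policy" depends on running more than one WDAC policy at once, which is version-gated; point to the feature-availability page linked at the top of this file or state the minimum Windows version there.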
diff --git a/windows/client-management/quick-assist.md b/windows/client-management/quick-assist.md index 860093a2ff..725cf5eda7 100644 --- a/windows/client-management/quick-assist.md +++ b/windows/client-management/quick-assist.md @@ -137,11 +137,11 @@ Before installing Quick Assist, you'll need to set up synchronization between In > [!NOTE] > Assigning the app to a device or group of devices instead of a user is important because it's the only way to install a store app in device context. -Visit [Add Microsoft Store apps to Microsoft Intune](https://docs.microsoft.com/mem/intune/apps/store-apps-windows) for more information. +Visit [Add Microsoft Store apps to Microsoft Intune](/mem/intune/apps/store-apps-windows) for more information. ### Install Quick Assist Offline -To install Quick Assist offline, you'll need to download your APPXBUNDLE and unecoded XML file from [Microsoft Store for Business](https://businessstore.microsoft.com). Visit [Download an offline-licensed app](https://docs.microsoft.com/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app) for more information. +To install Quick Assist offline, you'll need to download your APPXBUNDLE and unecoded XML file from [Microsoft Store for Business](https://businessstore.microsoft.com). Visit [Download an offline-licensed app](/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app) for more information. 1. Start **Windows PowerShell** with Administrative privileges. 1. In PowerShell, change the directory to the location you've saved the file to in step 1. (CD <*location of package file*>) 
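Review bot: The link conversion is correct for the docs.microsoft.com targets, and the two `https://businessstore.microsoft.com` links are rightly left absolute since they are not on the docs host. While this line is in the hunk, also fix the typo "unecoded XML file" (should be "unencoded").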
@@ -154,7 +154,7 @@ After running the command, you'll see Quick Assist 2.X is installed for the user The Microsoft Edge WebView2 is a development control that uses Microsoft Edge as the rendering engine to display web content in native apps. The new Quick Assist app is written using this control and is required. For Windows 11 users, this runtime control is built in. For Windows 10 users, the Quick Assist Store app will detect if WebView2 is present on launch and if necessary, it will be installed automatically. If an error message or prompt is shown indicating WebView2 isn't present, it will need to be installed separately. -For more information on distributing and installing Microsoft Edge WebView2, visit [Distribute your app and the WebView2 Runtime](https://docs.microsoft.com/microsoft-edge/webview2/concepts/distribution) +For more information on distributing and installing Microsoft Edge WebView2, visit [Distribute your app and the WebView2 Runtime](/microsoft-edge/webview2/concepts/distribution) ## Next steps
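Review bot: The sentence ending in the WebView2 distribution link has no terminating period in either the removed or the added line; add one. The unchanged context line "The new Quick Assist app is written using this control and is required" is ambiguous about what is required; "and the WebView2 Runtime is required" would read correctly.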