From 6fe75560490053a09545ccb973aaf58ee36969a5 Mon Sep 17 00:00:00 2001 From: "Andrea Bichsel (Aquent LLC)" Date: Fri, 8 Mar 2019 22:23:59 +0000 Subject: [PATCH 001/149] Draft --- ...ecurity-settings-with-tamper-protection.md | 39 +++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md new file mode 100644 index 0000000000..4a79a4cae8 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md @@ -0,0 +1,39 @@ + + + + +Prevent security settings changes with Tamper Protection + +Tamper Protection helps prevent malicious apps from changing important security settings. These settings include: + +• Real-time protection +• Cloud-delivered protection +• IOfficeAntivirus (IOAV) +• Behavior monitoring +• Scheduled scans +• Policy override settings + +With Tamper Protection set to On, you can still change these settings in the Windows Security app. The following apps and methods can't change these settings: + +• Mobile device management (MDM) apps like Intune +• Enterprise configuration management apps like System Center Configuration Manager (SCCM) +• Command line instruction MpCmdRun.exe -removedefinitions -dynamicsignatures +• Windows System Image Manager (Windows SIM) settings DisableAntiSpyware ad DisableAntiMalware (used in Windows unattended setup) +• Group Policy +• Other Windows Management Instrumentation (WMI) apps + +The Tamper Protection setting doesn't affect how third party antivirus apps register with the Windows Security app. + +On computers running Windows 10 Enterprise E5, users can't change the Tamper Protection setting. + +Tamper Protection is On by default. If you set Tamper Protection to Off, you will see a yellow warning in the Windows Security app under Virus & threat protection. + +Configure Tamper Protection + +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for Defender. +2. Select Virus & threat protection, then select Virus & threat protection settings. +3. Set Tamper Protection to On or Off. + +Note +If your computer is running Windows 10 Enterprise E5, you can't change the Tamper Protection setting. + From a82e95f29fd3f6c571db912a82298c77061f3d98 Mon Sep 17 00:00:00 2001 From: "Andrea Bichsel (Aquent LLC)" Date: Fri, 8 Mar 2019 22:36:13 +0000 Subject: [PATCH 002/149] Formatting --- ...ecurity-settings-with-tamper-protection.md | 65 ++++++++++++------- 1 file changed, 40 insertions(+), 25 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md index 4a79a4cae8..66d5e0fe86 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md +++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md @@ -1,39 +1,54 @@ +--- +title: Prevent security settings changes with Tamper Protection +description: Use tamper protection to prevent malicious apps from changing important security settings. +keywords: malware, defender, antivirus, tamper protection +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: andreabichsel +ms.author: v-anbic +--- +# Prevent security settings changes with tamper protection +**Applies to:** +- Windows 10 -Prevent security settings changes with Tamper Protection +Tamper protection helps prevent malicious apps from changing important security settings. These settings include: -Tamper Protection helps prevent malicious apps from changing important security settings. These settings include: +- Real-time protection +- Cloud-delivered protection +- IOfficeAntivirus (IOAV) +- Behavior monitoring +- Scheduled scans +- Policy override settings -• Real-time protection -• Cloud-delivered protection -• IOfficeAntivirus (IOAV) -• Behavior monitoring -• Scheduled scans -• Policy override settings +With tamper protection set to **On**, you can still change these settings in the Windows Security app. The following apps and methods can't change these settings: -With Tamper Protection set to On, you can still change these settings in the Windows Security app. The following apps and methods can't change these settings: +- Mobile device management (MDM) apps like Intune +- Enterprise configuration management apps like System Center Configuration Manager (SCCM) +- Command line instruction MpCmdRun.exe -removedefinitions -dynamicsignatures +- Windows System Image Manager (Windows SIM) settings DisableAntiSpyware ad DisableAntiMalware (used in Windows unattended setup) +- Group Policy +- Other Windows Management Instrumentation (WMI) apps -• Mobile device management (MDM) apps like Intune -• Enterprise configuration management apps like System Center Configuration Manager (SCCM) -• Command line instruction MpCmdRun.exe -removedefinitions -dynamicsignatures -• Windows System Image Manager (Windows SIM) settings DisableAntiSpyware ad DisableAntiMalware (used in Windows unattended setup) -• Group Policy -• Other Windows Management Instrumentation (WMI) apps +The tamper protection setting doesn't affect how third party antivirus apps register with the Windows Security app. -The Tamper Protection setting doesn't affect how third party antivirus apps register with the Windows Security app. +On computers running Windows 10 Enterprise E5, users can't change the tamper protection setting. -On computers running Windows 10 Enterprise E5, users can't change the Tamper Protection setting. +Tamper protection is On by default. If you set tamper protection to **Off**, you will see a yellow warning in the Windows Security app under **Virus & threat protection**. -Tamper Protection is On by default. If you set Tamper Protection to Off, you will see a yellow warning in the Windows Security app under Virus & threat protection. +##Configure tamper protection -Configure Tamper Protection +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +2. Select **Virus & threat protection**, then select **Virus & threat protection settings**. +3. Set **Tamper Protection** to **On** or **Off**. -1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for Defender. -2. Select Virus & threat protection, then select Virus & threat protection settings. -3. Set Tamper Protection to On or Off. - -Note -If your computer is running Windows 10 Enterprise E5, you can't change the Tamper Protection setting. +>[!NOTE] +>If your computer is running Windows 10 Enterprise E5, you can't change the tamper protection setting. From 8de2be98e03365fe164d7754f582fa992793dfe1 Mon Sep 17 00:00:00 2001 From: "Andrea Bichsel (Aquent LLC)" Date: Fri, 8 Mar 2019 22:37:36 +0000 Subject: [PATCH 003/149] Fixed typo --- ...event-changes-to-security-settings-with-tamper-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md index 66d5e0fe86..930eb2406a 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md +++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md @@ -33,7 +33,7 @@ With tamper protection set to **On**, you can still change these settings in the - Mobile device management (MDM) apps like Intune - Enterprise configuration management apps like System Center Configuration Manager (SCCM) - Command line instruction MpCmdRun.exe -removedefinitions -dynamicsignatures -- Windows System Image Manager (Windows SIM) settings DisableAntiSpyware ad DisableAntiMalware (used in Windows unattended setup) +- Windows System Image Manager (Windows SIM) settings DisableAntiSpyware and DisableAntiMalware (used in Windows unattended setup) - Group Policy - Other Windows Management Instrumentation (WMI) apps From 5ce77666e16a6f318781a6703c1506d817189274 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 21 Apr 2019 20:07:28 +0500 Subject: [PATCH 004/149] update attack-surface-reduction-exploit-guard.md --- .../attack-surface-reduction-exploit-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 5bfe2c6ba4..4181785422 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -22,7 +22,7 @@ ms.date: 04/02/2019 Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, version 1709 or later, Windows Server 2016 1803 or later, or Windows Server 2019. -To use attack surface reduction rules, you need a Windows 10 Enterprise E3 license or higher. A Windows E5 license gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the M365 Security Center. These advanced capabilities aren't available with an E3 license, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment. +To use attack surface reduction rules, you need a Windows 10 Enterprise license. If you have Windows E5 license, it gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the M365 Security Center. These advanced capabilities aren't available with an E3 license or with Windows 10 Enterprise without subsciption, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment. Attack surface reduction rules target behaviors that malware and malicious apps typically use to infect computers, including: From b7fc3ce24c06828000fc4037776a4e8496feb516 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 21 Apr 2019 20:59:33 +0500 Subject: [PATCH 005/149] update attack-surface-reduction-exploit-guard.md --- .../attack-surface-reduction-exploit-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 4181785422..272c13081f 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -22,7 +22,7 @@ ms.date: 04/02/2019 Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, version 1709 or later, Windows Server 2016 1803 or later, or Windows Server 2019. -To use attack surface reduction rules, you need a Windows 10 Enterprise license. If you have Windows E5 license, it gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the M365 Security Center. These advanced capabilities aren't available with an E3 license or with Windows 10 Enterprise without subsciption, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment. +To use attack surface reduction rules, you need a Windows 10 Enterprise license. If you have a Windows E5 license, it gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the M365 Security Center. These advanced capabilities aren't available with an E3 license or with Windows 10 Enterprise without subsciption, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment. Attack surface reduction rules target behaviors that malware and malicious apps typically use to infect computers, including: From 84e8a5a03ee541c5b5ae4fd9e849308b27308af5 Mon Sep 17 00:00:00 2001 From: Lindsay <45809756+lindspea@users.noreply.github.com> Date: Sat, 27 Apr 2019 16:35:21 +0200 Subject: [PATCH 006/149] Update assignedaccess-csp.md Added note about assigned access. --- windows/client-management/mdm/assignedaccess-csp.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index 13f0987eca..55d8e8b012 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md @@ -22,6 +22,9 @@ For a step-by-step guide for setting up devices to run in kiosk mode, see [Set u > [!Warning] > You can only assign one single app kiosk profile to an individual user account on a device. The single app profile does not support domain groups. +> [!Note] +> If the application runs in assigned access mode, when the app calls KeyCredentialManager.IsSupportedAsync and it returns false on the first run, try invoking the settings screen to have the user select a convenience PIN to use with Windows Hello. This is the settings screen that is hidden by the application running in assigned access mode. This means you can only use Windows Hello if you first leave Assigned Access. The user must then select his/her convenience pin and then go into Assigned Access again. + > [!Note] > The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting from Windows 10, version 1709 it is also supported in Windows 10 Pro and Windows 10 S. Starting in Windows 10, version 1803, it is also supported in Windows Holographic for Business edition. From aacdf73752e02cbc2bac019ebf26164b78376416 Mon Sep 17 00:00:00 2001 From: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> Date: Mon, 29 Apr 2019 05:29:27 +0200 Subject: [PATCH 007/149] Update windows/client-management/mdm/assignedaccess-csp.md Changed wording. Co-Authored-By: lindspea <45809756+lindspea@users.noreply.github.com> --- windows/client-management/mdm/assignedaccess-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index 55d8e8b012..b6470b0c3d 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md @@ -23,7 +23,7 @@ For a step-by-step guide for setting up devices to run in kiosk mode, see [Set u > You can only assign one single app kiosk profile to an individual user account on a device. The single app profile does not support domain groups. > [!Note] -> If the application runs in assigned access mode, when the app calls KeyCredentialManager.IsSupportedAsync and it returns false on the first run, try invoking the settings screen to have the user select a convenience PIN to use with Windows Hello. This is the settings screen that is hidden by the application running in assigned access mode. This means you can only use Windows Hello if you first leave Assigned Access. The user must then select his/her convenience pin and then go into Assigned Access again. +> If the application calls KeyCredentialManager.IsSupportedAsync when it is running in assigned access mode and it returns false on the first run, invoke the settings screen and select a convenience PIN to use with Windows Hello. This is the settings screen that is hidden by the application running in assigned access mode. You can only use Windows Hello if you first leave assigned access mode, select your convenience pin, and then go back into assigned access mode again. > [!Note] > The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting from Windows 10, version 1709 it is also supported in Windows 10 Pro and Windows 10 S. Starting in Windows 10, version 1803, it is also supported in Windows Holographic for Business edition. From 8d32eea85633ce5d7f70731f7602bc1851ca9c6f Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Tue, 30 Apr 2019 16:17:49 -0700 Subject: [PATCH 008/149] Updates per bug 3122154 --- windows/client-management/mdm/devicestatus-csp.md | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md index a20317c21f..568485b1b6 100644 --- a/windows/client-management/mdm/devicestatus-csp.md +++ b/windows/client-management/mdm/devicestatus-csp.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 07/26/2018 +ms.date: 04/30/2019 --- # DeviceStatus CSP @@ -157,6 +157,12 @@ Valid values: Supported operation is Get. +If more than one antivirus provider is active, the **DeviceStatus/Antivirus/SignatureStatus** node returns: +- 1 – If every active antivirus provider has a valid signature status +- 0 – If any of the active antivirus providers has an invalid signature status + +The **DeviceStatus/Antivirus/SignatureStatus** node also returns 0 when no antivirus provider is active. + **DeviceStatus/Antivirus/Status** Added in Windows, version 1607. Integer that specifies the status of the antivirus. @@ -186,6 +192,12 @@ Valid values: Supported operation is Get. +If more than one antispyware provider is active, the **DeviceStatus/Antispyware/SignatureStatus** node returns: +- 1 – If every active antispyware provider has a valid signature status +- 0 – If any of the active antispyware providers has an invalid signature status + +The **DeviceStatus/Antispyware/SignatureStatus** node also returns 0 when no antispyware provider is active. + **DeviceStatus/Antispyware/Status** Added in Windows, version 1607. Integer that specifies the status of the antispyware. From cc151d53a7e4e511dc8dc79e11499c72e268ac88 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Tue, 30 Apr 2019 16:53:19 -0700 Subject: [PATCH 009/149] Updater per bug 3122154 --- .../client-management/mdm/devicestatus-csp.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md index 568485b1b6..d286f6f918 100644 --- a/windows/client-management/mdm/devicestatus-csp.md +++ b/windows/client-management/mdm/devicestatus-csp.md @@ -157,11 +157,11 @@ Valid values: Supported operation is Get. -If more than one antivirus provider is active, the **DeviceStatus/Antivirus/SignatureStatus** node returns: -- 1 – If every active antivirus provider has a valid signature status -- 0 – If any of the active antivirus providers has an invalid signature status +If more than one antivirus provider is active, this node returns: +- 1 – If every active antivirus provider has a valid signature status. +- 0 – If any of the active antivirus providers has an invalid signature status. -The **DeviceStatus/Antivirus/SignatureStatus** node also returns 0 when no antivirus provider is active. +This node also returns 0 when no antivirus provider is active. **DeviceStatus/Antivirus/Status** Added in Windows, version 1607. Integer that specifies the status of the antivirus. @@ -192,11 +192,11 @@ Valid values: Supported operation is Get. -If more than one antispyware provider is active, the **DeviceStatus/Antispyware/SignatureStatus** node returns: -- 1 – If every active antispyware provider has a valid signature status -- 0 – If any of the active antispyware providers has an invalid signature status +If more than one antispyware provider is active, this node returns: +- 1 – If every active antispyware provider has a valid signature status. +- 0 – If any of the active antispyware providers has an invalid signature status. -The **DeviceStatus/Antispyware/SignatureStatus** node also returns 0 when no antispyware provider is active. +This node also returns 0 when no antispyware provider is active. **DeviceStatus/Antispyware/Status** Added in Windows, version 1607. Integer that specifies the status of the antispyware. From 3020dfae762b7ad5ae675a3346cc1e5f2d580dd3 Mon Sep 17 00:00:00 2001 From: martyav Date: Wed, 1 May 2019 11:48:22 -0400 Subject: [PATCH 010/149] first pass at updating known issues section --- .../microsoft-defender-atp-mac.md | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index f643a3b454..82acdc4d29 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -464,12 +464,15 @@ Or, from a command line: - ```sudo rm -rf '/Applications/Microsoft Defender ATP'``` ## Known issues -- Microsoft Defender ATP is not yet optimized for performance or disk space. -- Centrally managed uninstall using Intune is still in development. To uninstall (as a workaround) a manual uninstall action has to be completed on each client device). -- Geo preference for telemetry traffic is not yet supported. Cloud traffic (definition updates) routed to US only. -- Full Windows Defender ATP integration is not yet available -- Not localized yet -- There might be accessibility issues + +- Not localized yet. +- There might be accessibility issues. +- Not optimized for performance or disk space yet. +- Full Windows Defender ATP integration is not available yet. +- Mac devices that switch networks may appear multiple times in the APT portal. +- Geo preference for telemetry traffic is not supported yet. Cloud traffic is routed to the US only. +- Centrally managed uninstall is still being developed. As a workaround, a manual uninstall must be performed on each client device. + ## Collecting diagnostic information If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default. From c77397e197a5bf176ada23cd8883e8c1946aa22f Mon Sep 17 00:00:00 2001 From: martyav Date: Wed, 1 May 2019 12:45:00 -0400 Subject: [PATCH 011/149] added what's new section --- .../microsoft-defender-atp-mac.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index 82acdc4d29..fd141aaa08 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -25,6 +25,21 @@ ms.topic: conceptual This topic describes how to install and use Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. +## What’s new in the public preview + +- Fully accessible +- Various bug fixes +- Improved performance +- Improved user experience +- Improved threat handling +- Localized for 37 languages +- Improved anti-tampering protections +- Feedback can now be submitted via the Mac Client UI. +- Product health can now be queried via Jamf or the command line. +- Reduced delay for Mac devices to appear in the ATP console, following deployment. +- Admins can now set their cloud geo preference for any location, not just those in the US. + + ## Prerequisites You should have beginner-level experience in macOS and BASH scripting. You must have administrative privileges on the machine. From 5733e9b39311dab6057bd7c8bea356c63838ecbc Mon Sep 17 00:00:00 2001 From: martyav Date: Wed, 1 May 2019 12:59:11 -0400 Subject: [PATCH 012/149] refining what's new section text --- .../microsoft-defender-atp-mac.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index fd141aaa08..44e8b765e4 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -34,10 +34,10 @@ Microsoft Defender ATP for Mac is not yet widely available, and this topic only - Improved threat handling - Localized for 37 languages - Improved anti-tampering protections -- Feedback can now be submitted via the Mac Client UI. -- Product health can now be queried via Jamf or the command line. +- Feedback and samples can be submitted via the GUI. +- Product health can be queried via Jamf or the command line. - Reduced delay for Mac devices to appear in the ATP console, following deployment. -- Admins can now set their cloud geo preference for any location, not just those in the US. +- Admins can set their cloud preference for any location, not just those in the US. ## Prerequisites From 8162acd4cddfe26b4f61e0c31e295214b6bcba01 Mon Sep 17 00:00:00 2001 From: martyav Date: Wed, 1 May 2019 14:21:07 -0400 Subject: [PATCH 013/149] added atp portal section --- .../microsoft-defender-atp-mac.md | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index 44e8b765e4..eff522741e 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -468,6 +468,32 @@ After installation, you'll see the Microsoft Defender icon in the macOS status b ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) +## What to expect in the ATP portal + +- Severity +- Scan type +- Antivirus alerts +- Device information: + - Machine identifier + - Tenant identifier + - App version + - Hostname + - OS type + - OS version + - Computer model + - Processor architecture + - Whether the device is a virtual machine +- File information: + - Hashes + - Size + - Path + - Name +- Threat information: + - Type + - State + - Name + + ## Uninstallation ### Removing Microsoft Defender ATP from Mac devices To remove Microsoft Defender ATP from your macOS devices: From 58618eb4e7609e299ce616f5f9294c95910ff2f6 Mon Sep 17 00:00:00 2001 From: martyav Date: Thu, 2 May 2019 07:40:59 -0400 Subject: [PATCH 014/149] added configuring via the command line section & table --- .../microsoft-defender-atp-mac.md | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index eff522741e..274a348c8b 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -468,6 +468,28 @@ After installation, you'll see the Microsoft Defender icon in the macOS status b ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) +## Configuring with the command line + +Controlling product settings, triggering on-demand scans, and several other important tasks can be done via the following CLI commands: + +|Group |Scenario |Command | +|-------------|-------------------------------------------|-----------------------------------------------------------------------| +|Configuration|Turn on/off real-time protection |`mdatp config --rtp [true/false]` | +|Configuration|Turn on/off cloud protection |`mdatp config --cloud [true/false]` | +|Configuration|Turn on/off product diagnostics |`mdatp config --diagnostic [true/false]` | +|Configuration|Turn on/off automatic sample submission |`mdatp config --sample-submission [true/false]` | +|Configuration|Turn on PUA protection |`mdatp threat --type-handling --potentially_unwanted_application block`| +|Configuration|Turn off PUA protection |`mdatp threat --type-handling --potentially_unwanted_application off` | +|Configuration|Turn on audit mode for PUA protection |`mdatp threat --type-handling --potentially_unwanted_application audit`| +|Diagnostics |Change the log level |`mdatp log-level --[error/warning/info/verbose]` | +|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic` | +|Health |Check the product's health |`mdatp --health` | +|Protection |Scan a path |`mdatp scan --path [path]` | +|Protection |Do a quick scan |`mdatp scan --quick` | +|Protection |Do a full scan |`mdatp scan --full` | +|Protection |Cancel an ongoing on-demand scan |`mdatp scan --cancel` | +|Protection |Request a definition update |`mdatp --signature-update` | + ## What to expect in the ATP portal - Severity From 3c6938f6d81c091be95028cec8c18598fc7c2b5c Mon Sep 17 00:00:00 2001 From: martyav Date: Thu, 2 May 2019 07:54:37 -0400 Subject: [PATCH 015/149] fixed inaccuracies in portal section --- .../microsoft-defender-atp-mac.md | 23 ++++++++----------- 1 file changed, 9 insertions(+), 14 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index 274a348c8b..1e0f483f69 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -470,7 +470,7 @@ After installation, you'll see the Microsoft Defender icon in the macOS status b ## Configuring with the command line -Controlling product settings, triggering on-demand scans, and several other important tasks can be done via the following CLI commands: +Controlling product settings, triggering on-demand scans, and several other important tasks can be done with the following CLI commands: |Group |Scenario |Command | |-------------|-------------------------------------------|-----------------------------------------------------------------------| @@ -492,9 +492,12 @@ Controlling product settings, triggering on-demand scans, and several other impo ## What to expect in the ATP portal -- Severity -- Scan type -- Antivirus alerts +- AV alerts: + - Severity + - Scan type + - Device information (hostname, machine identifier, tenant identifier, app version, and OS type) + - File information (name, path, size, and hash) + - Threat information (name, type, and state) - Device information: - Machine identifier - Tenant identifier @@ -505,19 +508,11 @@ Controlling product settings, triggering on-demand scans, and several other impo - Computer model - Processor architecture - Whether the device is a virtual machine -- File information: - - Hashes - - Size - - Path - - Name -- Threat information: - - Type - - State - - Name - ## Uninstallation + ### Removing Microsoft Defender ATP from Mac devices + To remove Microsoft Defender ATP from your macOS devices: - Open **Finder > Applications**. Right click on **Microsoft Defender ATP > Move to Trash**. From 1372d3faed690728d953a85eba6a7a9efb1eaeaa Mon Sep 17 00:00:00 2001 From: martyav Date: Thu, 2 May 2019 10:37:07 -0400 Subject: [PATCH 016/149] refining what's new section --- .../microsoft-defender-atp-mac.md | 19 ++++++++----------- 1 file changed, 8 insertions(+), 11 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index 1e0f483f69..52531fa8c9 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -27,18 +27,15 @@ Microsoft Defender ATP for Mac is not yet widely available, and this topic only ## What’s new in the public preview -- Fully accessible -- Various bug fixes -- Improved performance -- Improved user experience -- Improved threat handling -- Localized for 37 languages -- Improved anti-tampering protections -- Feedback and samples can be submitted via the GUI. -- Product health can be queried via Jamf or the command line. -- Reduced delay for Mac devices to appear in the ATP console, following deployment. -- Admins can set their cloud preference for any location, not just those in the US. +We've been working hard through the private preview period, and we've heard your concerns. We've reduced the delay for when new Mac devices appear in the ATP console after they've been deployed. We've improved threat handling, and enhanced the user experience. We've also made numerous bug fixes. Other updates to Microsoft Defender ATP include: +- Full accessibility +- Improved performance +- Localization for 37 languages +- Improved anti-tampering protections +- Feedback and samples can now be submitted via the GUI. +- Product health can be queried with JAMF or the command line. +- Admins can set their cloud preference for any location, not just for those in the US. ## Prerequisites You should have beginner-level experience in macOS and BASH scripting. You must have administrative privileges on the machine. From 12bebd56e8258562ec62b79d7bc13e2f90c26a86 Mon Sep 17 00:00:00 2001 From: martyav Date: Thu, 2 May 2019 11:01:29 -0400 Subject: [PATCH 017/149] markdown linting --- .../microsoft-defender-atp-mac.md | 221 ++++++++++-------- 1 file changed, 127 insertions(+), 94 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index 52531fa8c9..17df14a9be 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -22,8 +22,8 @@ ms.topic: conceptual >[!IMPORTANT] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -This topic describes how to install and use Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. -Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. +This topic describes how to install and use Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. +Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. ## What’s new in the public preview @@ -38,14 +38,17 @@ We've been working hard through the private preview period, and we've heard your - Admins can set their cloud preference for any location, not just for those in the US. ## Prerequisites + You should have beginner-level experience in macOS and BASH scripting. You must have administrative privileges on the machine. You should also have access to Windows Defender Security Center. ### System Requirements + Microsoft Defender ATP for Mac system requirements: + - macOS version: 10.14 (Mojave), 10.13 (High Sierra), 10.12 (Sierra) -- Disk space during preview: 1GB +- Disk space during preview: 1GB After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints. @@ -57,39 +60,43 @@ The following table lists the services and their associated URLs that your netwo To test that a connection is not blocked, open `https://x.cp.wd.microsoft.com/api/report` and `https://wu-cdn.x.cp.wd.microsoft.com/` in a browser, or run the following command in Terminal: -``` +```bash mavel-mojave:~ testuser$ curl 'https://x.cp.wd.microsoft.com/api/report' OK ``` -We recommend to keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) ([Wiki](https://en.wikipedia.org/wiki/System_Integrity_Protection)) enabled (default setting) on client machines. +We recommend to keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) ([Wiki](https://en.wikipedia.org/wiki/System_Integrity_Protection)) enabled (default setting) on client machines. SIP is a built-in macOS security feature that prevents low-level tampering with the OS. ## Installation and configuration overview -There are various methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac. + +There are various methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac. In general you'll need to take the following steps: - - Ensure you have a Windows Defender ATP subscription and have access to the Windows Defender ATP Portal - - Deploy Microsoft Defender ATP for Mac using one of the following deployment methods: - * [Microsoft Intune based deployment](#microsoft-intune-based-deployment) - * [JAMF based deployment](#jamf-based-deployment) - * [Manual deployment](#manual-deployment) + +- Ensure you have a Windows Defender ATP subscription and have access to the Windows Defender ATP Portal +- Deploy Microsoft Defender ATP for Mac using one of the following deployment methods: + - [Microsoft Intune based deployment](#microsoft-intune-based-deployment) + - [JAMF based deployment](#jamf-based-deployment) + - [Manual deployment](#manual-deployment) ## Microsoft Intune based deployment ### Download installation and onboarding packages + Download the installation and onboarding packages from Windows Defender Security Center: -1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. -2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. -3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. -4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. -5. Download IntuneAppUtil from https://docs.microsoft.com/en-us/intune/lob-apps-macos. + +1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. +2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. +3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. +4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. +5. Download IntuneAppUtil from [https://docs.microsoft.com/en-us/intune/lob-apps-macos](https://docs.microsoft.com/en-us/intune/lob-apps-macos). ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) -6. From a command prompt, verify that you have the three files. +6. From a command prompt, verify that you have the three files. Extract the contents of the .zip files: - - ``` + + ```bash mavel-macmini:Downloads test$ ls -l total 721688 -rw-r--r-- 1 test staff 269280 Mar 15 11:25 IntuneAppUtil @@ -103,13 +110,14 @@ Download the installation and onboarding packages from Windows Defender Security inflating: jamf/WindowsDefenderATPOnboarding.plist mavel-macmini:Downloads test$ ``` -7. Make IntuneAppUtil an executable: + +7. Make IntuneAppUtil an executable: ```mavel-macmini:Downloads test$ chmod +x IntuneAppUtil``` 8. Create the wdav.pkg.intunemac package from wdav.pkg: - ``` + ```bash mavel-macmini:Downloads test$ ./IntuneAppUtil -c wdav.pkg -o . -i "com.microsoft.wdav" -n "1.0.0" Microsoft Intune Application Utility for Mac OS X Version: 1.0.0.0 @@ -124,6 +132,7 @@ Download the installation and onboarding packages from Windows Defender Security ``` ### Client Machine Setup + You need no special provisioning for a Mac machine beyond a standard [Company Portal installation](https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-macos-cp). 1. You'll be asked to confirm device management. @@ -143,17 +152,18 @@ You can enroll additional machines. Optionally, you can do it later, after syste ![Add Devices screenshot](images/MDATP_5_allDevices.png) ### Create System Configuration profiles -1. In Intune open the **Manage > Device configuration** blade. Select **Manage > Profiles > Create Profile**. -2. Choose a name for the profile. Change **Platform=macOS**, **Profile type=Custom**. Select **Configure**. -3. Open the configuration profile and upload intune/kext.xml. This file was created during the Generate settings step above. -4. Select **OK**. + +1. In Intune open the **Manage > Device configuration** blade. Select **Manage > Profiles > Create Profile**. +2. Choose a name for the profile. Change **Platform=macOS**, **Profile type=Custom**. Select **Configure**. +3. Open the configuration profile and upload intune/kext.xml. This file was created during the Generate settings step above. +4. Select **OK**. ![System configuration profiles screenshot](images/MDATP_6_SystemConfigurationProfiles.png) -5. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**. -7. Repeat these steps with the second profile. -8. Create Profile one more time, give it a name, upload the intune/WindowsDefenderATPOnboarding.xml file. -9. Select **Manage > Assignments**. In the Include tab, select **Assign to All Users & All devices**. +5. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**. +6. Repeat these steps with the second profile. +7. Create Profile one more time, give it a name, upload the intune/WindowsDefenderATPOnboarding.xml file. +8. Select **Manage > Assignments**. In the Include tab, select **Assign to All Users & All devices**. After Intune changes are propagated to the enrolled machines, you'll see it on the **Monitor > Device status** blade: @@ -161,16 +171,16 @@ After Intune changes are propagated to the enrolled machines, you'll see it on t ### Publish application -1. In Intune, open the **Manage > Client apps** blade. Select **Apps > Add**. -2. Select **App type=Other/Line-of-business app**. -3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload. -4. Select **Configure** and add the required information. -5. Use **macOS Sierra 10.12** as the minimum OS. Other settings can be any other value. +1. In Intune, open the **Manage > Client apps** blade. Select **Apps > Add**. +2. Select **App type=Other/Line-of-business app**. +3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload. +4. Select **Configure** and add the required information. +5. Use **macOS Sierra 10.12** as the minimum OS. Other settings can be any other value. ![Device status blade screenshot](images/MDATP_8_IntuneAppInfo.png) 6. Select **OK** and **Add**. - + ![Device status blade screenshot](images/MDATP_9_IntunePkgInfo.png) 7. It will take a while to upload the package. After it's done, select the name and then go to **Assignments** and **Add group**. @@ -187,7 +197,8 @@ After Intune changes are propagated to the enrolled machines, you'll see it on t ![Intune device status screenshot](images/MDATP_12_DeviceInstall.png) ### Verify client machine state -1. After the configuration profiles are deployed to your machines, on your Mac device, open **System Preferences > Profiles**. + +1. After the configuration profiles are deployed to your machines, on your Mac device, open **System Preferences > Profiles**. ![System Preferences screenshot](images/MDATP_13_SystemPreferences.png) ![System Preferences Profiles screenshot](images/MDATP_14_SystemPreferencesProfiles.png) @@ -195,30 +206,33 @@ After Intune changes are propagated to the enrolled machines, you'll see it on t 2. Verify the three profiles listed there: ![Profiles screenshot](images/MDATP_15_ManagementProfileConfig.png) -3. The **Management Profile** should be the Intune system profile. -4. wdav-config and wdav-kext are system configuration profiles that we added in Intune. -5. You should also see the Microsoft Defender icon in the top-right corner: +3. The **Management Profile** should be the Intune system profile. +4. wdav-config and wdav-kext are system configuration profiles that we added in Intune. +5. You should also see the Microsoft Defender icon in the top-right corner: ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) ## JAMF based deployment -### Prerequsites -You need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes a properly configured distribution point. JAMF has many alternative ways to complete the same task. These instructions provide you an example for most common processes. Your organization might use a different workflow. +### Prerequsites + +You need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes a properly configured distribution point. JAMF has many alternative ways to complete the same task. These instructions provide you an example for most common processes. Your organization might use a different workflow. ### Download installation and onboarding packages + Download the installation and onboarding packages from Windows Defender Security Center: -1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. -2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. -3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. -4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. + +1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. +2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. +3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. +4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) -5. From a command prompt, verify that you have the two files. +5. From a command prompt, verify that you have the two files. Extract the contents of the .zip files: - - ``` + + ```bash mavel-macmini:Downloads test$ ls -l total 721160 -rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip @@ -230,18 +244,19 @@ Download the installation and onboarding packages from Windows Defender Security inflating: intune/WindowsDefenderATPOnboarding.xml inflating: jamf/WindowsDefenderATPOnboarding.plist mavel-macmini:Downloads test$ - ``` + ``` ### Create JAMF Policies + You need to create a configuration profile and a policy to start deploying Microsoft Defender ATP for Mac to client machines. #### Configuration Profile + The configuration profile contains one custom settings payload that includes: -- Microsoft Defender ATP for Mac onboarding information +- Microsoft Defender ATP for Mac onboarding information - Approved Kernel Extensions payload to enable the Microsoft kernel driver to run - 1. Upload jamf/WindowsDefenderATPOnboarding.plist as the Property List File. >[!NOTE] @@ -252,15 +267,17 @@ The configuration profile contains one custom settings payload that includes: #### Approved Kernel Extension To approve the kernel extension: -1. In **Computers > Configuration Profiles** select **Options > Approved Kernel Extensions**. -2. Use **UBF8T346G9** for Team Id. + +1. In **Computers > Configuration Profiles** select **Options > Approved Kernel Extensions**. +2. Use **UBF8T346G9** for Team Id. ![Approved kernel extensions screenshot](images/MDATP_17_approvedKernelExtensions.png) -#### Configuration Profile's Scope +#### Configuration Profile's Scope + Configure the appropriate scope to specify the machines that will receive this configuration profile. -Open Computers -> Configuration Profiles, select **Scope > Targets**. Select the appropriate Target computers. +Open Computers -> Configuration Profiles, select **Scope > Targets**. Select the appropriate Target computers. ![Configuration profile scope screenshot](images/MDATP_18_ConfigurationProfilesScope.png) @@ -269,14 +286,16 @@ Save the **Configuration Profile**. Use the **Logs** tab to monitor deployment status for each enrolled machine. #### Package + 1. Create a package in **Settings > Computer Management > Packages**. ![Computer management packages screenshot](images/MDATP_19_MicrosoftDefenderWDAVPKG.png) -2. Upload wdav.pkg to the Distribution Point. +2. Upload wdav.pkg to the Distribution Point. 3. In the **filename** field, enter the name of the package. For example, wdav.pkg. #### Policy + Your policy should contain a single package for Microsoft Defender. ![Microsoft Defender packages screenshot](images/MDATP_20_MicrosoftDefenderPackages.png) @@ -286,34 +305,38 @@ Configure the appropriate scope to specify the computers that will receive this After you save the Configuration Profile, you can use the Logs tab to monitor the deployment status for each enrolled machine. ### Client machine setup + You need no special provisioning for a macOS computer beyond the standard JAMF Enrollment. > [!NOTE] -> After a computer is enrolled, it will show up in the Computers inventory (All Computers). +> After a computer is enrolled, it will show up in the Computers inventory (All Computers). -1. Open the machine details, from **General** tab, and make sure that **User Approved MDM** is set to **Yes**. If it's set to No, the user needs to open **System Preferences > Profiles** and select **Approve** on the MDM Profile. +1. Open the machine details, from **General** tab, and make sure that **User Approved MDM** is set to **Yes**. If it's set to No, the user needs to open **System Preferences > Profiles** and select **Approve** on the MDM Profile. ![MDM approve button screenshot](images/MDATP_21_MDMProfile1.png) ![MDM screenshot](images/MDATP_22_MDMProfileApproved.png) -After some time, the machine's User Approved MDM status will change to Yes. +After some time, the machine's User Approved MDM status will change to Yes. ![MDM status screenshot](images/MDATP_23_MDMStatus.png) You can enroll additional machines now. Optionally, can do it after system configuration and application packages are provisioned. ### Deployment + Enrolled client machines periodically poll the JAMF Server and install new configuration profiles and policies as soon as they are detected. #### Status on server + You can monitor the deployment status in the Logs tab: - - **Pending** means that the deployment is scheduled but has not yet happened - - **Completed** means that the deployment succeeded and is no longer scheduled + +- **Pending** means that the deployment is scheduled but has not yet happened +- **Completed** means that the deployment succeeded and is no longer scheduled ![Status on server screenshot](images/MDATP_24_StatusOnServer.png) - #### Status on client machine + After the Configuration Profile is deployed, you'll see the profile on the machine in the **System Preferences > Profiles >** Name of Configuration Profile. ![Status on client screenshot](images/MDATP_25_StatusOnClient.png) @@ -324,7 +347,7 @@ After the policy is applied, you'll see the Microsoft Defender icon in the macOS You can monitor policy installation on a machine by following the JAMF's log file: -``` +```bash mavel-mojave:~ testuser$ tail -f /var/log/jamf.log Thu Feb 21 11:11:41 mavel-mojave jamf[7960]: No patch policies were found. Thu Feb 21 11:16:41 mavel-mojave jamf[8051]: Checking for policies triggered by "recurring check-in" for user "testuser"... @@ -336,7 +359,8 @@ Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: No patch policies were found. ``` You can also check the onboarding status: -``` + +```bash mavel-mojave:~ testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 orgid : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 @@ -349,6 +373,7 @@ orgid effective : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 - **orgid effective**: This is the Microsoft Defender ATP org id currently in use. If it does not match the value in the Configuration Profile, then the configuration has not been refreshed. ### Uninstalling Microsoft Defender ATP for Mac + #### Uninstalling with a script Create a script in **Settings > Computer Management > Scripts**. @@ -357,7 +382,7 @@ Create a script in **Settings > Computer Management > Scripts**. For example, this script removes Microsoft Defender ATP from the /Applications directory: -``` +```bash echo "Is WDAV installed?" ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null @@ -371,6 +396,7 @@ echo "Done!" ``` #### Uninstalling with a policy + Your policy should contain a single script: ![Microsoft Defender uninstall script screenshot](images/MDATP_27_UninstallScript.png) @@ -381,7 +407,7 @@ Configure the appropriate scope in the **Scope** tab to specify the machines tha You can check that machines are correctly onboarded by creating a script. For example, the following script checks that enrolled machines are onboarded: -``` +```bash sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | grep -E 'orgid effective : [-a-zA-Z0-9]+' ``` @@ -390,18 +416,20 @@ This script returns 0 if Microsoft Defender ATP is registered with the Windows D ## Manual deployment ### Download installation and onboarding packages + Download the installation and onboarding packages from Windows Defender Security Center: -1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. -2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Local script**. -3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. -4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. + +1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. +2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Local script**. +3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. +4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) -5. From a command prompt, verify that you have the two files. +5. From a command prompt, verify that you have the two files. Extract the contents of the .zip files: - - ``` + + ```bash mavel-macmini:Downloads test$ ls -l total 721152 -rw-r--r-- 1 test staff 6185 Mar 15 10:45 WindowsDefenderATPOnboardingPackage.zip @@ -409,9 +437,10 @@ Download the installation and onboarding packages from Windows Defender Security mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip Archive: WindowsDefenderATPOnboardingPackage.zip inflating: WindowsDefenderATPOnboarding.py - ``` + ``` ### Application installation + To complete this process, you must have admin privileges on the machine. 1. Navigate to the downloaded wdav.pkg in Finder and open it. @@ -431,36 +460,38 @@ To complete this process, you must have admin privileges on the machine. ![Security and privacy window screenshot](images/MDATP_31_SecurityPrivacySettings.png) - The installation will proceed. > [!NOTE] > If you don't select **Allow**, the installation will fail after 5 minutes. You can restart it again at any time. ### Client configuration -1. Copy wdav.pkg and WindowsDefenderATPOnboarding.py to the machine where you deploy Microsoft Defender ATP for Mac. + +1. Copy wdav.pkg and WindowsDefenderATPOnboarding.py to the machine where you deploy Microsoft Defender ATP for Mac. The client machine is not associated with orgId. Note that the orgid is blank. - ``` + ```bash mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 orgid : ``` -2. Install the configuration file on a client machine: - ``` +2. Install the configuration file on a client machine: + + ```bash mavel-mojave:wdavconfig testuser$ python WindowsDefenderATPOnboarding.py Generating /Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist ... (You may be required to enter sudos password) ``` -3. Verify that the machine is now associated with orgId: +3. Verify that the machine is now associated with orgId: - ``` + ```bash mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 orgid : E6875323-A6C0-4C60-87AD-114BBE7439B8 ``` + After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) @@ -490,7 +521,7 @@ Controlling product settings, triggering on-demand scans, and several other impo ## What to expect in the ATP portal - AV alerts: - - Severity + - Severity - Scan type - Device information (hostname, machine identifier, tenant identifier, app version, and OS type) - File information (name, path, size, and hash) @@ -528,37 +559,39 @@ Or, from a command line: - Geo preference for telemetry traffic is not supported yet. Cloud traffic is routed to the US only. - Centrally managed uninstall is still being developed. As a workaround, a manual uninstall must be performed on each client device. - ## Collecting diagnostic information + If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default. 1) Increase logging level: -``` - mavel-mojave:~ testuser$ mdatp log-level --verbose - Creating connection to daemon - Connection established - Operation succeeded + +```bash + mavel-mojave:~ testuser$ mdatp log-level --verbose + Creating connection to daemon + Connection established + Operation succeeded ``` 2) Reproduce the problem 3) Run `mdatp --diagnostic` to backup Defender ATP's logs. The command will print out location with generated zip file. - ``` + ```bash mavel-mojave:~ testuser$ mdatp --diagnostic Creating connection to daemon Connection established "/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip" - ``` - + ``` + 4) Restore logging level: -``` + + ```bash mavel-mojave:~ testuser$ mdatp log-level --info Creating connection to daemon Connection established Operation succeeded -``` + ``` - ### Installation issues + If an error occurs during installation, the installer will only report a general failure. The detailed log is saved to /Library/Logs/Microsoft/wdav.install.log. If you experience issues during installation, send us this file so we can help diagnose the cause. From 78cf0150a08587a7321277c9fe4090762cdf6a53 Mon Sep 17 00:00:00 2001 From: martyav Date: Thu, 2 May 2019 14:22:37 -0400 Subject: [PATCH 018/149] updated known issues + small refinements to other owned sections --- .../microsoft-defender-atp-mac.md | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index a145ddc2d6..e159d86a94 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -27,7 +27,7 @@ Microsoft Defender ATP for Mac is not yet widely available, and this topic only ## What’s new in the public preview -We've been working hard through the private preview period, and we've heard your concerns. We've reduced the delay for when new Mac devices appear in the ATP console after they've been deployed. We've improved threat handling, and enhanced the user experience. We've also made numerous bug fixes. Other updates to Microsoft Defender ATP include: +We've been working hard through the private preview period, and we've heard your concerns. We've reduced the delay for when new Mac devices appear in the ATP console after they've been deployed. We've improved threat handling, and enhanced the user experience. We've also made numerous bug fixes. Other updates to Microsoft Defender ATP for Mac include: - Full accessibility - Improved performance @@ -501,7 +501,7 @@ After installation, you'll see the Microsoft Defender icon in the macOS status b ## Configuring with the command line -Controlling product settings, triggering on-demand scans, and several other important tasks can be done with the following CLI commands: +Controlling product settings, triggering on-demand scans, and several other important tasks can be done from the command line with the following commands: |Group |Scenario |Command | |-------------|-------------------------------------------|-----------------------------------------------------------------------| @@ -554,12 +554,9 @@ Or, from a command line: ## Known issues -- Not localized yet. -- There might be accessibility issues. -- Not optimized for performance or disk space yet. +- Not fully optimized for performance or disk space yet. - Full Windows Defender ATP integration is not available yet. - Mac devices that switch networks may appear multiple times in the APT portal. -- Geo preference for telemetry traffic is not supported yet. Cloud traffic is routed to the US only. - Centrally managed uninstall is still being developed. As a workaround, a manual uninstall must be performed on each client device. ## Collecting diagnostic information From 31978baa1a4bb4a0c509349a7d91026e98e8a5c3 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 3 May 2019 08:25:55 -0700 Subject: [PATCH 019/149] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...system-components-to-microsoft-services.md | 22 +++---------------- 1 file changed, 3 insertions(+), 19 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index b46666da35..096932fb04 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -1824,9 +1824,6 @@ You can disable Teredo by using Group Policy or by using the netsh.exe command. - Create a new REG_SZ registry setting named **Teredo_State** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\TCPIP\\v6Transition** with a value of **Disabled**. - -or- - -- From an elevated command prompt, run **netsh interface teredo set state disabled** ### 23. Wi-Fi Sense @@ -1847,13 +1844,6 @@ To turn off **Connect to suggested open hotspots** and **Connect to networks sha - Create a new REG_DWORD registry setting named **AutoConnectAllowedOEM** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WcmSvc\\wifinetworkmanager\\config** with a **value of 0 (zero)**. - -or- - -- Change the Windows Provisioning setting, WiFISenseAllowed, to **0 (zero)**. For more info, see the Windows Provisioning Settings reference doc, [WiFiSenseAllowed](https://go.microsoft.com/fwlink/p/?LinkId=620909). - - -or- - -- Use the Unattended settings to set the value of WiFiSenseAllowed to **0 (zero)**. For more info, see the Unattended Windows Setup reference doc, [WiFiSenseAllowed](https://go.microsoft.com/fwlink/p/?LinkId=620910). When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but they’re non-functional and they can’t be controlled by the employee. @@ -1863,21 +1853,15 @@ You can disconnect from the Microsoft Antimalware Protection Service. - **Enable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **MAPS** > **Join Microsoft MAPS** and then select **Disabled** from the drop down box named **Join Microsoft MAPS** - -or- +-OR- - Use the registry to set the REG_DWORD value **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SpyNetReporting** to **0 (zero)**. - -or- -- Delete the registry setting **named** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Updates**. - - -or- +-OR- - For Windows 10 only, apply the Defender/AllowClouldProtection MDM policy from the [Defender CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). - -and- - - From an elevated Windows PowerShell prompt, run **set-mppreference -Mapsreporting 0** You can stop sending file samples back to Microsoft. @@ -2076,7 +2060,7 @@ On Windows Server 2016, this will block Microsoft Store calls from Universal Win You can turn off apps for websites, preventing customers who visit websites that are registered with their associated app from directly launching the app. -**Disable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Group Policy** > **Configure web-to-app linking with URI handlers** +- **Disable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Group Policy** > **Configure web-to-app linking with URI handlers** -or- From d8f450c1868cb2de5322447ee0c4e8f21af92ea9 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 3 May 2019 08:39:32 -0700 Subject: [PATCH 020/149] Create manage-windows-19H1-endpoints.md --- .../privacy/manage-windows-19H1-endpoints.md | 492 ++++++++++++++++++ 1 file changed, 492 insertions(+) create mode 100644 windows/privacy/manage-windows-19H1-endpoints.md diff --git a/windows/privacy/manage-windows-19H1-endpoints.md b/windows/privacy/manage-windows-19H1-endpoints.md new file mode 100644 index 0000000000..211c59c07e --- /dev/null +++ b/windows/privacy/manage-windows-19H1-endpoints.md @@ -0,0 +1,492 @@ +--- +title: Connection endpoints for Windows 10, version 19H1 +description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. +keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.localizationpriority: high +audience: ITPro +author: danihalfin +ms.author: v-medgar +manager: sanashar +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 5/3/2019 +--- +# Manage connection endpoints for Windows 10, version 1809 + +**Applies to** + +- Windows 10, version 19H1 + +Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include: + +- Connecting to Microsoft Office and Windows sites to download the latest app and security updates. +- Connecting to email servers to send and receive email. +- Connecting to the web for every day web browsing. +- Connecting to the cloud to store and access backups. +- Using your location to show a weather forecast. + +This article lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later. +Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). +Where applicable, each endpoint covered in this topic includes a link to specific details about how to control traffic to it. + +We used the following methodology to derive these network endpoints: + +1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. +2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). +3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. +4. Compile reports on traffic going to public IP addresses. +5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here. + +> [!NOTE] +> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. + +## Windows 10 Enterprise connection endpoints + +## Apps + +The following endpoint is used to download updates to the Weather app Live Tile. +If you [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), no Live Tiles will be updated. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| explorer | HTTP | tile-service.weather.microsoft.com | +| | HTTP | blob.weather.microsoft.com | + +The following endpoint is used for OneNote Live Tile. +To turn off traffic for this endpoint, either uninstall OneNote or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). +If you disable the Microsoft store, other Store apps cannot be installed or updated. +Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTPS | cdn.onenote.net/livetile/?Language=en-US | + +The following endpoints are used for Twitter updates. +To turn off traffic for these endpoints, either uninstall Twitter or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). +If you disable the Microsoft store, other Store apps cannot be installed or updated. +Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTPS | wildcard.twimg.com | +| svchost.exe | | oem.twimg.com/windows/tile.xml | + +The following endpoint is used for Facebook updates. +To turn off traffic for this endpoint, either uninstall Facebook or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). +If you disable the Microsoft store, other Store apps cannot be installed or updated. +Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | star-mini.c10r.facebook.com | + +The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online. +To turn off traffic for this endpoint, either uninstall the Photos app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). +If you disable the Microsoft store, other Store apps cannot be installed or updated. +Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| WindowsApps\Microsoft.Windows.Photos | HTTPS | evoke-windowsservices-tas.msedge.net | + +The following endpoint is used for Candy Crush Saga updates. +To turn off traffic for this endpoint, either uninstall Candy Crush Saga or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). +If you disable the Microsoft store, other Store apps cannot be installed or updated. +Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | TLS v1.2 | candycrushsoda.king.com | + +The following endpoint is used for by the Microsoft Wallet app. +To turn off traffic for this endpoint, either uninstall the Wallet app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). +If you disable the Microsoft store, other Store apps cannot be installed or updated. +Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| system32\AppHostRegistrationVerifier.exe | HTTPS | wallet.microsoft.com | + +The following endpoint is used by the Groove Music app for update HTTP handler status. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-apps-for-websites), apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and won't be able to directly launch the app. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| system32\AppHostRegistrationVerifier.exe | HTTPS | mediaredirect.microsoft.com | + +The following endpoints are used when using the Whiteboard app. +To turn off traffic for this endpoint [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTPS | wbd.ms | +| | HTTPS | int.whiteboard.microsoft.com | +| | HTTPS | whiteboard.microsoft.com | +| | HTTP / HTTPS | whiteboard.ms | + +## Cortana and Search + +The following endpoint is used to get images that are used for Microsoft Store suggestions. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block images that are used for Microsoft Store suggestions. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| searchui | HTTPS |store-images.s-microsoft.com | + +The following endpoint is used to update Cortana greetings, tips, and Live Tiles. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block updates to Cortana greetings, tips, and Live Tiles. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| backgroundtaskhost | HTTPS | www.bing.com/client | + +The following endpoint is used to configure parameters, such as how often the Live Tile is updated. It's also used to activate experiments. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), parameters would not be updated and the device would no longer participate in experiments. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| backgroundtaskhost | HTTPS | www.bing.com/proactive | + +The following endpoint is used by Cortana to report diagnostic and diagnostic data information. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), Microsoft won't be aware of issues with Cortana and won't be able to fix them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| searchui
backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx | + +## Certificates + +The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. + +Additionally, it is used to download certificates that are publicly known to be fraudulent. +These settings are critical for both Windows security and the overall security of the Internet. +We do not recommend blocking this endpoint. +If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTP | ctldl.windowsupdate.com | + +## Device authentication + +The following endpoint is used to authenticate a device. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), the device will not be authenticated. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTPS | login.live.com/ppsecure | + +## Device metadata + +The following endpoint is used to retrieve device metadata. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-devinst), metadata will not be updated for the device. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | dmd.metaservices.microsoft.com.akadns.net | +| | HTTP | dmd.metaservices.microsoft.com | + +## Diagnostic Data + +The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | | cy2.vortex.data.microsoft.com.akadns.net | + +The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTPS | v10.vortex-win.data.microsoft.com/collect/v1 | + +The following endpoints are used by Windows Error Reporting. +To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| wermgr | | watson.telemetry.microsoft.com | +| | TLS v1.2 | modern.watson.data.microsoft.com.akadns.net | + +## Font streaming + +The following endpoints are used to download fonts on demand. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#font-streaming), you will not be able to download fonts on demand. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | | fs.microsoft.com | +| | | fs.microsoft.com/fs/windows/config.json | + +## Licensing + +The following endpoint is used for online activation and some app licensing. +To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| licensemanager | HTTPS | licensing.mp.microsoft.com/v7.0/licenses/content | + +## Location + +The following endpoint is used for location data. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location), apps cannot use location data. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTP | location-inference-westus.cloudapp.net | +| | HTTPS | inference.location.live.net | + +## Maps + +The following endpoint is used to check for updates to maps that have been downloaded for offline use. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps), offline maps will not be updated. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTPS | *g.akamaiedge.net | + +## Microsoft account + +The following endpoints are used for Microsoft accounts to sign in. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account), users cannot sign in with Microsoft accounts. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | login.msa.akadns6.net | +| system32\Auth.Host.exe | HTTPS | auth.gfx.ms | +| | | us.configsvc1.live.com.akadns.net | + +## Microsoft Store + +The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTPS | *.wns.windows.com | + +The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store. +To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTP | storecatalogrevocation.storequality.microsoft.com | + +The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net | +| backgroundtransferhost | HTTPS | store-images.microsoft.com | + +The following endpoints are used to communicate with Microsoft Store. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTP | storeedgefd.dsx.mp.microsoft.com | +| | HTTP \ HTTPS | pti.store.microsoft.com | +||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.| +| svchost | HTTPS | displaycatalog.mp.microsoft.com | + +## Network Connection Status Indicator (NCSI) + +Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi), NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTP | www.msftconnecttest.com/connecttest.txt | + +## Office + +The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity). +You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. +If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | *.a-msedge.net | +| hxstr | | *.c-msedge.net | +| | | *.e-msedge.net | +| | | *.s-msedge.net | +| | HTTPS | ocos-office365-s2s.msedge.net | +| | HTTPS | nexusrules.officeapps.live.com | +| | HTTPS | officeclient.microsoft.com | + +The following endpoint is used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity). +You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. +If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| system32\Auth.Host.exe | HTTPS | outlook.office365.com | + +The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +|Windows Apps\Microsoft.Windows.Photos|HTTPS|client-office365-tas.msedge.net| + +The following endpoint is used to connect the Office To-Do app to it's cloud service. +To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| |HTTPS|to-do.microsoft.com| + +## OneDrive + +The following endpoint is a redirection service that’s used to automatically update URLs. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive), anything that relies on g.live.com to get updated URL information will no longer work. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| onedrive | HTTP \ HTTPS | g.live.com/1rewlive5skydrive/ODSUProduction | + +The following endpoint is used by OneDrive for Business to download and verify app updates. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US). +To turn off traffic for this endpoint, uninstall OneDrive for Business. In this case, your device will not able to get OneDrive for Business app updates. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| onedrive | HTTPS | oneclient.sfx.ms | + +## Settings + +The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| dmclient | | cy2.settings.data.microsoft.com.akadns.net | + +The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| dmclient | HTTPS | settings.data.microsoft.com | + +The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as Windows Connected User Experiences and Telemetry component and Windows Insider Program use it. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTPS | settings-win.data.microsoft.com | + +## Skype + +The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +|microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com | +| | HTTPS | browser.pipe.aria.microsoft.com | +| | | skypeecs-prod-usw-0-b.cloudapp.net | + +## Windows Defender + +The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | wdcp.microsoft.com | + +The following endpoints are used for Windows Defender definition updates. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), definitions will not be updated. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | definitionupdates.microsoft.com | +|MpCmdRun.exe|HTTPS|go.microsoft.com | + +The following endpoints are used for Windows Defender Smartscreen reporting and notifications. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender-smartscreen), Smartscreen notifications will no appear. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTPS | ars.smartscreen.microsoft.com | +| | HTTPS | unitedstates.smartscreen-prod.microsoft.com | +| | | smartscreen-sn3p.smartscreen.microsoft.com | + +## Windows Spotlight + +The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight), Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see [Windows Spotlight](/windows/configuration/windows-spotlight). + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| backgroundtaskhost | HTTPS | arc.msn.com | +| backgroundtaskhost | | g.msn.com.nsatc.net | +| |TLS v1.2| *.search.msn.com | +| | HTTPS | ris.api.iris.microsoft.com | +| | HTTPS | query.prod.cms.rt.microsoft.com | + +## Windows Update + +The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates), Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com | + +The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to download updates for the operating system. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTP | *.windowsupdate.com | +| svchost | HTTP | *.dl.delivery.mp.microsoft.com | + +The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTPS | *.update.microsoft.com | +| svchost | HTTPS | *.delivery.mp.microsoft.com | + +The following endpoint is used for content regulation. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com | + + +## Microsoft forward link redirection service (FWLink) + +The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. + +If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +|Various|HTTPS|go.microsoft.com| + +## Other Windows 10 editions + +To view endpoints for other versions of Windows 10 Enterprise, see: +- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md) +- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) + +To view endpoints for non-Enterprise Windows 10 editions, see: +- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md) +- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) +- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) + + +## Related links + +- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US) +- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/intune/get-started/network-infrastructure-requirements-for-microsoft-intune) From 3ca8fa560ee97febf256538e64c249e9bbaa23fd Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 3 May 2019 09:03:55 -0700 Subject: [PATCH 021/149] Update manage-windows-19H1-endpoints.md --- windows/privacy/manage-windows-19H1-endpoints.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-windows-19H1-endpoints.md b/windows/privacy/manage-windows-19H1-endpoints.md index 211c59c07e..8c7ac6dde4 100644 --- a/windows/privacy/manage-windows-19H1-endpoints.md +++ b/windows/privacy/manage-windows-19H1-endpoints.md @@ -14,7 +14,7 @@ ms.collection: M365-security-compliance ms.topic: article ms.date: 5/3/2019 --- -# Manage connection endpoints for Windows 10, version 1809 +# Manage connection endpoints for Windows 10, version 19H1 **Applies to** From 7a6fb2cc5e15c53934f2d0f9d27df7bc8b53feba Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 3 May 2019 09:17:11 -0700 Subject: [PATCH 022/149] Update manage-windows-19H1-endpoints.md --- .../privacy/manage-windows-19H1-endpoints.md | 552 ++++-------------- 1 file changed, 124 insertions(+), 428 deletions(-) diff --git a/windows/privacy/manage-windows-19H1-endpoints.md b/windows/privacy/manage-windows-19H1-endpoints.md index 8c7ac6dde4..57e41a1616 100644 --- a/windows/privacy/manage-windows-19H1-endpoints.md +++ b/windows/privacy/manage-windows-19H1-endpoints.md @@ -44,435 +44,131 @@ We used the following methodology to derive these network endpoints: > [!NOTE] > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. -## Windows 10 Enterprise connection endpoints +## Windows 10 19H1 Enterprise connection endpoints + +| Area | Description | Protocol | Destination | + +|Apps|The following endpoints are used to download updates to the Weather app Live Tile. If you turn off traffic to this endpoint, no Live Tiles will be updated.|HTTP|blob.weather.microsoft.com +||The following endpoint is used to download updates to the Weather app Live Tile. If you turn off traffic to this endpoint, no Live Tiles will be updated.|HTTP|tile-service.weather.microsoft.com +||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. +||HTTPS|cdn.onenote.net/livetile/?Language=en-US +||The following endpoints are used for Twitter updates. To turn off traffic for these endpoints, either uninstall Twitter or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. +||HTTPS|*.twimg.com* +||The following endpoint is used for Facebook updates. To turn off traffic for this endpoint, either uninstall Facebook or disable the Microsoft Store. If you disable the Microsoft Store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. +|||star-mini.c10r.facebook.com +||The following endpoint is used for Candy Crush Saga updates. To turn off traffic for this endpoint, either uninstall Candy Crush Saga or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. +||TLS v1.2|candycrushsoda.king.com +||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|evoke-windowsservices-tas.msedge.net +||The following endpoint is used for by the Microsoft Wallet app. To turn off traffic for this endpoint, either uninstall the Wallet app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. +||HTTPS|wallet.microsoft.com +||The following endpoint is used by the Groove Music app for update HTTP handler status. If you turn off traffic for this endpoint, apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and won't be able to directly launch the app. +||HTTPS|mediaredirect.microsoft.com +||The following endpoints are used when using the Whiteboard app. To turn off traffic for this endpoint disable the Microsoft Store. +|HTTPS|int.whiteboard.microsoft.com| +|||HTTPS|wbd.ms +|||HTTPS|whiteboard.microsoft.com +|||HTTP / HTTPS|whiteboard.ms| +|Azure |The following endpoints are related to Azure. |HTTPS|wd-prod-*fe*.cloudapp.azure.com +|| |HTTPS|ris-prod-atm.trafficmanager.net +|| |HTTPS|validation-v2.sls.trafficmanager.net +|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible turn off traffic to this endpoint, but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses.| +|Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.|HTTP|ctldl.windowsupdate.com +|Cortana and Search|The following endpoint is used to get images that are used for Microsoft Store suggestions. If you turn off traffic for this endpoint, you will block images that are used for Microsoft Store suggestions. +||HTTPS|store-images.*microsoft.com +|Cortana and Search2|The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|HTTPS|www.bing.com/client +|| |HTTPS|www.bing.com +|||HTTPS|www.bing.com/proactive +|||HTTPS|www.bing.com/threshold/xls.aspx +|||HTTP|exo-ring.msedge.net +|||HTTP|fp.msedge.net +|||HTTP|fp-vp.azureedge.net +|||HTTP|odinvzc.azureedge.net +|||HTTP|spo-ring.msedge.net +|Device authentication +||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device will not be authenticated.|HTTPS|login.live.com* +||The following endpoints are used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.|HTTP|dmd.metaservices.microsoft.com +|Diagnostic Data +||The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.|HTTP|v10.events.data.microsoft.com +|||HTTPS|v10.vortex-win.data.microsoft.com/collect/v1 +|||HTTP|www.microsoft.com +||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.|HTTPS|co4.telecommand.telemetry.microsoft.com +|| |HTTP|cs11.wpc.v0cdn.net +|| |HTTPS|cs1137.wpc.gammacdn.net +|||TLS v1.2|modern.watson.data.microsoft.com* +|||HTTPS|watson.telemetry.microsoft.com +|Licensing|The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work. +||HTTPS|*licensing.mp.microsoft.com* +|Location|The following endpoint is used for location data. If you turn off traffic for this endpoint, apps cannot use location data.|HTTPS|inference.location.live.net +|||HTTP|location-inference-westus.cloudapp.net +|Maps|The following endpoint is used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps will not be updated.|HTTPS|*g.akamaiedge.net +|| |HTTP|*maps.windows.com* +|Microsoft account|The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. +||HTTP|login.msa.akadns6.net| +|||HTTP|us.configsvc1.live.com.akadns.net +|Microsoft Edge| This traffic is related to the Microsoft Edge browser.|HTTPS|iecvlist.microsoft.com +|Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. +|If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTPS|go.microsoft.com +|Microsoft Store|The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|HTTPS|*.wns.windows.com +||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. +||HTTP|storecatalogrevocation.storequality.microsoft.com +||The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com* +|||HTTPS|store-images.microsoft.com +||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. +||TLS v1.2|*.md.mp.microsoft.com* +|||HTTPS|*displaycatalog.mp.microsoft.com +|||HTTP \ HTTPS|pti.store.microsoft.com +|||HTTP|storeedgefd.dsx.mp.microsoft.com +|| |HTTP|markets.books.microsoft.com +|| |HTTP |share.microsoft.com +|Network Connection Status Indicator (NCSI) +||Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. If you turn off traffic for this endpoint, NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.|HTTP|www.msftconnecttest.com*|Office +||Online. For more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.|HTTP|*.c-msedge.net +|||HTTPS|*.e-msedge.net +|||HTTPS|*.s-msedge.net +|||HTTPS|nexusrules.officeapps.live.com +|||HTTPS|ocos-office365-s2s.msedge.net +|||HTTPS|officeclient.microsoft.com +|||HTTPS|outlook.office365.com +|||HTTPS|client-office365-tas.msedge.net +|| |HTTPS|www.office.com +|| |HTTPS|onecollector.cloudapp.aria +|| |HTTP|v10.events.data.microsoft.com/onecollector/1.0/ +|| |HTTPS|self.events.data.microsoft.com +||The following endpoint is used to connect the Office To-Do app to its cloud service. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. +|HTTPS|to-do.microsoft.com +|OneDrive|The following endpoints are related to OneDrive. If you turn off traffic for these endpoints, anything that relies on g.live.com to get updated URL information will no longer work.|HTTP \ HTTPS|g.live.com/1rewlive5skydrive/* +|| |HTTP|msagfx.live.com +|||HTTPS +||oneclient.sfx.ms +|Settings +||The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this endpoint may stop working.||cy2.settings.data.microsoft.com.akadns.net +|||HTTPS|settings.data.microsoft.com +|||HTTPS|settings-win.data.microsoft.com +|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|browser.pipe.aria.microsoft.com +|||HTTP|config.edge.skype.com +|| |HTTP|s2s.config.skype.com +|||HTTPS|skypeecs-prod-usw-0-b.cloudapp.net +|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device will not use Cloud-based Protection.|HTTPS|wdcp.microsoft.com +|||HTTPS|definitionupdates.microsoft.com| +|||HTTPS|go.microsoft.com +||The following endpoints are used for Windows Defender Smartscreen reporting and notifications. If you turn off traffic for these endpoints, Smartscreen notifications will not appear.|HTTPS|*smartscreen.microsoft.com +|||HTTPS|smartscreen-sn3p.smartscreen.microsoft.com| +|||HTTPS|unitedstates.smartscreen-prod.microsoft.com +|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see Windows Spotlight. +|TLS v1.2|*.search.msn.com +|||HTTPS|arc.msn.com +|||HTTPS|g.msn.com* +|||HTTPS|query.prod.cms.rt.microsoft.com +|||HTTPS|ris.api.iris.microsoft.com +|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.|HTTPS|*.prod.do.dsp.mp.microsoft.com +|| |HTTP|cs9.wac.phicdn.net +|| |HTTP|emdl.ws.microsoft.com +||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|HTTP|*.dl.delivery.mp.microsoft.com +|||HTTP|*.windowsupdate.com* +||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store.|HTTPS|*.delivery.mp.microsoft.com +|||HTTPS|*.update.microsoft.com +||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly|HTTPS|tsfe.trafficshaping.dsp.mp.microsoft.com| -## Apps - -The following endpoint is used to download updates to the Weather app Live Tile. -If you [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), no Live Tiles will be updated. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| explorer | HTTP | tile-service.weather.microsoft.com | -| | HTTP | blob.weather.microsoft.com | - -The following endpoint is used for OneNote Live Tile. -To turn off traffic for this endpoint, either uninstall OneNote or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. -Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTPS | cdn.onenote.net/livetile/?Language=en-US | - -The following endpoints are used for Twitter updates. -To turn off traffic for these endpoints, either uninstall Twitter or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. -Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTPS | wildcard.twimg.com | -| svchost.exe | | oem.twimg.com/windows/tile.xml | - -The following endpoint is used for Facebook updates. -To turn off traffic for this endpoint, either uninstall Facebook or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. -Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | star-mini.c10r.facebook.com | - -The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online. -To turn off traffic for this endpoint, either uninstall the Photos app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. -Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| WindowsApps\Microsoft.Windows.Photos | HTTPS | evoke-windowsservices-tas.msedge.net | - -The following endpoint is used for Candy Crush Saga updates. -To turn off traffic for this endpoint, either uninstall Candy Crush Saga or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. -Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | TLS v1.2 | candycrushsoda.king.com | - -The following endpoint is used for by the Microsoft Wallet app. -To turn off traffic for this endpoint, either uninstall the Wallet app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. -Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| system32\AppHostRegistrationVerifier.exe | HTTPS | wallet.microsoft.com | - -The following endpoint is used by the Groove Music app for update HTTP handler status. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-apps-for-websites), apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and won't be able to directly launch the app. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| system32\AppHostRegistrationVerifier.exe | HTTPS | mediaredirect.microsoft.com | - -The following endpoints are used when using the Whiteboard app. -To turn off traffic for this endpoint [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTPS | wbd.ms | -| | HTTPS | int.whiteboard.microsoft.com | -| | HTTPS | whiteboard.microsoft.com | -| | HTTP / HTTPS | whiteboard.ms | - -## Cortana and Search - -The following endpoint is used to get images that are used for Microsoft Store suggestions. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block images that are used for Microsoft Store suggestions. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| searchui | HTTPS |store-images.s-microsoft.com | - -The following endpoint is used to update Cortana greetings, tips, and Live Tiles. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block updates to Cortana greetings, tips, and Live Tiles. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| backgroundtaskhost | HTTPS | www.bing.com/client | - -The following endpoint is used to configure parameters, such as how often the Live Tile is updated. It's also used to activate experiments. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), parameters would not be updated and the device would no longer participate in experiments. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| backgroundtaskhost | HTTPS | www.bing.com/proactive | - -The following endpoint is used by Cortana to report diagnostic and diagnostic data information. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), Microsoft won't be aware of issues with Cortana and won't be able to fix them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| searchui
backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx | - -## Certificates - -The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. - -Additionally, it is used to download certificates that are publicly known to be fraudulent. -These settings are critical for both Windows security and the overall security of the Internet. -We do not recommend blocking this endpoint. -If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTP | ctldl.windowsupdate.com | - -## Device authentication - -The following endpoint is used to authenticate a device. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), the device will not be authenticated. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTPS | login.live.com/ppsecure | - -## Device metadata - -The following endpoint is used to retrieve device metadata. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-devinst), metadata will not be updated for the device. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | dmd.metaservices.microsoft.com.akadns.net | -| | HTTP | dmd.metaservices.microsoft.com | - -## Diagnostic Data - -The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | | cy2.vortex.data.microsoft.com.akadns.net | - -The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTPS | v10.vortex-win.data.microsoft.com/collect/v1 | - -The following endpoints are used by Windows Error Reporting. -To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| wermgr | | watson.telemetry.microsoft.com | -| | TLS v1.2 | modern.watson.data.microsoft.com.akadns.net | - -## Font streaming - -The following endpoints are used to download fonts on demand. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#font-streaming), you will not be able to download fonts on demand. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | | fs.microsoft.com | -| | | fs.microsoft.com/fs/windows/config.json | - -## Licensing - -The following endpoint is used for online activation and some app licensing. -To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| licensemanager | HTTPS | licensing.mp.microsoft.com/v7.0/licenses/content | - -## Location - -The following endpoint is used for location data. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location), apps cannot use location data. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTP | location-inference-westus.cloudapp.net | -| | HTTPS | inference.location.live.net | - -## Maps - -The following endpoint is used to check for updates to maps that have been downloaded for offline use. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps), offline maps will not be updated. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTPS | *g.akamaiedge.net | - -## Microsoft account - -The following endpoints are used for Microsoft accounts to sign in. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account), users cannot sign in with Microsoft accounts. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | login.msa.akadns6.net | -| system32\Auth.Host.exe | HTTPS | auth.gfx.ms | -| | | us.configsvc1.live.com.akadns.net | - -## Microsoft Store - -The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTPS | *.wns.windows.com | - -The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store. -To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTP | storecatalogrevocation.storequality.microsoft.com | - -The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net | -| backgroundtransferhost | HTTPS | store-images.microsoft.com | - -The following endpoints are used to communicate with Microsoft Store. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTP | storeedgefd.dsx.mp.microsoft.com | -| | HTTP \ HTTPS | pti.store.microsoft.com | -||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.| -| svchost | HTTPS | displaycatalog.mp.microsoft.com | - -## Network Connection Status Indicator (NCSI) - -Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi), NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTP | www.msftconnecttest.com/connecttest.txt | - -## Office - -The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity). -You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. -If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | *.a-msedge.net | -| hxstr | | *.c-msedge.net | -| | | *.e-msedge.net | -| | | *.s-msedge.net | -| | HTTPS | ocos-office365-s2s.msedge.net | -| | HTTPS | nexusrules.officeapps.live.com | -| | HTTPS | officeclient.microsoft.com | - -The following endpoint is used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity). -You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. -If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| system32\Auth.Host.exe | HTTPS | outlook.office365.com | - -The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -|Windows Apps\Microsoft.Windows.Photos|HTTPS|client-office365-tas.msedge.net| - -The following endpoint is used to connect the Office To-Do app to it's cloud service. -To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| |HTTPS|to-do.microsoft.com| - -## OneDrive - -The following endpoint is a redirection service that’s used to automatically update URLs. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive), anything that relies on g.live.com to get updated URL information will no longer work. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| onedrive | HTTP \ HTTPS | g.live.com/1rewlive5skydrive/ODSUProduction | - -The following endpoint is used by OneDrive for Business to download and verify app updates. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US). -To turn off traffic for this endpoint, uninstall OneDrive for Business. In this case, your device will not able to get OneDrive for Business app updates. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| onedrive | HTTPS | oneclient.sfx.ms | - -## Settings - -The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| dmclient | | cy2.settings.data.microsoft.com.akadns.net | - -The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| dmclient | HTTPS | settings.data.microsoft.com | - -The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as Windows Connected User Experiences and Telemetry component and Windows Insider Program use it. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTPS | settings-win.data.microsoft.com | - -## Skype - -The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -|microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com | -| | HTTPS | browser.pipe.aria.microsoft.com | -| | | skypeecs-prod-usw-0-b.cloudapp.net | - -## Windows Defender - -The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | wdcp.microsoft.com | - -The following endpoints are used for Windows Defender definition updates. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), definitions will not be updated. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | definitionupdates.microsoft.com | -|MpCmdRun.exe|HTTPS|go.microsoft.com | - -The following endpoints are used for Windows Defender Smartscreen reporting and notifications. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender-smartscreen), Smartscreen notifications will no appear. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTPS | ars.smartscreen.microsoft.com | -| | HTTPS | unitedstates.smartscreen-prod.microsoft.com | -| | | smartscreen-sn3p.smartscreen.microsoft.com | - -## Windows Spotlight - -The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight), Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see [Windows Spotlight](/windows/configuration/windows-spotlight). - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| backgroundtaskhost | HTTPS | arc.msn.com | -| backgroundtaskhost | | g.msn.com.nsatc.net | -| |TLS v1.2| *.search.msn.com | -| | HTTPS | ris.api.iris.microsoft.com | -| | HTTPS | query.prod.cms.rt.microsoft.com | - -## Windows Update - -The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates), Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com | - -The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to download updates for the operating system. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTP | *.windowsupdate.com | -| svchost | HTTP | *.dl.delivery.mp.microsoft.com | - -The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTPS | *.update.microsoft.com | -| svchost | HTTPS | *.delivery.mp.microsoft.com | - -The following endpoint is used for content regulation. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com | - - -## Microsoft forward link redirection service (FWLink) - -The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. - -If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -|Various|HTTPS|go.microsoft.com| ## Other Windows 10 editions From d3d97220593b00a1c9e77bf451e98e741ca68ef8 Mon Sep 17 00:00:00 2001 From: martyav Date: Fri, 3 May 2019 13:11:09 -0400 Subject: [PATCH 023/149] added intune back into known issues --- .../windows-defender-antivirus/microsoft-defender-atp-mac.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index e159d86a94..e05ea856f0 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -557,7 +557,7 @@ Or, from a command line: - Not fully optimized for performance or disk space yet. - Full Windows Defender ATP integration is not available yet. - Mac devices that switch networks may appear multiple times in the APT portal. -- Centrally managed uninstall is still being developed. As a workaround, a manual uninstall must be performed on each client device. +- Centrally managed uninstall via Intune is still in development. As an alternative, manually uninstall Microsoft Defender ATP for Mac from each client device. ## Collecting diagnostic information From 1e492c00a924c78d29efd9912856f8a0f89a92ec Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 3 May 2019 11:43:29 -0700 Subject: [PATCH 024/149] Update manage-windows-19H1-endpoints.md --- windows/privacy/manage-windows-19H1-endpoints.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/windows/privacy/manage-windows-19H1-endpoints.md b/windows/privacy/manage-windows-19H1-endpoints.md index 57e41a1616..2cea2a6414 100644 --- a/windows/privacy/manage-windows-19H1-endpoints.md +++ b/windows/privacy/manage-windows-19H1-endpoints.md @@ -46,7 +46,18 @@ We used the following methodology to derive these network endpoints: ## Windows 10 19H1 Enterprise connection endpoints +| Source process | Protocol | Destination | +|----------------|----------|------------| +| explorer | HTTP | tile-service.weather.microsoft.com | +| | HTTP | blob.weather.microsoft.com | + + + | Area | Description | Protocol | Destination | +|----------------|----------|------------| +| explorer | HTTP | tile-service.weather.microsoft.com | +| | HTTP | blob.weather.microsoft.com | + |Apps|The following endpoints are used to download updates to the Weather app Live Tile. If you turn off traffic to this endpoint, no Live Tiles will be updated.|HTTP|blob.weather.microsoft.com ||The following endpoint is used to download updates to the Weather app Live Tile. If you turn off traffic to this endpoint, no Live Tiles will be updated.|HTTP|tile-service.weather.microsoft.com From 3365319a053d60121ae02354a13ea09510b672c1 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 3 May 2019 11:44:16 -0700 Subject: [PATCH 025/149] Update manage-windows-19H1-endpoints.md --- windows/privacy/manage-windows-19H1-endpoints.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/privacy/manage-windows-19H1-endpoints.md b/windows/privacy/manage-windows-19H1-endpoints.md index 2cea2a6414..0e54f28d7c 100644 --- a/windows/privacy/manage-windows-19H1-endpoints.md +++ b/windows/privacy/manage-windows-19H1-endpoints.md @@ -54,6 +54,7 @@ We used the following methodology to derive these network endpoints: | Area | Description | Protocol | Destination | +| Source process | Protocol | Destination | |----------------|----------|------------| | explorer | HTTP | tile-service.weather.microsoft.com | | | HTTP | blob.weather.microsoft.com | From d1972eab4ad293b3188b6c32774bbaeb7e2fa834 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 3 May 2019 11:46:01 -0700 Subject: [PATCH 026/149] Update manage-windows-19H1-endpoints.md --- windows/privacy/manage-windows-19H1-endpoints.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/privacy/manage-windows-19H1-endpoints.md b/windows/privacy/manage-windows-19H1-endpoints.md index 0e54f28d7c..05f810e388 100644 --- a/windows/privacy/manage-windows-19H1-endpoints.md +++ b/windows/privacy/manage-windows-19H1-endpoints.md @@ -53,7 +53,6 @@ We used the following methodology to derive these network endpoints: -| Area | Description | Protocol | Destination | | Source process | Protocol | Destination | |----------------|----------|------------| | explorer | HTTP | tile-service.weather.microsoft.com | @@ -198,3 +197,6 @@ To view endpoints for non-Enterprise Windows 10 editions, see: - [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US) - [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/intune/get-started/network-infrastructure-requirements-for-microsoft-intune) + + +| Area | Description | Protocol | Destination | From 239cdbaf7f96775c18f174580a6910c7943f375b Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 3 May 2019 11:56:28 -0700 Subject: [PATCH 027/149] Update manage-windows-19H1-endpoints.md --- .../privacy/manage-windows-19H1-endpoints.md | 19 ++++++------------- 1 file changed, 6 insertions(+), 13 deletions(-) diff --git a/windows/privacy/manage-windows-19H1-endpoints.md b/windows/privacy/manage-windows-19H1-endpoints.md index 05f810e388..8017f3a4eb 100644 --- a/windows/privacy/manage-windows-19H1-endpoints.md +++ b/windows/privacy/manage-windows-19H1-endpoints.md @@ -44,21 +44,15 @@ We used the following methodology to derive these network endpoints: > [!NOTE] > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. +| Area | Protocol | Destination | +|----------------|----------|------------| +| explorer | HTTP | tile-service.weather.microsoft.com | + ## Windows 10 19H1 Enterprise connection endpoints -| Source process | Protocol | Destination | + +| Area | Protocol | Destination | |----------------|----------|------------| -| explorer | HTTP | tile-service.weather.microsoft.com | -| | HTTP | blob.weather.microsoft.com | - - - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| explorer | HTTP | tile-service.weather.microsoft.com | -| | HTTP | blob.weather.microsoft.com | - - |Apps|The following endpoints are used to download updates to the Weather app Live Tile. If you turn off traffic to this endpoint, no Live Tiles will be updated.|HTTP|blob.weather.microsoft.com ||The following endpoint is used to download updates to the Weather app Live Tile. If you turn off traffic to this endpoint, no Live Tiles will be updated.|HTTP|tile-service.weather.microsoft.com ||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. @@ -199,4 +193,3 @@ To view endpoints for non-Enterprise Windows 10 editions, see: - [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/intune/get-started/network-infrastructure-requirements-for-microsoft-intune) -| Area | Description | Protocol | Destination | From 66895adc528149860e62e31d07e425e8fc5e624d Mon Sep 17 00:00:00 2001 From: martyav Date: Fri, 3 May 2019 15:50:26 -0400 Subject: [PATCH 028/149] created separate mdatp for mac logging page --- ...rosoft-defender-atp-mac-diagnostic-logging | 64 +++++++++++++++++++ ...oft-defender-atp-mac-diagnostic-logging.md | 0 2 files changed, 64 insertions(+) create mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging create mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging.md diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging new file mode 100644 index 0000000000..d2ccd7fac2 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging @@ -0,0 +1,64 @@ +--- +title: Collecting diagnostic information from Microsoft Defender ATP for Mac +description: Describes how to collect diagnostic information from Microsoft Defender ATP for Mac. +keywords: microsoft, defender, atp, mac, installation, deploy, intune, jamf, macos, mojave, high sierra, sierra +search.product: eADQiWindows 10XVcnh +search.appverid: #met150 +ms.prod: #w10 +ms.mktglfcycl: #deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: #medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Collecting diagnostic information + +**Applies to:** + +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) + +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default. + +1) Increase logging level: + +```bash + mavel-mojave:~ testuser$ mdatp log-level --verbose + Creating connection to daemon + Connection established + Operation succeeded +``` + +2) Reproduce the problem + +3) Run `mdatp --diagnostic` to backup Defender ATP's logs. The command will print out location with generated zip file. + + ```bash + mavel-mojave:~ testuser$ mdatp --diagnostic + Creating connection to daemon + Connection established + "/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip" + ``` + +4) Restore logging level: + + ```bash + mavel-mojave:~ testuser$ mdatp log-level --info + Creating connection to daemon + Connection established + Operation succeeded + ``` + +## Installation issues + +If an error occurs during installation, the installer will only report a general failure. + +The detailed log will be saved to /Library/Logs/Microsoft/wdav.install.log. If you experience issues during installation, send us this file so we can help diagnose the cause. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging.md new file mode 100644 index 0000000000..e69de29bb2 From e66b83c15d43c5529561cd9942e01ea69b3e4649 Mon Sep 17 00:00:00 2001 From: martyav Date: Fri, 3 May 2019 15:52:37 -0400 Subject: [PATCH 029/149] removed logging section from mdatp for mac --- .../microsoft-defender-atp-mac.md | 39 +------------------ 1 file changed, 1 insertion(+), 38 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index e05ea856f0..08918bc9be 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -557,41 +557,4 @@ Or, from a command line: - Not fully optimized for performance or disk space yet. - Full Windows Defender ATP integration is not available yet. - Mac devices that switch networks may appear multiple times in the APT portal. -- Centrally managed uninstall via Intune is still in development. As an alternative, manually uninstall Microsoft Defender ATP for Mac from each client device. - -## Collecting diagnostic information - -If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default. - -1) Increase logging level: - -```bash - mavel-mojave:~ testuser$ mdatp log-level --verbose - Creating connection to daemon - Connection established - Operation succeeded -``` - -2) Reproduce the problem - -3) Run `mdatp --diagnostic` to backup Defender ATP's logs. The command will print out location with generated zip file. - - ```bash - mavel-mojave:~ testuser$ mdatp --diagnostic - Creating connection to daemon - Connection established - "/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip" - ``` - -4) Restore logging level: - - ```bash - mavel-mojave:~ testuser$ mdatp log-level --info - Creating connection to daemon - Connection established - Operation succeeded - ``` - -### Installation issues - -If an error occurs during installation, the installer will only report a general failure. The detailed log is saved to /Library/Logs/Microsoft/wdav.install.log. If you experience issues during installation, send us this file so we can help diagnose the cause. +- Centrally managed uninstall via Intune is still in development. As an alternative, manually uninstall Microsoft Defender ATP for Mac from each client device. \ No newline at end of file From f98baf2b4b9fd113299ad33c7a0aa3cb1e44ace0 Mon Sep 17 00:00:00 2001 From: martyav Date: Fri, 3 May 2019 16:00:01 -0400 Subject: [PATCH 030/149] added text to mdatp for mac diagnostic logging --- ...rosoft-defender-atp-mac-diagnostic-logging | 64 ------------------- ...oft-defender-atp-mac-diagnostic-logging.md | 64 +++++++++++++++++++ 2 files changed, 64 insertions(+), 64 deletions(-) delete mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging deleted file mode 100644 index d2ccd7fac2..0000000000 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging +++ /dev/null @@ -1,64 +0,0 @@ ---- -title: Collecting diagnostic information from Microsoft Defender ATP for Mac -description: Describes how to collect diagnostic information from Microsoft Defender ATP for Mac. -keywords: microsoft, defender, atp, mac, installation, deploy, intune, jamf, macos, mojave, high sierra, sierra -search.product: eADQiWindows 10XVcnh -search.appverid: #met150 -ms.prod: #w10 -ms.mktglfcycl: #deploy -ms.sitesec: library -ms.pagetype: security -ms.author: v-maave -author: martyav -ms.localizationpriority: #medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual ---- - -# Collecting diagnostic information - -**Applies to:** - -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - -If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default. - -1) Increase logging level: - -```bash - mavel-mojave:~ testuser$ mdatp log-level --verbose - Creating connection to daemon - Connection established - Operation succeeded -``` - -2) Reproduce the problem - -3) Run `mdatp --diagnostic` to backup Defender ATP's logs. The command will print out location with generated zip file. - - ```bash - mavel-mojave:~ testuser$ mdatp --diagnostic - Creating connection to daemon - Connection established - "/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip" - ``` - -4) Restore logging level: - - ```bash - mavel-mojave:~ testuser$ mdatp log-level --info - Creating connection to daemon - Connection established - Operation succeeded - ``` - -## Installation issues - -If an error occurs during installation, the installer will only report a general failure. - -The detailed log will be saved to /Library/Logs/Microsoft/wdav.install.log. If you experience issues during installation, send us this file so we can help diagnose the cause. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging.md index e69de29bb2..d2ccd7fac2 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging.md @@ -0,0 +1,64 @@ +--- +title: Collecting diagnostic information from Microsoft Defender ATP for Mac +description: Describes how to collect diagnostic information from Microsoft Defender ATP for Mac. +keywords: microsoft, defender, atp, mac, installation, deploy, intune, jamf, macos, mojave, high sierra, sierra +search.product: eADQiWindows 10XVcnh +search.appverid: #met150 +ms.prod: #w10 +ms.mktglfcycl: #deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: #medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Collecting diagnostic information + +**Applies to:** + +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) + +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default. + +1) Increase logging level: + +```bash + mavel-mojave:~ testuser$ mdatp log-level --verbose + Creating connection to daemon + Connection established + Operation succeeded +``` + +2) Reproduce the problem + +3) Run `mdatp --diagnostic` to backup Defender ATP's logs. The command will print out location with generated zip file. + + ```bash + mavel-mojave:~ testuser$ mdatp --diagnostic + Creating connection to daemon + Connection established + "/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip" + ``` + +4) Restore logging level: + + ```bash + mavel-mojave:~ testuser$ mdatp log-level --info + Creating connection to daemon + Connection established + Operation succeeded + ``` + +## Installation issues + +If an error occurs during installation, the installer will only report a general failure. + +The detailed log will be saved to /Library/Logs/Microsoft/wdav.install.log. If you experience issues during installation, send us this file so we can help diagnose the cause. \ No newline at end of file From 6a3fd9878885f1dc686aba622fa1c065ff870d05 Mon Sep 17 00:00:00 2001 From: martyav Date: Fri, 3 May 2019 16:26:32 -0400 Subject: [PATCH 031/149] created uninstallation for mdatp-mac page --- ...microsoft-defender-atp-mac-uninstalling.md | 66 +++++++++++++++++++ .../microsoft-defender-atp-mac.md | 43 ------------ 2 files changed, 66 insertions(+), 43 deletions(-) create mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-uninstalling.md diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-uninstalling.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-uninstalling.md new file mode 100644 index 0000000000..5004b31c5b --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-uninstalling.md @@ -0,0 +1,66 @@ +--- +title: Uninstalling Microsoft Defender ATP for Mac +description: Describes how to uninstall Microsoft Defender ATP for Mac. +keywords: microsoft, defender, atp, mac, installation, deploy, intune, jamf, macos, mojave, high sierra, sierra +search.product: eADQiWindows 10XVcnh +search.appverid: #met150 +ms.prod: #w10 +ms.mktglfcycl: #deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: #medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Uninstalling + +**Applies to:** + +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) + +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +There are several ways to uninstall Microsoft Defender ATP for Mac. Please note that while centrally managed uninstall is available for JAMF, it is not yet available for Intune. See [Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) for updates on development. + +## Within the GUI + +- Open **Finder > Applications**. Right click on **Microsoft Defender ATP > Move to Trash**. + +## From the command line: + +- ```sudo rm -rf '/Applications/Microsoft Defender ATP'``` + +## With a script + +Create a script in **Settings > Computer Management > Scripts**. + +![Microsoft Defender uninstall screenshot](images/MDATP_26_Uninstall.png) + +For example, this script removes Microsoft Defender ATP from the /Applications directory: + +```bash +echo "Is WDAV installed?" +ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null + +echo "Uninstalling WDAV..." +rm -rf '/Applications/Microsoft Defender ATP.app' + +echo "Is WDAV still installed?" +ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null + +echo "Done!" +``` + +## With a JAMF policy + +If you are running JAMF, your policy should contain a single script: + +![Microsoft Defender uninstall script screenshot](images/MDATP_27_UninstallScript.png) + +Configure the appropriate scope in the **Scope** tab to specify the machines that will receive this policy. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index 08918bc9be..42b5eb2508 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -375,37 +375,6 @@ orgid effective : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 - **orgid effective**: This is the Microsoft Defender ATP org id currently in use. If it does not match the value in the Configuration Profile, then the configuration has not been refreshed. -### Uninstalling Microsoft Defender ATP for Mac - -#### Uninstalling with a script - -Create a script in **Settings > Computer Management > Scripts**. - -![Microsoft Defender uninstall screenshot](images/MDATP_26_Uninstall.png) - -For example, this script removes Microsoft Defender ATP from the /Applications directory: - -```bash -echo "Is WDAV installed?" -ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null - -echo "Uninstalling WDAV..." -rm -rf '/Applications/Microsoft Defender ATP.app' - -echo "Is WDAV still installed?" -ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null - -echo "Done!" -``` - -#### Uninstalling with a policy - -Your policy should contain a single script: - -![Microsoft Defender uninstall script screenshot](images/MDATP_27_UninstallScript.png) - -Configure the appropriate scope in the **Scope** tab to specify the machines that will receive this policy. - ### Check onboarding status You can check that machines are correctly onboarded by creating a script. For example, the following script checks that enrolled machines are onboarded: @@ -540,18 +509,6 @@ Controlling product settings, triggering on-demand scans, and several other impo - Processor architecture - Whether the device is a virtual machine -## Uninstallation - -### Removing Microsoft Defender ATP from Mac devices - -To remove Microsoft Defender ATP from your macOS devices: - -- Open **Finder > Applications**. Right click on **Microsoft Defender ATP > Move to Trash**. - -Or, from a command line: - -- ```sudo rm -rf '/Applications/Microsoft Defender ATP'``` - ## Known issues - Not fully optimized for performance or disk space yet. From 875aeade4e6f57d886733a9edb192206720ede3d Mon Sep 17 00:00:00 2001 From: martyav Date: Fri, 3 May 2019 16:40:02 -0400 Subject: [PATCH 032/149] rm'd 2 previous pages split from mdatp-mac & collated them into resources page alongside known issues --- ...oft-defender-atp-mac-diagnostic-logging.md | 64 ---------- .../microsoft-defender-atp-mac-resources.md | 112 ++++++++++++++++++ ...microsoft-defender-atp-mac-uninstalling.md | 66 ----------- .../microsoft-defender-atp-mac.md | 9 +- 4 files changed, 113 insertions(+), 138 deletions(-) delete mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging.md create mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md delete mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-uninstalling.md diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging.md deleted file mode 100644 index d2ccd7fac2..0000000000 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging.md +++ /dev/null @@ -1,64 +0,0 @@ ---- -title: Collecting diagnostic information from Microsoft Defender ATP for Mac -description: Describes how to collect diagnostic information from Microsoft Defender ATP for Mac. -keywords: microsoft, defender, atp, mac, installation, deploy, intune, jamf, macos, mojave, high sierra, sierra -search.product: eADQiWindows 10XVcnh -search.appverid: #met150 -ms.prod: #w10 -ms.mktglfcycl: #deploy -ms.sitesec: library -ms.pagetype: security -ms.author: v-maave -author: martyav -ms.localizationpriority: #medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual ---- - -# Collecting diagnostic information - -**Applies to:** - -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - -If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default. - -1) Increase logging level: - -```bash - mavel-mojave:~ testuser$ mdatp log-level --verbose - Creating connection to daemon - Connection established - Operation succeeded -``` - -2) Reproduce the problem - -3) Run `mdatp --diagnostic` to backup Defender ATP's logs. The command will print out location with generated zip file. - - ```bash - mavel-mojave:~ testuser$ mdatp --diagnostic - Creating connection to daemon - Connection established - "/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip" - ``` - -4) Restore logging level: - - ```bash - mavel-mojave:~ testuser$ mdatp log-level --info - Creating connection to daemon - Connection established - Operation succeeded - ``` - -## Installation issues - -If an error occurs during installation, the installer will only report a general failure. - -The detailed log will be saved to /Library/Logs/Microsoft/wdav.install.log. If you experience issues during installation, send us this file so we can help diagnose the cause. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md new file mode 100644 index 0000000000..7f2b515f99 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md @@ -0,0 +1,112 @@ +--- +title: Microsoft Defender ATP for Mac Resources +description: Describes resources for Microsoft Defender ATP for Mac, including how to uninstall it, how to collect diagnostic logs, and known issues with the product. +keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra +search.product: eADQiWindows 10XVcnh +search.appverid: #met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: #medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: #conceptual +--- + +## Collecting diagnostic information + +**Applies to:** + +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) + +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default. + +1) Increase logging level: + +```bash + mavel-mojave:~ testuser$ mdatp log-level --verbose + Creating connection to daemon + Connection established + Operation succeeded +``` + +2) Reproduce the problem + +3) Run `mdatp --diagnostic` to backup Defender ATP's logs. The command will print out location with generated zip file. + + ```bash + mavel-mojave:~ testuser$ mdatp --diagnostic + Creating connection to daemon + Connection established + "/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip" + ``` + +4) Restore logging level: + + ```bash + mavel-mojave:~ testuser$ mdatp log-level --info + Creating connection to daemon + Connection established + Operation succeeded + ``` + +### Installation issues + +If an error occurs during installation, the installer will only report a general failure. + +The detailed log will be saved to /Library/Logs/Microsoft/wdav.install.log. If you experience issues during installation, send us this file so we can help diagnose the cause. + +## Uninstalling + +There are several ways to uninstall Microsoft Defender ATP for Mac. Please note that while centrally managed uninstall is available for JAMF, it is not yet available for Intune. + +### Within the GUI + +- Open **Finder > Applications**. Right click on **Microsoft Defender ATP > Move to Trash**. + +### From the command line: + +- ```sudo rm -rf '/Applications/Microsoft Defender ATP'``` + +### With a script + +Create a script in **Settings > Computer Management > Scripts**. + +![Microsoft Defender uninstall screenshot](images/MDATP_26_Uninstall.png) + +For example, this script removes Microsoft Defender ATP from the /Applications directory: + +```bash + echo "Is WDAV installed?" + ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null + + echo "Uninstalling WDAV..." + rm -rf '/Applications/Microsoft Defender ATP.app' + + echo "Is WDAV still installed?" + ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null + + echo "Done!" +``` + +### With a JAMF policy + +If you are running JAMF, your policy should contain a single script: + +![Microsoft Defender uninstall script screenshot](images/MDATP_27_UninstallScript.png) + +Configure the appropriate scope in the **Scope** tab to specify the machines that will receive this policy. + +## Known issues + +- Not fully optimized for performance or disk space yet. +- Full Windows Defender ATP integration is not available yet. +- Mac devices that switch networks may appear multiple times in the APT portal. +- Centrally managed uninstall via Intune is still in development. As an alternative, manually uninstall Microsoft Defender ATP for Mac from each client device. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-uninstalling.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-uninstalling.md deleted file mode 100644 index 5004b31c5b..0000000000 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-uninstalling.md +++ /dev/null @@ -1,66 +0,0 @@ ---- -title: Uninstalling Microsoft Defender ATP for Mac -description: Describes how to uninstall Microsoft Defender ATP for Mac. -keywords: microsoft, defender, atp, mac, installation, deploy, intune, jamf, macos, mojave, high sierra, sierra -search.product: eADQiWindows 10XVcnh -search.appverid: #met150 -ms.prod: #w10 -ms.mktglfcycl: #deploy -ms.sitesec: library -ms.pagetype: security -ms.author: v-maave -author: martyav -ms.localizationpriority: #medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual ---- - -# Uninstalling - -**Applies to:** - -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - -There are several ways to uninstall Microsoft Defender ATP for Mac. Please note that while centrally managed uninstall is available for JAMF, it is not yet available for Intune. See [Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) for updates on development. - -## Within the GUI - -- Open **Finder > Applications**. Right click on **Microsoft Defender ATP > Move to Trash**. - -## From the command line: - -- ```sudo rm -rf '/Applications/Microsoft Defender ATP'``` - -## With a script - -Create a script in **Settings > Computer Management > Scripts**. - -![Microsoft Defender uninstall screenshot](images/MDATP_26_Uninstall.png) - -For example, this script removes Microsoft Defender ATP from the /Applications directory: - -```bash -echo "Is WDAV installed?" -ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null - -echo "Uninstalling WDAV..." -rm -rf '/Applications/Microsoft Defender ATP.app' - -echo "Is WDAV still installed?" -ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null - -echo "Done!" -``` - -## With a JAMF policy - -If you are running JAMF, your policy should contain a single script: - -![Microsoft Defender uninstall script screenshot](images/MDATP_27_UninstallScript.png) - -Configure the appropriate scope in the **Scope** tab to specify the machines that will receive this policy. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index 42b5eb2508..fe62a0b6a7 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -507,11 +507,4 @@ Controlling product settings, triggering on-demand scans, and several other impo - OS version - Computer model - Processor architecture - - Whether the device is a virtual machine - -## Known issues - -- Not fully optimized for performance or disk space yet. -- Full Windows Defender ATP integration is not available yet. -- Mac devices that switch networks may appear multiple times in the APT portal. -- Centrally managed uninstall via Intune is still in development. As an alternative, manually uninstall Microsoft Defender ATP for Mac from each client device. \ No newline at end of file + - Whether the device is a virtual machine \ No newline at end of file From 139958d30b4647f590ab94f33bafabf199634531 Mon Sep 17 00:00:00 2001 From: martyav Date: Fri, 3 May 2019 17:11:23 -0400 Subject: [PATCH 033/149] added seperate mdatp-mac installation pages --- ...osoft-defender-atp-mac-install-manually.md | 130 ++++++ ...ft-defender-atp-mac-install-with-intune.md | 158 +++++++ ...soft-defender-atp-mac-install-with-jamf.md | 195 ++++++++ .../microsoft-defender-atp-mac.md | 428 +----------------- 4 files changed, 495 insertions(+), 416 deletions(-) create mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md create mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md create mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md new file mode 100644 index 0000000000..4fbed04668 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md @@ -0,0 +1,130 @@ +--- +title: Installing Microsoft Defender ATP for Mac with JAMF +description: Describes how to install Microsoft Defender ATP for Mac, using JAMF. +keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra +search.product: eADQiWindows 10XVcnh +search.appverid: #met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: #medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: #conceptual +--- + +# Manual deployment + +**Applies to:** + +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) + +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +## Download installation and onboarding packages + +Download the installation and onboarding packages from Windows Defender Security Center: + +1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. +2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Local script**. +3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. +4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. + + ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) + +5. From a command prompt, verify that you have the two files. + Extract the contents of the .zip files: + + ```bash + mavel-macmini:Downloads test$ ls -l + total 721152 + -rw-r--r-- 1 test staff 6185 Mar 15 10:45 WindowsDefenderATPOnboardingPackage.zip + -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg + mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip + Archive: WindowsDefenderATPOnboardingPackage.zip + inflating: WindowsDefenderATPOnboarding.py + ``` + +## Application installation + +To complete this process, you must have admin privileges on the machine. + +1. Navigate to the downloaded wdav.pkg in Finder and open it. + + ![App install screenshot](images/MDATP_28_AppInstall.png) + +2. Select **Continue**, agree with the License terms, and enter the password when prompted. + + ![App install screenshot](images/MDATP_29_AppInstallLogin.png) + + > [!IMPORTANT] + > You will be prompted to allow a driver from Microsoft to be installed (either "System Exception Blocked" or "Installation is on hold" or both. The driver must be allowed to be installed. + + ![App install screenshot](images/MDATP_30_SystemExtension.png) + +3. Select **Open Security Preferences** or **Open System Preferences > Security & Privacy**. Select **Allow**: + + ![Security and privacy window screenshot](images/MDATP_31_SecurityPrivacySettings.png) + +The installation will proceed. + +> [!NOTE] +> If you don't select **Allow**, the installation will fail after 5 minutes. You can restart it again at any time. + +## Client configuration + +1. Copy wdav.pkg and WindowsDefenderATPOnboarding.py to the machine where you deploy Microsoft Defender ATP for Mac. + + The client machine is not associated with orgId. Note that the orgid is blank. + + ```bash + mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py + uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 + orgid : + ``` + +2. Install the configuration file on a client machine: + + ```bash + mavel-mojave:wdavconfig testuser$ python WindowsDefenderATPOnboarding.py + Generating /Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist ... (You may be required to enter sudos password) + ``` + +3. Verify that the machine is now associated with orgId: + + ```bash + mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py + uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 + orgid : E6875323-A6C0-4C60-87AD-114BBE7439B8 + ``` + +After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. + + ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) + +## Configuring from the command line + +Important tasks, such as controlling product settings and triggering on-demand scans, can be done from the command line: + +|Group |Scenario |Command | +|-------------|-------------------------------------------|-----------------------------------------------------------------------| +|Configuration|Turn on/off real-time protection |`mdatp config --rtp [true/false]` | +|Configuration|Turn on/off cloud protection |`mdatp config --cloud [true/false]` | +|Configuration|Turn on/off product diagnostics |`mdatp config --diagnostic [true/false]` | +|Configuration|Turn on/off automatic sample submission |`mdatp config --sample-submission [true/false]` | +|Configuration|Turn on PUA protection |`mdatp threat --type-handling --potentially_unwanted_application block`| +|Configuration|Turn off PUA protection |`mdatp threat --type-handling --potentially_unwanted_application off` | +|Configuration|Turn on audit mode for PUA protection |`mdatp threat --type-handling --potentially_unwanted_application audit`| +|Diagnostics |Change the log level |`mdatp log-level --[error/warning/info/verbose]` | +|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic` | +|Health |Check the product's health |`mdatp --health` | +|Protection |Scan a path |`mdatp scan --path [path]` | +|Protection |Do a quick scan |`mdatp scan --quick` | +|Protection |Do a full scan |`mdatp scan --full` | +|Protection |Cancel an ongoing on-demand scan |`mdatp scan --cancel` | +|Protection |Request a definition update |`mdatp --signature-update` | \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md new file mode 100644 index 0000000000..5cd1e22a19 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md @@ -0,0 +1,158 @@ +--- +title: Installing Microsoft Defender ATP for Mac with Microsoft Intune +description: Describes how to install Microsoft Defender ATP for Mac, using Microsoft Intune. +keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra +search.product: eADQiWindows 10XVcnh +search.appverid: #met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: #medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: #conceptual +--- + +# Microsoft Intune-based deployment + +**Applies to:** + +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) + +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +## Download installation and onboarding packages + +Download the installation and onboarding packages from Windows Defender Security Center: + +1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. +2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. +3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. +4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. +5. Download IntuneAppUtil from [https://docs.microsoft.com/en-us/intune/lob-apps-macos](https://docs.microsoft.com/en-us/intune/lob-apps-macos). + + ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) + +6. From a command prompt, verify that you have the three files. + Extract the contents of the .zip files: + + ```bash + mavel-macmini:Downloads test$ ls -l + total 721688 + -rw-r--r-- 1 test staff 269280 Mar 15 11:25 IntuneAppUtil + -rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip + -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg + mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip + Archive: WindowsDefenderATPOnboardingPackage.zip + warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators + inflating: intune/kext.xml + inflating: intune/WindowsDefenderATPOnboarding.xml + inflating: jamf/WindowsDefenderATPOnboarding.plist + mavel-macmini:Downloads test$ + ``` + +7. Make IntuneAppUtil an executable: + + ```mavel-macmini:Downloads test$ chmod +x IntuneAppUtil``` + +8. Create the wdav.pkg.intunemac package from wdav.pkg: + + ```bash + mavel-macmini:Downloads test$ ./IntuneAppUtil -c wdav.pkg -o . -i "com.microsoft.wdav" -n "1.0.0" + Microsoft Intune Application Utility for Mac OS X + Version: 1.0.0.0 + Copyright 2018 Microsoft Corporation + + Creating intunemac file for /Users/test/Downloads/wdav.pkg + Composing the intunemac file output + Output written to ./wdav.pkg.intunemac. + + IntuneAppUtil successfully processed "wdav.pkg", + to deploy refer to the product documentation. + ``` + +## Client Machine Setup + +You need no special provisioning for a Mac machine beyond a standard [Company Portal installation](https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-macos-cp). + +1. You'll be asked to confirm device management. + +![Confirm device management screenshot](images/MDATP_3_ConfirmDeviceMgmt.png) + +Select Open System Preferences, locate Management Profile on the list and select the **Approve...** button. Your Management Profile would be displayed as **Verified**: + +![Management profile screenshot](images/MDATP_4_ManagementProfile.png) + +2. Select the **Continue** button and complete the enrollment. + +You can enroll additional machines. Optionally, you can do it later, after system configuration and application package are provisioned. + +3. In Intune, open the **Manage > Devices > All devices** blade. You'll see your machine: + +![Add Devices screenshot](images/MDATP_5_allDevices.png) + +## Create System Configuration profiles + +1. In Intune open the **Manage > Device configuration** blade. Select **Manage > Profiles > Create Profile**. +2. Choose a name for the profile. Change **Platform=macOS**, **Profile type=Custom**. Select **Configure**. +3. Open the configuration profile and upload intune/kext.xml. This file was created during the Generate settings step above. +4. Select **OK**. + + ![System configuration profiles screenshot](images/MDATP_6_SystemConfigurationProfiles.png) + +5. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**. +6. Repeat these steps with the second profile. +7. Create Profile one more time, give it a name, upload the intune/WindowsDefenderATPOnboarding.xml file. +8. Select **Manage > Assignments**. In the Include tab, select **Assign to All Users & All devices**. + +After Intune changes are propagated to the enrolled machines, you'll see it on the **Monitor > Device status** blade: + +![System configuration profiles screenshot](images/MDATP_7_DeviceStatusBlade.png) + +## Publish application + +1. In Intune, open the **Manage > Client apps** blade. Select **Apps > Add**. +2. Select **App type=Other/Line-of-business app**. +3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload. +4. Select **Configure** and add the required information. +5. Use **macOS Sierra 10.12** as the minimum OS. Other settings can be any other value. + + ![Device status blade screenshot](images/MDATP_8_IntuneAppInfo.png) + +6. Select **OK** and **Add**. + + ![Device status blade screenshot](images/MDATP_9_IntunePkgInfo.png) + +7. It will take a while to upload the package. After it's done, select the name and then go to **Assignments** and **Add group**. + + ![Client apps screenshot](images/MDATP_10_ClientApps.png) + +8. Change **Assignment type=Required**. +9. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Select **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**. + + ![Intune assignments info screenshot](images/MDATP_11_Assignments.png) + +10. After some time the application will be published to all enrolled machines. You'll see it on the **Monitor > Device** install status blade: + + ![Intune device status screenshot](images/MDATP_12_DeviceInstall.png) + +## Verify client machine state + +1. After the configuration profiles are deployed to your machines, on your Mac device, open **System Preferences > Profiles**. + + ![System Preferences screenshot](images/MDATP_13_SystemPreferences.png) + ![System Preferences Profiles screenshot](images/MDATP_14_SystemPreferencesProfiles.png) + +2. Verify the three profiles listed there: + ![Profiles screenshot](images/MDATP_15_ManagementProfileConfig.png) + +3. The **Management Profile** should be the Intune system profile. +4. wdav-config and wdav-kext are system configuration profiles that we added in Intune. +5. You should also see the Microsoft Defender icon in the top-right corner: + + ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md new file mode 100644 index 0000000000..82aaf8ffe2 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md @@ -0,0 +1,195 @@ +--- +title: Installing Microsoft Defender ATP for Mac with JAMF +description: Describes how to install Microsoft Defender ATP for Mac, using JAMF. +keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra +search.product: eADQiWindows 10XVcnh +search.appverid: #met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: #medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: #conceptual +--- + +# JAMF-based deployment + +**Applies to:** + +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) + +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +## Prerequsites + +You need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes a properly configured distribution point. JAMF has many alternative ways to complete the same task. These instructions provide you an example for most common processes. Your organization might use a different workflow. + +## Download installation and onboarding packages + +Download the installation and onboarding packages from Windows Defender Security Center: + +1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. +2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. +3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. +4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. + + ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) + +5. From a command prompt, verify that you have the two files. + Extract the contents of the .zip files: + + ```bash + mavel-macmini:Downloads test$ ls -l + total 721160 + -rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip + -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg + mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip + Archive: WindowsDefenderATPOnboardingPackage.zip + warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators + inflating: intune/kext.xml + inflating: intune/WindowsDefenderATPOnboarding.xml + inflating: jamf/WindowsDefenderATPOnboarding.plist + mavel-macmini:Downloads test$ + ``` + +## Create JAMF Policies + +You need to create a configuration profile and a policy to start deploying Microsoft Defender ATP for Mac to client machines. + +### Configuration Profile + +The configuration profile contains one custom settings payload that includes: + +- Microsoft Defender ATP for Mac onboarding information +- Approved Kernel Extensions payload to enable the Microsoft kernel driver to run + +1. Upload jamf/WindowsDefenderATPOnboarding.plist as the Property List File. + + >[!NOTE] + > You must use exactly "com.microsoft.wdav.atp" as the Preference Domain. + + ![Configuration profile screenshot](images/MDATP_16_PreferenceDomain.png) + +### Approved Kernel Extension + +To approve the kernel extension: + +1. In **Computers > Configuration Profiles** select **Options > Approved Kernel Extensions**. +2. Use **UBF8T346G9** for Team Id. + +![Approved kernel extensions screenshot](images/MDATP_17_approvedKernelExtensions.png) + +#### Configuration Profile's Scope + +Configure the appropriate scope to specify the machines that will receive this configuration profile. + +Open Computers -> Configuration Profiles, select **Scope > Targets**. Select the appropriate Target computers. + +![Configuration profile scope screenshot](images/MDATP_18_ConfigurationProfilesScope.png) + +Save the **Configuration Profile**. + +Use the **Logs** tab to monitor deployment status for each enrolled machine. + +### Package + +1. Create a package in **Settings > Computer Management > Packages**. + + ![Computer management packages screenshot](images/MDATP_19_MicrosoftDefenderWDAVPKG.png) + +2. Upload wdav.pkg to the Distribution Point. +3. In the **filename** field, enter the name of the package. For example, wdav.pkg. + +### Policy + +Your policy should contain a single package for Microsoft Defender. + +![Microsoft Defender packages screenshot](images/MDATP_20_MicrosoftDefenderPackages.png) + +Configure the appropriate scope to specify the computers that will receive this policy. + +After you save the Configuration Profile, you can use the Logs tab to monitor the deployment status for each enrolled machine. + +## Client machine setup + +You need no special provisioning for a macOS computer beyond the standard JAMF Enrollment. + +> [!NOTE] +> After a computer is enrolled, it will show up in the Computers inventory (All Computers). + +1. Open the machine details, from **General** tab, and make sure that **User Approved MDM** is set to **Yes**. If it's set to No, the user needs to open **System Preferences > Profiles** and select **Approve** on the MDM Profile. + +![MDM approve button screenshot](images/MDATP_21_MDMProfile1.png) +![MDM screenshot](images/MDATP_22_MDMProfileApproved.png) + +After some time, the machine's User Approved MDM status will change to Yes. + +![MDM status screenshot](images/MDATP_23_MDMStatus.png) + +You can enroll additional machines now. Optionally, can do it after system configuration and application packages are provisioned. + +## Deployment + +Enrolled client machines periodically poll the JAMF Server and install new configuration profiles and policies as soon as they are detected. + +### Status on server + +You can monitor the deployment status in the Logs tab: + +- **Pending** means that the deployment is scheduled but has not yet happened +- **Completed** means that the deployment succeeded and is no longer scheduled + +![Status on server screenshot](images/MDATP_24_StatusOnServer.png) + +### Status on client machine + +After the Configuration Profile is deployed, you'll see the profile on the machine in the **System Preferences > Profiles >** Name of Configuration Profile. + +![Status on client screenshot](images/MDATP_25_StatusOnClient.png) + +After the policy is applied, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. + +![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) + +You can monitor policy installation on a machine by following the JAMF's log file: + +```bash +mavel-mojave:~ testuser$ tail -f /var/log/jamf.log +Thu Feb 21 11:11:41 mavel-mojave jamf[7960]: No patch policies were found. +Thu Feb 21 11:16:41 mavel-mojave jamf[8051]: Checking for policies triggered by "recurring check-in" for user "testuser"... +Thu Feb 21 11:16:43 mavel-mojave jamf[8051]: Executing Policy WDAV +Thu Feb 21 11:17:02 mavel-mojave jamf[8051]: Installing Microsoft Defender... +Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Successfully installed Microsoft Defender. +Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Checking for patches... +Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: No patch policies were found. +``` + +You can also check the onboarding status: + +```bash +mavel-mojave:~ testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py +uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 +orgid : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 +orgid managed : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 +orgid effective : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 +``` + +- **orgid/orgid managed**: This is the Microsoft Defender ATP org id specified in the configuration profile. If this value is blank, then the Configuration Profile was not properly set. + +- **orgid effective**: This is the Microsoft Defender ATP org id currently in use. If it does not match the value in the Configuration Profile, then the configuration has not been refreshed. + +## Check onboarding status + +You can check that machines are correctly onboarded by creating a script. For example, the following script checks that enrolled machines are onboarded: + +```bash +sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | grep -E 'orgid effective : [-a-zA-Z0-9]+' +``` + +This script returns 0 if Microsoft Defender ATP is registered with the Windows Defender ATP service, and another exit code if it is not installed or registered. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index fe62a0b6a7..3eb0b476e4 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -37,7 +37,18 @@ We've been working hard through the private preview period, and we've heard your - Product health can be queried with JAMF or the command line. - Admins can set their cloud preference for any location, not just for those in the US. -## Prerequisites +## Installing and configuring + +There are various methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac. +In general you'll need to take the following steps: + +- Ensure you have a Windows Defender ATP subscription and have access to the Windows Defender ATP Portal +- Deploy Microsoft Defender ATP for Mac using one of the following deployment methods: + - [Microsoft Intune-based deployment](separate-page-url) + - [JAMF-based deployment](seperate-page-url) + - [Manual deployment](seperate-page-url) + +### Prerequisites You should have beginner-level experience in macOS and BASH scripting. You must have administrative privileges on the machine. @@ -71,424 +82,9 @@ To test that a connection is not blocked, open `https://x.cp.wd.microsoft.com/ap We recommend to keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) ([Wiki](https://en.wikipedia.org/wiki/System_Integrity_Protection)) enabled (default setting) on client machines. SIP is a built-in macOS security feature that prevents low-level tampering with the OS. -## Installation and configuration overview -There are various methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac. -In general you'll need to take the following steps: -- Ensure you have a Windows Defender ATP subscription and have access to the Windows Defender ATP Portal -- Deploy Microsoft Defender ATP for Mac using one of the following deployment methods: - - [Microsoft Intune based deployment](#microsoft-intune-based-deployment) - - [JAMF based deployment](#jamf-based-deployment) - - [Manual deployment](#manual-deployment) -## Microsoft Intune based deployment - -### Download installation and onboarding packages - -Download the installation and onboarding packages from Windows Defender Security Center: - -1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. -2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. -3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. -4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. -5. Download IntuneAppUtil from [https://docs.microsoft.com/en-us/intune/lob-apps-macos](https://docs.microsoft.com/en-us/intune/lob-apps-macos). - - ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) - -6. From a command prompt, verify that you have the three files. - Extract the contents of the .zip files: - - ```bash - mavel-macmini:Downloads test$ ls -l - total 721688 - -rw-r--r-- 1 test staff 269280 Mar 15 11:25 IntuneAppUtil - -rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip - -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg - mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip - Archive: WindowsDefenderATPOnboardingPackage.zip - warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators - inflating: intune/kext.xml - inflating: intune/WindowsDefenderATPOnboarding.xml - inflating: jamf/WindowsDefenderATPOnboarding.plist - mavel-macmini:Downloads test$ - ``` - -7. Make IntuneAppUtil an executable: - - ```mavel-macmini:Downloads test$ chmod +x IntuneAppUtil``` - -8. Create the wdav.pkg.intunemac package from wdav.pkg: - - ```bash - mavel-macmini:Downloads test$ ./IntuneAppUtil -c wdav.pkg -o . -i "com.microsoft.wdav" -n "1.0.0" - Microsoft Intune Application Utility for Mac OS X - Version: 1.0.0.0 - Copyright 2018 Microsoft Corporation - - Creating intunemac file for /Users/test/Downloads/wdav.pkg - Composing the intunemac file output - Output written to ./wdav.pkg.intunemac. - - IntuneAppUtil successfully processed "wdav.pkg", - to deploy refer to the product documentation. - ``` - -### Client Machine Setup - -You need no special provisioning for a Mac machine beyond a standard [Company Portal installation](https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-macos-cp). - -1. You'll be asked to confirm device management. - -![Confirm device management screenshot](images/MDATP_3_ConfirmDeviceMgmt.png) - -Select Open System Preferences, locate Management Profile on the list and select the **Approve...** button. Your Management Profile would be displayed as **Verified**: - -![Management profile screenshot](images/MDATP_4_ManagementProfile.png) - -2. Select the **Continue** button and complete the enrollment. - -You can enroll additional machines. Optionally, you can do it later, after system configuration and application package are provisioned. - -3. In Intune, open the **Manage > Devices > All devices** blade. You'll see your machine: - -![Add Devices screenshot](images/MDATP_5_allDevices.png) - -### Create System Configuration profiles - -1. In Intune open the **Manage > Device configuration** blade. Select **Manage > Profiles > Create Profile**. -2. Choose a name for the profile. Change **Platform=macOS**, **Profile type=Custom**. Select **Configure**. -3. Open the configuration profile and upload intune/kext.xml. This file was created during the Generate settings step above. -4. Select **OK**. - - ![System configuration profiles screenshot](images/MDATP_6_SystemConfigurationProfiles.png) - -5. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**. -6. Repeat these steps with the second profile. -7. Create Profile one more time, give it a name, upload the intune/WindowsDefenderATPOnboarding.xml file. -8. Select **Manage > Assignments**. In the Include tab, select **Assign to All Users & All devices**. - -After Intune changes are propagated to the enrolled machines, you'll see it on the **Monitor > Device status** blade: - -![System configuration profiles screenshot](images/MDATP_7_DeviceStatusBlade.png) - -### Publish application - -1. In Intune, open the **Manage > Client apps** blade. Select **Apps > Add**. -2. Select **App type=Other/Line-of-business app**. -3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload. -4. Select **Configure** and add the required information. -5. Use **macOS Sierra 10.12** as the minimum OS. Other settings can be any other value. - - ![Device status blade screenshot](images/MDATP_8_IntuneAppInfo.png) - -6. Select **OK** and **Add**. - - ![Device status blade screenshot](images/MDATP_9_IntunePkgInfo.png) - -7. It will take a while to upload the package. After it's done, select the name and then go to **Assignments** and **Add group**. - - ![Client apps screenshot](images/MDATP_10_ClientApps.png) - -8. Change **Assignment type=Required**. -9. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Select **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**. - - ![Intune assignments info screenshot](images/MDATP_11_Assignments.png) - -10. After some time the application will be published to all enrolled machines. You'll see it on the **Monitor > Device** install status blade: - - ![Intune device status screenshot](images/MDATP_12_DeviceInstall.png) - -### Verify client machine state - -1. After the configuration profiles are deployed to your machines, on your Mac device, open **System Preferences > Profiles**. - - ![System Preferences screenshot](images/MDATP_13_SystemPreferences.png) - ![System Preferences Profiles screenshot](images/MDATP_14_SystemPreferencesProfiles.png) - -2. Verify the three profiles listed there: - ![Profiles screenshot](images/MDATP_15_ManagementProfileConfig.png) - -3. The **Management Profile** should be the Intune system profile. -4. wdav-config and wdav-kext are system configuration profiles that we added in Intune. -5. You should also see the Microsoft Defender icon in the top-right corner: - - ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) - -## JAMF based deployment - -### Prerequsites - -You need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes a properly configured distribution point. JAMF has many alternative ways to complete the same task. These instructions provide you an example for most common processes. Your organization might use a different workflow. - -### Download installation and onboarding packages - -Download the installation and onboarding packages from Windows Defender Security Center: - -1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. -2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. -3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. -4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. - - ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) - -5. From a command prompt, verify that you have the two files. - Extract the contents of the .zip files: - - ```bash - mavel-macmini:Downloads test$ ls -l - total 721160 - -rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip - -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg - mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip - Archive: WindowsDefenderATPOnboardingPackage.zip - warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators - inflating: intune/kext.xml - inflating: intune/WindowsDefenderATPOnboarding.xml - inflating: jamf/WindowsDefenderATPOnboarding.plist - mavel-macmini:Downloads test$ - ``` - -### Create JAMF Policies - -You need to create a configuration profile and a policy to start deploying Microsoft Defender ATP for Mac to client machines. - -#### Configuration Profile - -The configuration profile contains one custom settings payload that includes: - -- Microsoft Defender ATP for Mac onboarding information -- Approved Kernel Extensions payload to enable the Microsoft kernel driver to run - -1. Upload jamf/WindowsDefenderATPOnboarding.plist as the Property List File. - - >[!NOTE] - > You must use exactly "com.microsoft.wdav.atp" as the Preference Domain. - - ![Configuration profile screenshot](images/MDATP_16_PreferenceDomain.png) - -#### Approved Kernel Extension - -To approve the kernel extension: - -1. In **Computers > Configuration Profiles** select **Options > Approved Kernel Extensions**. -2. Use **UBF8T346G9** for Team Id. - -![Approved kernel extensions screenshot](images/MDATP_17_approvedKernelExtensions.png) - -#### Configuration Profile's Scope - -Configure the appropriate scope to specify the machines that will receive this configuration profile. - -Open Computers -> Configuration Profiles, select **Scope > Targets**. Select the appropriate Target computers. - -![Configuration profile scope screenshot](images/MDATP_18_ConfigurationProfilesScope.png) - -Save the **Configuration Profile**. - -Use the **Logs** tab to monitor deployment status for each enrolled machine. - -#### Package - -1. Create a package in **Settings > Computer Management > Packages**. - - ![Computer management packages screenshot](images/MDATP_19_MicrosoftDefenderWDAVPKG.png) - -2. Upload wdav.pkg to the Distribution Point. -3. In the **filename** field, enter the name of the package. For example, wdav.pkg. - -#### Policy - -Your policy should contain a single package for Microsoft Defender. - -![Microsoft Defender packages screenshot](images/MDATP_20_MicrosoftDefenderPackages.png) - -Configure the appropriate scope to specify the computers that will receive this policy. - -After you save the Configuration Profile, you can use the Logs tab to monitor the deployment status for each enrolled machine. - -### Client machine setup - -You need no special provisioning for a macOS computer beyond the standard JAMF Enrollment. - -> [!NOTE] -> After a computer is enrolled, it will show up in the Computers inventory (All Computers). - -1. Open the machine details, from **General** tab, and make sure that **User Approved MDM** is set to **Yes**. If it's set to No, the user needs to open **System Preferences > Profiles** and select **Approve** on the MDM Profile. - -![MDM approve button screenshot](images/MDATP_21_MDMProfile1.png) -![MDM screenshot](images/MDATP_22_MDMProfileApproved.png) - -After some time, the machine's User Approved MDM status will change to Yes. - -![MDM status screenshot](images/MDATP_23_MDMStatus.png) - -You can enroll additional machines now. Optionally, can do it after system configuration and application packages are provisioned. - -### Deployment - -Enrolled client machines periodically poll the JAMF Server and install new configuration profiles and policies as soon as they are detected. - -#### Status on server - -You can monitor the deployment status in the Logs tab: - -- **Pending** means that the deployment is scheduled but has not yet happened -- **Completed** means that the deployment succeeded and is no longer scheduled - -![Status on server screenshot](images/MDATP_24_StatusOnServer.png) - -#### Status on client machine - -After the Configuration Profile is deployed, you'll see the profile on the machine in the **System Preferences > Profiles >** Name of Configuration Profile. - -![Status on client screenshot](images/MDATP_25_StatusOnClient.png) - -After the policy is applied, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. - -![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) - -You can monitor policy installation on a machine by following the JAMF's log file: - -```bash -mavel-mojave:~ testuser$ tail -f /var/log/jamf.log -Thu Feb 21 11:11:41 mavel-mojave jamf[7960]: No patch policies were found. -Thu Feb 21 11:16:41 mavel-mojave jamf[8051]: Checking for policies triggered by "recurring check-in" for user "testuser"... -Thu Feb 21 11:16:43 mavel-mojave jamf[8051]: Executing Policy WDAV -Thu Feb 21 11:17:02 mavel-mojave jamf[8051]: Installing Microsoft Defender... -Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Successfully installed Microsoft Defender. -Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Checking for patches... -Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: No patch policies were found. -``` - -You can also check the onboarding status: - -```bash -mavel-mojave:~ testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py -uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 -orgid : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 -orgid managed : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 -orgid effective : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 -``` - -- **orgid/orgid managed**: This is the Microsoft Defender ATP org id specified in the configuration profile. If this value is blank, then the Configuration Profile was not properly set. - -- **orgid effective**: This is the Microsoft Defender ATP org id currently in use. If it does not match the value in the Configuration Profile, then the configuration has not been refreshed. - -### Check onboarding status - -You can check that machines are correctly onboarded by creating a script. For example, the following script checks that enrolled machines are onboarded: - -```bash -sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | grep -E 'orgid effective : [-a-zA-Z0-9]+' -``` - -This script returns 0 if Microsoft Defender ATP is registered with the Windows Defender ATP service, and another exit code if it is not installed or registered. - -## Manual deployment - -### Download installation and onboarding packages - -Download the installation and onboarding packages from Windows Defender Security Center: - -1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. -2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Local script**. -3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. -4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. - - ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) - -5. From a command prompt, verify that you have the two files. - Extract the contents of the .zip files: - - ```bash - mavel-macmini:Downloads test$ ls -l - total 721152 - -rw-r--r-- 1 test staff 6185 Mar 15 10:45 WindowsDefenderATPOnboardingPackage.zip - -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg - mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip - Archive: WindowsDefenderATPOnboardingPackage.zip - inflating: WindowsDefenderATPOnboarding.py - ``` - -### Application installation - -To complete this process, you must have admin privileges on the machine. - -1. Navigate to the downloaded wdav.pkg in Finder and open it. - - ![App install screenshot](images/MDATP_28_AppInstall.png) - -2. Select **Continue**, agree with the License terms, and enter the password when prompted. - - ![App install screenshot](images/MDATP_29_AppInstallLogin.png) - - > [!IMPORTANT] - > You will be prompted to allow a driver from Microsoft to be installed (either "System Exception Blocked" or "Installation is on hold" or both. The driver must be allowed to be installed. - - ![App install screenshot](images/MDATP_30_SystemExtension.png) - -3. Select **Open Security Preferences** or **Open System Preferences > Security & Privacy**. Select **Allow**: - - ![Security and privacy window screenshot](images/MDATP_31_SecurityPrivacySettings.png) - -The installation will proceed. - -> [!NOTE] -> If you don't select **Allow**, the installation will fail after 5 minutes. You can restart it again at any time. - -### Client configuration - -1. Copy wdav.pkg and WindowsDefenderATPOnboarding.py to the machine where you deploy Microsoft Defender ATP for Mac. - - The client machine is not associated with orgId. Note that the orgid is blank. - - ```bash - mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py - uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 - orgid : - ``` - -2. Install the configuration file on a client machine: - - ```bash - mavel-mojave:wdavconfig testuser$ python WindowsDefenderATPOnboarding.py - Generating /Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist ... (You may be required to enter sudos password) - ``` - -3. Verify that the machine is now associated with orgId: - - ```bash - mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py - uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 - orgid : E6875323-A6C0-4C60-87AD-114BBE7439B8 - ``` - -After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. - - ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) - -## Configuring with the command line - -Controlling product settings, triggering on-demand scans, and several other important tasks can be done from the command line with the following commands: - -|Group |Scenario |Command | -|-------------|-------------------------------------------|-----------------------------------------------------------------------| -|Configuration|Turn on/off real-time protection |`mdatp config --rtp [true/false]` | -|Configuration|Turn on/off cloud protection |`mdatp config --cloud [true/false]` | -|Configuration|Turn on/off product diagnostics |`mdatp config --diagnostic [true/false]` | -|Configuration|Turn on/off automatic sample submission |`mdatp config --sample-submission [true/false]` | -|Configuration|Turn on PUA protection |`mdatp threat --type-handling --potentially_unwanted_application block`| -|Configuration|Turn off PUA protection |`mdatp threat --type-handling --potentially_unwanted_application off` | -|Configuration|Turn on audit mode for PUA protection |`mdatp threat --type-handling --potentially_unwanted_application audit`| -|Diagnostics |Change the log level |`mdatp log-level --[error/warning/info/verbose]` | -|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic` | -|Health |Check the product's health |`mdatp --health` | -|Protection |Scan a path |`mdatp scan --path [path]` | -|Protection |Do a quick scan |`mdatp scan --quick` | -|Protection |Do a full scan |`mdatp scan --full` | -|Protection |Cancel an ongoing on-demand scan |`mdatp scan --cancel` | -|Protection |Request a definition update |`mdatp --signature-update` | ## What to expect in the ATP portal From 8b9f0da22d48315f1cddffdc025b92e2a8805288 Mon Sep 17 00:00:00 2001 From: martyav Date: Fri, 3 May 2019 17:17:28 -0400 Subject: [PATCH 034/149] moved what to expect from mdatp-mac to mdatp-mac resources --- .../microsoft-defender-atp-mac-resources.md | 19 +++++++++++++ .../microsoft-defender-atp-mac.md | 27 ++----------------- 2 files changed, 21 insertions(+), 25 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md index 7f2b515f99..4de5bdb96c 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md @@ -104,6 +104,25 @@ If you are running JAMF, your policy should contain a single script: Configure the appropriate scope in the **Scope** tab to specify the machines that will receive this policy. +## What to expect in the ATP portal + +- AV alerts: + - Severity + - Scan type + - Device information (hostname, machine identifier, tenant identifier, app version, and OS type) + - File information (name, path, size, and hash) + - Threat information (name, type, and state) +- Device information: + - Machine identifier + - Tenant identifier + - App version + - Hostname + - OS type + - OS version + - Computer model + - Processor architecture + - Whether the device is a virtual machine + ## Known issues - Not fully optimized for performance or disk space yet. diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index 3eb0b476e4..5132b03e9b 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -37,7 +37,7 @@ We've been working hard through the private preview period, and we've heard your - Product health can be queried with JAMF or the command line. - Admins can set their cloud preference for any location, not just for those in the US. -## Installing and configuring +## Installing and configuring There are various methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac. In general you'll need to take the following steps: @@ -80,27 +80,4 @@ To test that a connection is not blocked, open `https://x.cp.wd.microsoft.com/ap ``` We recommend to keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) ([Wiki](https://en.wikipedia.org/wiki/System_Integrity_Protection)) enabled (default setting) on client machines. -SIP is a built-in macOS security feature that prevents low-level tampering with the OS. - - - - - -## What to expect in the ATP portal - -- AV alerts: - - Severity - - Scan type - - Device information (hostname, machine identifier, tenant identifier, app version, and OS type) - - File information (name, path, size, and hash) - - Threat information (name, type, and state) -- Device information: - - Machine identifier - - Tenant identifier - - App version - - Hostname - - OS type - - OS version - - Computer model - - Processor architecture - - Whether the device is a virtual machine \ No newline at end of file +SIP is a built-in macOS security feature that prevents low-level tampering with the OS. \ No newline at end of file From 955791a7d49eadacb73925da42d610b25a837ad0 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 3 May 2019 14:34:45 -0700 Subject: [PATCH 035/149] Update manage-windows-19H1-endpoints.md --- .../privacy/manage-windows-19H1-endpoints.md | 221 ++++++++---------- 1 file changed, 98 insertions(+), 123 deletions(-) diff --git a/windows/privacy/manage-windows-19H1-endpoints.md b/windows/privacy/manage-windows-19H1-endpoints.md index 8017f3a4eb..1bc006fe0b 100644 --- a/windows/privacy/manage-windows-19H1-endpoints.md +++ b/windows/privacy/manage-windows-19H1-endpoints.md @@ -44,137 +44,112 @@ We used the following methodology to derive these network endpoints: > [!NOTE] > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. -| Area | Protocol | Destination | -|----------------|----------|------------| -| explorer | HTTP | tile-service.weather.microsoft.com | - ## Windows 10 19H1 Enterprise connection endpoints - -| Area | Protocol | Destination | -|----------------|----------|------------| -|Apps|The following endpoints are used to download updates to the Weather app Live Tile. If you turn off traffic to this endpoint, no Live Tiles will be updated.|HTTP|blob.weather.microsoft.com -||The following endpoint is used to download updates to the Weather app Live Tile. If you turn off traffic to this endpoint, no Live Tiles will be updated.|HTTP|tile-service.weather.microsoft.com -||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. -||HTTPS|cdn.onenote.net/livetile/?Language=en-US -||The following endpoints are used for Twitter updates. To turn off traffic for these endpoints, either uninstall Twitter or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. -||HTTPS|*.twimg.com* -||The following endpoint is used for Facebook updates. To turn off traffic for this endpoint, either uninstall Facebook or disable the Microsoft Store. If you disable the Microsoft Store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. -|||star-mini.c10r.facebook.com -||The following endpoint is used for Candy Crush Saga updates. To turn off traffic for this endpoint, either uninstall Candy Crush Saga or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. -||TLS v1.2|candycrushsoda.king.com -||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|evoke-windowsservices-tas.msedge.net -||The following endpoint is used for by the Microsoft Wallet app. To turn off traffic for this endpoint, either uninstall the Wallet app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. -||HTTPS|wallet.microsoft.com -||The following endpoint is used by the Groove Music app for update HTTP handler status. If you turn off traffic for this endpoint, apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and won't be able to directly launch the app. -||HTTPS|mediaredirect.microsoft.com -||The following endpoints are used when using the Whiteboard app. To turn off traffic for this endpoint disable the Microsoft Store. -|HTTPS|int.whiteboard.microsoft.com| -|||HTTPS|wbd.ms -|||HTTPS|whiteboard.microsoft.com +|Area|Description|Protocol|Destination| +|----------------|----------|----------|------------| +|Apps|The following endpoints are used to download updates to the Weather app Live Tile. If you turn off traffic to this endpoint, no Live Tiles will be updated.|HTTP|blob.weather.microsoft.com| +|||HTTP|tile-service.weather.microsoft.com +||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|cdn.onenote.net/livetile/?Language=en-US +||The following endpoints are used for Twitter updates. To turn off traffic for these endpoints, either uninstall Twitter or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|*.twimg.com*| +||The following endpoint is used for Candy Crush Saga updates. To turn off traffic for this endpoint, either uninstall Candy Crush Saga or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLS v1.2|candycrushsoda.king.com| +||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|evoke-windowsservices-tas.msedge.net| +||The following endpoint is used for by the Microsoft Wallet app. To turn off traffic for this endpoint, either uninstall the Wallet app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|wallet.microsoft.com| +||The following endpoint is used by the Groove Music app for update HTTP handler status. If you turn off traffic for this endpoint, apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and won't be able to directly launch the app.|HTTPS|mediaredirect.microsoft.com| +||The following endpoints are used when using the Whiteboard app. To turn off traffic for this endpoint disable the Microsoft Store.|HTTPS|int.whiteboard.microsoft.com| +|||HTTPS|wbd.ms| +|||HTTPS|whiteboard.microsoft.com| |||HTTP / HTTPS|whiteboard.ms| -|Azure |The following endpoints are related to Azure. |HTTPS|wd-prod-*fe*.cloudapp.azure.com -|| |HTTPS|ris-prod-atm.trafficmanager.net -|| |HTTPS|validation-v2.sls.trafficmanager.net -|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible turn off traffic to this endpoint, but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses.| -|Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.|HTTP|ctldl.windowsupdate.com -|Cortana and Search|The following endpoint is used to get images that are used for Microsoft Store suggestions. If you turn off traffic for this endpoint, you will block images that are used for Microsoft Store suggestions. -||HTTPS|store-images.*microsoft.com -|Cortana and Search2|The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|HTTPS|www.bing.com/client -|| |HTTPS|www.bing.com -|||HTTPS|www.bing.com/proactive -|||HTTPS|www.bing.com/threshold/xls.aspx -|||HTTP|exo-ring.msedge.net -|||HTTP|fp.msedge.net -|||HTTP|fp-vp.azureedge.net -|||HTTP|odinvzc.azureedge.net -|||HTTP|spo-ring.msedge.net -|Device authentication -||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device will not be authenticated.|HTTPS|login.live.com* -||The following endpoints are used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.|HTTP|dmd.metaservices.microsoft.com -|Diagnostic Data -||The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.|HTTP|v10.events.data.microsoft.com -|||HTTPS|v10.vortex-win.data.microsoft.com/collect/v1 -|||HTTP|www.microsoft.com -||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.|HTTPS|co4.telecommand.telemetry.microsoft.com -|| |HTTP|cs11.wpc.v0cdn.net -|| |HTTPS|cs1137.wpc.gammacdn.net -|||TLS v1.2|modern.watson.data.microsoft.com* -|||HTTPS|watson.telemetry.microsoft.com -|Licensing|The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work. -||HTTPS|*licensing.mp.microsoft.com* -|Location|The following endpoint is used for location data. If you turn off traffic for this endpoint, apps cannot use location data.|HTTPS|inference.location.live.net -|||HTTP|location-inference-westus.cloudapp.net -|Maps|The following endpoint is used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps will not be updated.|HTTPS|*g.akamaiedge.net -|| |HTTP|*maps.windows.com* -|Microsoft account|The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. -||HTTP|login.msa.akadns6.net| -|||HTTP|us.configsvc1.live.com.akadns.net -|Microsoft Edge| This traffic is related to the Microsoft Edge browser.|HTTPS|iecvlist.microsoft.com -|Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. -|If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTPS|go.microsoft.com -|Microsoft Store|The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|HTTPS|*.wns.windows.com -||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. -||HTTP|storecatalogrevocation.storequality.microsoft.com -||The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com* -|||HTTPS|store-images.microsoft.com -||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. -||TLS v1.2|*.md.mp.microsoft.com* -|||HTTPS|*displaycatalog.mp.microsoft.com -|||HTTP \ HTTPS|pti.store.microsoft.com -|||HTTP|storeedgefd.dsx.mp.microsoft.com -|| |HTTP|markets.books.microsoft.com -|| |HTTP |share.microsoft.com -|Network Connection Status Indicator (NCSI) -||Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. If you turn off traffic for this endpoint, NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.|HTTP|www.msftconnecttest.com*|Office -||Online. For more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.|HTTP|*.c-msedge.net -|||HTTPS|*.e-msedge.net -|||HTTPS|*.s-msedge.net -|||HTTPS|nexusrules.officeapps.live.com -|||HTTPS|ocos-office365-s2s.msedge.net -|||HTTPS|officeclient.microsoft.com -|||HTTPS|outlook.office365.com -|||HTTPS|client-office365-tas.msedge.net -|| |HTTPS|www.office.com -|| |HTTPS|onecollector.cloudapp.aria -|| |HTTP|v10.events.data.microsoft.com/onecollector/1.0/ -|| |HTTPS|self.events.data.microsoft.com -||The following endpoint is used to connect the Office To-Do app to its cloud service. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. -|HTTPS|to-do.microsoft.com -|OneDrive|The following endpoints are related to OneDrive. If you turn off traffic for these endpoints, anything that relies on g.live.com to get updated URL information will no longer work.|HTTP \ HTTPS|g.live.com/1rewlive5skydrive/* -|| |HTTP|msagfx.live.com -|||HTTPS -||oneclient.sfx.ms -|Settings -||The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this endpoint may stop working.||cy2.settings.data.microsoft.com.akadns.net -|||HTTPS|settings.data.microsoft.com -|||HTTPS|settings-win.data.microsoft.com -|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|browser.pipe.aria.microsoft.com -|||HTTP|config.edge.skype.com -|| |HTTP|s2s.config.skype.com -|||HTTPS|skypeecs-prod-usw-0-b.cloudapp.net -|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device will not use Cloud-based Protection.|HTTPS|wdcp.microsoft.com +|Azure |The following endpoints are related to Azure. |HTTPS|wd-prod-*fe*.cloudapp.azure.com| +|||HTTPS|ris-prod-atm.trafficmanager.net| +|||HTTPS|validation-v2.sls.trafficmanager.net| +|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible turn off traffic to this endpoint, but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.|HTTP|ctldl.windowsupdate.com| +|Cortana and Search|The following endpoint is used to get images that are used for Microsoft Store suggestions. If you turn off traffic for this endpoint, you will block images that are used for Microsoft Store suggestions. |HTTPS|store-images.*microsoft.com| +||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|HTTPS|www.bing.com/client| +|||HTTPS|www.bing.com| +|||HTTPS|www.bing.com/proactive| +|||HTTPS|www.bing.com/threshold/xls.aspx| +|||HTTP|exo-ring.msedge.net| +|||HTTP|fp.msedge.net| +|||HTTP|fp-vp.azureedge.net| +|||HTTP|odinvzc.azureedge.net| +|||HTTP|spo-ring.msedge.net| +|Device authentication| +||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device will not be authenticated.|HTTPS|login.live.com*| +||The following endpoints are used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.|HTTP|dmd.metaservices.microsoft.com| +|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.|HTTP|v10.events.data.microsoft.com| +|||HTTPS|v10.vortex-win.data.microsoft.com/collect/v1| +|||HTTP|www.microsoft.com| +||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.|HTTPS|co4.telecommand.telemetry.microsoft.com| +|||HTTP|cs11.wpc.v0cdn.net| +|||HTTPS|cs1137.wpc.gammacdn.net| +|||TLS v1.2|modern.watson.data.microsoft.com*| +|||HTTPS|watson.telemetry.microsoft.com| +|Licensing|The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.|HTTPS|*licensing.mp.microsoft.com*| +|Location|The following endpoint is used for location data. If you turn off traffic for this endpoint, apps cannot use location data.|HTTPS|inference.location.live.net| +|||HTTP|location-inference-westus.cloudapp.net| +|Maps|The following endpoint is used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps will not be updated.|HTTPS|*g.akamaiedge.net| +|||HTTP|*maps.windows.com*| +|Microsoft Account|The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. |HTTP|login.msa.akadns6.net| +|||HTTP|us.configsvc1.live.com.akadns.net| +|Microsoft Edge|This traffic is related to the Microsoft Edge browser.|HTTPS|iecvlist.microsoft.com| +|Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTPS|go.microsoft.com| +|Microsoft Store|The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|HTTPS|*.wns.windows.com| +||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTP|storecatalogrevocation.storequality.microsoft.com| +||The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com*|HTTPS|store-images.microsoft.com| +||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|TLS v1.2|*.md.mp.microsoft.com*| +|||HTTPS|*displaycatalog.mp.microsoft.com| +|||HTTP \ HTTPS|pti.store.microsoft.com| +|||HTTP|storeedgefd.dsx.mp.microsoft.com| +|| |HTTP|markets.books.microsoft.com| +|| |HTTP |share.microsoft.com| +|Network Connection Status Indicator (NCSI)| +||Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. If you turn off traffic for this endpoint, NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.|HTTP|www.msftconnecttest.com*| +Office|Online. For more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.|HTTP|*.c-msedge.net| +|||HTTPS|*.e-msedge.net| +|||HTTPS|*.s-msedge.net| +|||HTTPS|nexusrules.officeapps.live.com| +|||HTTPS|ocos-office365-s2s.msedge.net| +|||HTTPS|officeclient.microsoft.com| +|||HTTPS|outlook.office365.com| +|||HTTPS|client-office365-tas.msedge.net| +|||HTTPS|www.office.com| +|||HTTPS|onecollector.cloudapp.aria| +|||HTTP|v10.events.data.microsoft.com/onecollector/1.0/| +|||HTTPS|self.events.data.microsoft.com| +||The following endpoint is used to connect the Office To-Do app to its cloud service. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store.|HTTPS|to-do.microsoft.com +|OneDrive|The following endpoints are related to OneDrive. If you turn off traffic for these endpoints, anything that relies on g.live.com to get updated URL information will no longer work.|HTTP \ HTTPS|g.live.com/1rewlive5skydrive/*| +|||HTTP|msagfx.live.com| +|||HTTPS|oneclient.sfx.ms| +|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this endpoint may stop working.|HTTPS|cy2.settings.data.microsoft.com.akadns.net| +|||HTTPS|settings.data.microsoft.com| +|||HTTPS|settings-win.data.microsoft.com| +|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|browser.pipe.aria.microsoft.com| +|||HTTP|config.edge.skype.com| +|||HTTP|s2s.config.skype.com| +|||HTTPS|skypeecs-prod-usw-0-b.cloudapp.net| +|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device will not use Cloud-based Protection.|HTTPS|wdcp.microsoft.com| |||HTTPS|definitionupdates.microsoft.com| -|||HTTPS|go.microsoft.com -||The following endpoints are used for Windows Defender Smartscreen reporting and notifications. If you turn off traffic for these endpoints, Smartscreen notifications will not appear.|HTTPS|*smartscreen.microsoft.com +|||HTTPS|go.microsoft.com| +||The following endpoints are used for Windows Defender Smartscreen reporting and notifications. If you turn off traffic for these endpoints, Smartscreen notifications will not appear.|HTTPS|*smartscreen.microsoft.com| |||HTTPS|smartscreen-sn3p.smartscreen.microsoft.com| -|||HTTPS|unitedstates.smartscreen-prod.microsoft.com -|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see Windows Spotlight. -|TLS v1.2|*.search.msn.com -|||HTTPS|arc.msn.com -|||HTTPS|g.msn.com* -|||HTTPS|query.prod.cms.rt.microsoft.com -|||HTTPS|ris.api.iris.microsoft.com -|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.|HTTPS|*.prod.do.dsp.mp.microsoft.com -|| |HTTP|cs9.wac.phicdn.net -|| |HTTP|emdl.ws.microsoft.com -||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|HTTP|*.dl.delivery.mp.microsoft.com -|||HTTP|*.windowsupdate.com* -||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store.|HTTPS|*.delivery.mp.microsoft.com -|||HTTPS|*.update.microsoft.com +|||HTTPS|unitedstates.smartscreen-prod.microsoft.com| +|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see Windows Spotlight.|TLS v1.2|*.search.msn.com| +|||HTTPS|arc.msn.com| +|||HTTPS|g.msn.com*| +|||HTTPS|query.prod.cms.rt.microsoft.com| +|||HTTPS|ris.api.iris.microsoft.com| +|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.|HTTPS|*.prod.do.dsp.mp.microsoft.com| +|||HTTP|cs9.wac.phicdn.net| +|||HTTP|emdl.ws.microsoft.com| +||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|HTTP|*.dl.delivery.mp.microsoft.com| +|||HTTP|*.windowsupdate.com*| +||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store.|HTTPS|*.delivery.mp.microsoft.com| +|||HTTPS|*.update.microsoft.com| ||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly|HTTPS|tsfe.trafficshaping.dsp.mp.microsoft.com| + ## Other Windows 10 editions To view endpoints for other versions of Windows 10 Enterprise, see: From c393427dfa4550a6b03b458b1f144bbc9872f01a Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 3 May 2019 14:37:06 -0700 Subject: [PATCH 036/149] Update manage-windows-19H1-endpoints.md --- windows/privacy/manage-windows-19H1-endpoints.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-windows-19H1-endpoints.md b/windows/privacy/manage-windows-19H1-endpoints.md index 1bc006fe0b..fb5b96a836 100644 --- a/windows/privacy/manage-windows-19H1-endpoints.md +++ b/windows/privacy/manage-windows-19H1-endpoints.md @@ -139,7 +139,7 @@ Office|Online. For more info, see Office 365 URLs and IP address ranges. You can |||HTTPS|g.msn.com*| |||HTTPS|query.prod.cms.rt.microsoft.com| |||HTTPS|ris.api.iris.microsoft.com| -|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.|HTTPS|*.prod.do.dsp.mp.microsoft.com| +|Windows Update|The following endpoints are used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.|HTTPS|*.prod.do.dsp.mp.microsoft.com| |||HTTP|cs9.wac.phicdn.net| |||HTTP|emdl.ws.microsoft.com| ||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|HTTP|*.dl.delivery.mp.microsoft.com| From bb3e6d988c6d6798f707c70ba024e20c8683d1ac Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 3 May 2019 14:43:56 -0700 Subject: [PATCH 037/149] Update manage-windows-19H1-endpoints.md --- .../privacy/manage-windows-19H1-endpoints.md | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/windows/privacy/manage-windows-19H1-endpoints.md b/windows/privacy/manage-windows-19H1-endpoints.md index fb5b96a836..31c2253611 100644 --- a/windows/privacy/manage-windows-19H1-endpoints.md +++ b/windows/privacy/manage-windows-19H1-endpoints.md @@ -76,7 +76,7 @@ We used the following methodology to derive these network endpoints: |||HTTP|spo-ring.msedge.net| |Device authentication| ||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device will not be authenticated.|HTTPS|login.live.com*| -||The following endpoints are used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.|HTTP|dmd.metaservices.microsoft.com| +||The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.|HTTP|dmd.metaservices.microsoft.com| |Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.|HTTP|v10.events.data.microsoft.com| |||HTTPS|v10.vortex-win.data.microsoft.com/collect/v1| |||HTTP|www.microsoft.com| @@ -88,7 +88,7 @@ We used the following methodology to derive these network endpoints: |Licensing|The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.|HTTPS|*licensing.mp.microsoft.com*| |Location|The following endpoint is used for location data. If you turn off traffic for this endpoint, apps cannot use location data.|HTTPS|inference.location.live.net| |||HTTP|location-inference-westus.cloudapp.net| -|Maps|The following endpoint is used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps will not be updated.|HTTPS|*g.akamaiedge.net| +|Maps|The following endpoints are used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps will not be updated.|HTTPS|*g.akamaiedge.net| |||HTTP|*maps.windows.com*| |Microsoft Account|The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. |HTTP|login.msa.akadns6.net| |||HTTP|us.configsvc1.live.com.akadns.net| @@ -96,16 +96,16 @@ We used the following methodology to derive these network endpoints: |Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTPS|go.microsoft.com| |Microsoft Store|The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|HTTPS|*.wns.windows.com| ||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTP|storecatalogrevocation.storequality.microsoft.com| -||The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com*|HTTPS|store-images.microsoft.com| +||The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com*|HTTPS|store-images.microsoft.com| ||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|TLS v1.2|*.md.mp.microsoft.com*| |||HTTPS|*displaycatalog.mp.microsoft.com| |||HTTP \ HTTPS|pti.store.microsoft.com| |||HTTP|storeedgefd.dsx.mp.microsoft.com| -|| |HTTP|markets.books.microsoft.com| -|| |HTTP |share.microsoft.com| +|||HTTP|markets.books.microsoft.com| +|||HTTP |share.microsoft.com| |Network Connection Status Indicator (NCSI)| ||Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. If you turn off traffic for this endpoint, NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.|HTTP|www.msftconnecttest.com*| -Office|Online. For more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.|HTTP|*.c-msedge.net| +Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.|HTTP|*.c-msedge.net| |||HTTPS|*.e-msedge.net| |||HTTPS|*.s-msedge.net| |||HTTPS|nexusrules.officeapps.live.com| @@ -139,14 +139,15 @@ Office|Online. For more info, see Office 365 URLs and IP address ranges. You can |||HTTPS|g.msn.com*| |||HTTPS|query.prod.cms.rt.microsoft.com| |||HTTPS|ris.api.iris.microsoft.com| -|Windows Update|The following endpoints are used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.|HTTPS|*.prod.do.dsp.mp.microsoft.com| +|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.|HTTPS|*.prod.do.dsp.mp.microsoft.com| |||HTTP|cs9.wac.phicdn.net| |||HTTP|emdl.ws.microsoft.com| ||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|HTTP|*.dl.delivery.mp.microsoft.com| |||HTTP|*.windowsupdate.com*| ||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store.|HTTPS|*.delivery.mp.microsoft.com| |||HTTPS|*.update.microsoft.com| -||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly|HTTPS|tsfe.trafficshaping.dsp.mp.microsoft.com| +||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly.|HTTPS|tsfe.trafficshaping.dsp.mp.microsoft.com| + From ddf0bd016b7174f81cead24b4fb591778ac0ce86 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 3 May 2019 14:44:53 -0700 Subject: [PATCH 038/149] Update manage-windows-19H1-endpoints.md --- windows/privacy/manage-windows-19H1-endpoints.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-windows-19H1-endpoints.md b/windows/privacy/manage-windows-19H1-endpoints.md index 31c2253611..6b9ec17db4 100644 --- a/windows/privacy/manage-windows-19H1-endpoints.md +++ b/windows/privacy/manage-windows-19H1-endpoints.md @@ -51,7 +51,7 @@ We used the following methodology to derive these network endpoints: |Apps|The following endpoints are used to download updates to the Weather app Live Tile. If you turn off traffic to this endpoint, no Live Tiles will be updated.|HTTP|blob.weather.microsoft.com| |||HTTP|tile-service.weather.microsoft.com ||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|cdn.onenote.net/livetile/?Language=en-US -||The following endpoints are used for Twitter updates. To turn off traffic for these endpoints, either uninstall Twitter or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|*.twimg.com*| +||The following endpoint is used for Twitter updates. To turn off traffic for these endpoints, either uninstall Twitter or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|*.twimg.com*| ||The following endpoint is used for Candy Crush Saga updates. To turn off traffic for this endpoint, either uninstall Candy Crush Saga or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLS v1.2|candycrushsoda.king.com| ||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|evoke-windowsservices-tas.msedge.net| ||The following endpoint is used for by the Microsoft Wallet app. To turn off traffic for this endpoint, either uninstall the Wallet app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|wallet.microsoft.com| From 6cb4a435aaea4c3712b6abd8d236abdd228e2bc6 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 3 May 2019 14:47:18 -0700 Subject: [PATCH 039/149] Update manage-windows-19H1-endpoints.md --- windows/privacy/manage-windows-19H1-endpoints.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-windows-19H1-endpoints.md b/windows/privacy/manage-windows-19H1-endpoints.md index 6b9ec17db4..b213bc094d 100644 --- a/windows/privacy/manage-windows-19H1-endpoints.md +++ b/windows/privacy/manage-windows-19H1-endpoints.md @@ -86,7 +86,7 @@ We used the following methodology to derive these network endpoints: |||TLS v1.2|modern.watson.data.microsoft.com*| |||HTTPS|watson.telemetry.microsoft.com| |Licensing|The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.|HTTPS|*licensing.mp.microsoft.com*| -|Location|The following endpoint is used for location data. If you turn off traffic for this endpoint, apps cannot use location data.|HTTPS|inference.location.live.net| +|Location|The following endpoints are used for location data. If you turn off traffic for this endpoint, apps cannot use location data.|HTTPS|inference.location.live.net| |||HTTP|location-inference-westus.cloudapp.net| |Maps|The following endpoints are used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps will not be updated.|HTTPS|*g.akamaiedge.net| |||HTTP|*maps.windows.com*| From a2f4e5a593d9b703c7346db701bed920ad5dc240 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 3 May 2019 16:27:43 -0700 Subject: [PATCH 040/149] Update and rename manage-windows-19H1-endpoints.md to manage-windows-1903-endpoints.md --- ...19H1-endpoints.md => manage-windows-1903-endpoints.md} | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) rename windows/privacy/{manage-windows-19H1-endpoints.md => manage-windows-1903-endpoints.md} (98%) diff --git a/windows/privacy/manage-windows-19H1-endpoints.md b/windows/privacy/manage-windows-1903-endpoints.md similarity index 98% rename from windows/privacy/manage-windows-19H1-endpoints.md rename to windows/privacy/manage-windows-1903-endpoints.md index b213bc094d..6378fa5507 100644 --- a/windows/privacy/manage-windows-19H1-endpoints.md +++ b/windows/privacy/manage-windows-1903-endpoints.md @@ -1,5 +1,5 @@ --- -title: Connection endpoints for Windows 10, version 19H1 +title: Connection endpoints for Windows 10, version 1903 description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 ms.prod: w10 @@ -14,11 +14,11 @@ ms.collection: M365-security-compliance ms.topic: article ms.date: 5/3/2019 --- -# Manage connection endpoints for Windows 10, version 19H1 +# Manage connection endpoints for Windows 10, version 1903 **Applies to** -- Windows 10, version 19H1 +- Windows 10, version 1903 Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include: @@ -44,7 +44,7 @@ We used the following methodology to derive these network endpoints: > [!NOTE] > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. -## Windows 10 19H1 Enterprise connection endpoints +## Windows 10 1903 Enterprise connection endpoints |Area|Description|Protocol|Destination| |----------------|----------|----------|------------| From 16447d2b9dac76aed5074d143d5c2203c1702374 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 3 May 2019 16:29:08 -0700 Subject: [PATCH 041/149] Update manage-windows-1903-endpoints.md --- windows/privacy/manage-windows-1903-endpoints.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/privacy/manage-windows-1903-endpoints.md b/windows/privacy/manage-windows-1903-endpoints.md index 6378fa5507..c1ded7a689 100644 --- a/windows/privacy/manage-windows-1903-endpoints.md +++ b/windows/privacy/manage-windows-1903-endpoints.md @@ -154,6 +154,7 @@ Office|The following endpoints are used to connect to the Office 365 portal's sh ## Other Windows 10 editions To view endpoints for other versions of Windows 10 Enterprise, see: +- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) - [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md) - [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) From c59973a405c7fca8cc68bcf2428ce0549fe918aa Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 3 May 2019 22:09:38 -0700 Subject: [PATCH 042/149] Update manage-windows-1903-endpoints.md --- windows/privacy/manage-windows-1903-endpoints.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/windows/privacy/manage-windows-1903-endpoints.md b/windows/privacy/manage-windows-1903-endpoints.md index c1ded7a689..f73b24241a 100644 --- a/windows/privacy/manage-windows-1903-endpoints.md +++ b/windows/privacy/manage-windows-1903-endpoints.md @@ -149,8 +149,6 @@ Office|The following endpoints are used to connect to the Office 365 portal's sh ||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly.|HTTPS|tsfe.trafficshaping.dsp.mp.microsoft.com| - - ## Other Windows 10 editions To view endpoints for other versions of Windows 10 Enterprise, see: From d021bb36b9833a9a9fc59259cbf5a43ce385b958 Mon Sep 17 00:00:00 2001 From: illfated Date: Sun, 5 May 2019 22:13:12 +0200 Subject: [PATCH 043/149] Delivery Optimization settings: copy-paste error The description content of this line has inadvertently been copy-pasted from the next line and therefore contains a wrong keyword: background Correction: background -> foreground Updates issue ticket #3416 (**Cut and paste error in the article**) --- .../deployment/update/waas-delivery-optimization-reference.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md index 582639b74e..57bdd0311c 100644 --- a/windows/deployment/update/waas-delivery-optimization-reference.md +++ b/windows/deployment/update/waas-delivery-optimization-reference.md @@ -79,7 +79,7 @@ Additional options available that control the impact Delivery Optimization has o - [Max Upload Bandwidth](#max-upload-bandwidth) controls the Delivery Optimization upload bandwidth usage. - [Monthly Upload Data Cap](#monthly-upload-data-cap) controls the amount of data a client can upload to peers each month. - [Minimum Background QoS](#minimum-background-qos) lets administrators guarantee a minimum download speed for Windows updates. This is achieved by adjusting the amount of data downloaded directly from Windows Update or WSUS servers, rather than other peers in the network. -- [Maximum Foreground Download Bandwidth](#maximum-foreground-download-bandwidth) specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. +- [Maximum Foreground Download Bandwidth](#maximum-foreground-download-bandwidth) specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. - [Maximum Background Download Bandwidth](#maximum-background-download-bandwidth) specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. - [Set Business Hours to Limit Background Download Bandwidth](#set-business-hours-to-limit-background-download-bandwidth) specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. - [Set Business Hours to Limit Foreground Download Bandwidth](#set-business-hours-to-limit-foreground-download-bandwidth) specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. From 021a00f05bc8004caa3637638f9f082abec460e5 Mon Sep 17 00:00:00 2001 From: illfated Date: Sun, 5 May 2019 23:23:24 +0200 Subject: [PATCH 044/149] Reboot CSP: sentence end closing HTML tag restored Excerpt from the docs.microsoft.com page before restoring the HTML tag: > The supported operations are Execute and Get. **Schedule** Ref. closed issue ticket #3471 (**How to set null**) --- windows/client-management/mdm/reboot-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/reboot-csp.md b/windows/client-management/mdm/reboot-csp.md index 77dea602cf..f5d0d53a0f 100644 --- a/windows/client-management/mdm/reboot-csp.md +++ b/windows/client-management/mdm/reboot-csp.md @@ -30,7 +30,7 @@ The following diagram shows the Reboot configuration service provider management > [!Note]   > If this node is set to execute during a sync session, the device will reboot at the end of the sync session. -

The supported operations are Execute and Get. +

The supported operations are Execute and Get.

**Schedule**

The supported operation is Get.

From 81c924a15f51467a0816b9b0e974c0af8087fceb Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 6 May 2019 15:38:54 +0500 Subject: [PATCH 045/149] update waas-restart.md --- windows/deployment/update/waas-restart.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md index 13c1dce96d..fb98782087 100644 --- a/windows/deployment/update/waas-restart.md +++ b/windows/deployment/update/waas-restart.md @@ -42,6 +42,9 @@ When **Configure Automatic Updates** is enabled in Group Policy, you can enable - **Turn off auto-restart for updates during active hours** prevents automatic restart during active hours. - **No auto-restart with logged on users for scheduled automatic updates installations** prevents automatic restart when a user is signed in. If a user schedules the restart in the update notification, the device will restart at the time the user specifies even if a user is signed in at the time. This policy only applies when **Configure Automatic Updates** is set to option **4-Auto download and schedule the install**. +>[!NOTE] +>In case of using Remote Desktop connection, only active RDP sessions are considered as logged on users. Devices, that do not have locally logged on users or active RDP sessions, will be restarted. + You can also use Registry, to prevent automatic restarts when a user is signed in. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4** and enable **NoAutoRebootWithLoggedOnUsers**. As with Group Policy, if a user schedules the restart in the update notification, it will override this setting. For a detailed description of these registry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart). @@ -159,8 +162,9 @@ In the Group Policy editor, you will see a number of policy settings that pertai >[!NOTE] >You can only choose one path for restart behavior. -> >If you set conflicting restart policies, the actual restart behavior may not be what you expected. +>In case of using RDP, only active RDP sessions are considered as logged on users. + ## Registry keys used to manage restart The following tables list registry values that correspond to the Group Policy settings for controlling restarts after updates in Windows 10. From 4545c71e37eb683049c2c256523a5b425876fe22 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 6 May 2019 15:44:44 +0500 Subject: [PATCH 046/149] update waas-restart.md --- windows/deployment/update/waas-restart.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md index fb98782087..6d11b20ee9 100644 --- a/windows/deployment/update/waas-restart.md +++ b/windows/deployment/update/waas-restart.md @@ -43,7 +43,7 @@ When **Configure Automatic Updates** is enabled in Group Policy, you can enable - **No auto-restart with logged on users for scheduled automatic updates installations** prevents automatic restart when a user is signed in. If a user schedules the restart in the update notification, the device will restart at the time the user specifies even if a user is signed in at the time. This policy only applies when **Configure Automatic Updates** is set to option **4-Auto download and schedule the install**. >[!NOTE] ->In case of using Remote Desktop connection, only active RDP sessions are considered as logged on users. Devices, that do not have locally logged on users or active RDP sessions, will be restarted. +>In case of using Remote Desktop Protocol connections, only active RDP sessions are considered as logged on users. Devices, that do not have locally logged on users or active RDP sessions, will be restarted. You can also use Registry, to prevent automatic restarts when a user is signed in. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4** and enable **NoAutoRebootWithLoggedOnUsers**. As with Group Policy, if a user schedules the restart in the update notification, it will override this setting. From 0b8a2c84a141eee6516ae775782e75760e44de38 Mon Sep 17 00:00:00 2001 From: martyav Date: Mon, 6 May 2019 10:52:59 -0400 Subject: [PATCH 047/149] cross links within mdatp-mac pages --- ...osoft-defender-atp-mac-install-manually.md | 17 ++++++++++++++++- ...ft-defender-atp-mac-install-with-intune.md | 19 +++++++++++++++++-- ...soft-defender-atp-mac-install-with-jamf.md | 19 ++++++++++++++++--- .../microsoft-defender-atp-mac-resources.md | 13 +++++++++---- .../microsoft-defender-atp-mac.md | 12 ++++++++---- 5 files changed, 66 insertions(+), 14 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md index 4fbed04668..27b3a8f924 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md @@ -26,6 +26,13 @@ ms.topic: #conceptual >[!IMPORTANT] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +This topic describes how to install Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. +Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. + +## Prerequisites and system requirements + +Before you get started, please see [the main Microsoft Defender ATP for Mac page]((microsoft-defender-atp.md)) for a description of prerequisites and system requirements for the current software version. + ## Download installation and onboarding packages Download the installation and onboarding packages from Windows Defender Security Center: @@ -127,4 +134,12 @@ Important tasks, such as controlling product settings and triggering on-demand s |Protection |Do a quick scan |`mdatp scan --quick` | |Protection |Do a full scan |`mdatp scan --full` | |Protection |Cancel an ongoing on-demand scan |`mdatp scan --cancel` | -|Protection |Request a definition update |`mdatp --signature-update` | \ No newline at end of file +|Protection |Request a definition update |`mdatp --signature-update` | + +## Logging installation issues + +See [Logging installation issues](microsoft-defender-atp-mac-resources#Logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. + +## Uninstallation + +See [Uninstalling](microsoft-defender-atp-mac-resources#Uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md index 5cd1e22a19..8af90fded1 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md @@ -22,10 +22,17 @@ ms.topic: #conceptual **Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) - + >[!IMPORTANT] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +This topic describes how to install Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. +Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. + +## Prerequisites and system requirements + +Before you get started, please see [the main Microsoft Defender ATP for Mac page]((microsoft-defender-atp.md)) for a description of prerequisites and system requirements for the current software version. + ## Download installation and onboarding packages Download the installation and onboarding packages from Windows Defender Security Center: @@ -155,4 +162,12 @@ After Intune changes are propagated to the enrolled machines, you'll see it on t 4. wdav-config and wdav-kext are system configuration profiles that we added in Intune. 5. You should also see the Microsoft Defender icon in the top-right corner: - ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) \ No newline at end of file + ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) + +## Logging installation issues + +See [Logging installation issues](microsoft-defender-atp-mac-resources#Logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. + +## Uninstallation + +See [Uninstalling](microsoft-defender-atp-mac-resources#Uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md index 82aaf8ffe2..8837b3bcc5 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md @@ -26,9 +26,14 @@ ms.topic: #conceptual >[!IMPORTANT] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -## Prerequsites +This topic describes how to install Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. +Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. -You need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes a properly configured distribution point. JAMF has many alternative ways to complete the same task. These instructions provide you an example for most common processes. Your organization might use a different workflow. +## Prerequisites and system requirements + +Before you get started, please see [the main Microsoft Defender ATP for Mac page]((microsoft-defender-atp.md)) for a description of prerequisites and system requirements for the current software version. + +In addition, for JAMF deployment, you need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes having a properly configured distribution point. JAMF has many ways to complete the same task. These instructions provide an example for most common processes. Your organization might use a different workflow. ## Download installation and onboarding packages @@ -192,4 +197,12 @@ You can check that machines are correctly onboarded by creating a script. For ex sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | grep -E 'orgid effective : [-a-zA-Z0-9]+' ``` -This script returns 0 if Microsoft Defender ATP is registered with the Windows Defender ATP service, and another exit code if it is not installed or registered. \ No newline at end of file +This script returns 0 if Microsoft Defender ATP is registered with the Windows Defender ATP service, and another exit code if it is not installed or registered. + +## Logging installation issues + +See [Logging installation issues](microsoft-defender-atp-mac-resources#Logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. + +## Uninstallation + +See [Uninstalling](microsoft-defender-atp-mac-resources#Uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md index 4de5bdb96c..09a4dcceae 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md @@ -17,7 +17,7 @@ ms.collection: M365-security-compliance ms.topic: #conceptual --- -## Collecting diagnostic information +# Resources **Applies to:** @@ -26,6 +26,11 @@ ms.topic: #conceptual >[!IMPORTANT] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +This topic describes how to use, and details about, Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. +Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. + +## Collecting diagnostic information + If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default. 1) Increase logging level: @@ -57,7 +62,7 @@ If you can reproduce a problem, please increase the logging level, run the syste Operation succeeded ``` -### Installation issues +## Logging installation issues If an error occurs during installation, the installer will only report a general failure. @@ -65,13 +70,13 @@ The detailed log will be saved to /Library/Logs/Microsoft/wdav.install.log. If y ## Uninstalling -There are several ways to uninstall Microsoft Defender ATP for Mac. Please note that while centrally managed uninstall is available for JAMF, it is not yet available for Intune. +There are several ways to uninstall Microsoft Defender ATP for Mac. Please note that while centrally managed uninstall is available on JAMF, it is not yet available for Microsoft Intune. ### Within the GUI - Open **Finder > Applications**. Right click on **Microsoft Defender ATP > Move to Trash**. -### From the command line: +### From the command line - ```sudo rm -rf '/Applications/Microsoft Defender ATP'``` diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index 5132b03e9b..af6205c2ca 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -44,9 +44,9 @@ In general you'll need to take the following steps: - Ensure you have a Windows Defender ATP subscription and have access to the Windows Defender ATP Portal - Deploy Microsoft Defender ATP for Mac using one of the following deployment methods: - - [Microsoft Intune-based deployment](separate-page-url) - - [JAMF-based deployment](seperate-page-url) - - [Manual deployment](seperate-page-url) + - [Microsoft Intune-based deployment](microsoft-defender-atp-mac-install-with-intune) + - [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf) + - [Manual deployment](microsoft-defender-atp-mac-install-manually) ### Prerequisites @@ -80,4 +80,8 @@ To test that a connection is not blocked, open `https://x.cp.wd.microsoft.com/ap ``` We recommend to keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) ([Wiki](https://en.wikipedia.org/wiki/System_Integrity_Protection)) enabled (default setting) on client machines. -SIP is a built-in macOS security feature that prevents low-level tampering with the OS. \ No newline at end of file +SIP is a built-in macOS security feature that prevents low-level tampering with the OS. + +## Resources + +For further information on logging, uninstalling, the ATP portal, or known issues, see our [Resources](microsoft-defender-atp-mac-resources) page. \ No newline at end of file From 5dda164f30955b84fc13ffcbb76b2d072d58f6d9 Mon Sep 17 00:00:00 2001 From: cbelcher00 <32375431+cbelcher00@users.noreply.github.com> Date: Mon, 6 May 2019 12:36:24 -0500 Subject: [PATCH 048/149] Added Note to Auto-login section --- windows/configuration/kiosk-prepare.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md index 436a96f0a8..79761a6c5d 100644 --- a/windows/configuration/kiosk-prepare.md +++ b/windows/configuration/kiosk-prepare.md @@ -57,6 +57,9 @@ Logs can help you [troubleshoot issues](multi-app-kiosk-troubleshoot.md) kiosk i In addition to the settings in the table, you may want to set up **automatic logon** for your kiosk device. When your kiosk device restarts, whether from an update or power outage, you can sign in the assigned access account manually or you can configure the device to sign in to the assigned access account automatically. Make sure that Group Policy settings applied to the device do not prevent automatic sign in. +>[!NOTE] +>If you are using a Windows 10 and later device restriction CSP to set "Preferred Azure AD tenant domain", this will break the "User logon type" auto-login feature of the Kiosk profile. + >[!TIP] >If you use the [kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) or [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) to configure your kiosk, you can set an account to sign in automatically in the wizard or XML. From 42695d0f6c9c8160c0f7a2d5a0305d457a0d98a1 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 6 May 2019 23:34:21 +0500 Subject: [PATCH 049/149] update waas-restart.md --- windows/deployment/update/waas-restart.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md index 6d11b20ee9..e7e1866acc 100644 --- a/windows/deployment/update/waas-restart.md +++ b/windows/deployment/update/waas-restart.md @@ -42,8 +42,8 @@ When **Configure Automatic Updates** is enabled in Group Policy, you can enable - **Turn off auto-restart for updates during active hours** prevents automatic restart during active hours. - **No auto-restart with logged on users for scheduled automatic updates installations** prevents automatic restart when a user is signed in. If a user schedules the restart in the update notification, the device will restart at the time the user specifies even if a user is signed in at the time. This policy only applies when **Configure Automatic Updates** is set to option **4-Auto download and schedule the install**. ->[!NOTE] ->In case of using Remote Desktop Protocol connections, only active RDP sessions are considered as logged on users. Devices, that do not have locally logged on users or active RDP sessions, will be restarted. +> [!NOTE] +> When using Remote Desktop Protocol connections, only active RDP sessions are considered as logged on users. Devices, that do not have locally logged on users, or active RDP sessions, will be restarted. You can also use Registry, to prevent automatic restarts when a user is signed in. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4** and enable **NoAutoRebootWithLoggedOnUsers**. As with Group Policy, if a user schedules the restart in the update notification, it will override this setting. @@ -163,7 +163,7 @@ In the Group Policy editor, you will see a number of policy settings that pertai >[!NOTE] >You can only choose one path for restart behavior. >If you set conflicting restart policies, the actual restart behavior may not be what you expected. ->In case of using RDP, only active RDP sessions are considered as logged on users. +>When using RDP, only active RDP sessions are considered as logged on users. ## Registry keys used to manage restart From 3f848033697c90f18b6efc4065e5c5fc76126284 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 6 May 2019 23:36:43 +0500 Subject: [PATCH 050/149] update waas-restart.md --- windows/deployment/update/waas-restart.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md index e7e1866acc..ee8f3c4fde 100644 --- a/windows/deployment/update/waas-restart.md +++ b/windows/deployment/update/waas-restart.md @@ -43,7 +43,7 @@ When **Configure Automatic Updates** is enabled in Group Policy, you can enable - **No auto-restart with logged on users for scheduled automatic updates installations** prevents automatic restart when a user is signed in. If a user schedules the restart in the update notification, the device will restart at the time the user specifies even if a user is signed in at the time. This policy only applies when **Configure Automatic Updates** is set to option **4-Auto download and schedule the install**. > [!NOTE] -> When using Remote Desktop Protocol connections, only active RDP sessions are considered as logged on users. Devices, that do not have locally logged on users, or active RDP sessions, will be restarted. +> When using Remote Desktop Protocol connections, only active RDP sessions are considered as logged on users. Devices that do not have locally logged on users, or active RDP sessions, will be restarted. You can also use Registry, to prevent automatic restarts when a user is signed in. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4** and enable **NoAutoRebootWithLoggedOnUsers**. As with Group Policy, if a user schedules the restart in the update notification, it will override this setting. From c45366c82056f6caecedabec9a79feb00dbab7e2 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Mon, 6 May 2019 11:43:34 -0700 Subject: [PATCH 051/149] Added 19H1 Power policies --- .../policy-configuration-service-provider.md | 60 ++ .../client-management/mdm/policy-csp-power.md | 975 +++++++++++++++++- 2 files changed, 1029 insertions(+), 6 deletions(-) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index a27926a537..a565731cbb 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -2413,6 +2413,14 @@ The following diagram shows the Policy configuration service provider in tree fo
Power/DisplayOffTimeoutPluggedIn
+
+ Power/EnergySaverBatteryThresholdOnBattery +
+
+ Power/EnergySaverBatteryThresholdPluggedIn +
Power/HibernateTimeoutOnBattery
@@ -2425,12 +2433,52 @@ The following diagram shows the Policy configuration service provider in tree fo
Power/RequirePasswordWhenComputerWakesPluggedIn
+
+ Power/SelectLidCloseActionOnBattery +
+
+ Power/SelectLidCloseActionPluggedIn +
+
+ Power/SelectPowerButtonActionOnBattery +
+
+ Power/SelectPowerButtonActionPluggedIn +
+
+ Power/SelectSleepButtonActionOnBattery +
+
+ Power/SelectSleepButtonActionPluggedIn +
Power/StandbyTimeoutOnBattery
Power/StandbyTimeoutPluggedIn
+
+ Power/TurnOffHybridSleepOnBattery +
+
+ Power/TurnOffHybridSleepPluggedIn +
+
+ Power/UnattendedSleepTimeoutOnBattery +
+
+ Power/UnattendedSleepTimeoutPluggedIn +
### Printers policies @@ -4069,12 +4117,24 @@ The following diagram shows the Policy configuration service provider in tree fo - [Power/AllowStandbyWhenSleepingPluggedIn](./policy-csp-power.md#power-allowstandbywhensleepingpluggedin) - [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery) - [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin) +- [Power/EnergySaverBatteryThresholdOnBattery](./policy-csp-power.md#power-energysaverbatterythresholdonbattery) +- [Power/EnergySaverBatteryThresholdPluggedIn](./policy-csp-power.md#power-energysaverbatterythresholdpluggedin) - [Power/HibernateTimeoutOnBattery](./policy-csp-power.md#power-hibernatetimeoutonbattery) - [Power/HibernateTimeoutPluggedIn](./policy-csp-power.md#power-hibernatetimeoutpluggedin) - [Power/RequirePasswordWhenComputerWakesOnBattery](./policy-csp-power.md#power-requirepasswordwhencomputerwakesonbattery) - [Power/RequirePasswordWhenComputerWakesPluggedIn](./policy-csp-power.md#power-requirepasswordwhencomputerwakespluggedin) +- [Power/SelectLidCloseActionOnBattery](./policy-csp-power.md#power-selectlidcloseactiononbattery) +- [Power/SelectLidCloseActionPluggedIn](./policy-csp-power.md#power-selectlidcloseactionpluggedin) +- [Power/SelectPowerButtonActionOnBattery](./policy-csp-power.md#power-selectpowerbuttonactiononbattery) +- [Power/SelectPowerButtonActionPluggedIn](./policy-csp-power.md#power-selectpowerbuttonactionpluggedin) +- [Power/SelectSleepButtonActionOnBattery](./policy-csp-power.md#power-selectsleepbuttonactiononbattery) +- [Power/SelectSleepButtonActionPluggedIn](./policy-csp-power.md#power-selectsleepbuttonactionpluggedin) - [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#power-standbytimeoutonbattery) - [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#power-standbytimeoutpluggedin) +- [Power/TurnOffHybridSleepOnBattery](./policy-csp-power.md#power-turnoffhybridsleeponbattery) +- [Power/TurnOffHybridSleepPluggedIn](./policy-csp-power.md#power-turnoffhybridsleeppluggedin) +- [Power/UnattendedSleepTimeoutOnBattery](./policy-csp-power.md#power-unattendedsleeptimeoutonbattery) +- [Power/UnattendedSleepTimeoutPluggedIn](./policy-csp-power.md#power-unattendedsleeptimeoutpluggedin) - [Printers/PointAndPrintRestrictions](./policy-csp-printers.md#printers-pointandprintrestrictions) - [Printers/PointAndPrintRestrictions_User](./policy-csp-printers.md#printers-pointandprintrestrictions-user) - [Printers/PublishPrinters](./policy-csp-printers.md#printers-publishprinters) diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md index 51f9efc4a5..376605a87a 100644 --- a/windows/client-management/mdm/policy-csp-power.md +++ b/windows/client-management/mdm/policy-csp-power.md @@ -6,12 +6,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 04/16/2018 +ms.date: 05/03/2019 --- # Policy CSP - Power - +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
@@ -31,6 +32,12 @@ ms.date: 04/16/2018
Power/DisplayOffTimeoutPluggedIn
+
+ Power/EnergySaverBatteryThresholdOnBattery +
+
+ Power/EnergySaverBatteryThresholdPluggedIn +
Power/HibernateTimeoutOnBattery
@@ -43,12 +50,42 @@ ms.date: 04/16/2018
Power/RequirePasswordWhenComputerWakesPluggedIn
+
+ Power/SelectLidCloseActionOnBattery +
+
+ Power/SelectLidCloseActionPluggedIn +
+
+ Power/SelectPowerButtonActionOnBattery +
+
+ Power/SelectPowerButtonActionPluggedIn +
+
+ Power/SelectSleepButtonActionOnBattery +
+
+ Power/SelectSleepButtonActionPluggedIn +
Power/StandbyTimeoutOnBattery
Power/StandbyTimeoutPluggedIn
+
+ Power/TurnOffHybridSleepOnBattery +
+
+ Power/TurnOffHybridSleepPluggedIn +
+
+ Power/UnattendedSleepTimeoutOnBattery +
+
+ Power/UnattendedSleepTimeoutPluggedIn +
@@ -306,6 +343,153 @@ ADMX Info:
+ +**Power/EnergySaverBatteryThresholdOnBattery** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark6check mark6check mark6check mark6
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +Added in Windows 10, version 1903. This policy setting allows you to specify battery charge level at which Energy Saver is turned on. + +If you enable this policy setting, you must specify a percentage value that indicates the battery charge level. Energy Saver is automatically turned on at (and below) the specified battery charge level. + +If you disable or do not configure this policy setting, users control this setting. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Energy Saver Battery Threshold (on battery)* +- GP name: *EsBattThresholdDC* +- GP element: *EnterEsBattThreshold* +- GP path: *System/Power Management/Energy Saver Settings* +- GP ADMX file name: *power.admx* + + + +Supported values: 0-100. The default is 70. + + + + + + + + + +
+ + +**Power/EnergySaverBatteryThresholdPluggedIn** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark6check mark6check mark6check mark6
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Added in Windows 10, version 1903. This policy setting allows you to specify battery charge level at which Energy Saver is turned on. + +If you enable this policy setting, you must provide a percentage value that indicates the battery charge level. Energy Saver is automatically turned on at (and below) the specified battery charge level. + +If you disable or do not configure this policy setting, users control this setting. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Energy Saver Battery Threshold (plugged in)* +- GP name: *EsBattThresholdAC* +- GP element: *EnterEsBattThreshold* +- GP path: *System/Power Management/Energy Saver Settings* +- GP ADMX file name: *power.admx* + + + +Supported values: 0-100. The default is 70. + + + + + + + + + +
+ **Power/HibernateTimeoutOnBattery** @@ -558,6 +742,480 @@ ADMX Info:
+ +**Power/SelectLidCloseActionOnBattery** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark6check mark6check mark6check mark6
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Added in Windows 10, version 1903. This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC. + +If you enable this policy setting, you must select the desired action. + +If you disable this policy setting or do not configure it, users can see and change this setting. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Select the lid switch action (on battery)* +- GP name: *DCSystemLidAction_2* +- GP element: *SelectDCSystemLidAction* +- GP path: *System/Power Management/Button Settings* +- GP ADMX file name: *power.admx* + + + + +The following are the supported lid close switch actions (on battery): +- 0 - Take no action +- 1 - Sleep +- 2 - System hibernate sleep state +- 3 - System shutdown + + + + + + + + + + +
+ + +**Power/SelectLidCloseActionPluggedIn** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark6check mark6check mark6check mark6
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Added in Windows 10, version 1903. This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC. + +If you enable this policy setting, you must select the desired action. + +If you disable this policy setting or do not configure it, users can see and change this setting. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Select the lid switch action (plugged in)* +- GP name: *ACSystemLidAction_2* +- GP element: *SelectACSystemLidAction* +- GP path: *System/Power Management/Button Settings* +- GP ADMX file name: *power.admx* + + + + +The following are the supported lid close switch actions (plugged in): +- 0 - Take no action +- 1 - Sleep +- 2 - System hibernate sleep state +- 3 - System shutdown + + + + + + + + + + +
+ + +**Power/SelectPowerButtonActionOnBattery** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark6check mark6check mark6check mark6
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Added in Windows 10, version 1903. This policy setting specifies the action that Windows takes when a user presses the Power button. + +If you enable this policy setting, you must select the desired action. + +If you disable this policy setting or do not configure it, users can see and change this setting. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Select the Power button action (on battery)* +- GP name: *DCPowerButtonAction_2* +- GP element: *SelectDCPowerButtonAction* +- GP path: *System/Power Management/Button Settings* +- GP ADMX file name: *power.admx* + + + + +The following are the supported Power button actions (on battery): +- 0 - Take no action +- 1 - Sleep +- 2 - System hibernate sleep state +- 3 - System shutdown + + + + + + + + + + +
+ + +**Power/SelectPowerButtonActionPluggedIn** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark6check mark6check mark6check mark6
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Added in Windows 10, version 1903. This policy setting specifies the action that Windows takes when a user presses the Power button. + +If you enable this policy setting, you must select the desired action. + +If you disable this policy setting or do not configure it, users can see and change this setting. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Select the Power button action (plugged in)* +- GP name: *ACPowerButtonAction_2* +- GP element: *SelectACPowerButtonAction* +- GP path: *System/Power Management/Button Settings* +- GP ADMX file name: *power.admx* + + + + +The following are the supported Power button actions (plugged in): +- 0 - Take no action +- 1 - Sleep +- 2 - System hibernate sleep state +- 3 - System shutdown + + + + + + + + + + +
+ + +**Power/SelectSleepButtonActionOnBattery** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark6check mark6check mark6check mark6
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Added in Windows 10, version 1903. This policy setting specifies the action that Windows takes when a user presses the Sleep button. + +If you enable this policy setting, you must select the desired action. + +If you disable this policy setting or do not configure it, users can see and change this setting. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Select the Sleep button action (on battery)* +- GP name: *DCSleepButtonAction_2* +- GP element: *SelectDCSleepButtonAction* +- GP path: *System/Power Management/Button Settings* +- GP ADMX file name: *power.admx* + + + + +The following are the supported Sleep button actions (on battery): +- 0 - Take no action +- 1 - Sleep +- 2 - System hibernate sleep state +- 3 - System shutdown + + + + + + + + + + +
+ + +**Power/SelectSleepButtonActionPluggedIn** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark6check mark6check mark6check mark6
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Added in Windows 10, version 1903. This policy setting specifies the action that Windows takes when a user presses the Sleep button. + +If you enable this policy setting, you must select the desired action. + +If you disable this policy setting or do not configure it, users can see and change this setting. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Select the Sleep button action (plugged in)* +- GP name: *ACSleepButtonAction_2* +- GP element: *SelectACSleepButtonAction* +- GP path: *System/Power Management/Button Settings* +- GP ADMX file name: *power.admx* + + + + +The following are the supported Sleep button actions (plugged in): +- 0 - Take no action +- 1 - Sleep +- 2 - System hibernate sleep state +- 3 - System shutdown + + + + + + + + + + +
+ **Power/StandbyTimeoutOnBattery** @@ -683,14 +1341,319 @@ ADMX Info: +
-Footnote: + +**Power/TurnOffHybridSleepOnBattery** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark6check mark6check mark6check mark6
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Added in Windows 10, version 1903. This policy setting allows you to turn off hybrid sleep. + +If you set this policy setting to 0, a hiberfile is not generated when the system transitions to sleep (Stand By). + +If you set this policy setting to 1 or do not configure this policy setting, users control this setting. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off hybrid sleep (on battery)* +- GP name: *DCStandbyWithHiberfileEnable_2* +- GP path: *System/Power Management/Sleep Settings* +- GP ADMX file name: *power.admx* + + + + +The following are the supported values for Hybrid sleep (on battery): +- 0 - no hibernation file for sleep (default) +- 1 - hybrid sleep + + + + + + + + + + +
+ + +**Power/TurnOffHybridSleepPluggedIn** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark6check mark6check mark6check mark6
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Added in Windows 10, version 1903. This policy setting allows you to turn off hybrid sleep. + +If you set this policy setting to 0, a hiberfile is not generated when the system transitions to sleep (Stand By). + +If you set this policy setting to 1 or do not configure this policy setting, users control this setting. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off hybrid sleep (plugged in)* +- GP name: *ACStandbyWithHiberfileEnable_2* +- GP path: *System/Power Management/Sleep Settings* +- GP ADMX file name: *power.admx* + + + + +The following are the supported values for Hybrid sleep (plugged in): +- 0 - no hibernation file for sleep (default) +- 1 - hybrid sleep + + + + + + + + + + +
+ + +**Power/UnattendedSleepTimeoutOnBattery** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark6check mark6check mark6check mark6
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Added in Windows 10, version 1903. This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user is not present at the computer. + +If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended. If you specify 0 seconds, Windows does not automatically transition to sleep. + +If you disable or do not configure this policy setting, users control this setting. + +If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify the unattended sleep timeout (on battery)* +- GP name: *UnattendedSleepTimeOutDC* +- GP element: *EnterUnattendedSleepTimeOut* +- GP path: *System/Power Management/Sleep Settings* +- GP ADMX file name: *power.admx* + + + +Default value for unattended sleep timeout (on battery): +300 + + + + + + + + + +
+ + +**Power/UnattendedSleepTimeoutPluggedIn** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark6check mark6check mark6check mark6
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Added in Windows 10, version 1903. This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user is not present at the computer. + +If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended. If you specify 0 seconds, Windows does not automatically transition to sleep. + +If you disable or do not configure this policy setting, users control this setting. + +If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify the unattended sleep timeout (plugged in)* +- GP name: *UnattendedSleepTimeOutAC* +- GP element: *EnterUnattendedSleepTimeOut* +- GP path: *System/Power Management/Sleep Settings* +- GP ADMX file name: *power.admx* + + + +Default value for unattended sleep timeout (plugged in): +300 + + + + + + + + + + +
+ +Footnotes: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. - - - +- 5 - Added in Windows 10, version 1809. +- 6 - Added in Windows 10, version 1903. \ No newline at end of file From 2956823beaf3cb062fc8c9f285fa13c825b67d7b Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Mon, 6 May 2019 12:07:09 -0700 Subject: [PATCH 052/149] removed extra space --- windows/client-management/mdm/policy-csp-power.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md index 376605a87a..c1696a003a 100644 --- a/windows/client-management/mdm/policy-csp-power.md +++ b/windows/client-management/mdm/policy-csp-power.md @@ -67,7 +67,7 @@ ms.date: 05/03/2019
Power/SelectSleepButtonActionPluggedIn -
+
Power/StandbyTimeoutOnBattery
From 7d5154f5375c15ad8daa97fad59e6e2bd2f0f4cb Mon Sep 17 00:00:00 2001 From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Mon, 6 May 2019 22:10:39 +0200 Subject: [PATCH 053/149] Update increase-scheduling-priority.md Fixes https://github.com/MicrosoftDocs/windows-itpro-docs/issues/3156 --- .../increase-scheduling-priority.md | 18 ++---------------- 1 file changed, 2 insertions(+), 16 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md index 7cd6b91162..565e032adb 100644 --- a/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md +++ b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md @@ -38,26 +38,11 @@ Constant: SeIncreaseBasePriorityPrivilege ### Best practices -- Allow the default value, Administrators and Window Manager/Window Manager Group, as the only accounts responsible for controlling process scheduling priorities. +- Retain the default value and allow Administrators, and Window Manager/Window Manager Group, as the only accounts responsible for controlling process scheduling priorities. ### Location Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment - -### Default values - -By default this setting is Administrators on domain controllers and on stand-alone servers. - -The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - -| Server type or GPO | Default value | -| - | - | -| Default Domain Policy| Not defined| -| Default Domain Controller Policy| Not defined| -| Stand-Alone Server Default Settings | Administrators and Window Manager/Window Manager Group| -| Domain Controller Effective Default Settings | Administrators and Window Manager/Window Manager Group| -| Member Server Effective Default Settings | Administrators and Window Manager/Window Manager Group| -| Client Computer Effective Default Settings | Administrators and Window Manager/Window Manager Group|   ## Policy management @@ -97,3 +82,4 @@ None. Restricting the **Increase scheduling priority** user right to members of ## Related topics - [User Rights Assignment](user-rights-assignment.md) +- [Increase scheduling priority for Windows Server 2012 and earlier](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn221960(v%3dws.11)) From 3c65e9363bfae0eba476a72fd8f0b48d98b36fd3 Mon Sep 17 00:00:00 2001 From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Tue, 7 May 2019 00:17:21 +0200 Subject: [PATCH 054/149] Update upgrade-readiness-data-sharing.md Typo and format fixes https://github.com/MicrosoftDocs/windows-itpro-docs/issues/3523 --- .../deployment/upgrade/upgrade-readiness-data-sharing.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/upgrade/upgrade-readiness-data-sharing.md b/windows/deployment/upgrade/upgrade-readiness-data-sharing.md index 3eff878d63..b7b51ae981 100644 --- a/windows/deployment/upgrade/upgrade-readiness-data-sharing.md +++ b/windows/deployment/upgrade/upgrade-readiness-data-sharing.md @@ -29,10 +29,10 @@ In order to use the direct connection scenario, set the parameter **ClientProxy= This is the first and most simple proxy scenario. The WinHTTP stack was designed for use in services and does not support proxy autodetection, PAC scripts or authentication. In order to set the WinHTTP proxy system-wide on your computers, you need to -•Use the command netsh winhttp set proxy \:\ -•Set ClientProxy=System in runconfig.bat +- Use the command netsh winhttp set proxy \:\ +- Set ClientProxy=System in runconfig.bat -The WinHTTP scenario is most appropriate for customers who use a single proxy or f. If you have more advanced proxy requirements, refer to Scenario 3. +The WinHTTP scenario is most appropriate for customers who use a single proxy. If you have more advanced proxy requirements, refer to Scenario 3. If you want to learn more about proxy considerations on Windows, see [Understanding Web Proxy Configuration](https://blogs.msdn.microsoft.com/ieinternals/2013/10/11/understanding-web-proxy-configuration/). From 113fbb13600b75d42459155e378d5d6c8ef52730 Mon Sep 17 00:00:00 2001 From: martyav Date: Mon, 6 May 2019 18:45:02 -0400 Subject: [PATCH 055/149] added links to see also section of trusted-platform-module-overview.md --- .../tpm/trusted-platform-module-overview.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md index 3f858bbcb9..fc03050770 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md @@ -87,5 +87,12 @@ Some things that you can check on the device are: ## Related topics - [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics) -- [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/trustedplatformmodule) -- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](https://docs.microsoft.com/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies#bkmk-tpmconfigurations) +- [Details on the TPM standard](https://www.microsoft.com/en-us/research/project/the-trusted-platform-module-tpm/) (has links to features using TPM) +- [TPM Base Services Portal](https://docs.microsoft.com/en-us/windows/desktop/TBS/tpm-base-services-portal) +- [TPM Base Services API](https://docs.microsoft.com/en-us/windows/desktop/api/_tbs/) +- [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/trustedplatformmodule) +- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](https://docs.microsoft.com/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies#bkmk-tpmconfigurations) +- [Azure device provisioning: Identity attestation with TPM](https://azure.microsoft.com/en-us/blog/device-provisioning-identity-attestation-with-tpm/) +- [Azure device provisioning: A manufacturing timeline for TPM devices](https://azure.microsoft.com/en-us/blog/device-provisioning-a-manufacturing-timeline-for-tpm-devices/) +- [Windows 10: Enabling vTPM (Virtual TPM)](https://social.technet.microsoft.com/wiki/contents/articles/34431.windows-10-enabling-vtpm-virtual-tpm.aspx) +- [How to Multiboot with Bitlocker, TPM, and a Non-Windows OS](https://social.technet.microsoft.com/wiki/contents/articles/9528.how-to-multiboot-with-bitlocker-tpm-and-a-non-windows-os.aspx) \ No newline at end of file From e656ed40b56379912671eb3fdcd7e9527da41c69 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 6 May 2019 16:03:07 -0700 Subject: [PATCH 056/149] Update attack-surface-reduction-exploit-guard.md --- .../attack-surface-reduction-exploit-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 272c13081f..9e11ba030f 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -22,7 +22,7 @@ ms.date: 04/02/2019 Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, version 1709 or later, Windows Server 2016 1803 or later, or Windows Server 2019. -To use attack surface reduction rules, you need a Windows 10 Enterprise license. If you have a Windows E5 license, it gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the M365 Security Center. These advanced capabilities aren't available with an E3 license or with Windows 10 Enterprise without subsciption, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment. +To use attack surface reduction rules, you need a Windows 10 Enterprise license. If you have a Windows E5 license, it gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the Microsoft 365 Security Center. These advanced capabilities aren't available with an E3 license or with Windows 10 Enterprise without subsciption, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment. Attack surface reduction rules target behaviors that malware and malicious apps typically use to infect computers, including: From ec38b89126d53bf0b4fdbad6e044ce40bd6aab5c Mon Sep 17 00:00:00 2001 From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Tue, 7 May 2019 06:02:08 +0200 Subject: [PATCH 057/149] Update hello-hybrid-cert-trust-prereqs.md Typos --- .../hello-hybrid-cert-trust-prereqs.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index 6b4a465a9c..3dd1963a94 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md @@ -27,10 +27,10 @@ Hybrid environments are distributed systems that enable organizations to use on- The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include: * [Directories](#directories) -* [Public Key Infrastucture](#public-key-infrastructure) +* [Public Key Infrastructure](#public-key-infrastructure) * [Directory Synchronization](#directory-synchronization) * [Federation](#federation) -* [MultiFactor Authentication](#multifactor-authentication) +* [Multifactor Authentication](#multifactor-authentication) * [Device Registration](#device-registration) ## Directories ## @@ -57,7 +57,7 @@ Review these requirements and those from the Windows Hello for Business planning ## Public Key Infrastructure ## The Windows Hello for Business deployment depends on an enterprise public key infrastructure as trust anchor for authentication. Domain controllers for hybrid deployments need a certificate in order for Windows 10 devices to trust the domain controller. -Certificate trust deployments need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users. When using Group Policy, hybrid certificate trust deployment use the Windows Server 2016 Active Directory Federation Server (AS FS) as a certificate registration authority. +Certificate trust deployments need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users. When using Group Policy, hybrid certificate trust deployment uses the Windows Server 2016 Active Directory Federation Server (AS FS) as a certificate registration authority. The minimum required enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012. @@ -96,7 +96,7 @@ The AD FS farm used with Windows Hello for Business must be Windows Server 2016 ## Multifactor Authentication ## Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords. The provisioning process lets a user enroll in Windows Hello for Business using their username and password as one factor. but needs a second factor of authentication. -Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Authentication service or they can use multifactor authentication provides by Windows Server 2016 Active Directory Federation Services, which includes an adapter model that enables third parties to integrate their multifactor authentication into AD FS. +Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Authentication service, or they can use multifactor authentication provides by Windows Server 2016 Active Directory Federation Services, which includes an adapter model that enables third parties to integrate their multifactor authentication into AD FS. ### Section Review > [!div class="checklist"] @@ -119,7 +119,7 @@ Hybrid certificate trust deployments need the device write back feature. Authen
### Next Steps ### -Follow the Windows Hello for Business hybrid certificate trust deployment guide. For proof-of-concepts, labs, and new installations, choose the **New Installation Basline**. +Follow the Windows Hello for Business hybrid certificate trust deployment guide. For proof-of-concepts, labs, and new installations, choose the **New Installation Baseline**. If your environment is already federated, but does not include Azure device registration, choose **Configure Azure Device Registration**. From 6c20152a49c6d5ed62a316d5908c9f7e58a62fd7 Mon Sep 17 00:00:00 2001 From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Tue, 7 May 2019 06:35:34 +0200 Subject: [PATCH 058/149] Update hello-hybrid-cert-whfb-settings.md Typos lines 26 and 47 --- .../hello-for-business/hello-hybrid-cert-whfb-settings.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md index 3d78b7a719..f127c06ae9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md @@ -23,7 +23,7 @@ ms.date: 08/19/2018 - Certificate trust -You're environment is federated and you are ready to configure your hybrid environment for Windows Hello for business using the certificate trust model. +Your environment is federated and you are ready to configure your hybrid environment for Windows Hello for business using the certificate trust model. > [!IMPORTANT] > If your environment is not federated, review the [New Installation baseline](hello-hybrid-cert-new-install.md) section of this deployment document to learn how to federate your environment for your Windows Hello for Business deployment. @@ -44,7 +44,7 @@ For the most efficient deployment, configure these technologies in order beginni ## Follow the Windows Hello for Business hybrid certificate trust deployment guide 1. [Overview](hello-hybrid-cert-trust.md) -2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) 5. Configure Windows Hello for Business settings (*You are here*) From 7b1ac59f12a73df162c08bb0e3c6e1af1df07a8a Mon Sep 17 00:00:00 2001 From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Tue, 7 May 2019 06:42:18 +0200 Subject: [PATCH 059/149] Update hello-hybrid-cert-whfb-provision.md Typos lines 58, 62, 68, 76, 80 --- .../hello-hybrid-cert-whfb-provision.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md index e295b98d48..22b4bd30cd 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md @@ -18,7 +18,7 @@ ms.date: 08/19/2018 # Hybrid Windows Hello for Business Provisioning **Applies to** -- Windows10, version 1703 or later +- Windows 10, version 1703 or later - Hybrid deployment - Certificate trust @@ -55,17 +55,17 @@ The remainder of the provisioning includes Windows Hello for Business requesting > The following is the enrollment behavior prior to Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889). > The minimum time needed to synchronize the user's public key from Azure Active Directory to the on-premises Active Directory is 30 minutes. The Azure AD Connect scheduler controls the synchronization interval. -> **This synchronization latency delays the user's ability to authenticate and use on-premises resouces until the user's public key has synchronized to Active Directory.** Once synchronized, the user can authenticate and use on-premises resources. +> **This synchronization latency delays the user's ability to authenticate and use on-premises resources until the user's public key has synchronized to Active Directory.** Once synchronized, the user can authenticate and use on-premises resources. > Read [Azure AD Connect sync: Scheduler](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler) to view and adjust the **synchronization cycle** for your organization. > [!NOTE] -> Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889) provides synchronous certificate enrollment during hybrid certificate trust provisioning. With this update, users no longer need to wait for Azure AD Connect to sync their public key on-premises. Users enroll their certificate during provisioning and can use the certificate for sign-in immediately after completeling the provisioning. The update needs to be installed on the federation servers. +> Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889) provides synchronous certificate enrollment during hybrid certificate trust provisioning. With this update, users no longer need to wait for Azure AD Connect to sync their public key on-premises. Users enroll their certificate during provisioning and can use the certificate for sign-in immediately after completing the provisioning. The update needs to be installed on the federation servers. After a successful key registration, Windows creates a certificate request using the same key pair to request a certificate. Windows send the certificate request to the AD FS server for certificate enrollment. The AD FS registration authority verifies the key used in the certificate request matches the key that was previously registered. On a successful match, the AD FS registration authority signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. -The certificate authority validates the certificate was signed by the registration authority. On successful validation of the signature, it issues a certificate based on the request and returns the certificate to the AD FS registration authority. The registration authority returns the certificate to Windows where it then installs the certificate in the current users certificate store. Once this process completes, the Windows Hello for Business provisioning workflow informs the user they can use their PIN to sign-in through the Windows Action Center. +The certificate authority validates the certificate was signed by the registration authority. On successful validation of the signature, it issues a certificate based on the request and returns the certificate to the AD FS registration authority. The registration authority returns the certificate to Windows where it then installs the certificate in the current user’s certificate store. Once this process completes, the Windows Hello for Business provisioning workflow informs the user that they can use their PIN to sign-in through the Windows Action Center.

@@ -73,9 +73,9 @@ The certificate authority validates the certificate was signed by the registrati ## Follow the Windows Hello for Business hybrid certificate trust deployment guide 1. [Overview](hello-hybrid-cert-trust.md) -2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) 5. [Configure Windows Hello for Business policy settings](hello-hybrid-cert-whfb-settings-policy.md) -6. Sign-in and Provision(*You are here*) +6. Sign-in and Provision (*You are here*) From 34e23be6411b087eff0daafbf4471b214d7358c0 Mon Sep 17 00:00:00 2001 From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Tue, 7 May 2019 06:57:54 +0200 Subject: [PATCH 060/149] Update hello-hybrid-aadj-sso-base.md Typos lines 144, 283, 286 --- .../hello-for-business/hello-hybrid-aadj-sso-base.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index bf17a84426..84d389751b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -141,7 +141,7 @@ These procedures configure NTFS and share permissions on the web server to allow 1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server). 2. Right-click the **cdp** folder and click **Properties**. Click the **Sharing** tab. Click **Advanced Sharing**. -3. Select **Share this folder**. Type **cdp$** in **Share name:**. Click **Permissions**. +3. Select **Share this folder**. Type **cdp$** in **Share name**. Click **Permissions**. ![cdp sharing](images/aadj/cdp-sharing.png) 4. In the **Permissions for cdp$** dialog box, click **Add**. 5. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, click **Object Types**. In the **Object Types** dialog box, select **Computers**, and then click **OK**. @@ -280,10 +280,10 @@ A **Trusted Certificate** device configuration profile is how you deploy trusted 1. Sign-in to the [Microsoft Azure Portal](https://portal.azure.com) and select **Microsoft Intune**. 2. Click **Device configuration**. In the **Device Configuration** blade, click **Create profile**. ![Intune Create Profile](images/aadj/intune-create-device-config-profile.png) -3. In the **Create profle** blade, type **Enterprise Root Certificate** in **Name**. Provide a description. Select **Windows 10 and later** from the **Platform** list. Select **Trusted certificate** from the **Profile type** list. Click **Configure**. +3. In the **Create profile** blade, type **Enterprise Root Certificate** in **Name**. Provide a description. Select **Windows 10 and later** from the **Platform** list. Select **Trusted certificate** from the **Profile type** list. Click **Configure**. 4. In the **Trusted Certificate** blade, use the folder icon to browse for the location of the enterprise root certificate file you created in step 8 of [Export Enterprise Root certificate](#export-enterprise-root-certificate). Click **OK**. Click **Create**. ![Intune Trusted Certificate Profile](images/aadj/intune-create-trusted-certificate-profile.png) -5. In the **Enterprise Root Certificate** blade, click **Assignmnets**. In the **Include** tab, select **All Devices** from the **Assign to** list. Click **Save**. +5. In the **Enterprise Root Certificate** blade, click **Assignments**. In the **Include** tab, select **All Devices** from the **Assign to** list. Click **Save**. ![Intune Profile assignment](images/aadj/intune-device-config-enterprise-root-assignment.png) 6. Sign out of the Microsoft Azure Portal. From b2ed14a6a2efb673f31324bdacbb7976afca8d99 Mon Sep 17 00:00:00 2001 From: larsstaalm <50363667+larsstaalm@users.noreply.github.com> Date: Tue, 7 May 2019 12:46:50 +0200 Subject: [PATCH 061/149] Update windows-analytics-FAQ-troubleshooting.md Step 6 currently wants to remove the solution like in step 1. We need to re-add it here instead, can be phrased differently :) --- .../deployment/update/windows-analytics-FAQ-troubleshooting.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md index ea9214c57b..9942044960 100644 --- a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md +++ b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md @@ -86,7 +86,7 @@ If you have devices that appear in other solutions, but not Device Health (the D 3. Verify that the Commercial ID is present in the device's registry. For details see [https://gpsearch.azurewebsites.net/#13551](https://gpsearch.azurewebsites.net/#13551). 4. Confirm that devices have opted in to provide diagnostic data by checking in the registry that **AllowTelemetry** is set to 2 (Enhanced) or 3 (Full) in **HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection** (or **HKLM\Software\Policies\Microsoft\Windows\DataCollection**, which takes precedence if set). 5. Verify that devices can reach the endpoints specified in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). Also check settings for SSL inspection and proxy authentication; see [Configuring endpoint access with SSL inspection](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#configuring-endpoint-access-with-ssl-inspection) for more information. -6. Remove the Device Health (appears as DeviceHealthProd on some pages) from your Log Analytics workspace +6. Add the Device Health solution back to your Log Analytics workspace. 7. Wait 48 hours for activity to appear in the reports. 8. If you need additional troubleshooting, contact Microsoft Support. From 05b003cb318d528d226c8e1f77700c4dbe93ca31 Mon Sep 17 00:00:00 2001 From: Russ Rimmerman Date: Tue, 7 May 2019 08:26:33 -0500 Subject: [PATCH 062/149] Update hello-faq.md Typo --- .../identity-protection/hello-for-business/hello-faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.md b/windows/security/identity-protection/hello-for-business/hello-faq.md index 1dabe3c95d..ecdde0e294 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.md +++ b/windows/security/identity-protection/hello-for-business/hello-faq.md @@ -27,7 +27,7 @@ Windows Hello for Business is the modern, two-factor credential for Windows 10. Microsoft is committed to its vision of a world without passwords. We recognize the *convenience* provided by convenience PIN, but it stills uses a password for authentication. Microsoft recommends customers using Windows 10 and convenience PINs should move to Windows Hello for Business. New Windows 10 deployments should deploy Windows Hello for Business and not convenience PINs. Microsoft will be deprecating convenience PINs in the future and will publish the date early to ensure customers have adequate lead time to deploy Windows Hello for Business. ## Can I deploy Windows Hello for Business using System Center Configuration Manager? -Windows Hello for Business deployments using System Center Configuration Manager need to move to the hybrid deployment model that uses Active Directory Federation Services. Deployments using System Center Configuration Manager will no long be supported after November 2018. +Windows Hello for Business deployments using System Center Configuration Manager need to move to the hybrid deployment model that uses Active Directory Federation Services. Deployments using System Center Configuration Manager will no longer be supported after November 2018. ## How many users can enroll for Windows Hello for Business on a single Windows 10 computer? The maximum number of supported enrollments on a single Windows 10 computer is 10. That enables 10 users to each enroll their face and up to 10 fingerprints. While we support 10 enrollments, we will strongly encourage the use of Windows Hello security keys for the shared computer scenario when they become available. From be33f0358941dc5cc8c4c9edc3cbeb3ceaee8e3c Mon Sep 17 00:00:00 2001 From: Russ Rimmerman Date: Tue, 7 May 2019 08:28:11 -0500 Subject: [PATCH 063/149] Update hello-faq.md Typo --- .../identity-protection/hello-for-business/hello-faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.md b/windows/security/identity-protection/hello-for-business/hello-faq.md index 1dabe3c95d..d44e767bc5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.md +++ b/windows/security/identity-protection/hello-for-business/hello-faq.md @@ -15,7 +15,7 @@ ms.topic: article localizationpriority: medium ms.date: 08/19/2018 --- -# Windows Hello for Business Frequently Ask Questions +# Windows Hello for Business Frequently Asked Questions **Applies to** - Windows 10 From e350e7b5cc557ce0802338590f6edcd5f1999979 Mon Sep 17 00:00:00 2001 From: martyav Date: Tue, 7 May 2019 13:13:08 -0400 Subject: [PATCH 064/149] split & updated mdatp-mac.md into 4 new pages --- ...osoft-defender-atp-mac-install-manually.md | 145 ++++++ ...ft-defender-atp-mac-install-with-intune.md | 173 +++++++ ...soft-defender-atp-mac-install-with-jamf.md | 145 ++++++ .../microsoft-defender-atp-mac-resources.md | 136 +++++ .../microsoft-defender-atp-mac.md | 487 ++---------------- 5 files changed, 631 insertions(+), 455 deletions(-) create mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md create mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md create mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md create mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md new file mode 100644 index 0000000000..27b3a8f924 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md @@ -0,0 +1,145 @@ +--- +title: Installing Microsoft Defender ATP for Mac with JAMF +description: Describes how to install Microsoft Defender ATP for Mac, using JAMF. +keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra +search.product: eADQiWindows 10XVcnh +search.appverid: #met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: #medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: #conceptual +--- + +# Manual deployment + +**Applies to:** + +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) + +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +This topic describes how to install Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. +Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. + +## Prerequisites and system requirements + +Before you get started, please see [the main Microsoft Defender ATP for Mac page]((microsoft-defender-atp.md)) for a description of prerequisites and system requirements for the current software version. + +## Download installation and onboarding packages + +Download the installation and onboarding packages from Windows Defender Security Center: + +1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. +2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Local script**. +3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. +4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. + + ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) + +5. From a command prompt, verify that you have the two files. + Extract the contents of the .zip files: + + ```bash + mavel-macmini:Downloads test$ ls -l + total 721152 + -rw-r--r-- 1 test staff 6185 Mar 15 10:45 WindowsDefenderATPOnboardingPackage.zip + -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg + mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip + Archive: WindowsDefenderATPOnboardingPackage.zip + inflating: WindowsDefenderATPOnboarding.py + ``` + +## Application installation + +To complete this process, you must have admin privileges on the machine. + +1. Navigate to the downloaded wdav.pkg in Finder and open it. + + ![App install screenshot](images/MDATP_28_AppInstall.png) + +2. Select **Continue**, agree with the License terms, and enter the password when prompted. + + ![App install screenshot](images/MDATP_29_AppInstallLogin.png) + + > [!IMPORTANT] + > You will be prompted to allow a driver from Microsoft to be installed (either "System Exception Blocked" or "Installation is on hold" or both. The driver must be allowed to be installed. + + ![App install screenshot](images/MDATP_30_SystemExtension.png) + +3. Select **Open Security Preferences** or **Open System Preferences > Security & Privacy**. Select **Allow**: + + ![Security and privacy window screenshot](images/MDATP_31_SecurityPrivacySettings.png) + +The installation will proceed. + +> [!NOTE] +> If you don't select **Allow**, the installation will fail after 5 minutes. You can restart it again at any time. + +## Client configuration + +1. Copy wdav.pkg and WindowsDefenderATPOnboarding.py to the machine where you deploy Microsoft Defender ATP for Mac. + + The client machine is not associated with orgId. Note that the orgid is blank. + + ```bash + mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py + uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 + orgid : + ``` + +2. Install the configuration file on a client machine: + + ```bash + mavel-mojave:wdavconfig testuser$ python WindowsDefenderATPOnboarding.py + Generating /Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist ... (You may be required to enter sudos password) + ``` + +3. Verify that the machine is now associated with orgId: + + ```bash + mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py + uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 + orgid : E6875323-A6C0-4C60-87AD-114BBE7439B8 + ``` + +After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. + + ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) + +## Configuring from the command line + +Important tasks, such as controlling product settings and triggering on-demand scans, can be done from the command line: + +|Group |Scenario |Command | +|-------------|-------------------------------------------|-----------------------------------------------------------------------| +|Configuration|Turn on/off real-time protection |`mdatp config --rtp [true/false]` | +|Configuration|Turn on/off cloud protection |`mdatp config --cloud [true/false]` | +|Configuration|Turn on/off product diagnostics |`mdatp config --diagnostic [true/false]` | +|Configuration|Turn on/off automatic sample submission |`mdatp config --sample-submission [true/false]` | +|Configuration|Turn on PUA protection |`mdatp threat --type-handling --potentially_unwanted_application block`| +|Configuration|Turn off PUA protection |`mdatp threat --type-handling --potentially_unwanted_application off` | +|Configuration|Turn on audit mode for PUA protection |`mdatp threat --type-handling --potentially_unwanted_application audit`| +|Diagnostics |Change the log level |`mdatp log-level --[error/warning/info/verbose]` | +|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic` | +|Health |Check the product's health |`mdatp --health` | +|Protection |Scan a path |`mdatp scan --path [path]` | +|Protection |Do a quick scan |`mdatp scan --quick` | +|Protection |Do a full scan |`mdatp scan --full` | +|Protection |Cancel an ongoing on-demand scan |`mdatp scan --cancel` | +|Protection |Request a definition update |`mdatp --signature-update` | + +## Logging installation issues + +See [Logging installation issues](microsoft-defender-atp-mac-resources#Logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. + +## Uninstallation + +See [Uninstalling](microsoft-defender-atp-mac-resources#Uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md new file mode 100644 index 0000000000..8af90fded1 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md @@ -0,0 +1,173 @@ +--- +title: Installing Microsoft Defender ATP for Mac with Microsoft Intune +description: Describes how to install Microsoft Defender ATP for Mac, using Microsoft Intune. +keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra +search.product: eADQiWindows 10XVcnh +search.appverid: #met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: #medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: #conceptual +--- + +# Microsoft Intune-based deployment + +**Applies to:** + +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) + +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +This topic describes how to install Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. +Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. + +## Prerequisites and system requirements + +Before you get started, please see [the main Microsoft Defender ATP for Mac page]((microsoft-defender-atp.md)) for a description of prerequisites and system requirements for the current software version. + +## Download installation and onboarding packages + +Download the installation and onboarding packages from Windows Defender Security Center: + +1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. +2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. +3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. +4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. +5. Download IntuneAppUtil from [https://docs.microsoft.com/en-us/intune/lob-apps-macos](https://docs.microsoft.com/en-us/intune/lob-apps-macos). + + ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) + +6. From a command prompt, verify that you have the three files. + Extract the contents of the .zip files: + + ```bash + mavel-macmini:Downloads test$ ls -l + total 721688 + -rw-r--r-- 1 test staff 269280 Mar 15 11:25 IntuneAppUtil + -rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip + -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg + mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip + Archive: WindowsDefenderATPOnboardingPackage.zip + warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators + inflating: intune/kext.xml + inflating: intune/WindowsDefenderATPOnboarding.xml + inflating: jamf/WindowsDefenderATPOnboarding.plist + mavel-macmini:Downloads test$ + ``` + +7. Make IntuneAppUtil an executable: + + ```mavel-macmini:Downloads test$ chmod +x IntuneAppUtil``` + +8. Create the wdav.pkg.intunemac package from wdav.pkg: + + ```bash + mavel-macmini:Downloads test$ ./IntuneAppUtil -c wdav.pkg -o . -i "com.microsoft.wdav" -n "1.0.0" + Microsoft Intune Application Utility for Mac OS X + Version: 1.0.0.0 + Copyright 2018 Microsoft Corporation + + Creating intunemac file for /Users/test/Downloads/wdav.pkg + Composing the intunemac file output + Output written to ./wdav.pkg.intunemac. + + IntuneAppUtil successfully processed "wdav.pkg", + to deploy refer to the product documentation. + ``` + +## Client Machine Setup + +You need no special provisioning for a Mac machine beyond a standard [Company Portal installation](https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-macos-cp). + +1. You'll be asked to confirm device management. + +![Confirm device management screenshot](images/MDATP_3_ConfirmDeviceMgmt.png) + +Select Open System Preferences, locate Management Profile on the list and select the **Approve...** button. Your Management Profile would be displayed as **Verified**: + +![Management profile screenshot](images/MDATP_4_ManagementProfile.png) + +2. Select the **Continue** button and complete the enrollment. + +You can enroll additional machines. Optionally, you can do it later, after system configuration and application package are provisioned. + +3. In Intune, open the **Manage > Devices > All devices** blade. You'll see your machine: + +![Add Devices screenshot](images/MDATP_5_allDevices.png) + +## Create System Configuration profiles + +1. In Intune open the **Manage > Device configuration** blade. Select **Manage > Profiles > Create Profile**. +2. Choose a name for the profile. Change **Platform=macOS**, **Profile type=Custom**. Select **Configure**. +3. Open the configuration profile and upload intune/kext.xml. This file was created during the Generate settings step above. +4. Select **OK**. + + ![System configuration profiles screenshot](images/MDATP_6_SystemConfigurationProfiles.png) + +5. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**. +6. Repeat these steps with the second profile. +7. Create Profile one more time, give it a name, upload the intune/WindowsDefenderATPOnboarding.xml file. +8. Select **Manage > Assignments**. In the Include tab, select **Assign to All Users & All devices**. + +After Intune changes are propagated to the enrolled machines, you'll see it on the **Monitor > Device status** blade: + +![System configuration profiles screenshot](images/MDATP_7_DeviceStatusBlade.png) + +## Publish application + +1. In Intune, open the **Manage > Client apps** blade. Select **Apps > Add**. +2. Select **App type=Other/Line-of-business app**. +3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload. +4. Select **Configure** and add the required information. +5. Use **macOS Sierra 10.12** as the minimum OS. Other settings can be any other value. + + ![Device status blade screenshot](images/MDATP_8_IntuneAppInfo.png) + +6. Select **OK** and **Add**. + + ![Device status blade screenshot](images/MDATP_9_IntunePkgInfo.png) + +7. It will take a while to upload the package. After it's done, select the name and then go to **Assignments** and **Add group**. + + ![Client apps screenshot](images/MDATP_10_ClientApps.png) + +8. Change **Assignment type=Required**. +9. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Select **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**. + + ![Intune assignments info screenshot](images/MDATP_11_Assignments.png) + +10. After some time the application will be published to all enrolled machines. You'll see it on the **Monitor > Device** install status blade: + + ![Intune device status screenshot](images/MDATP_12_DeviceInstall.png) + +## Verify client machine state + +1. After the configuration profiles are deployed to your machines, on your Mac device, open **System Preferences > Profiles**. + + ![System Preferences screenshot](images/MDATP_13_SystemPreferences.png) + ![System Preferences Profiles screenshot](images/MDATP_14_SystemPreferencesProfiles.png) + +2. Verify the three profiles listed there: + ![Profiles screenshot](images/MDATP_15_ManagementProfileConfig.png) + +3. The **Management Profile** should be the Intune system profile. +4. wdav-config and wdav-kext are system configuration profiles that we added in Intune. +5. You should also see the Microsoft Defender icon in the top-right corner: + + ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) + +## Logging installation issues + +See [Logging installation issues](microsoft-defender-atp-mac-resources#Logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. + +## Uninstallation + +See [Uninstalling](microsoft-defender-atp-mac-resources#Uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md new file mode 100644 index 0000000000..27b3a8f924 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md @@ -0,0 +1,145 @@ +--- +title: Installing Microsoft Defender ATP for Mac with JAMF +description: Describes how to install Microsoft Defender ATP for Mac, using JAMF. +keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra +search.product: eADQiWindows 10XVcnh +search.appverid: #met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: #medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: #conceptual +--- + +# Manual deployment + +**Applies to:** + +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) + +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +This topic describes how to install Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. +Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. + +## Prerequisites and system requirements + +Before you get started, please see [the main Microsoft Defender ATP for Mac page]((microsoft-defender-atp.md)) for a description of prerequisites and system requirements for the current software version. + +## Download installation and onboarding packages + +Download the installation and onboarding packages from Windows Defender Security Center: + +1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. +2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Local script**. +3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. +4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. + + ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) + +5. From a command prompt, verify that you have the two files. + Extract the contents of the .zip files: + + ```bash + mavel-macmini:Downloads test$ ls -l + total 721152 + -rw-r--r-- 1 test staff 6185 Mar 15 10:45 WindowsDefenderATPOnboardingPackage.zip + -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg + mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip + Archive: WindowsDefenderATPOnboardingPackage.zip + inflating: WindowsDefenderATPOnboarding.py + ``` + +## Application installation + +To complete this process, you must have admin privileges on the machine. + +1. Navigate to the downloaded wdav.pkg in Finder and open it. + + ![App install screenshot](images/MDATP_28_AppInstall.png) + +2. Select **Continue**, agree with the License terms, and enter the password when prompted. + + ![App install screenshot](images/MDATP_29_AppInstallLogin.png) + + > [!IMPORTANT] + > You will be prompted to allow a driver from Microsoft to be installed (either "System Exception Blocked" or "Installation is on hold" or both. The driver must be allowed to be installed. + + ![App install screenshot](images/MDATP_30_SystemExtension.png) + +3. Select **Open Security Preferences** or **Open System Preferences > Security & Privacy**. Select **Allow**: + + ![Security and privacy window screenshot](images/MDATP_31_SecurityPrivacySettings.png) + +The installation will proceed. + +> [!NOTE] +> If you don't select **Allow**, the installation will fail after 5 minutes. You can restart it again at any time. + +## Client configuration + +1. Copy wdav.pkg and WindowsDefenderATPOnboarding.py to the machine where you deploy Microsoft Defender ATP for Mac. + + The client machine is not associated with orgId. Note that the orgid is blank. + + ```bash + mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py + uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 + orgid : + ``` + +2. Install the configuration file on a client machine: + + ```bash + mavel-mojave:wdavconfig testuser$ python WindowsDefenderATPOnboarding.py + Generating /Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist ... (You may be required to enter sudos password) + ``` + +3. Verify that the machine is now associated with orgId: + + ```bash + mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py + uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 + orgid : E6875323-A6C0-4C60-87AD-114BBE7439B8 + ``` + +After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. + + ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) + +## Configuring from the command line + +Important tasks, such as controlling product settings and triggering on-demand scans, can be done from the command line: + +|Group |Scenario |Command | +|-------------|-------------------------------------------|-----------------------------------------------------------------------| +|Configuration|Turn on/off real-time protection |`mdatp config --rtp [true/false]` | +|Configuration|Turn on/off cloud protection |`mdatp config --cloud [true/false]` | +|Configuration|Turn on/off product diagnostics |`mdatp config --diagnostic [true/false]` | +|Configuration|Turn on/off automatic sample submission |`mdatp config --sample-submission [true/false]` | +|Configuration|Turn on PUA protection |`mdatp threat --type-handling --potentially_unwanted_application block`| +|Configuration|Turn off PUA protection |`mdatp threat --type-handling --potentially_unwanted_application off` | +|Configuration|Turn on audit mode for PUA protection |`mdatp threat --type-handling --potentially_unwanted_application audit`| +|Diagnostics |Change the log level |`mdatp log-level --[error/warning/info/verbose]` | +|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic` | +|Health |Check the product's health |`mdatp --health` | +|Protection |Scan a path |`mdatp scan --path [path]` | +|Protection |Do a quick scan |`mdatp scan --quick` | +|Protection |Do a full scan |`mdatp scan --full` | +|Protection |Cancel an ongoing on-demand scan |`mdatp scan --cancel` | +|Protection |Request a definition update |`mdatp --signature-update` | + +## Logging installation issues + +See [Logging installation issues](microsoft-defender-atp-mac-resources#Logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. + +## Uninstallation + +See [Uninstalling](microsoft-defender-atp-mac-resources#Uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md new file mode 100644 index 0000000000..09a4dcceae --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md @@ -0,0 +1,136 @@ +--- +title: Microsoft Defender ATP for Mac Resources +description: Describes resources for Microsoft Defender ATP for Mac, including how to uninstall it, how to collect diagnostic logs, and known issues with the product. +keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra +search.product: eADQiWindows 10XVcnh +search.appverid: #met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: #medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: #conceptual +--- + +# Resources + +**Applies to:** + +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) + +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +This topic describes how to use, and details about, Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. +Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. + +## Collecting diagnostic information + +If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default. + +1) Increase logging level: + +```bash + mavel-mojave:~ testuser$ mdatp log-level --verbose + Creating connection to daemon + Connection established + Operation succeeded +``` + +2) Reproduce the problem + +3) Run `mdatp --diagnostic` to backup Defender ATP's logs. The command will print out location with generated zip file. + + ```bash + mavel-mojave:~ testuser$ mdatp --diagnostic + Creating connection to daemon + Connection established + "/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip" + ``` + +4) Restore logging level: + + ```bash + mavel-mojave:~ testuser$ mdatp log-level --info + Creating connection to daemon + Connection established + Operation succeeded + ``` + +## Logging installation issues + +If an error occurs during installation, the installer will only report a general failure. + +The detailed log will be saved to /Library/Logs/Microsoft/wdav.install.log. If you experience issues during installation, send us this file so we can help diagnose the cause. + +## Uninstalling + +There are several ways to uninstall Microsoft Defender ATP for Mac. Please note that while centrally managed uninstall is available on JAMF, it is not yet available for Microsoft Intune. + +### Within the GUI + +- Open **Finder > Applications**. Right click on **Microsoft Defender ATP > Move to Trash**. + +### From the command line + +- ```sudo rm -rf '/Applications/Microsoft Defender ATP'``` + +### With a script + +Create a script in **Settings > Computer Management > Scripts**. + +![Microsoft Defender uninstall screenshot](images/MDATP_26_Uninstall.png) + +For example, this script removes Microsoft Defender ATP from the /Applications directory: + +```bash + echo "Is WDAV installed?" + ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null + + echo "Uninstalling WDAV..." + rm -rf '/Applications/Microsoft Defender ATP.app' + + echo "Is WDAV still installed?" + ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null + + echo "Done!" +``` + +### With a JAMF policy + +If you are running JAMF, your policy should contain a single script: + +![Microsoft Defender uninstall script screenshot](images/MDATP_27_UninstallScript.png) + +Configure the appropriate scope in the **Scope** tab to specify the machines that will receive this policy. + +## What to expect in the ATP portal + +- AV alerts: + - Severity + - Scan type + - Device information (hostname, machine identifier, tenant identifier, app version, and OS type) + - File information (name, path, size, and hash) + - Threat information (name, type, and state) +- Device information: + - Machine identifier + - Tenant identifier + - App version + - Hostname + - OS type + - OS version + - Computer model + - Processor architecture + - Whether the device is a virtual machine + +## Known issues + +- Not fully optimized for performance or disk space yet. +- Full Windows Defender ATP integration is not available yet. +- Mac devices that switch networks may appear multiple times in the APT portal. +- Centrally managed uninstall via Intune is still in development. As an alternative, manually uninstall Microsoft Defender ATP for Mac from each client device. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index cccde77573..af6205c2ca 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -22,15 +22,40 @@ ms.topic: conceptual >[!IMPORTANT] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -This topic describes how to install and use Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. -Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. +This topic describes how to install and use Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. +Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. + +## What’s new in the public preview + +We've been working hard through the private preview period, and we've heard your concerns. We've reduced the delay for when new Mac devices appear in the ATP console after they've been deployed. We've improved threat handling, and enhanced the user experience. We've also made numerous bug fixes. Other updates to Microsoft Defender ATP for Mac include: + +- Full accessibility +- Improved performance +- Localization for 37 languages +- Improved anti-tampering protections +- Feedback and samples can now be submitted via the GUI. +- Product health can be queried with JAMF or the command line. +- Admins can set their cloud preference for any location, not just for those in the US. + +## Installing and configuring + +There are various methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac. +In general you'll need to take the following steps: + +- Ensure you have a Windows Defender ATP subscription and have access to the Windows Defender ATP Portal +- Deploy Microsoft Defender ATP for Mac using one of the following deployment methods: + - [Microsoft Intune-based deployment](microsoft-defender-atp-mac-install-with-intune) + - [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf) + - [Manual deployment](microsoft-defender-atp-mac-install-manually) + +### Prerequisites -## Prerequisites You should have beginner-level experience in macOS and BASH scripting. You must have administrative privileges on the machine. You should also have access to Windows Defender Security Center. ### System Requirements + - macOS version: 10.14 (Mojave), 10.13 (High Sierra), 10.12 (Sierra) - Disk space during preview: 1GB @@ -49,462 +74,14 @@ The following table lists the services and their associated URLs that your netwo To test that a connection is not blocked, open `https://x.cp.wd.microsoft.com/api/report` and `https://wu-cdn.x.cp.wd.microsoft.com/` in a browser, or run the following command in Terminal: -``` +```bash mavel-mojave:~ testuser$ curl 'https://x.cp.wd.microsoft.com/api/report' OK ``` -We recommend to keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) ([Wiki](https://en.wikipedia.org/wiki/System_Integrity_Protection)) enabled (default setting) on client machines. +We recommend to keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) ([Wiki](https://en.wikipedia.org/wiki/System_Integrity_Protection)) enabled (default setting) on client machines. SIP is a built-in macOS security feature that prevents low-level tampering with the OS. -## Installation and configuration overview -There are various methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac. -In general you'll need to take the following steps: - - Ensure you have a Windows Defender ATP subscription and have access to the Windows Defender ATP Portal - - Deploy Microsoft Defender ATP for Mac using one of the following deployment methods: - * [Microsoft Intune based deployment](#microsoft-intune-based-deployment) - * [JAMF based deployment](#jamf-based-deployment) - * [Manual deployment](#manual-deployment) +## Resources -## Microsoft Intune based deployment - -### Download installation and onboarding packages -Download the installation and onboarding packages from Windows Defender Security Center: -1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. -2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. -3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. -4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. -5. Download IntuneAppUtil from https://docs.microsoft.com/en-us/intune/lob-apps-macos. - - ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) - -6. From a command prompt, verify that you have the three files. - Extract the contents of the .zip files: - - ``` - mavel-macmini:Downloads test$ ls -l - total 721688 - -rw-r--r-- 1 test staff 269280 Mar 15 11:25 IntuneAppUtil - -rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip - -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg - mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip - Archive: WindowsDefenderATPOnboardingPackage.zip - warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators - inflating: intune/kext.xml - inflating: intune/WindowsDefenderATPOnboarding.xml - inflating: jamf/WindowsDefenderATPOnboarding.plist - mavel-macmini:Downloads test$ - ``` -7. Make IntuneAppUtil an executable: - - ```mavel-macmini:Downloads test$ chmod +x IntuneAppUtil``` - -8. Create the wdav.pkg.intunemac package from wdav.pkg: - - ``` - mavel-macmini:Downloads test$ ./IntuneAppUtil -c wdav.pkg -o . -i "com.microsoft.wdav" -n "1.0.0" - Microsoft Intune Application Utility for Mac OS X - Version: 1.0.0.0 - Copyright 2018 Microsoft Corporation - - Creating intunemac file for /Users/test/Downloads/wdav.pkg - Composing the intunemac file output - Output written to ./wdav.pkg.intunemac. - - IntuneAppUtil successfully processed "wdav.pkg", - to deploy refer to the product documentation. - ``` - -### Client Machine Setup -You need no special provisioning for a Mac machine beyond a standard [Company Portal installation](https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-macos-cp). - -1. You'll be asked to confirm device management. - -![Confirm device management screenshot](images/MDATP_3_ConfirmDeviceMgmt.png) - -Select Open System Preferences, locate Management Profile on the list and select the **Approve...** button. Your Management Profile would be displayed as **Verified**: - -![Management profile screenshot](images/MDATP_4_ManagementProfile.png) - -2. Select the **Continue** button and complete the enrollment. - -You can enroll additional machines. Optionally, you can do it later, after system configuration and application package are provisioned. - -3. In Intune, open the **Manage > Devices > All devices** blade. You'll see your machine: - -![Add Devices screenshot](images/MDATP_5_allDevices.png) - -### Create System Configuration profiles -1. In Intune open the **Manage > Device configuration** blade. Select **Manage > Profiles > Create Profile**. -2. Choose a name for the profile. Change **Platform=macOS**, **Profile type=Custom**. Select **Configure**. -3. Open the configuration profile and upload intune/kext.xml. This file was created during the Generate settings step above. -4. Select **OK**. - - ![System configuration profiles screenshot](images/MDATP_6_SystemConfigurationProfiles.png) - -5. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**. -7. Repeat these steps with the second profile. -8. Create Profile one more time, give it a name, upload the intune/WindowsDefenderATPOnboarding.xml file. -9. Select **Manage > Assignments**. In the Include tab, select **Assign to All Users & All devices**. - -After Intune changes are propagated to the enrolled machines, you'll see it on the **Monitor > Device status** blade: - -![System configuration profiles screenshot](images/MDATP_7_DeviceStatusBlade.png) - -### Publish application - -1. In Intune, open the **Manage > Client apps** blade. Select **Apps > Add**. -2. Select **App type=Other/Line-of-business app**. -3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload. -4. Select **Configure** and add the required information. -5. Use **macOS Sierra 10.12** as the minimum OS. Other settings can be any other value. - - ![Device status blade screenshot](images/MDATP_8_IntuneAppInfo.png) - -6. Select **OK** and **Add**. - - ![Device status blade screenshot](images/MDATP_9_IntunePkgInfo.png) - -7. It will take a while to upload the package. After it's done, select the name and then go to **Assignments** and **Add group**. - - ![Client apps screenshot](images/MDATP_10_ClientApps.png) - -8. Change **Assignment type=Required**. -9. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Select **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**. - - ![Intune assignments info screenshot](images/MDATP_11_Assignments.png) - -10. After some time the application will be published to all enrolled machines. You'll see it on the **Monitor > Device** install status blade: - - ![Intune device status screenshot](images/MDATP_12_DeviceInstall.png) - -### Verify client machine state -1. After the configuration profiles are deployed to your machines, on your Mac device, open **System Preferences > Profiles**. - - ![System Preferences screenshot](images/MDATP_13_SystemPreferences.png) - ![System Preferences Profiles screenshot](images/MDATP_14_SystemPreferencesProfiles.png) - -2. Verify the three profiles listed there: - ![Profiles screenshot](images/MDATP_15_ManagementProfileConfig.png) - -3. The **Management Profile** should be the Intune system profile. -4. wdav-config and wdav-kext are system configuration profiles that we added in Intune. -5. You should also see the Microsoft Defender icon in the top-right corner: - - ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) - -## JAMF based deployment -### Prerequsites -You need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes a properly configured distribution point. JAMF has many alternative ways to complete the same task. These instructions provide you an example for most common processes. Your organization might use a different workflow. - - -### Download installation and onboarding packages -Download the installation and onboarding packages from Windows Defender Security Center: -1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. -2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. -3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. -4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. - - ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) - -5. From a command prompt, verify that you have the two files. - Extract the contents of the .zip files: - - ``` - mavel-macmini:Downloads test$ ls -l - total 721160 - -rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip - -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg - mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip - Archive: WindowsDefenderATPOnboardingPackage.zip - warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators - inflating: intune/kext.xml - inflating: intune/WindowsDefenderATPOnboarding.xml - inflating: jamf/WindowsDefenderATPOnboarding.plist - mavel-macmini:Downloads test$ - ``` - -### Create JAMF Policies -You need to create a configuration profile and a policy to start deploying Microsoft Defender ATP for Mac to client machines. - -#### Configuration Profile -The configuration profile contains one custom settings payload that includes: - -- Microsoft Defender ATP for Mac onboarding information -- Approved Kernel Extensions payload to enable the Microsoft kernel driver to run - - -1. Upload jamf/WindowsDefenderATPOnboarding.plist as the Property List File. - - >[!NOTE] - > You must use exactly "com.microsoft.wdav.atp" as the Preference Domain. - - ![Configuration profile screenshot](images/MDATP_16_PreferenceDomain.png) - -#### Approved Kernel Extension - -To approve the kernel extension: -1. In **Computers > Configuration Profiles** select **Options > Approved Kernel Extensions**. -2. Use **UBF8T346G9** for Team Id. - -![Approved kernel extensions screenshot](images/MDATP_17_approvedKernelExtensions.png) - -#### Configuration Profile's Scope -Configure the appropriate scope to specify the machines that will receive this configuration profile. - -Open Computers -> Configuration Profiles, select **Scope > Targets**. Select the appropriate Target computers. - -![Configuration profile scope screenshot](images/MDATP_18_ConfigurationProfilesScope.png) - -Save the **Configuration Profile**. - -Use the **Logs** tab to monitor deployment status for each enrolled machine. - -#### Package -1. Create a package in **Settings > Computer Management > Packages**. - - ![Computer management packages screenshot](images/MDATP_19_MicrosoftDefenderWDAVPKG.png) - -2. Upload wdav.pkg to the Distribution Point. -3. In the **filename** field, enter the name of the package. For example, wdav.pkg. - -#### Policy -Your policy should contain a single package for Microsoft Defender. - -![Microsoft Defender packages screenshot](images/MDATP_20_MicrosoftDefenderPackages.png) - -Configure the appropriate scope to specify the computers that will receive this policy. - -After you save the Configuration Profile, you can use the Logs tab to monitor the deployment status for each enrolled machine. - -### Client machine setup -You need no special provisioning for a macOS computer beyond the standard JAMF Enrollment. - -> [!NOTE] -> After a computer is enrolled, it will show up in the Computers inventory (All Computers). - -1. Open the machine details, from **General** tab, and make sure that **User Approved MDM** is set to **Yes**. If it's set to No, the user needs to open **System Preferences > Profiles** and select **Approve** on the MDM Profile. - -![MDM approve button screenshot](images/MDATP_21_MDMProfile1.png) -![MDM screenshot](images/MDATP_22_MDMProfileApproved.png) - -After some time, the machine's User Approved MDM status will change to Yes. - -![MDM status screenshot](images/MDATP_23_MDMStatus.png) - -You can enroll additional machines now. Optionally, can do it after system configuration and application packages are provisioned. - -### Deployment -Enrolled client machines periodically poll the JAMF Server and install new configuration profiles and policies as soon as they are detected. - -#### Status on server -You can monitor the deployment status in the Logs tab: - - **Pending** means that the deployment is scheduled but has not yet happened - - **Completed** means that the deployment succeeded and is no longer scheduled - -![Status on server screenshot](images/MDATP_24_StatusOnServer.png) - - -#### Status on client machine -After the Configuration Profile is deployed, you'll see the profile on the machine in the **System Preferences > Profiles >** Name of Configuration Profile. - -![Status on client screenshot](images/MDATP_25_StatusOnClient.png) - -After the policy is applied, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. - -![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) - -You can monitor policy installation on a machine by following the JAMF's log file: - -``` -mavel-mojave:~ testuser$ tail -f /var/log/jamf.log -Thu Feb 21 11:11:41 mavel-mojave jamf[7960]: No patch policies were found. -Thu Feb 21 11:16:41 mavel-mojave jamf[8051]: Checking for policies triggered by "recurring check-in" for user "testuser"... -Thu Feb 21 11:16:43 mavel-mojave jamf[8051]: Executing Policy WDAV -Thu Feb 21 11:17:02 mavel-mojave jamf[8051]: Installing Microsoft Defender... -Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Successfully installed Microsoft Defender. -Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Checking for patches... -Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: No patch policies were found. -``` - -You can also check the onboarding status: -``` -mavel-mojave:~ testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py -uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 -orgid : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 -orgid managed : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 -orgid effective : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 -``` - -- **orgid/orgid managed**: This is the Microsoft Defender ATP org id specified in the configuration profile. If this value is blank, then the Configuration Profile was not properly set. - -- **orgid effective**: This is the Microsoft Defender ATP org id currently in use. If it does not match the value in the Configuration Profile, then the configuration has not been refreshed. - -### Uninstalling Microsoft Defender ATP for Mac -#### Uninstalling with a script - -Create a script in **Settings > Computer Management > Scripts**. - -![Microsoft Defender uninstall screenshot](images/MDATP_26_Uninstall.png) - -For example, this script removes Microsoft Defender ATP from the /Applications directory: - -``` -echo "Is WDAV installed?" -ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null - -echo "Uninstalling WDAV..." -rm -rf '/Applications/Microsoft Defender ATP.app' - -echo "Is WDAV still installed?" -ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null - -echo "Done!" -``` - -#### Uninstalling with a policy -Your policy should contain a single script: - -![Microsoft Defender uninstall script screenshot](images/MDATP_27_UninstallScript.png) - -Configure the appropriate scope in the **Scope** tab to specify the machines that will receive this policy. - -### Check onboarding status - -You can check that machines are correctly onboarded by creating a script. For example, the following script checks that enrolled machines are onboarded: - -``` -sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | grep -E 'orgid effective : [-a-zA-Z0-9]+' -``` - -This script returns 0 if Microsoft Defender ATP is registered with the Windows Defender ATP service, and another exit code if it is not installed or registered. - -## Manual deployment - -### Download installation and onboarding packages -Download the installation and onboarding packages from Windows Defender Security Center: -1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. -2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Local script**. -3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. -4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. - - ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) - -5. From a command prompt, verify that you have the two files. - Extract the contents of the .zip files: - - ``` - mavel-macmini:Downloads test$ ls -l - total 721152 - -rw-r--r-- 1 test staff 6185 Mar 15 10:45 WindowsDefenderATPOnboardingPackage.zip - -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg - mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip - Archive: WindowsDefenderATPOnboardingPackage.zip - inflating: WindowsDefenderATPOnboarding.py - ``` - -### Application installation -To complete this process, you must have admin privileges on the machine. - -1. Navigate to the downloaded wdav.pkg in Finder and open it. - - ![App install screenshot](images/MDATP_28_AppInstall.png) - -2. Select **Continue**, agree with the License terms, and enter the password when prompted. - - ![App install screenshot](images/MDATP_29_AppInstallLogin.png) - - > [!IMPORTANT] - > You will be prompted to allow a driver from Microsoft to be installed (either "System Exception Blocked" or "Installation is on hold" or both. The driver must be allowed to be installed. - - ![App install screenshot](images/MDATP_30_SystemExtension.png) - -3. Select **Open Security Preferences** or **Open System Preferences > Security & Privacy**. Select **Allow**: - - ![Security and privacy window screenshot](images/MDATP_31_SecurityPrivacySettings.png) - - -The installation will proceed. - -> [!NOTE] -> If you don't select **Allow**, the installation will fail after 5 minutes. You can restart it again at any time. - -### Client configuration -1. Copy wdav.pkg and WindowsDefenderATPOnboarding.py to the machine where you deploy Microsoft Defender ATP for Mac. - - The client machine is not associated with orgId. Note that the orgid is blank. - - ``` - mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py - uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 - orgid : - ``` -2. Install the configuration file on a client machine: - - ``` - mavel-mojave:wdavconfig testuser$ python WindowsDefenderATPOnboarding.py - Generating /Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist ... (You may be required to enter sudos password) - ``` - -3. Verify that the machine is now associated with orgId: - - ``` - mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py - uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 - orgid : E6875323-A6C0-4C60-87AD-114BBE7439B8 - ``` -After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. - - ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) - -## Uninstallation -### Removing Microsoft Defender ATP from Mac devices -To remove Microsoft Defender ATP from your macOS devices: - -- Open **Finder > Applications**. Right click on **Microsoft Defender ATP > Move to Trash**. - -Or, from a command line: - -- ```sudo rm -rf '/Applications/Microsoft Defender ATP'``` - -## Known issues -- Microsoft Defender ATP is not yet optimized for performance or disk space. -- Centrally managed uninstall using Intune is still in development. To uninstall (as a workaround) a manual uninstall action has to be completed on each client device). -- Geo preference for telemetry traffic is not yet supported. Cloud traffic (definition updates) routed to US only. -- Full Windows Defender ATP integration is not yet available -- Not localized yet -- There might be accessibility issues - -## Collecting diagnostic information -If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default. - -1) Increase logging level: -``` - mavel-mojave:~ testuser$ mdatp log-level --verbose - Creating connection to daemon - Connection established - Operation succeeded -``` - -2) Reproduce the problem - -3) Run `mdatp --diagnostic` to backup Defender ATP's logs. The command will print out location with generated zip file. - - ``` - mavel-mojave:~ testuser$ mdatp --diagnostic - Creating connection to daemon - Connection established - "/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip" - ``` - -4) Restore logging level: -``` - mavel-mojave:~ testuser$ mdatp log-level --info - Creating connection to daemon - Connection established - Operation succeeded -``` - - -### Installation issues -If an error occurs during installation, the installer will only report a general failure. The detailed log is saved to /Library/Logs/Microsoft/wdav.install.log. If you experience issues during installation, send us this file so we can help diagnose the cause. +For further information on logging, uninstalling, the ATP portal, or known issues, see our [Resources](microsoft-defender-atp-mac-resources) page. \ No newline at end of file From a4025fa754257dd9793a122d3f19697b39a7ea35 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 7 May 2019 10:28:24 -0700 Subject: [PATCH 065/149] Update create-wip-policy-using-intune-azure.md --- .../create-wip-policy-using-intune-azure.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index 2a82682a3c..4932416954 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -39,7 +39,7 @@ You can create an app protection policy in Intune either with device enrollment ## Prerequisites -Before you can create a WIP policy using Intune, you need to configure an MDM or MAM provider in Azure Active Directory (Azure AD). MAM requires an [Azure Active Direcory (Azure AD) Premium license](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses). An Azure AD Premium license is also required for WIP auto-recovery, where a device can re-enroll and re-gain access to protected data. WIP auto-recovery depends on Azure AD registration to back up the encryption keys, which requires device auto-enrollment with MDM. +Before you can create a WIP policy using Intune, you need to configure an MDM or MAM provider in Azure Active Directory (Azure AD). MAM requires an [Azure Active Direcory (Azure AD) Premium license](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses). An Azure AD Premium license is also required for WIP auto-recovery, where a device can re-enroll and re-gain access to protected data. WIP auto-recovery relies on Azure AD registration to back up the encryption keys, which requires device auto-enrollment with MDM. ## Configure the MDM or MAM provider From 73d487b39303c6ead5a2e35423f581d895d543f4 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 7 May 2019 11:22:51 -0700 Subject: [PATCH 066/149] Update create-wip-policy-using-intune-azure.md --- .../create-wip-policy-using-intune-azure.md | 23 +++++-------------- 1 file changed, 6 insertions(+), 17 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index 2a82682a3c..6bd2b66834 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -11,7 +11,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/29/2019 +ms.date: 05/07/2019 --- # Create a Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune @@ -586,13 +586,13 @@ After you've decided where your protected apps can access enterprise data on you - **On.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but protected apps, the icon overlay also appears on the app tile and with Managed text on the app name in the **Start** menu. - - **Off, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but protected apps. Not configured is the default option. + - **Off, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but protected apps. Not configured is the default option. - - **Use Azure RMS for WIP.** Determines whether to use Azure Rights Management encryption with Windows Information Protection. + - **Use Azure RMS for WIP.** Determines whether WIP encrypts [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management) Files that are copied from Windows 10 to USB or other removable drives so they can be securely shared amongst employees. You must already have Azure Rights Management set up. The RMS template is only applied to the files on removable media, and is only used for access control—it doesn’t actually apply Azure Information Protection to the files. - - **On.** Starts using Azure Rights Management encryption with WIP. By turning this option on, you can also add a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. For more info about setting up Azure Rights management and using a template ID with WIP, see the [Choose to set up Azure Rights Management with WIP](#choose-to-set-up-azure-rights-management-with-wip) section of this topic. + - **On.** Starts protecting Azure Rights Management files that are copied to a removable drive. You can also add a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. Curly braces -- {} -- are required around the RMS Template ID. The EFS file uses the key from the RMS template’s license to protect the EFS file encryption key. Only users with access to that template will be able to read it off of the USB. If you don’t specify a template, it’s a regular EFS file using a default RMS template that everyone in the tenant will have access to. - - **Off, or not configured.** Stops using Azure Rights Management encryption with WIP. + - **Off, or not configured.** Stops WIP from encrypting Azure Rights Management files that are copied to a removable drive. - **Allow Windows Search Indexer to search encrypted files.** Determines whether to allow the Windows Search Indexer to index items that are encrypted, such as WIP protected files. @@ -600,18 +600,7 @@ After you've decided where your protected apps can access enterprise data on you - **Off, or not configured.** Stops Windows Search Indexer from indexing encrypted files. -## Choose to set up Azure Rights Management with WIP -WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files by using removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up. - -To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Intune. This setting tells WIP to encrypt files copied to removable drives with Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703. - -Optionally, if you don’t want everyone in your organization to be able to share your enterprise data, you can set the **RMSTemplateIDForEDP** MDM setting to the **TemplateID** of the Azure Rights Management template used to encrypt the data. You must make sure to mark the template with the **EditRightsData** option. This template will be applied to the protected data that is copied to a removable drive. - ->[!IMPORTANT] ->Curly braces -- {} -- are required around the RMS Template ID. - ->[!NOTE] ->For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates) topic. +For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates). WIP can also integrate with AZure RMS by using the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings in the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp). ## Related topics From b9be7905f38301508a50fd86b724ef14308ac73d Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 7 May 2019 12:02:56 -0700 Subject: [PATCH 067/149] --- .../create-wip-policy-using-intune-azure.md | 8 +++++++- .../images/wip-encrypted-file-extensions.png | Bin 0 -> 10846 bytes 2 files changed, 7 insertions(+), 1 deletion(-) create mode 100644 windows/security/information-protection/windows-information-protection/images/wip-encrypted-file-extensions.png diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index 6bd2b66834..9701e21082 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -403,7 +403,7 @@ Starting with Windows 10, version 1703, Intune automatically determines your cor ![Add protected domains](images/add-protected-domains.png) ## Choose where apps can access enterprise data -After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. Every WIP policy should include policy that defines your enterprise network locations. +After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. Every WIP policy should include your enterprise network locations. There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT). @@ -602,6 +602,12 @@ After you've decided where your protected apps can access enterprise data on you For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates). WIP can also integrate with AZure RMS by using the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings in the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp). +## Encrypted file extensions + +You can restrict which files are protected by WIP when they are downloaded from an SMB share within your enterprise network locations. When this policy is not specified, the existing auto-encryption behavior is applied. When this policy is configured, only files with the extensions in the list will be encrypted. + +![WIP encrypted file extensions](images/wip-encrypted-file-extensions.png) + ## Related topics - [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md) diff --git a/windows/security/information-protection/windows-information-protection/images/wip-encrypted-file-extensions.png b/windows/security/information-protection/windows-information-protection/images/wip-encrypted-file-extensions.png new file mode 100644 index 0000000000000000000000000000000000000000..1a0ec5397d87e4b1f8af36ddd7fa49b20a528a64 GIT binary patch literal 10846 zcmc(FXH*ky+iegLMZtm;saB9K0@4Wz2uO*P(3>JgLhn5w76hbs2t_)f2STrp6p@|~ zsubw~A+*o~XLz3Towd$;&iVDO_d7qh$;_IW`?|}u_rCT_@Jmf)S{fD_5C}x8s-mb3 z0#RNEfhcZVJa=}6uD=TSN8zHa{0vmm$3_4S&cmK+JOzQuBQ77mq5_UDIjR`CfIv4~ z&;BT;-g0_^Ks?*3icfVt&DJJOW7zS2#LY%?c|lj7brY8;8~xtP5>41ip6LSKPF3V+ zxkz}-42>YK0x}@XHX3Us?^^{+O0iPKEyDWRkJH zN?J98X?PGDcYB5rEPh}y46GP`iWr@=DLx@mhe;&}nyvtWWq_B|z0ZR{@_f!*AW(qJ z|D$afTvSg@5V{E#Py1s=PV44%_4h>cpDs+K9*u--DcDR3HB5R5pPzO`ABEksY7tYe zSL6PGaHPA3;@vloaBtS9I_;HC^-BW+`+lO=PmUG_X`UcOTtQHeM@o9?THPd9~H2 z-?iDf=F0x==6dy%Q1|JE{n9Q@=^*K9$c(bTaV$}Cg6z!T`+ajA1Kj{OP1K5=Fa0>9 z{A{BUR_}kLd23^mUdqSnAU(p>UJe?Yep+@Bu`jOVHC?;TR5(LSA8_O8uG6l6wsHB6 zr~k#KQPmAYq?=4bhSmdC zk9J}l#rDz!c9#Q)MMUmupoc#er7r~7@|9J(w`l~Korfw6lrCYP(k;YSk zrhGC98N#h!Y=vAMgbXdQmx)Y3`WRqc6w}7j5ceQ8e~U7Nv(80?lOK5S%1i(!-7v(A zmql!1XPx^umUvZv`%@KSi@buhnd;t+A?mfV@K}QlFD0A|w;pzh+}YnHk>@9%W$WjB zzTaLv~|9dV;% zF%+1&pJYzhq_D9D-LPziUy^%CMZDbVae}_$nJKVe%ey~i&e-Y! zZG}`*fsLuA=>v%+f$7$lhZ#+#SOfh{s7f2gZXCa1Xy877I!}5m-``GQy)g&fU=IqJ zIYP}ajR(5PnKlWW2fw6h9%3xwTi6n~v;U2EA3P1egs9;q(zSLw#8U7Uwp+DJNSF%m z#sodVLR{x*rcBOugFMTx!t`Y$iQBZ{WW^D!)+B_sX@(J4tDX`&V@6i=ag}FbI|>fh zYqeZHTXK~TtK{suoe!j#%p&Euqdj`N-UW>vdfCg=J49|NZkpi(C;3xEW<~J~Es5S# z=j`mt9U47{zt1-1%?y(0!`P{p`6d7E@19mG%MoB$WwAcKY(ktaD>}b zuA8VU@`ARqu5j0NOIrZ99=B2yliL>hn;-K@;=;JyYODb4v}lM8ddSMd_x+Y#-w+x5 z$|@thad$b&<+Smr<)Dy5qVT!?9{JCA4P9{cwn5e5d|`7aeq`#XMh|LKSBv^tet2NY zZCq&Hu1abE;Kiu)ol=wysT8q@y2o0KI(<{fYg_4kGRuuw zaf>L&LJ?}IQqK*aTRd*VyKaup=+?ti zT0$+0_3#_NOrQ$}c$qOH{3BaE(lY$C%RTY`(yv(IPled9d?(MW-Xtj@^HI{c5_=^V z6O{C8M1GA4?=zNBt$?6;!tOU(uXsej(O zW_8cXN&@KocTS zN5Us^^aGuz`-k-a^81laT&x;<8&9kECu+>en@Q-j<%)O1BrkX&?BvLwy!d(>zVpo*+D|C*Wj0rczH_JBh0}Z~ z<2~Me*_9S2#>(Q}k$!2(EEpB*7-x+ow$r0<9XKaxZ1fjBK}Z$>N=R^y=r{Ax_4F(jrhW$xTJR<#uwP!PxtR4ujR0z|9>U6C}aylmG-B@iMFZK%q1cer!%?lRm~_Q|dJ z0x#*4!RJ_++<06z=WoJ6)!Uq6VYw%qsB^B7@LR{h5@^zWzNxT7t)~LTokh?g=KgPO zkJj4N{NCR;RZ1v@Y|)xn_n9Bhcj^0!OHae<7MHhJ+s$*ADkL+WS1U};`-!_IK?u%LbQt+}lS`5U~w z#ww4l4(8)l3}lG{SPnEf;`YcWXQZ5Vf9U37nFOH+)^-w;uoiZP)NGas&E2Hd5FHd zxQRNn7`iBbOk4~hikRwLS^6Dz55~&}x`FUf*qby6_foA>ah2A^SL1<+rwQG&9$Yhr zGWbgG70c@RCEy!nOxxj`vy7amy>+w;*Yu1M71Yn7X}X@jG2E^tk83KSo6vzn>qlJr z$N~+6jUKku6oJ@{eGe(+u9r@DM?+s4&AFG3%Dk2Ryr2~DBr#V{uoE?cMYyfazG^!M zN=ZU?rT3bWS`4RP=d|m}bE@TG%yrcDsCo;N`xw?YrAj<71`H=AZ;xmM{p1PK5-^L! z<+u9`t$~}C=4I<_g^S!H|A~aqge|KC;MWFBppTLhu9NqMqjCuoeK`RHgZhiS02 z)LpWr>mwtSf*Z6_)ZW}%_PWFH!dqy zxWSdtG5u64JaZz=-`8UYW-Qq0lNaB?`X*h8$D!Hl$kn&OKMy)-A4gI7mO*$5xpBZM z z_Q*}MQJB`xJ>9iuuXtDKijT_284BDn68y!7pVtIdJBgC`+1@>8I}=rfG2I1WGt(69 z00gj;wn>@XC$+b7Jy2gb9h9c`$6?cZ;}}5i*Nf_^ z4^EP?z1nMiBCgV|&^=pj`c1?bOzTCcujO#WdQ%gLR~wp;0%ec3Z-H;x)!(`%=Fs2N zYLhn=h$1kRkgGxvzec@nGbd@ch8lztF!oo}x-LGsw@8YZ-Q&pqC_YXHQV=++&P5)X6pI=MY-y2W}*ni883A;_wS7RaBeSM07xmZ zcW4@Ri2Y6JfS3o1W>j`1;bL{k!%X<6s7{OYfu0K#9_4-y?m7Pwe$`p@~CG(rMU*$P{Y(pxN>`NoEA^qqt5CeVQDNOL6pAS<6V;UW3Tp&i^1!=T zRG|iM7P8c`7Q^Lgzd~t$%Rw1Tpk6LeyE4qmEz5smh%qT#x$?CRmBo^aIvHz5g^w6P zIUS+0URhAmff1Cl%pa;?tpE*MHTrv?Vss8|lDKZBli9edZZ(HvfIuK;FPwT8@)P~% zGQB5ygMJ1mj|ZBU1akT|UTnh9ASwm++r_)L$bgjQ-7h!Coadu-^D@8Kw4Gqp5@Xle z4{hB$L0@btq(RgP?2qy8r(N^)U^rGcE~}c^n!0v8$LqP!8*jm$((UtX17apbxnsf> zc>!!jHSLstv8j{>@lC*B3AZruY=aWIp=Q@wr!6>rBajmnc)DF2KND2AwSKMP`1!32 zw2_J4*AF-bOR(3wdt^oBk~4{!%1OQa^&c?_GyYplDpSD@Ro&jh$%<=$TJ<5(uMGmi z@(;I^5tTzp`rpcP9S?CmVUN53s7{+a3sYt4E5ncwGzWBj8d52i02CwK?2mvdpu$n! z20W*J-Y%hqrd&|6Ovev)&A-Hmw{MSS(lfs4ucm1@4 z_5~A{%6ivK{!@~4>QNuV!ouw7n`O3#nonVS1?y1gMl;76qLk(&#Y1ZE^H~k*!g+JS zSkvv4F!|VGlf2$HXLXY%VNRTdVq71M6MgtOF|a>+f~gKoHW-ZYPA(v$Z1Jd^iq zWA2V8F=<_&E`efNuH+t1w^Y>xglPdL_b`x?Y^T+$;l8%7SaYIcN7fzGZZoB-9bg8U%l=G=@!6)A>%R!mO2 zqF~@LCPDJ|)uZ6F1j;S)ysJ|Oo1>jE*vqvHffhdxmQy^djY^0><(o6@Q#G1J*;LV# z{)UN~6t-)Sg=cnZiz+Sv2htmBw^~Weu z*11=#JwDFliBCZgMkIQY7xkYa5>T#>kYZfc$co$B>(_iOzWlxWz-&e74Z5Q6D#GMh zyqqO(ZNLWzH-Z?^E;s#SVJ+Ye6f5k+IOw<5UH(I>zrE=wW_;A;hR+!xKUm|2e4MF2 z1dISeI-UM@xg&vSHVru`uG=x^%t+_gYpt8eCC{IJR6C6U3TMY#i4>Z(hA>tyd{1H(|4#ZZcI~K*#4Us0iCvj=xP|{o1b; zG|$YrCN^R+x0_spQ!##LpY3joA*0&4Wn>#fx$GRO_9fwYyd!FJ)0qux{ zM~#*YKY5u^xlSo1OxVfs95Zt1>5{sA@bhGm9Lgt+5#BFD3t5Ox)+Y1D4&Ij|_IwzS zv=Y@Dv9o?TM{b%k%&Ov6jda>;B^}6n9C2RV)|N6=Mv@^1iiYN;wNF*k9kySl6n-3i zOo8z{o;A(u)SJldSND!LVRR5FSxv3u-@MYflxVM58EOV$i-~S>3~>$aO6uSarNoU4$u0*yvm|44E*Cf%L>40Rm)U>ZRej;$}PzD=m3`%=B; z+MMP%G^<3&EgE^+0d1pZtah;98G0j}o*$Q$2#F<;l36QjJizhAPhA+G?cANd7ua~< zsu8`A=BlwBz$BUcl;F+4(8jvA9nwGeDw^X;E{&v)@P%Uu9;dR}jLz}%^Vf3JanNqi62Hv=Kdse zq_7I4#qaQYML}|NmO9mNw1<+11+{}AV!~EGl0p!YV^d>NqdUtKi{Ikna}0`;YhMRk z9#0m}?_{RW`Oe&O8!j2sJbcY17lXkJ_~TG@LJv&764 z=cXRCz0{wOqn02?-ocHS`#FInU~*`St<770_38of`a36U>PexaOO5~Ez>$>1;$ z6KIJYqiu_I zZ!}Z80)xYSj?d!H`a~B*kHxNj;rb|${z!FDhulpHR-sO5)5;!XrZ#3%=_Ry;{z?ot zknKo($i4=8(rb-d&`8Xdw2+<0n?2Y4U@Eg~Q}{)%pqDp1I4Nixhmw%zizg}C>0noH z+hCzRN2H-QP9bXDQQ>8~ndR{co*$z6qp$Y+Y_`@z-CEwrL`}_$JpRu{HPDbKLh#QI$CphaKt76S$&(tiwh!)Q@U40215bmU9wBbq| zcrOQ6P{l&lWS2#erpw>~8Rxk~w>XN67PyeE{}mz=6JXe$&-RG!oB=A;0EwCL*9A9v~H!ItLO4vHb^aDlv!0Gion%b1@1q2`hYG7_T>rA{`+K82w=;)mZaLX+1(Wm@gJv*slczkw=hP%&a>v;1~&-HE8 zD0Z-H{2cEP_2TTVxp3drYPSq)=a-fh?4T#8#23fiBq!e8$trUgc$4+YY{3BWPB7Qg z-e?-fukm$K=44CpI0m9eF+8~fWxQiBOn>t7Hlkyxe-W8~Ns``i%&V*o(r*mD7Qva| zlW{=rWlbmQ|0GX2!bC2G^3j!EZk+@X)otk+Va^-e&}52KhJ!gt=p2*GWTqk3{AOHD z-A|*~K9v2Sr6FYBMcyuNRFU)vml$Fv3d0I7dtyx~^EWMmKaA)+WqZNl$`TB}{;7ba zGu8dq!a|1j1IQO|T}i+9%cX*J9m@py&%mY>x?}u2~nN%v+X)*`qP< z7oFMSIDQaDsUOM8?7Gzpt-fa!i|_WHNsz~MYz`o}<3%Xs!}5NZC57QK(B~{J^I)Sg zim0t{hmx(^^2JUvA&rL#tDr|u=ha){tc8!GZUbg%z|%7;$Y@?2lzS1-@dZl%23(#2 zAMl2~B|FZm%kg=NNF(q9{=W_Q&LDLvE?R`4Kc?YYq8NZrLq8^){Co_l1G;!bf;X4w z0Z_zg>g(%wALgj}?EWdx2)D7ZfhVP;@U1EgxMvrE60e_4gL0DUS8%$4fx&=gLPEmX z#mS7JS*qc0tgMvq?d|PoxsT)V6g}sGSMRv2p8Fl?kcY-t%{a;0mFigaifq<6fdW)d z7ygxJw-r^(*W0jjk7R$Uzdk-tTyv@3kB{a^h>!oZ?2&epfWj6X9C%@VgtJS(hChI7 zIo2J1QwU;fu$y?Y1e>)0;nXShL_S<7;z;2f+e@Mr)nB$s1n=#&jL2j-BVi^FC@IS% z+Z*P9gpA>q^UvubgwrGwhB)FAk|Mk52JYr4^7+& zU7*<)o2a3DczZkG1{Z`UnYuyuAbuRGm$k(mhhZ;{Mugn}UC8Tt^IB3zD#1ErNbNbp zPX2QZe*|Qz!pv8P7qHB8%#?J8b(hheuSxOkg`tI@T)ji>7szLluoduCPr1#nQQBpC zgU2%(Vw4~Y`D6vIc##7?=f;Oa$IMHQA4u`qxNl!s){jiPg}*V(SMZ?eP`x`7ZS?cS zfGx$NPjE}a*J`I;EtWF5Iy|M!_b4n}LcH1liV5>dnV7`t+pEJr z_a`0CVu0n-!<7Hoi~sdlrEk82rCBC43It4$%o$>hJ=+hZO#Tro8K?2vMGE3i*o)EC zu$1xX06DZ-ZBqO4;lVYbBDugY;>~!h^E;|Tj{|>Z)t}1DbY+jgTxP3F4s7XKa;@o- z-t^5wX79fR&pO;wJ$@ElBTQb;YZH=vrs*CD~IaBP;4|9C%_)z>?Fo2^QFt6NrQP>T; zf!1U*uk=facZ8wXM|-xBe?R6YBEnE~15;uy*N#syrhN23v{Fn4C;qZ6toP_B`vQ7b zx(j&;_)0`YIS|betI@?-&uFFA+p+m@cg4Jf5(N611b)8cclPB-(!cK({QpmPy}l$m z4w?KVOl76+FhvhP?HgJc?FyO>WGUW-EEwJMPVjhk|IG9Ta+O~H4e!aqp#;Mbouo!( zU7e9&J=>3@009L`!|zGROD*Ra3`6~E_t!m2LK`X zOpGqc2VVk@qG|sOnsFYuFJdYgd=RFQlxAe^<;_M-26 z4;$_1@Nc5~)wNHbsN&+D6rhwNoFY5~LRvQ$=s_lo$p&0Vk(^%~=J((~b>`A!eSYOL zVn)m)q&h^3-g!gu+gv~xE=EDk*^)8NJaKa)oO8%B%T79sjZ$$5nw4V4dGLw|AkuVR z=?dm!*@GRpYL!ZPOv5VU@9CI@A}=K>_5K#(AoL|2$5%WQb`Cv=iyJ2y_&8C4zVj`z zpE~;?L;UteOPf1yV~_<&ATKU_s1}u?k!h&zJ5#C_Q5!mcRTnNpQ&Up|1IN!d&0ieI z@?s)ID40LJe!caN#+*RNZmRYK4J}`t95P6uA%|2PoWuZ^h~&BLt0jxHtIAV}@hUju z(|f%%XDTE?38{6tqnHYlr?kiLMbp2TBO#I(rh2MyRIitj|^&wI!6IFH$t7 zVm6f$MP=S19PShJ~@~a;fSOvWu z3(qLp5%atcy5ayZOSUWQM#>dB(#wg3m>oQ(tmy)O1$uB5~D&l|P75DvSsZzThsONT=d4zYE zE5k8Mmw=#6q78?Esi|Gq`G6=a5=c}W5QVP>PhZgSgFIQE-Ta~ht-^;LL~yXqLrgu5 zMXt5PQCzfjwoL;c6ubIR04wuS@SWnh78PI+CCCDajL-Y)Q6F%OcK{f=LAzwcH7`76 z>re%1S-y#j1n>sYi?l`{%yi!HHs#Eh3J0@H-sLU)guFD$B8s$0ifrx}`rod`Agu+D z3GWl{=NykAImqo?fU2#!PrD>azXfy26kflTVFH-J77e0H>iT{2Z9lfNfZ+=A^XL1y zxj_rC$HxsnySuwXHa%L}C1c`wdAOl}D?hA#u#s604+W^Xu*6F~?#X z1{(J!&sjVd_#_@}V>uS)^dn_jyg)2GXjl6889AB!4spHzaP{d}<%wDk;%d&Y1V_6W zx!VmOCE@KQrG|dM%YL*Cyu$>6w*H+K5TK^OGZHJ$zAJm@lB*9S9#?UX+GmmRvoI`d r0DuR9e%$*%+N0C6${ggq;(EflePYHe+VkBXI0mUIX)2aHvk3ejDV@d2 literal 0 HcmV?d00001 From 9aad02aa689ca7a518a1177ab0132412abb4bebb Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 7 May 2019 12:06:43 -0700 Subject: [PATCH 068/149] edits --- .../create-wip-policy-using-intune-azure.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index 9701e21082..dfb3d3f4cf 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -590,7 +590,7 @@ After you've decided where your protected apps can access enterprise data on you - **Use Azure RMS for WIP.** Determines whether WIP encrypts [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management) Files that are copied from Windows 10 to USB or other removable drives so they can be securely shared amongst employees. You must already have Azure Rights Management set up. The RMS template is only applied to the files on removable media, and is only used for access control—it doesn’t actually apply Azure Information Protection to the files. - - **On.** Starts protecting Azure Rights Management files that are copied to a removable drive. You can also add a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. Curly braces -- {} -- are required around the RMS Template ID. The EFS file uses the key from the RMS template’s license to protect the EFS file encryption key. Only users with access to that template will be able to read it off of the USB. If you don’t specify a template, it’s a regular EFS file using a default RMS template that everyone in the tenant will have access to. + - **On.** Starts protecting Azure Rights Management files that are copied to a removable drive. You can also add a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. Curly braces -- {} -- are required around the RMS Template ID. The EFS file uses the key from the RMS template’s license to protect the EFS file encryption key. Only users with permission to that template will be able to read it from the USB. If you don’t specify a template, it’s a regular EFS file using a default RMS template that everyone in the tenant will have access to. - **Off, or not configured.** Stops WIP from encrypting Azure Rights Management files that are copied to a removable drive. @@ -600,7 +600,7 @@ After you've decided where your protected apps can access enterprise data on you - **Off, or not configured.** Stops Windows Search Indexer from indexing encrypted files. -For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates). WIP can also integrate with AZure RMS by using the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings in the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp). +For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates). WIP can also integrate with Azure RMS by using the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings in the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp). ## Encrypted file extensions From e75744fbb5ad7dc5f756a80d590931e9aa86e06f Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 7 May 2019 12:45:06 -0700 Subject: [PATCH 069/149] edits --- .../create-wip-policy-using-intune-azure.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index dfb3d3f4cf..0e53bed956 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -604,7 +604,7 @@ For more info about setting up and using a custom template, see [Configuring cus ## Encrypted file extensions -You can restrict which files are protected by WIP when they are downloaded from an SMB share within your enterprise network locations. When this policy is not specified, the existing auto-encryption behavior is applied. When this policy is configured, only files with the extensions in the list will be encrypted. +You can restrict which files are protected by WIP when they are downloaded from an SMB share within your enterprise network locations. If this settings is configured, only files with the extensions in the list will be encrypted. If this setting is not specified, the existing auto-encryption behavior is applied. ![WIP encrypted file extensions](images/wip-encrypted-file-extensions.png) From 1cbc48ce3444e7ed38e926108e20f3e8c81a602c Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 7 May 2019 14:06:31 -0700 Subject: [PATCH 070/149] Update increase-scheduling-priority.md --- .../security-policy-settings/increase-scheduling-priority.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md index 565e032adb..95a0914890 100644 --- a/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md +++ b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md @@ -38,7 +38,7 @@ Constant: SeIncreaseBasePriorityPrivilege ### Best practices -- Retain the default value and allow Administrators, and Window Manager/Window Manager Group, as the only accounts responsible for controlling process scheduling priorities. +- Retain the default value as the only accounts responsible for controlling process scheduling priorities. ### Location From 64b22e58edf0dcbf33f1f178e42c21bb9d7f0497 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Tue, 7 May 2019 15:33:04 -0700 Subject: [PATCH 071/149] Added 19H1 policies --- .../policy-configuration-service-provider.md | 15 ++ .../mdm/policy-csp-windowslogon.md | 255 +++++++++++++++++- 2 files changed, 264 insertions(+), 6 deletions(-) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index a27926a537..70e8359000 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -3678,12 +3678,21 @@ The following diagram shows the Policy configuration service provider in tree fo ### WindowsLogon policies
+
+ WindowsLogon/AllowAutomaticRestartSignOn +
+
+ WindowsLogon/ConfigAutomaticRestartSignOn +
WindowsLogon/DisableLockScreenAppNotifications
WindowsLogon/DontDisplayNetworkSelectionUI
+
+ WindowsLogon/EnableFirstLogonAnimation +
WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers
@@ -4116,8 +4125,11 @@ The following diagram shows the Policy configuration service provider in tree fo - [System/BootStartDriverInitialization](./policy-csp-system.md#system-bootstartdriverinitialization) - [System/DisableSystemRestore](./policy-csp-system.md#system-disablesystemrestore) - [WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork](./policy-csp-windowsconnectionmanager.md#windowsconnectionmanager-prohitconnectiontonondomainnetworkswhenconnectedtodomainauthenticatednetwork) +- [WindowsLogon/AllowAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-allowautomaticrestartsignon) +- [WindowsLogon/ConfigAutomaticRestartSignOn](./ - [WindowsLogon/DisableLockScreenAppNotifications](./policy-csp-windowslogon.md#windowslogon-disablelockscreenappnotifications) - [WindowsLogon/DontDisplayNetworkSelectionUI](./policy-csp-windowslogon.md#windowslogon-dontdisplaynetworkselectionui) +- [WindowsLogon/EnableFirstLogonAnimation](./policy-csp-windowslogon.md#windowslogon-enablefirstlogonanimation) - [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers](./policy-csp-windowslogon.md#windowslogon-enumeratelocalusersondomainjoinedcomputers) - [WindowsLogon/SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart](./policy-csp-windowslogon.md#windowslogon-signinlastinteractiveuserautomaticallyafterasysteminitiatedrestart) - [WindowsPowerShell/TurnOnPowerShellScriptBlockLogging](./policy-csp-windowspowershell.md#windowspowershell-turnonpowershellscriptblocklogging) @@ -4975,8 +4987,11 @@ The following diagram shows the Policy configuration service provider in tree fo - [WindowsDefenderSecurityCenter/URL](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-url) - [WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace](./policy-csp-windowsinkworkspace.md#windowsinkworkspace-allowsuggestedappsinwindowsinkworkspace) - [WindowsInkWorkspace/AllowWindowsInkWorkspace](./policy-csp-windowsinkworkspace.md#windowsinkworkspace-allowwindowsinkworkspace) +- [WindowsLogon/AllowAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-allowautomaticrestartsignon) +- [WindowsLogon/ConfigAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-configautomaticrestartsignon) - [WindowsLogon/DisableLockScreenAppNotifications](./policy-csp-windowslogon.md#windowslogon-disablelockscreenappnotifications) - [WindowsLogon/DontDisplayNetworkSelectionUI](./policy-csp-windowslogon.md#windowslogon-dontdisplaynetworkselectionui) +- [WindowsLogon/EnableFirstLogonAnimation](./policy-csp-windowslogon.md#windowslogon-enablefirstlogonanimation) - [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers](./policy-csp-windowslogon.md#windowslogon-enumeratelocalusersondomainjoinedcomputers) - [WindowsLogon/HideFastUserSwitching](./policy-csp-windowslogon.md#windowslogon-hidefastuserswitching) - [WindowsLogon/SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart](./policy-csp-windowslogon.md#windowslogon-signinlastinteractiveuserautomaticallyafterasysteminitiatedrestart) diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md index e75a0cf6de..4b9da72e50 100644 --- a/windows/client-management/mdm/policy-csp-windowslogon.md +++ b/windows/client-management/mdm/policy-csp-windowslogon.md @@ -6,12 +6,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 07/12/2018 +ms.date: 05/07/2019 --- # Policy CSP - WindowsLogon - +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
@@ -19,12 +20,21 @@ ms.date: 07/12/2018 ## WindowsLogon policies
+
+ WindowsLogon/AllowAutomaticRestartSignOn +
+
+ WindowsLogon/ConfigAutomaticRestartSignOn +
WindowsLogon/DisableLockScreenAppNotifications
WindowsLogon/DontDisplayNetworkSelectionUI
+
+ WindowsLogon/EnableFirstLogonAnimation +
WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers
@@ -36,6 +46,159 @@ ms.date: 07/12/2018
+
+ + +**WindowsLogon/AllowAutomaticRestartSignOn** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark6check mark6check mark6check mark6check mark6
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting controls whether a device automatically signs in and locks the last interactive user after the system restarts or after a shutdown and cold boot. + +This occurs only if the last interactive user did not sign out before the restart or shutdown.​ + +If the device is joined to Active Directory or Azure Active Directory, this policy applies only to Windows Update restarts. Otherwise, this policy applies to both Windows Update restarts and user-initiated restarts and shutdowns.​ + +If you do not configure this policy setting, it is enabled by default. When the policy is enabled, the user is automatically signed in and the session is automatically locked with all lock screen apps configured for that user after the device boots.​ + +After enabling this policy, you can configure its settings through the [ConfigAutomaticRestartSignOn](#windowslogon-configautomaticrestartsignon) policy, which configures the mode of automatically signing in and locking the last interactive user after a restart or cold boot​. + +If you disable this policy setting, the device does not configure automatic sign in. The user’s lock screen apps are not restarted after the system restarts. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Sign-in and lock last interactive user automatically after a restart* +- GP name: *AutomaticRestartSignOn* +- GP path: *Windows Components/Windows Logon Options* +- GP ADMX file name: *WinLogon.admx* + + + + + + + + + + + + + +
+ + +**WindowsLogon/ConfigAutomaticRestartSignOn** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark6check mark6check mark6check mark6check mark6
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting controls the configuration under which an automatic restart, sign on, and lock occurs after a restart or cold boot. If you chose “Disabled” in the [AllowAutomaticRestartSignOn](#windowslogon-allowautomaticrestartsignon) policy, then automatic sign on does not occur and this policy need not be configured. + +If you enable this policy setting, you can choose one of the following two options: + +- "Enabled if BitLocker is on and not suspended": Specifies that automatic sign on and lock occurs only if BitLocker is active and not suspended during the reboot or shutdown. Personal data can be accessed on the device’s hard drive at this time if BitLocker is not on or suspended during an update. BitLocker suspension temporarily removes protection for system components and data but may be needed in certain circumstances to successfully update boot-critical components. +BitLocker is suspended during updates if: + - The device does not have TPM 2.0 and PCR7 + - The device does not use a TPM-only protector +- "Always Enabled": Specifies that automatic sign on happens even if BitLocker is off or suspended during reboot or shutdown. When BitLocker is not enabled, personal data is accessible on the hard drive. Automatic restart and sign on should only be run under this condition if you are confident that the configured device is in a secure physical location. + +If you disable or do not configure this setting, automatic sign on defaults to the “Enabled if BitLocker is on and not suspended” behavior. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure the mode of automatically signing in and locking last interactive user after a restart or cold boot* +- GP name: *ConfigAutomaticRestartSignOn* +- GP path: *Windows Components/Windows Logon Options* +- GP ADMX file name: *WinLogon.admx* + + + + + + + + + + + +
@@ -188,6 +351,84 @@ ADMX Info:
+ +**WindowsLogon/EnableFirstLogonAnimation** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark6check mark6check mark6check mark6
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to control whether users see the first sign-in animation when signing in to the computer for the first time. This applies to both the first user of the computer who completes the initial setup and users who are added to the computer later. It also controls if Microsoft account users are offered the opt-in prompt for services during their first sign-in. + +If you enable this policy setting, Microsoft account users see the opt-in prompt for services, and users with other accounts see the sign-in animation. + +If you disable this policy setting, users do not see the animation and Microsoft account users do not see the opt-in prompt for services. + +If you do not configure this policy setting, the user who completes the initial Windows setup see the animation during their first sign-in. If the first user had already completed the initial setup and this policy setting is not configured, users new to this computer do not see the animation. + +> [!NOTE] +> The first sign-in animation is not displayed on Server, so this policy has no effect. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Show first sign-in animation* +- GP name: *EnableFirstLogonAnimation* +- GP path: *System/Logon* +- GP ADMX file name: *Logon.admx* + + + +Supported values: +- false - disabled +- true - enabled + + + + + + + + + +
+ **WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers** @@ -374,14 +615,16 @@ ADMX Info: + + +
-Footnote: +Footnotes: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. - - - +- 5 - Added in Windows 10, version 1809. +- 6 - Added in Windows 10, version 1903. \ No newline at end of file From a4e67880ba9196aae3599b061c0988d4ba972c71 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Tue, 7 May 2019 15:49:05 -0700 Subject: [PATCH 072/149] Removed extra space --- windows/client-management/mdm/policy-csp-windowslogon.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md index 4b9da72e50..885ae70ec7 100644 --- a/windows/client-management/mdm/policy-csp-windowslogon.md +++ b/windows/client-management/mdm/policy-csp-windowslogon.md @@ -34,7 +34,7 @@ ms.date: 05/07/2019
WindowsLogon/EnableFirstLogonAnimation -
+
WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers
From 7ec392d52df5200ca97d355d52f559a40c06cc94 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 7 May 2019 16:03:33 -0700 Subject: [PATCH 073/149] fixed link --- .../create-wip-policy-using-sccm.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md index 6edf443eb3..84ebcf1861 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md @@ -480,7 +480,7 @@ After you've decided where your protected apps can access enterprise data on you - **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you’re migrating between Mobile Device Management (MDM) solutions. - - **Allow Azure RMS.** Enables secure sharing of files by using removable media such as USB drives. For more information about how RMS works with WIP, see [Choose to set up Azure Rights Management with WIP](create-wip-policy-using-intune-azure.md#choose-to-set-up-azure-rights-management-with-wip). To confirm what templates your tenant has, run [Get-AadrmTemplate](https://docs.microsoft.com/powershell/module/aadrm/get-aadrmtemplate) from the [AADRM PowerShell module](https://docs.microsoft.com/azure/information-protection/administer-powershell). + - **Allow Azure RMS.** Enables secure sharing of files by using removable media such as USB drives. For more information about how RMS works with WIP, see [Create a WIP policy using Intune](create-wip-policy-using-intune-azure.md). To confirm what templates your tenant has, run [Get-AadrmTemplate](https://docs.microsoft.com/powershell/module/aadrm/get-aadrmtemplate) from the [AADRM PowerShell module](https://docs.microsoft.com/azure/information-protection/administer-powershell). If you don’t specify a template, WIP uses a key from a default RMS template that everyone in the tenant will have access to. 2. After you pick all of the settings you want to include, click **Summary**. From ed83d70393fdc9d3e570091713b9114eddcaf58b Mon Sep 17 00:00:00 2001 From: Max Velitchko Date: Tue, 7 May 2019 17:47:12 -0700 Subject: [PATCH 074/149] Fix mdatp parameters --- ...osoft-defender-atp-mac-install-manually.md | 34 +++++------------- ...ft-defender-atp-mac-install-with-intune.md | 12 +++++++ ...soft-defender-atp-mac-install-with-jamf.md | 12 +++++++ .../microsoft-defender-atp-mac-resources.md | 35 ++++++++++++++----- 4 files changed, 58 insertions(+), 35 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md index 27b3a8f924..82e53c1ff4 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md @@ -114,32 +114,14 @@ After installation, you'll see the Microsoft Defender icon in the macOS status b ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) -## Configuring from the command line +## Test alert -Important tasks, such as controlling product settings and triggering on-demand scans, can be done from the command line: +Run in Terminal the following command. It will download [a harmless file](https://en.wikipedia.org/wiki/EICAR_test_file) which will trigger a test detection. + + ```bash + curl -o ~/Downloads/eicar.com.txt http://www.eicar.org/download/eicar.com.txt + ``` -|Group |Scenario |Command | -|-------------|-------------------------------------------|-----------------------------------------------------------------------| -|Configuration|Turn on/off real-time protection |`mdatp config --rtp [true/false]` | -|Configuration|Turn on/off cloud protection |`mdatp config --cloud [true/false]` | -|Configuration|Turn on/off product diagnostics |`mdatp config --diagnostic [true/false]` | -|Configuration|Turn on/off automatic sample submission |`mdatp config --sample-submission [true/false]` | -|Configuration|Turn on PUA protection |`mdatp threat --type-handling --potentially_unwanted_application block`| -|Configuration|Turn off PUA protection |`mdatp threat --type-handling --potentially_unwanted_application off` | -|Configuration|Turn on audit mode for PUA protection |`mdatp threat --type-handling --potentially_unwanted_application audit`| -|Diagnostics |Change the log level |`mdatp log-level --[error/warning/info/verbose]` | -|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic` | -|Health |Check the product's health |`mdatp --health` | -|Protection |Scan a path |`mdatp scan --path [path]` | -|Protection |Do a quick scan |`mdatp scan --quick` | -|Protection |Do a full scan |`mdatp scan --full` | -|Protection |Cancel an ongoing on-demand scan |`mdatp scan --cancel` | -|Protection |Request a definition update |`mdatp --signature-update` | +You will get a "Threats found" notification, you can inspect threat's details in the Protection history. -## Logging installation issues - -See [Logging installation issues](microsoft-defender-atp-mac-resources#Logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. - -## Uninstallation - -See [Uninstalling](microsoft-defender-atp-mac-resources#Uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file +Soon after that you'll get an alert in the ATP Portal. diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md index 8af90fded1..6cfc85694d 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md @@ -164,6 +164,18 @@ After Intune changes are propagated to the enrolled machines, you'll see it on t ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) +## Test alert + +Run in Terminal the following command. It will download [a harmless file](https://en.wikipedia.org/wiki/EICAR_test_file) which will trigger a test detection. + + ```bash + curl -o ~/Downloads/eicar.com.txt http://www.eicar.org/download/eicar.com.txt + ``` + +You will get a "Threats found" notification, you can inspect threat's details in the Protection history. + +Soon after that you'll get an alert in the ATP Portal. + ## Logging installation issues See [Logging installation issues](microsoft-defender-atp-mac-resources#Logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md index 8837b3bcc5..b2df2ab85f 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md @@ -199,6 +199,18 @@ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | This script returns 0 if Microsoft Defender ATP is registered with the Windows Defender ATP service, and another exit code if it is not installed or registered. +## Test alert + +Run in Terminal the following command. It will download [a harmless file](https://en.wikipedia.org/wiki/EICAR_test_file) which will trigger a test detection. + + ```bash + curl -o ~/Downloads/eicar.com.txt http://www.eicar.org/download/eicar.com.txt + ``` + +You will get a "Threats found" notification, you can inspect threat's details in the Protection history. + +Soon after that you'll get an alert in the ATP Portal. + ## Logging installation issues See [Logging installation issues](microsoft-defender-atp-mac-resources#Logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md index 09a4dcceae..03532ddfb4 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md @@ -36,9 +36,7 @@ If you can reproduce a problem, please increase the logging level, run the syste 1) Increase logging level: ```bash - mavel-mojave:~ testuser$ mdatp log-level --verbose - Creating connection to daemon - Connection established + mavel-mojave:~ testuser$ mdatp --log-level verbose Operation succeeded ``` @@ -47,21 +45,40 @@ If you can reproduce a problem, please increase the logging level, run the syste 3) Run `mdatp --diagnostic` to backup Defender ATP's logs. The command will print out location with generated zip file. ```bash - mavel-mojave:~ testuser$ mdatp --diagnostic - Creating connection to daemon - Connection established + mavel-mojave:~ testuser$ mdatp --diagnostic --create "/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip" ``` 4) Restore logging level: ```bash - mavel-mojave:~ testuser$ mdatp log-level --info - Creating connection to daemon - Connection established + mavel-mojave:~ testuser$ mdatp --log-level info Operation succeeded ``` +## Managing from the command line + +Important tasks, such as controlling product settings and triggering on-demand scans, can be done from the command line: + +|Group |Scenario |Command | +|-------------|-------------------------------------------|-----------------------------------------------------------------------| +|Configuration|Turn on/off real-time protection |`mdatp --config rtp [true/false]` | +|Configuration|Turn on/off cloud protection |`mdatp --config cloud [true/false]` | +|Configuration|Turn on/off product diagnostics |`mdatp --config diagnostic [true/false]` | +|Configuration|Turn on/off automatic sample submission |`mdatp --config sample-submission [true/false]` | +|Configuration|Turn on PUA protection |`mdatp --threat --type-handling potentially_unwanted_application block`| +|Configuration|Turn off PUA protection |`mdatp --threat --type-handling potentially_unwanted_application off` | +|Configuration|Turn on audit mode for PUA protection |`mdatp --threat --type-handling potentially_unwanted_application audit`| +|Diagnostics |Change the log level |`mdatp --log-level [error/warning/info/verbose]` | +|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic --create` | +|Health |Check the product's health |`mdatp --health` | +|Health |Prints a single health metric |`mdatp --health [metric]` | +|Protection |Scan a path |`mdatp --scan --path [path]` | +|Protection |Do a quick scan |`mdatp --scan --quick` | +|Protection |Do a full scan |`mdatp --scan --full` | +|Protection |Cancel an ongoing on-demand scan |`mdatp --scan --cancel` | +|Protection |Request a definition update |`mdatp --definition-update` | + ## Logging installation issues If an error occurs during installation, the installer will only report a general failure. From 3a12cbe4d4e5544a2853fb4c7a6f7e002cdb8422 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 8 May 2019 09:47:31 +0500 Subject: [PATCH 075/149] update net-framework-problems-with-ie11.md --- .../ie11-deploy-guide/net-framework-problems-with-ie11.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md index bed077a506..96c9783664 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md @@ -16,9 +16,9 @@ If you’re having problems launching your legacy apps while running Internet Ex **To turn managed browser hosting controls back on** -1. **For x86 systems or for 32-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\MICROSOFT\.NETFramework` registry key and change the **EnableIEHosting** value to **1**. +1. **For x86 systems or for 64-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\MICROSOFT\.NETFramework` registry key and change the **EnableIEHosting** value to **1**. -2. **For x64 systems or for 64-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\Wow6432Node\MICROSOFT\.NETFramework` registry key and change the **EnableIEHosting** value to **1**. +2. **For 32-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\Wow6432Node\MICROSOFT\.NETFramework` registry key and change the **EnableIEHosting** value to **1**. For more information, see the [Web Applications](https://go.microsoft.com/fwlink/p/?LinkId=308903) section of the Application Compatibility in the .NET Framework 4.5 page. From 79f9363a41a5d93227958cb3245a6f48997f3fe0 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Wed, 8 May 2019 14:09:10 +0500 Subject: [PATCH 076/149] Wrong Command Their method mentioned was POST where in actual it was DELETE method. I have updated this accordingly. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/1252 --- windows/client-management/mdm/reclaim-seat-from-user.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/reclaim-seat-from-user.md b/windows/client-management/mdm/reclaim-seat-from-user.md index e3351b8c80..95f47c5df9 100644 --- a/windows/client-management/mdm/reclaim-seat-from-user.md +++ b/windows/client-management/mdm/reclaim-seat-from-user.md @@ -29,7 +29,7 @@ The **Reclaim seat from user** operation returns reclaimed seats for a user in t -

POST

+

DELETE

https://bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats/{username}

From f49d3c2d6da0638492675d0c846bf65407b2cbda Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 8 May 2019 14:21:59 +0500 Subject: [PATCH 077/149] update win32-and-centennial-app-policy-configuration.md --- .../mdm/win32-and-centennial-app-policy-configuration.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md b/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md index 543252e8f2..d69549935e 100644 --- a/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md +++ b/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md @@ -50,6 +50,9 @@ When the ADMX policies are imported, the registry keys to which each policy is w > [!Warning] > Some operating system components have built in functionality to check devices for domain membership. MDM enforces the configured policy values only if the devices are domain joined, otherwise it does not. However, you can still import ADMX files and set ADMX-backed policies regardless of whether the device is domain joined or non-domain joined. +> [!NOTE] +> Settings, that cannot be configured using custom policy ingestion, have to be set by pushing the appropriate registry keys directly (for example, by using PowerShell script). + ## Ingesting an app ADMX file The following ADMX file example shows how to ingest a Win32 or Desktop Bridge app ADMX file and set policies from the file. The ADMX file defines eight policies. From 2f92dc55cc0bf116fca0988f97d95662a06d7a74 Mon Sep 17 00:00:00 2001 From: martyav Date: Wed, 8 May 2019 10:07:40 -0400 Subject: [PATCH 078/149] spacing, typo removal --- ...osoft-defender-atp-mac-install-manually.md | 4 +-- ...ft-defender-atp-mac-install-with-intune.md | 8 ++--- ...soft-defender-atp-mac-install-with-jamf.md | 36 +++++++++---------- .../microsoft-defender-atp-mac-resources.md | 22 ++++++------ .../microsoft-defender-atp-mac.md | 4 +-- 5 files changed, 37 insertions(+), 37 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md index 82e53c1ff4..9b90ab16b4 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md @@ -21,7 +21,7 @@ ms.topic: #conceptual **Applies to:** -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp.md) >[!IMPORTANT] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. @@ -31,7 +31,7 @@ Microsoft Defender ATP for Mac is not yet widely available, and this topic only ## Prerequisites and system requirements -Before you get started, please see [the main Microsoft Defender ATP for Mac page]((microsoft-defender-atp.md)) for a description of prerequisites and system requirements for the current software version. +Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp.md) for a description of prerequisites and system requirements for the current software version. ## Download installation and onboarding packages diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md index 6cfc85694d..b145ab592c 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md @@ -21,7 +21,7 @@ ms.topic: #conceptual **Applies to:** -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp.md) >[!IMPORTANT] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. @@ -31,7 +31,7 @@ Microsoft Defender ATP for Mac is not yet widely available, and this topic only ## Prerequisites and system requirements -Before you get started, please see [the main Microsoft Defender ATP for Mac page]((microsoft-defender-atp.md)) for a description of prerequisites and system requirements for the current software version. +Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp.md) for a description of prerequisites and system requirements for the current software version. ## Download installation and onboarding packages @@ -47,7 +47,7 @@ Download the installation and onboarding packages from Windows Defender Security 6. From a command prompt, verify that you have the three files. Extract the contents of the .zip files: - + ```bash mavel-macmini:Downloads test$ ls -l total 721688 @@ -167,7 +167,7 @@ After Intune changes are propagated to the enrolled machines, you'll see it on t ## Test alert Run in Terminal the following command. It will download [a harmless file](https://en.wikipedia.org/wiki/EICAR_test_file) which will trigger a test detection. - + ```bash curl -o ~/Downloads/eicar.com.txt http://www.eicar.org/download/eicar.com.txt ``` diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md index b2df2ab85f..a66f836f20 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md @@ -21,7 +21,7 @@ ms.topic: #conceptual **Applies to:** -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp.md) >[!IMPORTANT] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. @@ -31,7 +31,7 @@ Microsoft Defender ATP for Mac is not yet widely available, and this topic only ## Prerequisites and system requirements -Before you get started, please see [the main Microsoft Defender ATP for Mac page]((microsoft-defender-atp.md)) for a description of prerequisites and system requirements for the current software version. +Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp.md) for a description of prerequisites and system requirements for the current software version. In addition, for JAMF deployment, you need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes having a properly configured distribution point. JAMF has many ways to complete the same task. These instructions provide an example for most common processes. Your organization might use a different workflow. @@ -48,7 +48,7 @@ Download the installation and onboarding packages from Windows Defender Security 5. From a command prompt, verify that you have the two files. Extract the contents of the .zip files: - + ```bash mavel-macmini:Downloads test$ ls -l total 721160 @@ -165,24 +165,24 @@ After the policy is applied, you'll see the Microsoft Defender icon in the macOS You can monitor policy installation on a machine by following the JAMF's log file: ```bash -mavel-mojave:~ testuser$ tail -f /var/log/jamf.log -Thu Feb 21 11:11:41 mavel-mojave jamf[7960]: No patch policies were found. -Thu Feb 21 11:16:41 mavel-mojave jamf[8051]: Checking for policies triggered by "recurring check-in" for user "testuser"... -Thu Feb 21 11:16:43 mavel-mojave jamf[8051]: Executing Policy WDAV -Thu Feb 21 11:17:02 mavel-mojave jamf[8051]: Installing Microsoft Defender... -Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Successfully installed Microsoft Defender. -Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Checking for patches... -Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: No patch policies were found. + mavel-mojave:~ testuser$ tail -f /var/log/jamf.log + Thu Feb 21 11:11:41 mavel-mojave jamf[7960]: No patch policies were found. + Thu Feb 21 11:16:41 mavel-mojave jamf[8051]: Checking for policies triggered by "recurring check-in" for user "testuser"... + Thu Feb 21 11:16:43 mavel-mojave jamf[8051]: Executing Policy WDAV + Thu Feb 21 11:17:02 mavel-mojave jamf[8051]: Installing Microsoft Defender... + Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Successfully installed Microsoft Defender. + Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Checking for patches... + Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: No patch policies were found. ``` You can also check the onboarding status: ```bash -mavel-mojave:~ testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py -uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 -orgid : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 -orgid managed : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 -orgid effective : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 + mavel-mojave:~ testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py + uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 + orgid : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 + orgid managed : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 + orgid effective : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 ``` - **orgid/orgid managed**: This is the Microsoft Defender ATP org id specified in the configuration profile. If this value is blank, then the Configuration Profile was not properly set. @@ -194,7 +194,7 @@ orgid effective : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 You can check that machines are correctly onboarded by creating a script. For example, the following script checks that enrolled machines are onboarded: ```bash -sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | grep -E 'orgid effective : [-a-zA-Z0-9]+' + sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | grep -E 'orgid effective : [-a-zA-Z0-9]+' ``` This script returns 0 if Microsoft Defender ATP is registered with the Windows Defender ATP service, and another exit code if it is not installed or registered. @@ -202,7 +202,7 @@ This script returns 0 if Microsoft Defender ATP is registered with the Windows D ## Test alert Run in Terminal the following command. It will download [a harmless file](https://en.wikipedia.org/wiki/EICAR_test_file) which will trigger a test detection. - + ```bash curl -o ~/Downloads/eicar.com.txt http://www.eicar.org/download/eicar.com.txt ``` diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md index 03532ddfb4..8967cf9879 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md @@ -21,7 +21,7 @@ ms.topic: #conceptual **Applies to:** -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp.md) >[!IMPORTANT] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. @@ -36,25 +36,25 @@ If you can reproduce a problem, please increase the logging level, run the syste 1) Increase logging level: ```bash - mavel-mojave:~ testuser$ mdatp --log-level verbose - Operation succeeded + mavel-mojave:~ testuser$ mdatp --log-level verbose + Operation succeeded ``` 2) Reproduce the problem 3) Run `mdatp --diagnostic` to backup Defender ATP's logs. The command will print out location with generated zip file. - ```bash - mavel-mojave:~ testuser$ mdatp --diagnostic --create - "/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip" - ``` + ```bash + mavel-mojave:~ testuser$ mdatp --diagnostic --create + "/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip" + ``` 4) Restore logging level: - ```bash - mavel-mojave:~ testuser$ mdatp --log-level info - Operation succeeded - ``` + ```bash + mavel-mojave:~ testuser$ mdatp --log-level info + Operation succeeded + ``` ## Managing from the command line diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index af6205c2ca..b22d38d977 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -69,7 +69,7 @@ After you've enabled the service, you may need to configure your network or fire The following table lists the services and their associated URLs that your network must be able to connect to. You should ensure there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an **allow** rule specifically for them: | Service | Description | URL | -| -------------- |:------------------------------------:| --------------------------------------------------------------------:| +| -------------- |:------------------------------------:|:--------------------------------------------------------------------:| | ATP | Advanced threat protection service | `https://x.cp.wd.microsoft.com/`, `https://*.x.cp.wd.microsoft.com/` | To test that a connection is not blocked, open `https://x.cp.wd.microsoft.com/api/report` and `https://wu-cdn.x.cp.wd.microsoft.com/` in a browser, or run the following command in Terminal: @@ -79,7 +79,7 @@ To test that a connection is not blocked, open `https://x.cp.wd.microsoft.com/ap OK ``` -We recommend to keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) ([Wiki](https://en.wikipedia.org/wiki/System_Integrity_Protection)) enabled (default setting) on client machines. +We recommend to keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) ([Wiki](https://en.wikipedia.org/wiki/System_Integrity_Protection) enabled (default setting) on client machines. SIP is a built-in macOS security feature that prevents low-level tampering with the OS. ## Resources From 6d337b5763f4a609a589efd5238cd8dd04ba0d58 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Wed, 8 May 2019 08:53:59 -0700 Subject: [PATCH 079/149] Minor update --- windows/client-management/mdm/policy-csp-windowslogon.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md index 885ae70ec7..bdf911fd67 100644 --- a/windows/client-management/mdm/policy-csp-windowslogon.md +++ b/windows/client-management/mdm/policy-csp-windowslogon.md @@ -165,11 +165,11 @@ This policy setting controls the configuration under which an automatic restart, If you enable this policy setting, you can choose one of the following two options: -- "Enabled if BitLocker is on and not suspended": Specifies that automatic sign on and lock occurs only if BitLocker is active and not suspended during the reboot or shutdown. Personal data can be accessed on the device’s hard drive at this time if BitLocker is not on or suspended during an update. BitLocker suspension temporarily removes protection for system components and data but may be needed in certain circumstances to successfully update boot-critical components. +- Enabled if BitLocker is on and not suspended: Specifies that automatic sign on and lock occurs only if BitLocker is active and not suspended during the reboot or shutdown. Personal data can be accessed on the device’s hard drive at this time if BitLocker is not on or suspended during an update. BitLocker suspension temporarily removes protection for system components and data but may be needed in certain circumstances to successfully update boot-critical components. BitLocker is suspended during updates if: - The device does not have TPM 2.0 and PCR7 - The device does not use a TPM-only protector -- "Always Enabled": Specifies that automatic sign on happens even if BitLocker is off or suspended during reboot or shutdown. When BitLocker is not enabled, personal data is accessible on the hard drive. Automatic restart and sign on should only be run under this condition if you are confident that the configured device is in a secure physical location. +- Always Enabled: Specifies that automatic sign on happens even if BitLocker is off or suspended during reboot or shutdown. When BitLocker is not enabled, personal data is accessible on the hard drive. Automatic restart and sign on should only be run under this condition if you are confident that the configured device is in a secure physical location. If you disable or do not configure this setting, automatic sign on defaults to the “Enabled if BitLocker is on and not suspended” behavior. From 3bb30fe435131c2553ee9b848f5e4f27ad1226f4 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Wed, 8 May 2019 09:23:19 -0700 Subject: [PATCH 080/149] Revert "WIP - update microsoft-defender-atp-mac.md" --- ...osoft-defender-atp-mac-install-manually.md | 127 ----- ...ft-defender-atp-mac-install-with-intune.md | 185 ------- ...soft-defender-atp-mac-install-with-jamf.md | 220 -------- .../microsoft-defender-atp-mac-resources.md | 153 ------ .../microsoft-defender-atp-mac.md | 489 ++++++++++++++++-- 5 files changed, 456 insertions(+), 718 deletions(-) delete mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md delete mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md delete mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md delete mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md deleted file mode 100644 index 9b90ab16b4..0000000000 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md +++ /dev/null @@ -1,127 +0,0 @@ ---- -title: Installing Microsoft Defender ATP for Mac with JAMF -description: Describes how to install Microsoft Defender ATP for Mac, using JAMF. -keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra -search.product: eADQiWindows 10XVcnh -search.appverid: #met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: v-maave -author: martyav -ms.localizationpriority: #medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: #conceptual ---- - -# Manual deployment - -**Applies to:** - -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp.md) - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - -This topic describes how to install Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. -Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. - -## Prerequisites and system requirements - -Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp.md) for a description of prerequisites and system requirements for the current software version. - -## Download installation and onboarding packages - -Download the installation and onboarding packages from Windows Defender Security Center: - -1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. -2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Local script**. -3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. -4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. - - ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) - -5. From a command prompt, verify that you have the two files. - Extract the contents of the .zip files: - - ```bash - mavel-macmini:Downloads test$ ls -l - total 721152 - -rw-r--r-- 1 test staff 6185 Mar 15 10:45 WindowsDefenderATPOnboardingPackage.zip - -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg - mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip - Archive: WindowsDefenderATPOnboardingPackage.zip - inflating: WindowsDefenderATPOnboarding.py - ``` - -## Application installation - -To complete this process, you must have admin privileges on the machine. - -1. Navigate to the downloaded wdav.pkg in Finder and open it. - - ![App install screenshot](images/MDATP_28_AppInstall.png) - -2. Select **Continue**, agree with the License terms, and enter the password when prompted. - - ![App install screenshot](images/MDATP_29_AppInstallLogin.png) - - > [!IMPORTANT] - > You will be prompted to allow a driver from Microsoft to be installed (either "System Exception Blocked" or "Installation is on hold" or both. The driver must be allowed to be installed. - - ![App install screenshot](images/MDATP_30_SystemExtension.png) - -3. Select **Open Security Preferences** or **Open System Preferences > Security & Privacy**. Select **Allow**: - - ![Security and privacy window screenshot](images/MDATP_31_SecurityPrivacySettings.png) - -The installation will proceed. - -> [!NOTE] -> If you don't select **Allow**, the installation will fail after 5 minutes. You can restart it again at any time. - -## Client configuration - -1. Copy wdav.pkg and WindowsDefenderATPOnboarding.py to the machine where you deploy Microsoft Defender ATP for Mac. - - The client machine is not associated with orgId. Note that the orgid is blank. - - ```bash - mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py - uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 - orgid : - ``` - -2. Install the configuration file on a client machine: - - ```bash - mavel-mojave:wdavconfig testuser$ python WindowsDefenderATPOnboarding.py - Generating /Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist ... (You may be required to enter sudos password) - ``` - -3. Verify that the machine is now associated with orgId: - - ```bash - mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py - uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 - orgid : E6875323-A6C0-4C60-87AD-114BBE7439B8 - ``` - -After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. - - ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) - -## Test alert - -Run in Terminal the following command. It will download [a harmless file](https://en.wikipedia.org/wiki/EICAR_test_file) which will trigger a test detection. - - ```bash - curl -o ~/Downloads/eicar.com.txt http://www.eicar.org/download/eicar.com.txt - ``` - -You will get a "Threats found" notification, you can inspect threat's details in the Protection history. - -Soon after that you'll get an alert in the ATP Portal. diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md deleted file mode 100644 index b145ab592c..0000000000 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md +++ /dev/null @@ -1,185 +0,0 @@ ---- -title: Installing Microsoft Defender ATP for Mac with Microsoft Intune -description: Describes how to install Microsoft Defender ATP for Mac, using Microsoft Intune. -keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra -search.product: eADQiWindows 10XVcnh -search.appverid: #met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: v-maave -author: martyav -ms.localizationpriority: #medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: #conceptual ---- - -# Microsoft Intune-based deployment - -**Applies to:** - -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp.md) - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - -This topic describes how to install Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. -Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. - -## Prerequisites and system requirements - -Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp.md) for a description of prerequisites and system requirements for the current software version. - -## Download installation and onboarding packages - -Download the installation and onboarding packages from Windows Defender Security Center: - -1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. -2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. -3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. -4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. -5. Download IntuneAppUtil from [https://docs.microsoft.com/en-us/intune/lob-apps-macos](https://docs.microsoft.com/en-us/intune/lob-apps-macos). - - ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) - -6. From a command prompt, verify that you have the three files. - Extract the contents of the .zip files: - - ```bash - mavel-macmini:Downloads test$ ls -l - total 721688 - -rw-r--r-- 1 test staff 269280 Mar 15 11:25 IntuneAppUtil - -rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip - -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg - mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip - Archive: WindowsDefenderATPOnboardingPackage.zip - warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators - inflating: intune/kext.xml - inflating: intune/WindowsDefenderATPOnboarding.xml - inflating: jamf/WindowsDefenderATPOnboarding.plist - mavel-macmini:Downloads test$ - ``` - -7. Make IntuneAppUtil an executable: - - ```mavel-macmini:Downloads test$ chmod +x IntuneAppUtil``` - -8. Create the wdav.pkg.intunemac package from wdav.pkg: - - ```bash - mavel-macmini:Downloads test$ ./IntuneAppUtil -c wdav.pkg -o . -i "com.microsoft.wdav" -n "1.0.0" - Microsoft Intune Application Utility for Mac OS X - Version: 1.0.0.0 - Copyright 2018 Microsoft Corporation - - Creating intunemac file for /Users/test/Downloads/wdav.pkg - Composing the intunemac file output - Output written to ./wdav.pkg.intunemac. - - IntuneAppUtil successfully processed "wdav.pkg", - to deploy refer to the product documentation. - ``` - -## Client Machine Setup - -You need no special provisioning for a Mac machine beyond a standard [Company Portal installation](https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-macos-cp). - -1. You'll be asked to confirm device management. - -![Confirm device management screenshot](images/MDATP_3_ConfirmDeviceMgmt.png) - -Select Open System Preferences, locate Management Profile on the list and select the **Approve...** button. Your Management Profile would be displayed as **Verified**: - -![Management profile screenshot](images/MDATP_4_ManagementProfile.png) - -2. Select the **Continue** button and complete the enrollment. - -You can enroll additional machines. Optionally, you can do it later, after system configuration and application package are provisioned. - -3. In Intune, open the **Manage > Devices > All devices** blade. You'll see your machine: - -![Add Devices screenshot](images/MDATP_5_allDevices.png) - -## Create System Configuration profiles - -1. In Intune open the **Manage > Device configuration** blade. Select **Manage > Profiles > Create Profile**. -2. Choose a name for the profile. Change **Platform=macOS**, **Profile type=Custom**. Select **Configure**. -3. Open the configuration profile and upload intune/kext.xml. This file was created during the Generate settings step above. -4. Select **OK**. - - ![System configuration profiles screenshot](images/MDATP_6_SystemConfigurationProfiles.png) - -5. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**. -6. Repeat these steps with the second profile. -7. Create Profile one more time, give it a name, upload the intune/WindowsDefenderATPOnboarding.xml file. -8. Select **Manage > Assignments**. In the Include tab, select **Assign to All Users & All devices**. - -After Intune changes are propagated to the enrolled machines, you'll see it on the **Monitor > Device status** blade: - -![System configuration profiles screenshot](images/MDATP_7_DeviceStatusBlade.png) - -## Publish application - -1. In Intune, open the **Manage > Client apps** blade. Select **Apps > Add**. -2. Select **App type=Other/Line-of-business app**. -3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload. -4. Select **Configure** and add the required information. -5. Use **macOS Sierra 10.12** as the minimum OS. Other settings can be any other value. - - ![Device status blade screenshot](images/MDATP_8_IntuneAppInfo.png) - -6. Select **OK** and **Add**. - - ![Device status blade screenshot](images/MDATP_9_IntunePkgInfo.png) - -7. It will take a while to upload the package. After it's done, select the name and then go to **Assignments** and **Add group**. - - ![Client apps screenshot](images/MDATP_10_ClientApps.png) - -8. Change **Assignment type=Required**. -9. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Select **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**. - - ![Intune assignments info screenshot](images/MDATP_11_Assignments.png) - -10. After some time the application will be published to all enrolled machines. You'll see it on the **Monitor > Device** install status blade: - - ![Intune device status screenshot](images/MDATP_12_DeviceInstall.png) - -## Verify client machine state - -1. After the configuration profiles are deployed to your machines, on your Mac device, open **System Preferences > Profiles**. - - ![System Preferences screenshot](images/MDATP_13_SystemPreferences.png) - ![System Preferences Profiles screenshot](images/MDATP_14_SystemPreferencesProfiles.png) - -2. Verify the three profiles listed there: - ![Profiles screenshot](images/MDATP_15_ManagementProfileConfig.png) - -3. The **Management Profile** should be the Intune system profile. -4. wdav-config and wdav-kext are system configuration profiles that we added in Intune. -5. You should also see the Microsoft Defender icon in the top-right corner: - - ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) - -## Test alert - -Run in Terminal the following command. It will download [a harmless file](https://en.wikipedia.org/wiki/EICAR_test_file) which will trigger a test detection. - - ```bash - curl -o ~/Downloads/eicar.com.txt http://www.eicar.org/download/eicar.com.txt - ``` - -You will get a "Threats found" notification, you can inspect threat's details in the Protection history. - -Soon after that you'll get an alert in the ATP Portal. - -## Logging installation issues - -See [Logging installation issues](microsoft-defender-atp-mac-resources#Logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. - -## Uninstallation - -See [Uninstalling](microsoft-defender-atp-mac-resources#Uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md deleted file mode 100644 index a66f836f20..0000000000 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md +++ /dev/null @@ -1,220 +0,0 @@ ---- -title: Installing Microsoft Defender ATP for Mac with JAMF -description: Describes how to install Microsoft Defender ATP for Mac, using JAMF. -keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra -search.product: eADQiWindows 10XVcnh -search.appverid: #met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: v-maave -author: martyav -ms.localizationpriority: #medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: #conceptual ---- - -# JAMF-based deployment - -**Applies to:** - -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp.md) - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - -This topic describes how to install Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. -Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. - -## Prerequisites and system requirements - -Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp.md) for a description of prerequisites and system requirements for the current software version. - -In addition, for JAMF deployment, you need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes having a properly configured distribution point. JAMF has many ways to complete the same task. These instructions provide an example for most common processes. Your organization might use a different workflow. - -## Download installation and onboarding packages - -Download the installation and onboarding packages from Windows Defender Security Center: - -1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. -2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. -3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. -4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. - - ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) - -5. From a command prompt, verify that you have the two files. - Extract the contents of the .zip files: - - ```bash - mavel-macmini:Downloads test$ ls -l - total 721160 - -rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip - -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg - mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip - Archive: WindowsDefenderATPOnboardingPackage.zip - warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators - inflating: intune/kext.xml - inflating: intune/WindowsDefenderATPOnboarding.xml - inflating: jamf/WindowsDefenderATPOnboarding.plist - mavel-macmini:Downloads test$ - ``` - -## Create JAMF Policies - -You need to create a configuration profile and a policy to start deploying Microsoft Defender ATP for Mac to client machines. - -### Configuration Profile - -The configuration profile contains one custom settings payload that includes: - -- Microsoft Defender ATP for Mac onboarding information -- Approved Kernel Extensions payload to enable the Microsoft kernel driver to run - -1. Upload jamf/WindowsDefenderATPOnboarding.plist as the Property List File. - - >[!NOTE] - > You must use exactly "com.microsoft.wdav.atp" as the Preference Domain. - - ![Configuration profile screenshot](images/MDATP_16_PreferenceDomain.png) - -### Approved Kernel Extension - -To approve the kernel extension: - -1. In **Computers > Configuration Profiles** select **Options > Approved Kernel Extensions**. -2. Use **UBF8T346G9** for Team Id. - -![Approved kernel extensions screenshot](images/MDATP_17_approvedKernelExtensions.png) - -#### Configuration Profile's Scope - -Configure the appropriate scope to specify the machines that will receive this configuration profile. - -Open Computers -> Configuration Profiles, select **Scope > Targets**. Select the appropriate Target computers. - -![Configuration profile scope screenshot](images/MDATP_18_ConfigurationProfilesScope.png) - -Save the **Configuration Profile**. - -Use the **Logs** tab to monitor deployment status for each enrolled machine. - -### Package - -1. Create a package in **Settings > Computer Management > Packages**. - - ![Computer management packages screenshot](images/MDATP_19_MicrosoftDefenderWDAVPKG.png) - -2. Upload wdav.pkg to the Distribution Point. -3. In the **filename** field, enter the name of the package. For example, wdav.pkg. - -### Policy - -Your policy should contain a single package for Microsoft Defender. - -![Microsoft Defender packages screenshot](images/MDATP_20_MicrosoftDefenderPackages.png) - -Configure the appropriate scope to specify the computers that will receive this policy. - -After you save the Configuration Profile, you can use the Logs tab to monitor the deployment status for each enrolled machine. - -## Client machine setup - -You need no special provisioning for a macOS computer beyond the standard JAMF Enrollment. - -> [!NOTE] -> After a computer is enrolled, it will show up in the Computers inventory (All Computers). - -1. Open the machine details, from **General** tab, and make sure that **User Approved MDM** is set to **Yes**. If it's set to No, the user needs to open **System Preferences > Profiles** and select **Approve** on the MDM Profile. - -![MDM approve button screenshot](images/MDATP_21_MDMProfile1.png) -![MDM screenshot](images/MDATP_22_MDMProfileApproved.png) - -After some time, the machine's User Approved MDM status will change to Yes. - -![MDM status screenshot](images/MDATP_23_MDMStatus.png) - -You can enroll additional machines now. Optionally, can do it after system configuration and application packages are provisioned. - -## Deployment - -Enrolled client machines periodically poll the JAMF Server and install new configuration profiles and policies as soon as they are detected. - -### Status on server - -You can monitor the deployment status in the Logs tab: - -- **Pending** means that the deployment is scheduled but has not yet happened -- **Completed** means that the deployment succeeded and is no longer scheduled - -![Status on server screenshot](images/MDATP_24_StatusOnServer.png) - -### Status on client machine - -After the Configuration Profile is deployed, you'll see the profile on the machine in the **System Preferences > Profiles >** Name of Configuration Profile. - -![Status on client screenshot](images/MDATP_25_StatusOnClient.png) - -After the policy is applied, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. - -![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) - -You can monitor policy installation on a machine by following the JAMF's log file: - -```bash - mavel-mojave:~ testuser$ tail -f /var/log/jamf.log - Thu Feb 21 11:11:41 mavel-mojave jamf[7960]: No patch policies were found. - Thu Feb 21 11:16:41 mavel-mojave jamf[8051]: Checking for policies triggered by "recurring check-in" for user "testuser"... - Thu Feb 21 11:16:43 mavel-mojave jamf[8051]: Executing Policy WDAV - Thu Feb 21 11:17:02 mavel-mojave jamf[8051]: Installing Microsoft Defender... - Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Successfully installed Microsoft Defender. - Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Checking for patches... - Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: No patch policies were found. -``` - -You can also check the onboarding status: - -```bash - mavel-mojave:~ testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py - uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 - orgid : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 - orgid managed : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 - orgid effective : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 -``` - -- **orgid/orgid managed**: This is the Microsoft Defender ATP org id specified in the configuration profile. If this value is blank, then the Configuration Profile was not properly set. - -- **orgid effective**: This is the Microsoft Defender ATP org id currently in use. If it does not match the value in the Configuration Profile, then the configuration has not been refreshed. - -## Check onboarding status - -You can check that machines are correctly onboarded by creating a script. For example, the following script checks that enrolled machines are onboarded: - -```bash - sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | grep -E 'orgid effective : [-a-zA-Z0-9]+' -``` - -This script returns 0 if Microsoft Defender ATP is registered with the Windows Defender ATP service, and another exit code if it is not installed or registered. - -## Test alert - -Run in Terminal the following command. It will download [a harmless file](https://en.wikipedia.org/wiki/EICAR_test_file) which will trigger a test detection. - - ```bash - curl -o ~/Downloads/eicar.com.txt http://www.eicar.org/download/eicar.com.txt - ``` - -You will get a "Threats found" notification, you can inspect threat's details in the Protection history. - -Soon after that you'll get an alert in the ATP Portal. - -## Logging installation issues - -See [Logging installation issues](microsoft-defender-atp-mac-resources#Logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. - -## Uninstallation - -See [Uninstalling](microsoft-defender-atp-mac-resources#Uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md deleted file mode 100644 index 8967cf9879..0000000000 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md +++ /dev/null @@ -1,153 +0,0 @@ ---- -title: Microsoft Defender ATP for Mac Resources -description: Describes resources for Microsoft Defender ATP for Mac, including how to uninstall it, how to collect diagnostic logs, and known issues with the product. -keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra -search.product: eADQiWindows 10XVcnh -search.appverid: #met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: v-maave -author: martyav -ms.localizationpriority: #medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: #conceptual ---- - -# Resources - -**Applies to:** - -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp.md) - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - -This topic describes how to use, and details about, Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. -Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. - -## Collecting diagnostic information - -If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default. - -1) Increase logging level: - -```bash - mavel-mojave:~ testuser$ mdatp --log-level verbose - Operation succeeded -``` - -2) Reproduce the problem - -3) Run `mdatp --diagnostic` to backup Defender ATP's logs. The command will print out location with generated zip file. - - ```bash - mavel-mojave:~ testuser$ mdatp --diagnostic --create - "/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip" - ``` - -4) Restore logging level: - - ```bash - mavel-mojave:~ testuser$ mdatp --log-level info - Operation succeeded - ``` - -## Managing from the command line - -Important tasks, such as controlling product settings and triggering on-demand scans, can be done from the command line: - -|Group |Scenario |Command | -|-------------|-------------------------------------------|-----------------------------------------------------------------------| -|Configuration|Turn on/off real-time protection |`mdatp --config rtp [true/false]` | -|Configuration|Turn on/off cloud protection |`mdatp --config cloud [true/false]` | -|Configuration|Turn on/off product diagnostics |`mdatp --config diagnostic [true/false]` | -|Configuration|Turn on/off automatic sample submission |`mdatp --config sample-submission [true/false]` | -|Configuration|Turn on PUA protection |`mdatp --threat --type-handling potentially_unwanted_application block`| -|Configuration|Turn off PUA protection |`mdatp --threat --type-handling potentially_unwanted_application off` | -|Configuration|Turn on audit mode for PUA protection |`mdatp --threat --type-handling potentially_unwanted_application audit`| -|Diagnostics |Change the log level |`mdatp --log-level [error/warning/info/verbose]` | -|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic --create` | -|Health |Check the product's health |`mdatp --health` | -|Health |Prints a single health metric |`mdatp --health [metric]` | -|Protection |Scan a path |`mdatp --scan --path [path]` | -|Protection |Do a quick scan |`mdatp --scan --quick` | -|Protection |Do a full scan |`mdatp --scan --full` | -|Protection |Cancel an ongoing on-demand scan |`mdatp --scan --cancel` | -|Protection |Request a definition update |`mdatp --definition-update` | - -## Logging installation issues - -If an error occurs during installation, the installer will only report a general failure. - -The detailed log will be saved to /Library/Logs/Microsoft/wdav.install.log. If you experience issues during installation, send us this file so we can help diagnose the cause. - -## Uninstalling - -There are several ways to uninstall Microsoft Defender ATP for Mac. Please note that while centrally managed uninstall is available on JAMF, it is not yet available for Microsoft Intune. - -### Within the GUI - -- Open **Finder > Applications**. Right click on **Microsoft Defender ATP > Move to Trash**. - -### From the command line - -- ```sudo rm -rf '/Applications/Microsoft Defender ATP'``` - -### With a script - -Create a script in **Settings > Computer Management > Scripts**. - -![Microsoft Defender uninstall screenshot](images/MDATP_26_Uninstall.png) - -For example, this script removes Microsoft Defender ATP from the /Applications directory: - -```bash - echo "Is WDAV installed?" - ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null - - echo "Uninstalling WDAV..." - rm -rf '/Applications/Microsoft Defender ATP.app' - - echo "Is WDAV still installed?" - ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null - - echo "Done!" -``` - -### With a JAMF policy - -If you are running JAMF, your policy should contain a single script: - -![Microsoft Defender uninstall script screenshot](images/MDATP_27_UninstallScript.png) - -Configure the appropriate scope in the **Scope** tab to specify the machines that will receive this policy. - -## What to expect in the ATP portal - -- AV alerts: - - Severity - - Scan type - - Device information (hostname, machine identifier, tenant identifier, app version, and OS type) - - File information (name, path, size, and hash) - - Threat information (name, type, and state) -- Device information: - - Machine identifier - - Tenant identifier - - App version - - Hostname - - OS type - - OS version - - Computer model - - Processor architecture - - Whether the device is a virtual machine - -## Known issues - -- Not fully optimized for performance or disk space yet. -- Full Windows Defender ATP integration is not available yet. -- Mac devices that switch networks may appear multiple times in the APT portal. -- Centrally managed uninstall via Intune is still in development. As an alternative, manually uninstall Microsoft Defender ATP for Mac from each client device. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index b22d38d977..cccde77573 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -22,40 +22,15 @@ ms.topic: conceptual >[!IMPORTANT] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -This topic describes how to install and use Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. -Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. - -## What’s new in the public preview - -We've been working hard through the private preview period, and we've heard your concerns. We've reduced the delay for when new Mac devices appear in the ATP console after they've been deployed. We've improved threat handling, and enhanced the user experience. We've also made numerous bug fixes. Other updates to Microsoft Defender ATP for Mac include: - -- Full accessibility -- Improved performance -- Localization for 37 languages -- Improved anti-tampering protections -- Feedback and samples can now be submitted via the GUI. -- Product health can be queried with JAMF or the command line. -- Admins can set their cloud preference for any location, not just for those in the US. - -## Installing and configuring - -There are various methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac. -In general you'll need to take the following steps: - -- Ensure you have a Windows Defender ATP subscription and have access to the Windows Defender ATP Portal -- Deploy Microsoft Defender ATP for Mac using one of the following deployment methods: - - [Microsoft Intune-based deployment](microsoft-defender-atp-mac-install-with-intune) - - [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf) - - [Manual deployment](microsoft-defender-atp-mac-install-manually) - -### Prerequisites +This topic describes how to install and use Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. +Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. +## Prerequisites You should have beginner-level experience in macOS and BASH scripting. You must have administrative privileges on the machine. You should also have access to Windows Defender Security Center. ### System Requirements - - macOS version: 10.14 (Mojave), 10.13 (High Sierra), 10.12 (Sierra) - Disk space during preview: 1GB @@ -69,19 +44,467 @@ After you've enabled the service, you may need to configure your network or fire The following table lists the services and their associated URLs that your network must be able to connect to. You should ensure there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an **allow** rule specifically for them: | Service | Description | URL | -| -------------- |:------------------------------------:|:--------------------------------------------------------------------:| +| -------------- |:------------------------------------:| --------------------------------------------------------------------:| | ATP | Advanced threat protection service | `https://x.cp.wd.microsoft.com/`, `https://*.x.cp.wd.microsoft.com/` | To test that a connection is not blocked, open `https://x.cp.wd.microsoft.com/api/report` and `https://wu-cdn.x.cp.wd.microsoft.com/` in a browser, or run the following command in Terminal: -```bash +``` mavel-mojave:~ testuser$ curl 'https://x.cp.wd.microsoft.com/api/report' OK ``` -We recommend to keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) ([Wiki](https://en.wikipedia.org/wiki/System_Integrity_Protection) enabled (default setting) on client machines. +We recommend to keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) ([Wiki](https://en.wikipedia.org/wiki/System_Integrity_Protection)) enabled (default setting) on client machines. SIP is a built-in macOS security feature that prevents low-level tampering with the OS. -## Resources +## Installation and configuration overview +There are various methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac. +In general you'll need to take the following steps: + - Ensure you have a Windows Defender ATP subscription and have access to the Windows Defender ATP Portal + - Deploy Microsoft Defender ATP for Mac using one of the following deployment methods: + * [Microsoft Intune based deployment](#microsoft-intune-based-deployment) + * [JAMF based deployment](#jamf-based-deployment) + * [Manual deployment](#manual-deployment) -For further information on logging, uninstalling, the ATP portal, or known issues, see our [Resources](microsoft-defender-atp-mac-resources) page. \ No newline at end of file +## Microsoft Intune based deployment + +### Download installation and onboarding packages +Download the installation and onboarding packages from Windows Defender Security Center: +1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. +2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. +3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. +4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. +5. Download IntuneAppUtil from https://docs.microsoft.com/en-us/intune/lob-apps-macos. + + ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) + +6. From a command prompt, verify that you have the three files. + Extract the contents of the .zip files: + + ``` + mavel-macmini:Downloads test$ ls -l + total 721688 + -rw-r--r-- 1 test staff 269280 Mar 15 11:25 IntuneAppUtil + -rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip + -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg + mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip + Archive: WindowsDefenderATPOnboardingPackage.zip + warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators + inflating: intune/kext.xml + inflating: intune/WindowsDefenderATPOnboarding.xml + inflating: jamf/WindowsDefenderATPOnboarding.plist + mavel-macmini:Downloads test$ + ``` +7. Make IntuneAppUtil an executable: + + ```mavel-macmini:Downloads test$ chmod +x IntuneAppUtil``` + +8. Create the wdav.pkg.intunemac package from wdav.pkg: + + ``` + mavel-macmini:Downloads test$ ./IntuneAppUtil -c wdav.pkg -o . -i "com.microsoft.wdav" -n "1.0.0" + Microsoft Intune Application Utility for Mac OS X + Version: 1.0.0.0 + Copyright 2018 Microsoft Corporation + + Creating intunemac file for /Users/test/Downloads/wdav.pkg + Composing the intunemac file output + Output written to ./wdav.pkg.intunemac. + + IntuneAppUtil successfully processed "wdav.pkg", + to deploy refer to the product documentation. + ``` + +### Client Machine Setup +You need no special provisioning for a Mac machine beyond a standard [Company Portal installation](https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-macos-cp). + +1. You'll be asked to confirm device management. + +![Confirm device management screenshot](images/MDATP_3_ConfirmDeviceMgmt.png) + +Select Open System Preferences, locate Management Profile on the list and select the **Approve...** button. Your Management Profile would be displayed as **Verified**: + +![Management profile screenshot](images/MDATP_4_ManagementProfile.png) + +2. Select the **Continue** button and complete the enrollment. + +You can enroll additional machines. Optionally, you can do it later, after system configuration and application package are provisioned. + +3. In Intune, open the **Manage > Devices > All devices** blade. You'll see your machine: + +![Add Devices screenshot](images/MDATP_5_allDevices.png) + +### Create System Configuration profiles +1. In Intune open the **Manage > Device configuration** blade. Select **Manage > Profiles > Create Profile**. +2. Choose a name for the profile. Change **Platform=macOS**, **Profile type=Custom**. Select **Configure**. +3. Open the configuration profile and upload intune/kext.xml. This file was created during the Generate settings step above. +4. Select **OK**. + + ![System configuration profiles screenshot](images/MDATP_6_SystemConfigurationProfiles.png) + +5. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**. +7. Repeat these steps with the second profile. +8. Create Profile one more time, give it a name, upload the intune/WindowsDefenderATPOnboarding.xml file. +9. Select **Manage > Assignments**. In the Include tab, select **Assign to All Users & All devices**. + +After Intune changes are propagated to the enrolled machines, you'll see it on the **Monitor > Device status** blade: + +![System configuration profiles screenshot](images/MDATP_7_DeviceStatusBlade.png) + +### Publish application + +1. In Intune, open the **Manage > Client apps** blade. Select **Apps > Add**. +2. Select **App type=Other/Line-of-business app**. +3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload. +4. Select **Configure** and add the required information. +5. Use **macOS Sierra 10.12** as the minimum OS. Other settings can be any other value. + + ![Device status blade screenshot](images/MDATP_8_IntuneAppInfo.png) + +6. Select **OK** and **Add**. + + ![Device status blade screenshot](images/MDATP_9_IntunePkgInfo.png) + +7. It will take a while to upload the package. After it's done, select the name and then go to **Assignments** and **Add group**. + + ![Client apps screenshot](images/MDATP_10_ClientApps.png) + +8. Change **Assignment type=Required**. +9. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Select **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**. + + ![Intune assignments info screenshot](images/MDATP_11_Assignments.png) + +10. After some time the application will be published to all enrolled machines. You'll see it on the **Monitor > Device** install status blade: + + ![Intune device status screenshot](images/MDATP_12_DeviceInstall.png) + +### Verify client machine state +1. After the configuration profiles are deployed to your machines, on your Mac device, open **System Preferences > Profiles**. + + ![System Preferences screenshot](images/MDATP_13_SystemPreferences.png) + ![System Preferences Profiles screenshot](images/MDATP_14_SystemPreferencesProfiles.png) + +2. Verify the three profiles listed there: + ![Profiles screenshot](images/MDATP_15_ManagementProfileConfig.png) + +3. The **Management Profile** should be the Intune system profile. +4. wdav-config and wdav-kext are system configuration profiles that we added in Intune. +5. You should also see the Microsoft Defender icon in the top-right corner: + + ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) + +## JAMF based deployment +### Prerequsites +You need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes a properly configured distribution point. JAMF has many alternative ways to complete the same task. These instructions provide you an example for most common processes. Your organization might use a different workflow. + + +### Download installation and onboarding packages +Download the installation and onboarding packages from Windows Defender Security Center: +1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. +2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. +3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. +4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. + + ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) + +5. From a command prompt, verify that you have the two files. + Extract the contents of the .zip files: + + ``` + mavel-macmini:Downloads test$ ls -l + total 721160 + -rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip + -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg + mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip + Archive: WindowsDefenderATPOnboardingPackage.zip + warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators + inflating: intune/kext.xml + inflating: intune/WindowsDefenderATPOnboarding.xml + inflating: jamf/WindowsDefenderATPOnboarding.plist + mavel-macmini:Downloads test$ + ``` + +### Create JAMF Policies +You need to create a configuration profile and a policy to start deploying Microsoft Defender ATP for Mac to client machines. + +#### Configuration Profile +The configuration profile contains one custom settings payload that includes: + +- Microsoft Defender ATP for Mac onboarding information +- Approved Kernel Extensions payload to enable the Microsoft kernel driver to run + + +1. Upload jamf/WindowsDefenderATPOnboarding.plist as the Property List File. + + >[!NOTE] + > You must use exactly "com.microsoft.wdav.atp" as the Preference Domain. + + ![Configuration profile screenshot](images/MDATP_16_PreferenceDomain.png) + +#### Approved Kernel Extension + +To approve the kernel extension: +1. In **Computers > Configuration Profiles** select **Options > Approved Kernel Extensions**. +2. Use **UBF8T346G9** for Team Id. + +![Approved kernel extensions screenshot](images/MDATP_17_approvedKernelExtensions.png) + +#### Configuration Profile's Scope +Configure the appropriate scope to specify the machines that will receive this configuration profile. + +Open Computers -> Configuration Profiles, select **Scope > Targets**. Select the appropriate Target computers. + +![Configuration profile scope screenshot](images/MDATP_18_ConfigurationProfilesScope.png) + +Save the **Configuration Profile**. + +Use the **Logs** tab to monitor deployment status for each enrolled machine. + +#### Package +1. Create a package in **Settings > Computer Management > Packages**. + + ![Computer management packages screenshot](images/MDATP_19_MicrosoftDefenderWDAVPKG.png) + +2. Upload wdav.pkg to the Distribution Point. +3. In the **filename** field, enter the name of the package. For example, wdav.pkg. + +#### Policy +Your policy should contain a single package for Microsoft Defender. + +![Microsoft Defender packages screenshot](images/MDATP_20_MicrosoftDefenderPackages.png) + +Configure the appropriate scope to specify the computers that will receive this policy. + +After you save the Configuration Profile, you can use the Logs tab to monitor the deployment status for each enrolled machine. + +### Client machine setup +You need no special provisioning for a macOS computer beyond the standard JAMF Enrollment. + +> [!NOTE] +> After a computer is enrolled, it will show up in the Computers inventory (All Computers). + +1. Open the machine details, from **General** tab, and make sure that **User Approved MDM** is set to **Yes**. If it's set to No, the user needs to open **System Preferences > Profiles** and select **Approve** on the MDM Profile. + +![MDM approve button screenshot](images/MDATP_21_MDMProfile1.png) +![MDM screenshot](images/MDATP_22_MDMProfileApproved.png) + +After some time, the machine's User Approved MDM status will change to Yes. + +![MDM status screenshot](images/MDATP_23_MDMStatus.png) + +You can enroll additional machines now. Optionally, can do it after system configuration and application packages are provisioned. + +### Deployment +Enrolled client machines periodically poll the JAMF Server and install new configuration profiles and policies as soon as they are detected. + +#### Status on server +You can monitor the deployment status in the Logs tab: + - **Pending** means that the deployment is scheduled but has not yet happened + - **Completed** means that the deployment succeeded and is no longer scheduled + +![Status on server screenshot](images/MDATP_24_StatusOnServer.png) + + +#### Status on client machine +After the Configuration Profile is deployed, you'll see the profile on the machine in the **System Preferences > Profiles >** Name of Configuration Profile. + +![Status on client screenshot](images/MDATP_25_StatusOnClient.png) + +After the policy is applied, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. + +![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) + +You can monitor policy installation on a machine by following the JAMF's log file: + +``` +mavel-mojave:~ testuser$ tail -f /var/log/jamf.log +Thu Feb 21 11:11:41 mavel-mojave jamf[7960]: No patch policies were found. +Thu Feb 21 11:16:41 mavel-mojave jamf[8051]: Checking for policies triggered by "recurring check-in" for user "testuser"... +Thu Feb 21 11:16:43 mavel-mojave jamf[8051]: Executing Policy WDAV +Thu Feb 21 11:17:02 mavel-mojave jamf[8051]: Installing Microsoft Defender... +Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Successfully installed Microsoft Defender. +Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Checking for patches... +Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: No patch policies were found. +``` + +You can also check the onboarding status: +``` +mavel-mojave:~ testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py +uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 +orgid : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 +orgid managed : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 +orgid effective : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 +``` + +- **orgid/orgid managed**: This is the Microsoft Defender ATP org id specified in the configuration profile. If this value is blank, then the Configuration Profile was not properly set. + +- **orgid effective**: This is the Microsoft Defender ATP org id currently in use. If it does not match the value in the Configuration Profile, then the configuration has not been refreshed. + +### Uninstalling Microsoft Defender ATP for Mac +#### Uninstalling with a script + +Create a script in **Settings > Computer Management > Scripts**. + +![Microsoft Defender uninstall screenshot](images/MDATP_26_Uninstall.png) + +For example, this script removes Microsoft Defender ATP from the /Applications directory: + +``` +echo "Is WDAV installed?" +ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null + +echo "Uninstalling WDAV..." +rm -rf '/Applications/Microsoft Defender ATP.app' + +echo "Is WDAV still installed?" +ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null + +echo "Done!" +``` + +#### Uninstalling with a policy +Your policy should contain a single script: + +![Microsoft Defender uninstall script screenshot](images/MDATP_27_UninstallScript.png) + +Configure the appropriate scope in the **Scope** tab to specify the machines that will receive this policy. + +### Check onboarding status + +You can check that machines are correctly onboarded by creating a script. For example, the following script checks that enrolled machines are onboarded: + +``` +sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | grep -E 'orgid effective : [-a-zA-Z0-9]+' +``` + +This script returns 0 if Microsoft Defender ATP is registered with the Windows Defender ATP service, and another exit code if it is not installed or registered. + +## Manual deployment + +### Download installation and onboarding packages +Download the installation and onboarding packages from Windows Defender Security Center: +1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. +2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Local script**. +3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. +4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. + + ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) + +5. From a command prompt, verify that you have the two files. + Extract the contents of the .zip files: + + ``` + mavel-macmini:Downloads test$ ls -l + total 721152 + -rw-r--r-- 1 test staff 6185 Mar 15 10:45 WindowsDefenderATPOnboardingPackage.zip + -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg + mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip + Archive: WindowsDefenderATPOnboardingPackage.zip + inflating: WindowsDefenderATPOnboarding.py + ``` + +### Application installation +To complete this process, you must have admin privileges on the machine. + +1. Navigate to the downloaded wdav.pkg in Finder and open it. + + ![App install screenshot](images/MDATP_28_AppInstall.png) + +2. Select **Continue**, agree with the License terms, and enter the password when prompted. + + ![App install screenshot](images/MDATP_29_AppInstallLogin.png) + + > [!IMPORTANT] + > You will be prompted to allow a driver from Microsoft to be installed (either "System Exception Blocked" or "Installation is on hold" or both. The driver must be allowed to be installed. + + ![App install screenshot](images/MDATP_30_SystemExtension.png) + +3. Select **Open Security Preferences** or **Open System Preferences > Security & Privacy**. Select **Allow**: + + ![Security and privacy window screenshot](images/MDATP_31_SecurityPrivacySettings.png) + + +The installation will proceed. + +> [!NOTE] +> If you don't select **Allow**, the installation will fail after 5 minutes. You can restart it again at any time. + +### Client configuration +1. Copy wdav.pkg and WindowsDefenderATPOnboarding.py to the machine where you deploy Microsoft Defender ATP for Mac. + + The client machine is not associated with orgId. Note that the orgid is blank. + + ``` + mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py + uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 + orgid : + ``` +2. Install the configuration file on a client machine: + + ``` + mavel-mojave:wdavconfig testuser$ python WindowsDefenderATPOnboarding.py + Generating /Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist ... (You may be required to enter sudos password) + ``` + +3. Verify that the machine is now associated with orgId: + + ``` + mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py + uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 + orgid : E6875323-A6C0-4C60-87AD-114BBE7439B8 + ``` +After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. + + ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) + +## Uninstallation +### Removing Microsoft Defender ATP from Mac devices +To remove Microsoft Defender ATP from your macOS devices: + +- Open **Finder > Applications**. Right click on **Microsoft Defender ATP > Move to Trash**. + +Or, from a command line: + +- ```sudo rm -rf '/Applications/Microsoft Defender ATP'``` + +## Known issues +- Microsoft Defender ATP is not yet optimized for performance or disk space. +- Centrally managed uninstall using Intune is still in development. To uninstall (as a workaround) a manual uninstall action has to be completed on each client device). +- Geo preference for telemetry traffic is not yet supported. Cloud traffic (definition updates) routed to US only. +- Full Windows Defender ATP integration is not yet available +- Not localized yet +- There might be accessibility issues + +## Collecting diagnostic information +If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default. + +1) Increase logging level: +``` + mavel-mojave:~ testuser$ mdatp log-level --verbose + Creating connection to daemon + Connection established + Operation succeeded +``` + +2) Reproduce the problem + +3) Run `mdatp --diagnostic` to backup Defender ATP's logs. The command will print out location with generated zip file. + + ``` + mavel-mojave:~ testuser$ mdatp --diagnostic + Creating connection to daemon + Connection established + "/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip" + ``` + +4) Restore logging level: +``` + mavel-mojave:~ testuser$ mdatp log-level --info + Creating connection to daemon + Connection established + Operation succeeded +``` + + +### Installation issues +If an error occurs during installation, the installer will only report a general failure. The detailed log is saved to /Library/Logs/Microsoft/wdav.install.log. If you experience issues during installation, send us this file so we can help diagnose the cause. From 0734e038948e6d12cbba8e3943558cec05cd5829 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Wed, 8 May 2019 09:32:09 -0700 Subject: [PATCH 081/149] Update hello-hybrid-cert-trust-prereqs.md AS FS > AD FS typo --- .../hello-for-business/hello-hybrid-cert-trust-prereqs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index 3dd1963a94..8179a617a8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md @@ -57,7 +57,7 @@ Review these requirements and those from the Windows Hello for Business planning ## Public Key Infrastructure ## The Windows Hello for Business deployment depends on an enterprise public key infrastructure as trust anchor for authentication. Domain controllers for hybrid deployments need a certificate in order for Windows 10 devices to trust the domain controller. -Certificate trust deployments need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users. When using Group Policy, hybrid certificate trust deployment uses the Windows Server 2016 Active Directory Federation Server (AS FS) as a certificate registration authority. +Certificate trust deployments need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users. When using Group Policy, hybrid certificate trust deployment uses the Windows Server 2016 Active Directory Federation Server (AD FS) as a certificate registration authority. The minimum required enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012. From 244670f6f4afec4900759ba76498a0b41048116f Mon Sep 17 00:00:00 2001 From: illfated Date: Wed, 8 May 2019 21:13:55 +0200 Subject: [PATCH 082/149] activate-using-key-management-service-vamt.md typo Typo correction, 2 characters were swapped. - slmrg.vbs -> slmgr.vbs Closes #3539 (Spelling Typo) --- .../activate-using-key-management-service-vamt.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md index dd8545387c..2fea892b96 100644 --- a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md +++ b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md @@ -133,11 +133,9 @@ If you have already established a KMS infrastructure in your organization for an 1. Download and install the correct update for your current KMS host operating system. Restart the computer as directed. 2. Request a new KMS host key from the Volume Licensing Service Center. 3. Install the new KMS host key on your KMS host. -4. Activate the new KMS host key by running the slmrg.vbs script. +4. Activate the new KMS host key by running the slmgr.vbs script. For detailed instructions, see [Update that enables Windows 8.1 and Windows 8 KMS hosts to activate a later version of Windows](https://go.microsoft.com/fwlink/p/?LinkId=618265) and [Update that enables Windows 7 and Windows Server 2008 R2 KMS hosts to activate Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=626590). ## See also - [Volume Activation for Windows 10](volume-activation-windows-10.md) -  - From 14bdb0323bca915ff22c511e8949652c340ad568 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 8 May 2019 12:43:56 -0700 Subject: [PATCH 083/149] edits from Michael H --- .../create-wip-policy-using-intune-azure.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index 0e53bed956..c20462e84f 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -11,7 +11,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 05/07/2019 +ms.date: 05/08/2019 --- # Create a Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune @@ -590,7 +590,7 @@ After you've decided where your protected apps can access enterprise data on you - **Use Azure RMS for WIP.** Determines whether WIP encrypts [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management) Files that are copied from Windows 10 to USB or other removable drives so they can be securely shared amongst employees. You must already have Azure Rights Management set up. The RMS template is only applied to the files on removable media, and is only used for access control—it doesn’t actually apply Azure Information Protection to the files. - - **On.** Starts protecting Azure Rights Management files that are copied to a removable drive. You can also add a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. Curly braces -- {} -- are required around the RMS Template ID. The EFS file uses the key from the RMS template’s license to protect the EFS file encryption key. Only users with permission to that template will be able to read it from the USB. If you don’t specify a template, it’s a regular EFS file using a default RMS template that everyone in the tenant will have access to. + - **On.** Protects files that are copied to a removable drive. You can also add a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. Curly braces -- {} -- are required around the RMS Template ID, but they are omitted when you view the saved settings. The EFS file uses the key from the RMS template’s license to protect the EFS file encryption key. Only users with permission to that template will be able to read it from the USB. If you don’t specify a template, it’s a regular EFS file using a default RMS template that everyone in the tenant will have access to. - **Off, or not configured.** Stops WIP from encrypting Azure Rights Management files that are copied to a removable drive. @@ -604,7 +604,7 @@ For more info about setting up and using a custom template, see [Configuring cus ## Encrypted file extensions -You can restrict which files are protected by WIP when they are downloaded from an SMB share within your enterprise network locations. If this settings is configured, only files with the extensions in the list will be encrypted. If this setting is not specified, the existing auto-encryption behavior is applied. +You can restrict which files are protected by WIP when they are downloaded from an SMB share within your enterprise network locations. If this setting is configured, only files with the extensions in the list will be encrypted. If this setting is not specified, the existing auto-encryption behavior is applied. ![WIP encrypted file extensions](images/wip-encrypted-file-extensions.png) From 8c69ffb1b9b212067b87a180f2817d00973e3a1d Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 8 May 2019 12:46:18 -0700 Subject: [PATCH 084/149] edits --- .../create-wip-policy-using-intune-azure.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index c20462e84f..cbae7321c4 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -21,7 +21,7 @@ ms.date: 05/08/2019 - Windows 10, version 1607 and later - Windows 10 Mobile, version 1607 and later (except Microsoft Azure Rights Management, which is only available on the desktop) -Microsoft Intune has an easy way to create and deploy a Windows Information Protection (WIP) policy. You can choose which apps to protect, the level of protection, and how to find enterprise data on the network. The devices can be fully managed by Mobile Device Management (MDM), or managed by Mobile Application Management (MAM), where Intune only manages the apps on a user's personal device. +Microsoft Intune has an easy way to create and deploy a Windows Information Protection (WIP) policy. You can choose which apps to protect, the level of protection, and how to find enterprise data on the network. The devices can be fully managed by Mobile Device Management (MDM), or managed by Mobile Application Management (MAM), where Intune manages only the apps on a user's personal device. ## Differences between MDM and MAM for WIP From 6556ac94e86a1e0c4c2cf4fde79bc91d290febe9 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Wed, 8 May 2019 13:50:50 -0700 Subject: [PATCH 085/149] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 096932fb04..7552b38864 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -209,7 +209,7 @@ See the following table for a summary of the management settings for Windows Ser See the following table for a summary of the management settings for Windows Server 2016 Nano Server. | Setting | Registry | Command line | -| - | :-: | :-: | :-: | :-: | :-: | +| - | :-: | :-: | | [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | ![Check mark](images/checkmark.png) | | | [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | | | [22. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | From 4cc2cec7411b5ddcb46b1204855f58ecbf951b4b Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Wed, 8 May 2019 13:52:08 -0700 Subject: [PATCH 086/149] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 7552b38864..5ab28a758c 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -194,7 +194,7 @@ See the following table for a summary of the management settings for Windows Ser See the following table for a summary of the management settings for Windows Server 2016 Server Core. | Setting | Group Policy | Registry | Command line | -| - | :-: | :-: | :-: | :-: | :-: | +| - | :-: | :-: | :-: | | [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [6. Font streaming](#font-streaming) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | From 21b1e1063faa09bae66f71d2b69c1d112675e22b Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Wed, 8 May 2019 13:53:10 -0700 Subject: [PATCH 087/149] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...windows-operating-system-components-to-microsoft-services.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 5ab28a758c..8fa437fbec 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -634,6 +634,8 @@ To disable the Microsoft Account Sign-In Assistant: - Apply the Accounts/AllowMicrosoftAccountSignInAssistant MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on. + -or- + - Change the **Start** REG_DWORD registry setting in **HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\wlidsvc** to a value of **4**. From 3ead1b57077ad38bc245e538c0a19605a1a02e1a Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Wed, 8 May 2019 14:04:00 -0700 Subject: [PATCH 088/149] Added 19H1 policies --- .../policy-configuration-service-provider.md | 42 ++ .../mdm/policy-csp-update.md | 409 +++++++++++++++++- 2 files changed, 449 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index a27926a537..8a7e1f0050 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -3336,9 +3336,24 @@ The following diagram shows the Policy configuration service provider in tree fo
Update/AutoRestartRequiredNotificationDismissal
+
+ Update/AutomaticMaintenanceWakeUp +
Update/BranchReadinessLevel
+
+ Update/ConfigureDeadlineForFeatureUpdates +
+
+ Update/ConfigureDeadlineForQualityUpdates +
+
+ Update/ConfigureDeadlineGracePeriod +
+
+ Update/ConfigureDeadlineNoAutoReboot +
Update/ConfigureFeatureUpdateUninstallPeriod
@@ -4881,7 +4896,12 @@ The following diagram shows the Policy configuration service provider in tree fo - [Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates](./policy-csp-update.md#update-autorestartdeadlineperiodindaysforfeatureupdates) - [Update/AutoRestartNotificationSchedule](./policy-csp-update.md#update-autorestartnotificationschedule) - [Update/AutoRestartRequiredNotificationDismissal](./policy-csp-update.md#update-autorestartrequirednotificationdismissal) +- [Update/AutomaticMaintenanceWakeUp](./policy-csp-update.md#update-automaticmaintenancewakeup) - [Update/BranchReadinessLevel](./policy-csp-update.md#update-branchreadinesslevel) +- [Update/ConfigureDeadlineForFeatureUpdates](./policy-csp-update.md#update-configuredeadlineforfeatureupdates) +- [Update/ConfigureDeadlineForQualityUpdates](./policy-csp-update.md#update-configuredeadlineforqualityupdates) +- [Update/ConfigureDeadlineGracePeriod](./policy-csp-update.md#update-configuredeadlinegraceperiod) +- [Update/ConfigureDeadlineNoAutoReboot](./policy-csp-update.md#update-configuredeadlinenoautoreboot) - [Update/DeferFeatureUpdatesPeriodInDays](./policy-csp-update.md#update-deferfeatureupdatesperiodindays) - [Update/DeferQualityUpdatesPeriodInDays](./policy-csp-update.md#update-deferqualityupdatesperiodindays) - [Update/DeferUpdatePeriod](./policy-csp-update.md#update-deferupdateperiod) @@ -5025,6 +5045,10 @@ The following diagram shows the Policy configuration service provider in tree fo - [System/AllowTelemetry](#system-allowtelemetry) - [Update/AllowAutoUpdate](#update-allowautoupdate) - [Update/AllowUpdateService](#update-allowupdateservice) +- [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) +- [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates) +- [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod) +- [Update/ConfigureDeadlineNoAutoReboot](#update-configuredeadlinenoautoreboot) - [Update/RequireDeferUpgrade](#update-requiredeferupgrade) - [Update/RequireUpdateApproval](#update-requireupdateapproval) - [Update/ScheduledInstallDay](#update-scheduledinstallday) @@ -5072,6 +5096,10 @@ The following diagram shows the Policy configuration service provider in tree fo - [System/AllowLocation](#system-allowlocation) - [Update/AllowAutoUpdate](#update-allowautoupdate) - [Update/AllowUpdateService](#update-allowupdateservice) +- [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) +- [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates) +- [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod) +- [Update/ConfigureDeadlineNoAutoReboot](#update-configuredeadlinenoautoreboot) - [Update/RequireUpdateApproval](#update-requireupdateapproval) - [Update/ScheduledInstallDay](#update-scheduledinstallday) - [Update/ScheduledInstallTime](#update-scheduledinstalltime) @@ -5152,12 +5180,26 @@ The following diagram shows the Policy configuration service provider in tree fo - [CredentialProviders/AllowPINLogon](#credentialproviders-allowpinlogon) - [CredentialProviders/BlockPicturePassword](#credentialproviders-blockpicturepassword) - [DataProtection/AllowDirectMemoryAccess](#dataprotection-allowdirectmemoryaccess) +- [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) +- [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates) +- [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod) +- [Update/ConfigureDeadlineNoAutoReboot](#update-configuredeadlinenoautoreboot) - [Wifi/AllowAutoConnectToWiFiSenseHotspots](#wifi-allowautoconnecttowifisensehotspots) - [Wifi/AllowInternetSharing](#wifi-allowinternetsharing) - [Wifi/AllowWiFi](#wifi-allowwifi) - [Wifi/WLANScanMode](#wifi-wlanscanmode) + +## Policies supported by Windows 10 IoT Enterprise + +- [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) +- [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates) +- [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod) +- [Update/ConfigureDeadlineNoAutoReboot](#update-configuredeadlinenoautoreboot) + + + ## Policies that can be set using Exchange Active Sync (EAS) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index ab8f25ac1d..9d1af07791 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 05/01/2019 +ms.date: 05/08/2019 --- # Policy CSP - Update @@ -57,9 +57,24 @@ ms.date: 05/01/2019
Update/AutoRestartRequiredNotificationDismissal
+
+ Update/AutomaticMaintenanceWakeUp +
Update/BranchReadinessLevel
+
+ Update/ConfigureDeadlineForFeatureUpdates +
+
+ Update/ConfigureDeadlineForQualityUpdates +
+
+ Update/ConfigureDeadlineGracePeriod +
+
+ Update/ConfigureDeadlineNoAutoReboot +
Update/ConfigureFeatureUpdateUninstallPeriod
@@ -189,6 +204,7 @@ ms.date: 05/01/2019
+ > [!NOTE] > If the MSA service is disabled, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](https://docs.microsoft.com/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are). @@ -933,6 +949,78 @@ The following list shows the supported values:
+ +**Update/AutomaticMaintenanceWakeUp** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark6check mark6check mark6check mark6
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to configure Automatic Maintenance wake up policy. + +The maintenance wakeup policy specifies if Automatic Maintenance should make a wake request to the OS for the daily scheduled maintenance. + +> [!Note] +> If the OS power wake policy is explicitly disabled, then this setting has no effect. + +If you enable this policy setting, Automatic Maintenance attempts to set OS wake policy and make a wake request for the daily scheduled time, if required. + +If you disable or do not configure this policy setting, the wake setting as specified in Security and Maintenance/Automatic Maintenance Control Panel applies. + + + +ADMX Info: +- GP English name: *Automatic Maintenance WakeUp Policy* +- GP category English path: *Windows Components/Maintenance Scheduler* +- GP name: *WakeUpPolicy* +- GP path: *Windows Components/Maintenance Scheduler* +- GP ADMX file name: *msched.admx* + + + +Supported values: +- true: Enable +- false: Disable (Default) + + + + + + + + + +
+ **Update/BranchReadinessLevel** @@ -995,6 +1083,298 @@ The following list shows the supported values:
+ +**Update/ConfigureDeadlineForFeatureUpdates** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark6check mark6check mark6check mark6
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Added in Windows 10, version 1903. Allows IT admins to specify the number of days a user has before feature updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule. + + + +ADMX Info: +- GP English name: *Specify deadlines for automatic updates and restarts* +- GP category English path: *Administrative Templates\Windows Components\WindowsUpdate* +- GP name: *ConfigureDeadlineForFeatureUpdates* +- GP element: *ConfigureDeadlineForFeatureUpdates* +- GP ADMX file name: *WindowsUpdate.admx* + + + +Supports a numeric value from 2 - 30, which indicates the number of days a device will wait until performing an aggressive installation of a required feature update. + +Default value is 7. + + + + + + + + + +
+ + +**Update/ConfigureDeadlineForQualityUpdates** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark6check mark6check mark6check mark6
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Added in Windows 10, version 1903. Allows IT admins to specify the number of days a user has before quality updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule. + + +ADMX Info: +- GP English name: *Specify deadlines for automatic updates and restarts* +- GP category English path: *Administrative Templates\Windows Components\WindowsUpdate* +- GP name: *ConfigureDeadlineForQualityUpdates* +- GP element: *ConfigureDeadlineForQualityUpdates* +- GP ADMX file name: *WindowsUpdate.admx* + + + +Supports a numeric value from 2 - 30, which indicates the number of days a device will wait until performing an aggressive installation of a required quality update. + +Default value is 7. + + + + + + + + + +
+ + +**Update/ConfigureDeadlineGracePeriod** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark6check mark6check mark6check mark6
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Added in Windows 10, version 1903. Allows the IT admin (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)) to specify a minimum number of days until restarts occur automatically. Setting the grace period may extend the effective deadline set by the deadline policies. + + +ADMX Info: +- GP English name: *Specify deadlines for automatic updates and restarts* +- GP category English path: *Administrative Templates\Windows Components\WindowsUpdate* +- GP name: *ConfigureDeadlineGracePeriod* +- GP element: *ConfigureDeadlineGracePeriod* +- GP ADMX file name: *WindowsUpdate.admx* + + + +Supports a numeric value from 0 - 5, which indicates the minimum number of days a device will wait until performing an aggressive installation of a required update once deadline has been reached. + +Default value is 2. + + + + + + + + + +
+ + +**Update/ConfigureDeadlineNoAutoReboot** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark6check mark6check mark6check mark6
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Added in Windows 10, version 1903. If enabled (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)), devices will not automatically restart outside of active hours until the deadline is reached, even if applicable updates are already installed and pending a restart. + +When disabled, if the device has installed the required updates and is outside of active hours, it may attempt an automatic restart before the deadline. + + +ADMX Info: +- GP English name: *Specify deadlines for automatic updates and restarts* +- GP category English path: *Administrative Templates\Windows Components\WindowsUpdate* +- GP name: *ConfigureDeadlineNoAutoReboot* +- GP element: *ConfigureDeadlineNoAutoReboot* +- GP ADMX file name: *WindowsUpdate.admx* + + + + + + + + + + + + + +
+ + +**Update/ConfigureFeatureUpdateUninstallPeriod** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark4check mark4check mark4check mark4cross markcross mark
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Added in Windows 10, version 1803. Enable IT admin to configure feature update uninstall period. Values range 2 - 60 days. Default is 10 days. + + + + +
+ **Update/ConfigureFeatureUpdateUninstallPeriod** @@ -3579,6 +3959,10 @@ ADMX Info: - [Update/AllowAutoUpdate](#update-allowautoupdate) - [Update/AllowUpdateService](#update-allowupdateservice) +- [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) +- [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates) +- [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod) +- [Update/ConfigureDeadlineNoAutoReboot](#update-configuredeadlinenoautoreboot) - [Update/RequireUpdateApproval](#update-requireupdateapproval) - [Update/ScheduledInstallDay](#update-scheduledinstallday) - [Update/ScheduledInstallTime](#update-scheduledinstalltime) @@ -3591,6 +3975,10 @@ ADMX Info: - [Update/AllowAutoUpdate](#update-allowautoupdate) - [Update/AllowUpdateService](#update-allowupdateservice) +- [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) +- [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates) +- [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod) +- [Update/ConfigureDeadlineNoAutoReboot](#update-configuredeadlinenoautoreboot) - [Update/RequireUpdateApproval](#update-requireupdateapproval) - [Update/ScheduledInstallDay](#update-scheduledinstallday) - [Update/ScheduledInstallTime](#update-scheduledinstalltime) @@ -3598,6 +3986,23 @@ ADMX Info: - [Update/RequireDeferUpgrade](#update-requiredeferupgrade) + +## Update policies supported by IoT Core + +- [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) +- [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates) +- [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod) +- [Update/ConfigureDeadlineNoAutoReboot](#update-configuredeadlinenoautoreboot) + + + +## Update policies supported by IoT Enterprise + +- [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) +- [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates) +- [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod) +- [Update/ConfigureDeadlineNoAutoReboot](#update-configuredeadlinenoautoreboot) +
Footnotes: @@ -3607,4 +4012,4 @@ Footnotes: - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. - 5 - Added in Windows 10, version 1809. -- 6 - Added in the next major release of Windows 10. \ No newline at end of file +- 6 - Added in Windows 10, version 1903. \ No newline at end of file From d180e8329794c9bbbb17d655cc8ac977823a1e49 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Wed, 8 May 2019 14:57:42 -0700 Subject: [PATCH 089/149] Moved supportedvalues after description --- .../mdm/policy-csp-update.md | 56 ++++++++++++------- 1 file changed, 36 insertions(+), 20 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 9d1af07791..812ce661cb 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -995,8 +995,14 @@ The maintenance wakeup policy specifies if Automatic Maintenance should make a w If you enable this policy setting, Automatic Maintenance attempts to set OS wake policy and make a wake request for the daily scheduled time, if required. If you disable or do not configure this policy setting, the wake setting as specified in Security and Maintenance/Automatic Maintenance Control Panel applies. - + + +Supported values: +- true: Enable +- false: Disable (Default) + + ADMX Info: - GP English name: *Automatic Maintenance WakeUp Policy* @@ -1006,11 +1012,7 @@ ADMX Info: - GP ADMX file name: *msched.admx* - -Supported values: -- true: Enable -- false: Disable (Default) - + @@ -1122,6 +1124,13 @@ The following list shows the supported values: Added in Windows 10, version 1903. Allows IT admins to specify the number of days a user has before feature updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule. + + +Supports a numeric value from 2 - 30, which indicates the number of days a device will wait until performing an aggressive installation of a required feature update. + +Default value is 7. + + ADMX Info: - GP English name: *Specify deadlines for automatic updates and restarts* @@ -1131,11 +1140,7 @@ ADMX Info: - GP ADMX file name: *WindowsUpdate.admx* - -Supports a numeric value from 2 - 30, which indicates the number of days a device will wait until performing an aggressive installation of a required feature update. -Default value is 7. - @@ -1184,6 +1189,13 @@ Default value is 7. Added in Windows 10, version 1903. Allows IT admins to specify the number of days a user has before quality updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule. + + +Supports a numeric value from 2 - 30, which indicates the number of days a device will wait until performing an aggressive installation of a required quality update. + +Default value is 7. + + ADMX Info: - GP English name: *Specify deadlines for automatic updates and restarts* @@ -1193,11 +1205,7 @@ ADMX Info: - GP ADMX file name: *WindowsUpdate.admx* - -Supports a numeric value from 2 - 30, which indicates the number of days a device will wait until performing an aggressive installation of a required quality update. -Default value is 7. - @@ -1246,6 +1254,13 @@ Default value is 7. Added in Windows 10, version 1903. Allows the IT admin (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)) to specify a minimum number of days until restarts occur automatically. Setting the grace period may extend the effective deadline set by the deadline policies. + + +Supports a numeric value from 0 - 5, which indicates the minimum number of days a device will wait until performing an aggressive installation of a required update once deadline has been reached. + +Default value is 2. + + ADMX Info: - GP English name: *Specify deadlines for automatic updates and restarts* @@ -1255,11 +1270,7 @@ ADMX Info: - GP ADMX file name: *WindowsUpdate.admx* - -Supports a numeric value from 0 - 5, which indicates the minimum number of days a device will wait until performing an aggressive installation of a required update once deadline has been reached. -Default value is 2. - @@ -1310,6 +1321,13 @@ Added in Windows 10, version 1903. If enabled (when used with [Update/ConfigureD When disabled, if the device has installed the required updates and is outside of active hours, it may attempt an automatic restart before the deadline. + + +Supported values: +- 1 - Enabled. Device does not attempt to automatically reboot outside of active hours until the compliance deadline is reached. +- 0 - Disabled. Device may reboot outside of active hours before the deadline. + + ADMX Info: - GP English name: *Specify deadlines for automatic updates and restarts* @@ -1319,9 +1337,7 @@ ADMX Info: - GP ADMX file name: *WindowsUpdate.admx* - - From 6e185405095303a8cb6cababbf7906885df17688 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Wed, 8 May 2019 15:21:26 -0700 Subject: [PATCH 090/149] Minor updates --- windows/client-management/mdm/policy-csp-update.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 812ce661cb..587b602fde 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -985,9 +985,7 @@ The following list shows the supported values: -This policy setting allows you to configure Automatic Maintenance wake up policy. - -The maintenance wakeup policy specifies if Automatic Maintenance should make a wake request to the OS for the daily scheduled maintenance. +This policy setting allows you to configure if Automatic Maintenance should make a wake request to the OS for the daily scheduled maintenance. > [!Note] > If the OS power wake policy is explicitly disabled, then this setting has no effect. @@ -1324,8 +1322,8 @@ When disabled, if the device has installed the required updates and is outside o Supported values: -- 1 - Enabled. Device does not attempt to automatically reboot outside of active hours until the compliance deadline is reached. -- 0 - Disabled. Device may reboot outside of active hours before the deadline. +- 1 - Enabled +- 0 - Disabled From 67d2ac3c477a7bb1b5ae34fa84d676fe6bf2ac11 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 8 May 2019 15:44:49 -0700 Subject: [PATCH 091/149] update supported versions --- ...igations-windows-defender-advanced-threat-protection.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md index 8ff29cf968..76b8e8448b 100644 --- a/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 12/04/2018 --- # Overview of Automated investigations @@ -34,8 +33,10 @@ The Automated investigations list shows all the investigations that have been in Entities are the starting point for Automated investigations. When an alert contains a supported entity for Automated investigation (for example, a file) that resides on a machine that has a supported operating system for Automated investigation then an Automated investigation can start. >[!NOTE] ->Currently, Automated investigation only supports Windows 10, version 1709 or later. ->Some investigation playbooks, like memory investigations, require Windows 10, version 1709 or later. +>Currently, Automated investigation only supports the following OS versions: +>- Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/en-us/help/4493441/windows-10-update-kb4493441)) or later +>- Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/en-us/help/4493464/windows-10-update-kb4493464)) or later +>- Later versions of Windows 10 The alerts start by analyzing the supported entities from the alert and also runs a generic machine playbook to see if there is anything else suspicious on that machine. The outcome and details from the investigation is seen in the Automated investigation view. From a839ec7f1aefb1e51eb9478448793585ee70bc5f Mon Sep 17 00:00:00 2001 From: "Nisha Mittal (Wipro Ltd.)" Date: Wed, 8 May 2019 16:01:00 -0700 Subject: [PATCH 092/149] Latest changes done for few more issues --- ...ssues-windows-10-1809-and-windows-server-2019.yml | 12 ++++++++++++ ...tatus-windows-10-1809-and-windows-server-2019.yml | 6 ++++-- ...atus-windows-7-and-windows-server-2008-r2-sp1.yml | 4 ++-- ...status-windows-8.1-and-windows-server-2012-r2.yml | 4 ++-- 4 files changed, 20 insertions(+), 6 deletions(-) diff --git a/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml index e3ea1030dd..b0d3c9f294 100644 --- a/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml +++ b/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml @@ -32,6 +32,8 @@ sections: - type: markdown text: " + + @@ -66,11 +68,21 @@ sections:
" +- title: May 2019 +- items: + - type: markdown + text: " +
SummaryOriginating updateStatusDate resolved
Latest cumulative update (KB 4495667) installs automatically
Reports that the optional cumulative update (KB 4495667) installs automatically.

See details >		OS Build 17763.475

May 03, 2019
KB4495667		Resolved
May 08, 2019
03:37 PM PT
System may be unresponsive after restart if ArcaBit antivirus software installed
After further investigation ArcaBit has confirmed this issue is not applicable to Windows 10, version 1809

See details >		OS Build 17763.437

April 09, 2019
KB4493509		Resolved
May 08, 2019
03:30 PM PT
Custom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.

See details >		OS Build 17763.379

March 12, 2019
KB4489899		Resolved
KB4495667		May 03, 2019
12:40 PM PT
End-user-defined characters (EUDC) may cause blue screen at startup
If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup.

See details >		OS Build 17763.404

April 02, 2019
KB4490481		Resolved
KB4493509		April 09, 2019
10:00 AM PT
Internet Explorer 11 authentication issue with multiple concurrent logons
Internet Explorer 11 users may encounter issues if two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine.

See details >		OS Build 17763.253

January 08, 2019
KB4480116		Resolved
KB4493509		April 09, 2019
10:00 AM PT
+ +
DetailsOriginating updateStatusHistory
Latest cumulative update (KB 4495667) installs automatically
Due to a servicing side issue some users were offered KB4495667 (optional update) automatically and rebooted devices. This issue has been mitigated.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server, version 1809; Windows Server 2019
Resolution:: This issue has been mitigated on the servicing side to prevent auto installing of this update. Customers do not need to take any action.

Back to top		OS Build 17763.475

May 03, 2019
KB4495667		Resolved
Resolved:
May 08, 2019
03:37 PM PT

Opened:
May 05, 2019
12:01 PM PT
+ " + - title: April 2019 - items: - type: markdown text: " +
DetailsOriginating updateStatusHistory
System may be unresponsive after restart if ArcaBit antivirus software installed
ArcaBit has confirmed this issue is not applicable to Windows 10, version 1809 (client or server).

Microsoft and ArcaBit have identified an issue on devices with ArcaBit antivirus software installed that may cause the system to become unresponsive upon restart.

Affected platforms:
  • Client: Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Workaround: ArcaBit has released an update to address this issue for affected platforms. For more information, see the ArcaBit support article.

Resolution: This issue has been resolved. ArcaBit has confirmed this issue is not applicable to Windows 10, version 1809 (client or server).

Back to top		OS Build 17763.437

April 09, 2019
KB4493509		Resolved
Resolved:
May 08, 2019
03:30 PM PT

Opened:
April 09, 2019
10:00 AM PT
End-user-defined characters (EUDC) may cause blue screen at startup
If you enable per font end-user-defined characters (EUDC), the system will stop working and a blue screen may appear at startup. This is not a common setting in non-Asian regions.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016
Resolution: This issue was resolved in KB4493509.

Back to top		OS Build 17763.404

April 02, 2019
KB4490481		Resolved
KB4493509		Resolved:
April 09, 2019
10:00 AM PT

Opened:
April 02, 2019
10:00 AM PT
" diff --git a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml index 5237a7fcb5..2b50998415 100644 --- a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml +++ b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml @@ -67,10 +67,11 @@ sections: - + + @@ -93,6 +94,7 @@ sections:
SummaryOriginating updateStatusLast updated
Devices with some Asian language packs installed may receive an error
After installing the KB4493509 devices with some Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_F

See details >		OS Build 17763.437

April 09, 2019
KB4493509		Mitigated
May 03, 2019
10:59 AM PT
Printing from Microsoft Edge or other UWP apps, you may receive the error 0x80070007
Attempting to print from Microsoft Edge or other Universal Windows Platform (UWP) applications, you may receive an error.

See details >		OS Build 17763.379

March 12, 2019
KB4489899		Mitigated
May 02, 2019
04:47 PM PT
System may be unresponsive after restart if ArcaBit antivirus software installed
Devices with ArcaBit antivirus software installed may become unresponsive upon restart.

See details >		OS Build 17763.437

April 09, 2019
KB4493509		Mitigated
April 25, 2019
02:00 PM PT
Issue using PXE to start a device from WDS
Using PXE to start a device from a WDS server configured to use Variable Window Extension may cause the connection to the WDS server to terminate prematurely.

See details >		OS Build 17763.379

March 12, 2019
KB4489899		Mitigated
April 09, 2019
10:00 AM PT
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

See details >		OS Build 17763.253

January 08, 2019
KB4480116		Mitigated
April 09, 2019
10:00 AM PT
Audio not working on monitors or TV connected to a PC via HDMI, USB, or DisplayPort
Upgrade block: Microsoft has identified issues with certain new Intel display drivers, which accidentally turn on unsupported features in Windows.

See details >		OS Build 17763.134

November 13, 2018
KB4467708		Mitigated
March 15, 2019
12:00 PM PT
Latest cumulative update (KB 4495667) installs automatically
Reports that the optional cumulative update (KB 4495667) installs automatically.

See details >		OS Build 17763.475

May 03, 2019
KB4495667		Resolved
May 08, 2019
03:37 PM PT
System may be unresponsive after restart if ArcaBit antivirus software installed
After further investigation ArcaBit has confirmed this issue is not applicable to Windows 10, version 1809

See details >		OS Build 17763.437

April 09, 2019
KB4493509		Resolved
May 08, 2019
03:30 PM PT
Custom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.

See details >		OS Build 17763.379

March 12, 2019
KB4489899		Resolved
KB4495667		May 03, 2019
12:40 PM PT
End-user-defined characters (EUDC) may cause blue screen at startup
If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup.

See details >		OS Build 17763.404

April 02, 2019
KB4490481		Resolved
KB4493509		April 09, 2019
10:00 AM PT
Internet Explorer 11 authentication issue with multiple concurrent logons
Internet Explorer 11 users may encounter issues if two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine.

See details >		OS Build 17763.253

January 08, 2019
KB4480116		Resolved
KB4493509		April 09, 2019
10:00 AM PT
+
DetailsOriginating updateStatusHistory
Devices with some Asian language packs installed may receive an error
After installing the April 2019 Cumulative Update (KB4493509), devices with some Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND.\"

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server, version 1809; Windows Server 2019
Workaround:
  1. Uninstall and reinstall any recently added language packs. For instructions, see \"Manage the input and display language settings in Windows 10\".
  2. Click Check for Updates and install the April 2019 Cumulative Update. For instructions, see \"Update Windows 10\".
Note: If reinstalling the language pack does not mitigate the issue, reset your PC as follows:
  1. Go to Settings app -> Recovery.
  2. Click on Get Started under \"Reset this PC\" recovery option.
  3. Select \"Keep my Files\".
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 17763.437

April 09, 2019
KB4493509		Mitigated
Last updated:
May 03, 2019
10:59 AM PT

Opened:
May 02, 2019
04:36 PM PT
Printing from Microsoft Edge or other UWP apps, you may receive the error 0x80070007
When attempting to print from Microsoft Edge or other Universal Windows Platform (UWP) applications you may receive the error, \"Your printer has experienced an unexpected configuration problem. 0x80070007e.\"
 
Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server, version 1809; Windows Server 2019
Workaround: You can use another browser, such as Internet Explorer to print your documents.
 
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 17763.379

March 12, 2019
KB4489899		Mitigated
Last updated:
May 02, 2019
04:47 PM PT

Opened:
May 02, 2019
04:47 PM PT
Latest cumulative update (KB 4495667) installs automatically
Due to a servicing side issue some users were offered KB4495667 (optional update) automatically and rebooted devices. This issue has been mitigated.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server, version 1809; Windows Server 2019
Resolution:: This issue has been mitigated on the servicing side to prevent auto installing of this update. Customers do not need to take any action.

Back to top		OS Build 17763.475

May 03, 2019
KB4495667		Resolved
Resolved:
May 08, 2019
03:37 PM PT

Opened:
May 05, 2019
12:01 PM PT
" @@ -101,7 +103,7 @@ sections: - type: markdown text: " - +
DetailsOriginating updateStatusHistory
System may be unresponsive after restart if ArcaBit antivirus software installed
Microsoft and ArcaBit have identified an issue on devices with ArcaBit antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493509
 
Microsoft has temporarily blocked devices from receiving this update if ArcaBit antivirus software is installed. 

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server 2012 R2; Windows Server 2008 R2 SP1
Workaround: ArcaBit has released an update to address this issue. For more information, see the Arcabit support article.

Back to top		OS Build 17763.437

April 09, 2019
KB4493509		Mitigated
Last updated:
April 25, 2019
02:00 PM PT

Opened:
April 09, 2019
10:00 AM PT
System may be unresponsive after restart if ArcaBit antivirus software installed
ArcaBit has confirmed this issue is not applicable to Windows 10, version 1809 (client or server).

Microsoft and ArcaBit have identified an issue on devices with ArcaBit antivirus software installed that may cause the system to become unresponsive upon restart.

Affected platforms:
  • Client: Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Workaround: ArcaBit has released an update to address this issue for affected platforms. For more information, see the ArcaBit support article.

Resolution: This issue has been resolved. ArcaBit has confirmed this issue is not applicable to Windows 10, version 1809 (client or server).

Back to top		OS Build 17763.437

April 09, 2019
KB4493509		Resolved
Resolved:
May 08, 2019
03:30 PM PT

Opened:
April 09, 2019
10:00 AM PT
End-user-defined characters (EUDC) may cause blue screen at startup
If you enable per font end-user-defined characters (EUDC), the system will stop working and a blue screen may appear at startup. This is not a common setting in non-Asian regions.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016
Resolution: This issue was resolved in KB4493509.

Back to top		OS Build 17763.404

April 02, 2019
KB4490481		Resolved
KB4493509		Resolved:
April 09, 2019
10:00 AM PT

Opened:
April 02, 2019
10:00 AM PT
" diff --git a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml index a15923a007..ef1b22e4bf 100644 --- a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml +++ b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml @@ -60,10 +60,10 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+ - @@ -85,9 +85,9 @@ sections: - type: markdown text: "
SummaryOriginating updateStatusLast updated
System may be unresponsive after restart if ArcaBit antivirus software installed
Devices with ArcaBit antivirus software installed may become unresponsive upon restart.

See details >		April 09, 2019
KB4493472		Mitigated
May 08, 2019
03:29 PM PT
System may be unresponsive after restart if Avira antivirus software installed
Devices with Avira antivirus software installed may become unresponsive upon restart.

See details >		April 09, 2019
KB4493472		Mitigated
May 03, 2019
08:50 AM PT
Authentication may fail for services after the Kerberos ticket expires
Authentication may fail for services that require unconstrained delegation after the Kerberos ticket expires.

See details >		March 12, 2019
KB4489878		Mitigated
April 25, 2019
02:00 PM PT
System unresponsive after restart if Sophos Endpoint Protection installed
Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart.

See details >		April 09, 2019
KB4493472		Mitigated
April 25, 2019
02:00 PM PT
System may be unresponsive after restart if ArcaBit antivirus software installed
Devices with ArcaBit antivirus software installed may become unresponsive upon restart.

See details >		April 09, 2019
KB4493472		Mitigated
April 25, 2019
02:00 PM PT
System may be unresponsive after restart with certain McAfee antivirus products
Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.

See details >		April 09, 2019
KB4493472		Mitigated
April 25, 2019
02:00 PM PT
Devices may not respond at login or Welcome screen if running certain Avast software
Devices running Avast for Business, Avast CloudCare, and AVG Business Edition antivirus software may become unresponsive after restart.

See details >		April 09, 2019
KB4493472		Resolved
April 25, 2019
02:00 PM PT
Internet Explorer 11 authentication issue with multiple concurrent logons
Internet Explorer 11 users may encounter issues if two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine.

See details >		January 08, 2019
KB4480970		Resolved
KB4493472		April 09, 2019
10:00 AM PT
+ -
DetailsOriginating updateStatusHistory
System may be unresponsive after restart if ArcaBit antivirus software installed
Microsoft and ArcaBit have identified an issue on devices with ArcaBit antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493472.

Microsoft has temporarily blocked devices from receiving this update if ArcaBit antivirus software is installed.

Affected platforms:
  • Client: Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Workaround: ArcaBit has released an update to address this issue. For more information, see the Arcabit support article.

Back to top		April 09, 2019
KB4493472		Mitigated
Last updated:
May 08, 2019
03:29 PM PT

Opened:
April 09, 2019
10:00 AM PT
System may be unresponsive after restart if Avira antivirus software installed
Microsoft and Avira have identified an issue on devices with Avira antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493472.

Microsoft has temporarily blocked devices from receiving this update if Avira antivirus software is installed.

Affected platforms: 
  • Client: Windows 8.1; Windows 7 SP1 
  • Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Next steps: Avira has released an automatic update to address this issue. Guidance for Avira customers can be found in the Avira support article.

Back to top		April 09, 2019
KB4493472		Mitigated
Last updated:
May 03, 2019
08:50 AM PT

Opened:
April 09, 2019
10:00 AM PT
System unresponsive after restart if Sophos Endpoint Protection installed
Microsoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to become unresponsive upon restart after installing KB4493472.

Microsoft has temporarily blocked devices from receiving this update if the Sophos Endpoint is installed until a solution is available.

Affected platforms: 
  • Client: Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Guidance for Sophos Endpoint and Sophos Enterprise Console customers can be found in the Sophos support article.

Back to top		April 09, 2019
KB4493472		Mitigated
Last updated:
April 25, 2019
02:00 PM PT

Opened:
April 09, 2019
10:00 AM PT
System may be unresponsive after restart if ArcaBit antivirus software installed
Microsoft and ArcaBit have identified an issue on devices with ArcaBit antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493472.

Microsoft has temporarily blocked devices from receiving this update if ArcaBit antivirus software is installed.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server 2012 R2; Windows Server 2008 R2 SP1
Workaround: ArcaBit has released an update to address this issue. For more information, see the Arcabit support article.

Back to top		April 09, 2019
KB4493472		Mitigated
Last updated:
April 25, 2019
02:00 PM PT

Opened:
April 09, 2019
10:00 AM PT
System may be unresponsive after restart with certain McAfee antivirus products
Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update. 

Affected platforms:
  • Client:  Windows 8.1; Windows 7 SP1
  • Server:  Windows Server 2012 R2; Windows Server 2008 R2 SP1
Workaround: Guidance for McAfee customers can be found in the following McAfee support articles: 
Next steps: We are presently investigating this issue with McAfee. We will provide an update once we have more information.

Back to top		April 09, 2019
KB4493472		Mitigated
Last updated:
April 25, 2019
02:00 PM PT

Opened:
April 09, 2019
10:00 AM PT
Devices may not respond at login or Welcome screen if running certain Avast software
Microsoft and Avast have identified an issue on devices running Avast for Business, Avast CloudCare, and AVG Business Edition antivirus software after you install KB4493472 and restart. Devices may become unresponsive at the login or Welcome screen. Additionally, you may be unable to log in or log in after an extended period of time.

Affected platforms: 
  • Client: Windows 8.1; Windows 7 SP1 
  • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1 
Resolution: Avast has released emergency updates to address this issue. For more information and AV update schedule, see the Avast support KB article.

Back to top		April 09, 2019
KB4493472		Resolved
Resolved:
April 25, 2019
02:00 PM PT

Opened:
April 09, 2019
10:00 AM PT
diff --git a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml index 75805707fb..e159932ae6 100644 --- a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml +++ b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml @@ -60,10 +60,10 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+ - @@ -86,9 +86,9 @@ sections: - type: markdown text: "
SummaryOriginating updateStatusLast updated
System may be unresponsive after restart if ArcaBit antivirus software installed
Devices with ArcaBit antivirus software installed may become unresponsive upon restart.

See details >		April 09, 2019
KB4493446		Mitigated
May 08, 2019
03:29 PM PT
System may be unresponsive after restart if Avira antivirus software installed
Devices with Avira antivirus software installed may become unresponsive upon restart.

See details >		April 09, 2019
KB4493446		Mitigated
May 03, 2019
08:50 AM PT
Issue using PXE to start a device from WDS
There may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension.

See details >		March 12, 2019
KB4489881		Mitigated
April 25, 2019
02:00 PM PT
System unresponsive after restart if Sophos Endpoint Protection installed
Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart.

See details >		April 09, 2019
KB4493446		Mitigated
April 25, 2019
02:00 PM PT
System may be unresponsive after restart if ArcaBit antivirus software installed
Devices with ArcaBit antivirus software installed may become unresponsive upon restart.

See details >		April 09, 2019
KB4493446		Mitigated
April 25, 2019
02:00 PM PT
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”.

See details >		January 08, 2019
KB4480963		Mitigated
April 25, 2019
02:00 PM PT
System may be unresponsive after restart with certain McAfee antivirus products
Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.

See details >		April 09, 2019
KB4493446		Mitigated
April 18, 2019
05:00 PM PT
Devices may not respond at login or Welcome screen if running certain Avast software
Devices running Avast for Business, Avast CloudCare, and AVG Business Edition antivirus software may become unresponsive after restart.

See details >		April 09, 2019
KB4493446		Resolved
April 25, 2019
02:00 PM PT
+ -
DetailsOriginating updateStatusHistory
System may be unresponsive after restart if ArcaBit antivirus software installed
Microsoft and ArcaBit have identified an issue on devices with ArcaBit antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493446.

Microsoft has temporarily blocked devices from receiving this update if ArcaBit antivirus software is installed.

Affected platforms:
  • Client: Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Workaround: ArcaBit has released an update to address this issue. For more information, see the Arcabit support article.

Back to top		April 09, 2019
KB4493446		Mitigated
Last updated:
May 08, 2019
03:29 PM PT

Opened:
April 09, 2019
10:00 AM PT
System may be unresponsive after restart if Avira antivirus software installed
Microsoft and Avira have identified an issue on devices with Avira antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493446.

Microsoft has temporarily blocked devices from receiving this update if Avira antivirus software is installed.

Affected platforms: 
  • Client: Windows 8.1; Windows 7 SP1 
  • Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Next steps: Avira has released an automatic update to address this issue. Guidance for Avira customers can be found in the Avira support article.

Back to top		April 09, 2019
KB4493446		Mitigated
Last updated:
May 03, 2019
08:50 AM PT

Opened:
April 09, 2019
10:00 AM PT
System unresponsive after restart if Sophos Endpoint Protection installed
Microsoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to become unresponsive upon restart after installing KB4493446.

Microsoft has temporarily blocked devices from receiving this update if the Sophos Endpoint is installed until a solution is available.

Affected platforms: 
  • Client: Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Guidance for Sophos Endpoint and Sophos Enterprise Console customers can be found in the Sophos support article.

Back to top		April 09, 2019
KB4493446		Mitigated
Last updated:
April 25, 2019
02:00 PM PT

Opened:
April 09, 2019
10:00 AM PT
System may be unresponsive after restart if ArcaBit antivirus software installed
Microsoft and ArcaBit have identified an issue on devices with ArcaBit antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493446.

Microsoft has temporarily blocked devices from receiving this update if ArcaBit antivirus software is installed.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server 2012 R2; Windows Server 2008 R2 SP1
Workaround: ArcaBit has released an update to address this issue. For more information, see the Arcabit support article.

Back to top		April 09, 2019
KB4493446		Mitigated
Last updated:
April 25, 2019
02:00 PM PT

Opened:
April 09, 2019
10:00 AM PT
System may be unresponsive after restart with certain McAfee antivirus products
Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update. 

Affected platforms:
  • Client:  Windows 8.1; Windows 7 SP1
  • Server:  Windows Server 2012 R2; Windows Server 2008 R2 SP1
Workaround: Guidance for McAfee customers can be found in the following McAfee support articles:  
Next steps: We are presently investigating this issue with McAfee. We will provide an update once we have more information. 

Back to top		April 09, 2019
KB4493446		Mitigated
Last updated:
April 18, 2019
05:00 PM PT

Opened:
April 09, 2019
10:00 AM PT
Devices may not respond at login or Welcome screen if running certain Avast software
Microsoft and Avast have identified an issue on devices running Avast for Business, Avast CloudCare, and AVG Business Edition antivirus software after you install KB4493446 and restart. Devices may become unresponsive at the login or Welcome screen. Additionally, you may be unable to log in or log in after an extended period of time.

Affected platforms: 
  • Client: Windows 8.1; Windows 7 SP1 
  • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1 
Resolution: Avast has released emergency updates to address this issue. For more information and AV update schedule, see the Avast support KB article.

Back to top		April 09, 2019
KB4493446		Resolved
Resolved:
April 25, 2019
02:00 PM PT

Opened:
April 09, 2019
10:00 AM PT
From c88375348dda4e2dd36ecfb28f5151e3710d6171 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Wed, 8 May 2019 16:02:39 -0700 Subject: [PATCH 093/149] Minor update --- windows/client-management/mdm/policy-csp-update.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 587b602fde..9d7ac6f259 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -997,8 +997,8 @@ If you disable or do not configure this policy setting, the wake setting as spec Supported values: -- true: Enable -- false: Disable (Default) +- true - Enable +- false - Disable (Default) From 095681f3baa4843ac3a29632891990c0fa263195 Mon Sep 17 00:00:00 2001 From: "Nisha Mittal (Wipro Ltd.)" Date: Wed, 8 May 2019 16:39:45 -0700 Subject: [PATCH 094/149] Status changed for 1809 product issues --- .../status-windows-10-1809-and-windows-server-2019.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml index aa37741e35..2b50998415 100644 --- a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml +++ b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml @@ -65,7 +65,6 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

- @@ -93,7 +92,6 @@ sections: - type: markdown text: "
SummaryOriginating updateStatusLast updated
Latest cumulative update (KB 4495667) installs automatically
Reports that the optional cumulative update (KB 4495667) installs automatically.

See details >		OS Build 17763.475

May 03, 2019
KB4495667		Mitigated
May 05, 2019
12:01 PM PT
Devices with some Asian language packs installed may receive an error
After installing the KB4493509 devices with some Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_F

See details >		OS Build 17763.437

April 09, 2019
KB4493509		Mitigated
May 03, 2019
10:59 AM PT
Printing from Microsoft Edge or other UWP apps, you may receive the error 0x80070007
Attempting to print from Microsoft Edge or other Universal Windows Platform (UWP) applications, you may receive an error.

See details >		OS Build 17763.379

March 12, 2019
KB4489899		Mitigated
May 02, 2019
04:47 PM PT
Issue using PXE to start a device from WDS
Using PXE to start a device from a WDS server configured to use Variable Window Extension may cause the connection to the WDS server to terminate prematurely.

See details >		OS Build 17763.379

March 12, 2019
KB4489899		Mitigated
April 09, 2019
10:00 AM PT
- From 46d01547942cb2745ad5e2b75c9b5bb7e1def141 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Wed, 8 May 2019 18:52:53 -0700 Subject: [PATCH 095/149] Create windows-endpoints-non-enterprise-editions-1903.md --- ...-endpoints-non-enterprise-editions-1903.md | 163 ++++++++++++++++++ 1 file changed, 163 insertions(+) create mode 100644 windows/privacy/windows-endpoints-non-enterprise-editions-1903.md diff --git a/windows/privacy/windows-endpoints-non-enterprise-editions-1903.md b/windows/privacy/windows-endpoints-non-enterprise-editions-1903.md new file mode 100644 index 0000000000..b6be3b5acd --- /dev/null +++ b/windows/privacy/windows-endpoints-non-enterprise-editions-1903.md @@ -0,0 +1,163 @@ +--- +title: Windows 10, version 1809, connection endpoints for non-Enterprise editions +description: Explains what Windows 10 endpoints are used in non-Enterprise editions. +keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.localizationpriority: high +audience: ITPro +author: danihalfin +ms.author: daniha +manager: dansimp +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 6/26/2018 +--- +# Windows 10, version 1809, connection endpoints for non-Enterprise editions + + **Applies to** + +- Windows 10 Home, version 1809 +- Windows 10 Professional, version 1809 +- Windows 10 Education, version 1809 + +In addition to the endpoints listed for [Windows 10 Enterprise](manage-windows-1809-endpoints.md), the following endpoints are available on other editions of Windows 10, version 1809. + +We used the following methodology to derive these network endpoints: + +1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. +2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). +3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. +4. Compile reports on traffic going to public IP addresses. +5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here. + +> [!NOTE] +> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. + +## Windows 10 Family + +| **Destination** | **Protocol** | **Description** | +| --- | --- | --- | +|\*.aria.microsoft.com\* | HTTPS | Office Telemetry +|\*.dl.delivery.mp.microsoft.com\* | HTTP | Enables connections to Windows Update. +|\*.download.windowsupdate.com\* | HTTP | Used to download operating system patches and updates. +|\*.g.akamai.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. +|\*.msn.com\* |TLSv1.2/HTTPS | Windows Spotlight related traffic +|\*.Skype.com | HTTP/HTTPS | Skype related traffic +|\*.smartscreen.microsoft.com\* | HTTPS | Windows Defender Smartscreen related traffic +|\*.telecommand.telemetry.microsoft.com\* | HTTPS | Used by Windows Error Reporting. +|\*cdn.onenote.net* | HTTP | OneNote related traffic +|\*displaycatalog.mp.microsoft.com\* | HTTPS | Used to communicate with Microsoft Store. +|\*emdl.ws.microsoft.com\* | HTTP | Windows Update related traffic +|\*geo-prod.do.dsp.mp.microsoft.com\* |TLSv1.2/HTTPS | Enables connections to Windows Update. +|\*hwcdn.net* | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. +|\*img-prod-cms-rt-microsoft-com.akamaized.net* | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). +|\*maps.windows.com\* | HTTPS | Related to Maps application. +|\*msedge.net* | HTTPS | Used by OfficeHub to get the metadata of Office apps. +|\*nexusrules.officeapps.live.com\* | HTTPS | Office Telemetry +|\*photos.microsoft.com\* | HTTPS | Photos App related traffic +|\*prod.do.dsp.mp.microsoft.com\* |TLSv1.2/HTTPS | Used for Windows Update downloads of apps and OS updates. +|\*wac.phicdn.net* | HTTP | Windows Update related traffic +|\*windowsupdate.com\* | HTTP | Windows Update related traffic +|\*wns.windows.com\* | HTTPS, TLSv1.2 | Used for the Windows Push Notification Services (WNS). +|\*wpc.v0cdn.net* | | Windows Telemetry related traffic +|auth.gfx.ms/16.000.27934.1/OldConvergedLogin_PCore.js | | MSA related +|evoke-windowsservices-tas.msedge* | HTTPS | The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. +|fe2.update.microsoft.com\* |TLSv1.2/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. +|fe3.\*.mp.microsoft.com.\* |TLSv1.2/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. +|fs.microsoft.com | | Font Streaming (in ENT traffic) +|g.live.com\* | HTTPS | Used by OneDrive +|iriscoremetadataprod.blob.core.windows.net | HTTPS | Windows Telemetry +|mscrl.microsoft.com | | Certificate Revocation List related traffic. +|ocsp.digicert.com\* | HTTP | CRL and OCSP checks to the issuing certificate authorities. +|officeclient.microsoft.com | HTTPS | Office related traffic. +|oneclient.sfx.ms* | HTTPS | Used by OneDrive for Business to download and verify app updates. +|purchase.mp.microsoft.com\* | HTTPS | Used to communicate with Microsoft Store. +|query.prod.cms.rt.microsoft.com\* | HTTPS | Used to retrieve Windows Spotlight metadata. +|ris.api.iris.microsoft.com\* |TLSv1.2/HTTPS | Used to retrieve Windows Spotlight metadata. +|ris-prod-atm.trafficmanager.net | HTTPS | Azure traffic manager +|settings.data.microsoft.com\* | HTTPS | Used for Windows apps to dynamically update their configuration. +|settings-win.data.microsoft.com\* | HTTPS | Used for Windows apps to dynamically update their configuration. +|sls.update.microsoft.com\* |TLSv1.2/HTTPS | Enables connections to Windows Update. +|store*.dsx.mp.microsoft.com\* | HTTPS | Used to communicate with Microsoft Store. +|storecatalogrevocation.storequality.microsoft.com\* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. +|store-images.s-microsoft.com\* | HTTP | Used to get images that are used for Microsoft Store suggestions. +|tile-service.weather.microsoft.com\* | HTTP | Used to download updates to the Weather app Live Tile. +|tsfe.trafficshaping.dsp.mp.microsoft.com\* |TLSv1.2 | Used for content regulation. +|v10.events.data.microsoft.com | HTTPS | Diagnostic Data +|wdcp.microsoft.* |TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. +|wd-prod-cp-us-west-1-fe.westus.cloudapp.azure.com | HTTPS | Windows Defender related traffic. +|www.bing.com* | HTTP | Used for updates for Cortana, apps, and Live Tiles. + +## Windows 10 Pro + +| **Destination** | **Protocol** | **Description** | +| --- | --- | --- | +| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | +| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| *.tlu.dl.delivery.mp.microsoft.com/* | HTTP | Enables connections to Windows Update. | +| *geo-prod.dodsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update. | +| arc.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | +| au.download.windowsupdate.com/* | HTTP | Enables connections to Windows Update. | +| ctldl.windowsupdate.com/msdownload/update/* | HTTP | Used to download certificates that are publicly known to be fraudulent. | +| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| dm3p.wns.notify.windows.com.akadns.net | HTTPS | Used for the Windows Push Notification Services (WNS) | +| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | +| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | +| location-inference-westus.cloudapp.net | HTTPS | Used for location data. | +| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | +| ocsp.digicert.com\* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | +| ris.api.iris.microsoft.com.akadns.net | HTTPS | Used to retrieve Windows Spotlight metadata. | +| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. | +| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | +| vip5.afdorigin-prod-am02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic | + + +## Windows 10 Education + +| **Destination** | **Protocol** | **Description** | +| --- | --- | --- | +| *.b.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | +| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | +| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| *.telecommand.telemetry.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | +| *.tlu.dl.delivery.mp.microsoft.com\* | HTTP | Enables connections to Windows Update. | +| *.windowsupdate.com\* | HTTP | Enables connections to Windows Update. | +| *geo-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | +| au.download.windowsupdate.com\* | HTTP | Enables connections to Windows Update. | +| cdn.onenote.net/livetile/* | HTTPS | Used for OneNote Live Tile. | +| client-office365-tas.msedge.net/* | HTTPS | Used to connect to the Office 365 portal’s shared infrastructure, including Office Online. | +| config.edge.skype.com/* | HTTPS | Used to retrieve Skype configuration values.  | +| ctldl.windowsupdate.com/* | HTTP | Used to download certificates that are publicly known to be fraudulent. | +| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| displaycatalog.mp.microsoft.com/* | HTTPS | Used to communicate with Microsoft Store. | +| download.windowsupdate.com/* | HTTPS | Enables connections to Windows Update. | +| emdl.ws.microsoft.com/* | HTTP | Used to download apps from the Microsoft Store. | +| fe2.update.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe3.delivery.mp.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| g.live.com/odclientsettings/* | HTTPS | Used by OneDrive for Business to download and verify app updates. | +| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | +| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | +| licensing.mp.microsoft.com/* | HTTPS | Used for online activation and some app licensing. | +| maps.windows.com/windows-app-web-link | HTTPS | Link to Maps application | +| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | +| ocos-office365-s2s.msedge.net/* | HTTPS | Used to connect to the Office 365 portal's shared infrastructure. | +| ocsp.digicert.com\* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | +| oneclient.sfx.ms/* | HTTPS | Used by OneDrive for Business to download and verify app updates. | +| settings-win.data.microsoft.com/settings/* | HTTPS | Used as a way for apps to dynamically update their configuration. | +| sls.update.microsoft.com/* | HTTPS | Enables connections to Windows Update. | +| storecatalogrevocation.storequality.microsoft.com/* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | +| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. | +| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | +| vip5.afdorigin-prod-ch02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic. | +| watson.telemetry.microsoft.com/Telemetry.Request | HTTPS | Used by Windows Error Reporting. | +| bing.com/* | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | From 7b1747d7eacafeaa4dbed1af7597007d098674c2 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Wed, 8 May 2019 18:53:54 -0700 Subject: [PATCH 096/149] Rename windows-endpoints-non-enterprise-editions-1903.md to windows-endpoints-1903-non-enterprise-editions.md --- ...-1903.md => windows-endpoints-1903-non-enterprise-editions.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename windows/privacy/{windows-endpoints-non-enterprise-editions-1903.md => windows-endpoints-1903-non-enterprise-editions.md} (100%) diff --git a/windows/privacy/windows-endpoints-non-enterprise-editions-1903.md b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md similarity index 100% rename from windows/privacy/windows-endpoints-non-enterprise-editions-1903.md rename to windows/privacy/windows-endpoints-1903-non-enterprise-editions.md From 15912e19d6a7578482a8b56030f73e84a1f8163e Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Wed, 8 May 2019 19:03:08 -0700 Subject: [PATCH 097/149] Update windows-endpoints-1903-non-enterprise-editions.md --- ...-endpoints-1903-non-enterprise-editions.md | 128 +++++++++++------- 1 file changed, 78 insertions(+), 50 deletions(-) diff --git a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md index b6be3b5acd..d17a7a9d77 100644 --- a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md @@ -40,56 +40,84 @@ We used the following methodology to derive these network endpoints: | **Destination** | **Protocol** | **Description** | | --- | --- | --- | -|\*.aria.microsoft.com\* | HTTPS | Office Telemetry -|\*.dl.delivery.mp.microsoft.com\* | HTTP | Enables connections to Windows Update. -|\*.download.windowsupdate.com\* | HTTP | Used to download operating system patches and updates. -|\*.g.akamai.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. -|\*.msn.com\* |TLSv1.2/HTTPS | Windows Spotlight related traffic -|\*.Skype.com | HTTP/HTTPS | Skype related traffic -|\*.smartscreen.microsoft.com\* | HTTPS | Windows Defender Smartscreen related traffic -|\*.telecommand.telemetry.microsoft.com\* | HTTPS | Used by Windows Error Reporting. -|\*cdn.onenote.net* | HTTP | OneNote related traffic -|\*displaycatalog.mp.microsoft.com\* | HTTPS | Used to communicate with Microsoft Store. -|\*emdl.ws.microsoft.com\* | HTTP | Windows Update related traffic -|\*geo-prod.do.dsp.mp.microsoft.com\* |TLSv1.2/HTTPS | Enables connections to Windows Update. -|\*hwcdn.net* | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. -|\*img-prod-cms-rt-microsoft-com.akamaized.net* | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). -|\*maps.windows.com\* | HTTPS | Related to Maps application. -|\*msedge.net* | HTTPS | Used by OfficeHub to get the metadata of Office apps. -|\*nexusrules.officeapps.live.com\* | HTTPS | Office Telemetry -|\*photos.microsoft.com\* | HTTPS | Photos App related traffic -|\*prod.do.dsp.mp.microsoft.com\* |TLSv1.2/HTTPS | Used for Windows Update downloads of apps and OS updates. -|\*wac.phicdn.net* | HTTP | Windows Update related traffic -|\*windowsupdate.com\* | HTTP | Windows Update related traffic -|\*wns.windows.com\* | HTTPS, TLSv1.2 | Used for the Windows Push Notification Services (WNS). -|\*wpc.v0cdn.net* | | Windows Telemetry related traffic -|auth.gfx.ms/16.000.27934.1/OldConvergedLogin_PCore.js | | MSA related -|evoke-windowsservices-tas.msedge* | HTTPS | The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. -|fe2.update.microsoft.com\* |TLSv1.2/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. -|fe3.\*.mp.microsoft.com.\* |TLSv1.2/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. -|fs.microsoft.com | | Font Streaming (in ENT traffic) -|g.live.com\* | HTTPS | Used by OneDrive -|iriscoremetadataprod.blob.core.windows.net | HTTPS | Windows Telemetry -|mscrl.microsoft.com | | Certificate Revocation List related traffic. -|ocsp.digicert.com\* | HTTP | CRL and OCSP checks to the issuing certificate authorities. -|officeclient.microsoft.com | HTTPS | Office related traffic. -|oneclient.sfx.ms* | HTTPS | Used by OneDrive for Business to download and verify app updates. -|purchase.mp.microsoft.com\* | HTTPS | Used to communicate with Microsoft Store. -|query.prod.cms.rt.microsoft.com\* | HTTPS | Used to retrieve Windows Spotlight metadata. -|ris.api.iris.microsoft.com\* |TLSv1.2/HTTPS | Used to retrieve Windows Spotlight metadata. -|ris-prod-atm.trafficmanager.net | HTTPS | Azure traffic manager -|settings.data.microsoft.com\* | HTTPS | Used for Windows apps to dynamically update their configuration. -|settings-win.data.microsoft.com\* | HTTPS | Used for Windows apps to dynamically update their configuration. -|sls.update.microsoft.com\* |TLSv1.2/HTTPS | Enables connections to Windows Update. -|store*.dsx.mp.microsoft.com\* | HTTPS | Used to communicate with Microsoft Store. -|storecatalogrevocation.storequality.microsoft.com\* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. -|store-images.s-microsoft.com\* | HTTP | Used to get images that are used for Microsoft Store suggestions. -|tile-service.weather.microsoft.com\* | HTTP | Used to download updates to the Weather app Live Tile. -|tsfe.trafficshaping.dsp.mp.microsoft.com\* |TLSv1.2 | Used for content regulation. -|v10.events.data.microsoft.com | HTTPS | Diagnostic Data -|wdcp.microsoft.* |TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. -|wd-prod-cp-us-west-1-fe.westus.cloudapp.azure.com | HTTPS | Windows Defender related traffic. -|www.bing.com* | HTTP | Used for updates for Cortana, apps, and Live Tiles. +|\*.aria.microsoft.com*|HTTPS|Microsoft Office Telemetry +|\*.b.akamai*.net|HTTPS|Used to check for updates to Maps that have been downloaded for offline use +|\*.c-msedge.net|HTTP|Microsoft Office +|\*.dl.delivery.mp.microsoft.com*|HTTP|Enables connections to Windows Update +|\*.download.windowsupdate.com*|HTTP|Used to download operating system patches and updates +|\*.g.akamai*.net|HTTPS|Used to check for updates to Maps that have been downloaded for offline use +|\*.login.msa.*.net|HTTPS|Microsoft Account related +|\*.msn.com*|TLSv1.2/HTTPS|Windows Spotlight +|\*.skype.com|HTTP/HTTPS|Skype +|\*.smartscreen.microsoft.com*|HTTPS|Windows Defender Smartscreen +|\*.telecommand.telemetry.microsoft.com*|HTTPS|Used by Windows Error Reporting +|*cdn.onenote.net*|HTTP|OneNote +|*displaycatalog.*mp.microsoft.com*|HTTPS|Used to communicate with Microsoft Store +|*emdl.ws.microsoft.com*|HTTP|Windows Update +|*geo-prod.do.dsp.mp.microsoft.com*|TLSv1.2/HTTPS|Enables connections to Windows Update +|*hwcdn.net*|HTTP|Highwinds Content Delivery Network / Windows updates +|*img-prod-cms-rt-microsoft-com.*|HTTPS|Microsoft Store or Inbox MSN Apps image download +|*licensing.*mp.microsoft.com*|HTTPS|Licensing +|*maps.windows.com*|HTTPS|Related to Maps application +|*msedge.net*|HTTPS|Used by Microsoft OfficeHub to get the metadata of Microsoft Office apps +|*nexusrules.officeapps.live.com*|HTTPS|Microsoft Office Telemetry +|*photos.microsoft.com*|HTTPS|Photos App +|*prod.do.dsp.mp.microsoft.com*|TLSv1.2/HTTPS|Used for Windows Update downloads of apps and OS updates +|*purchase.md.mp.microsoft.com.akadns.net|HTTPS|Used to communicate with Microsoft Store +|*settings.data.microsoft.com.akadns.net|HTTPS|Used for Windows apps to dynamically update their configuration +|*wac.phicdn.net*|HTTP|Windows Update +|*windowsupdate.com*|HTTP|Windows Update +|*wns.*windows.com*|TLSv1.2/HTTPS|Used for the Windows Push Notification Services (WNS) +|*wpc.v0cdn.net*|HTTP|Windows Telemetry +|arc.msn.com|HTTPS|Spotlight +|auth.gfx.ms*|HTTPS|MSA related +|cdn.onenote.net|HTTPS|OneNote Live Tile +|dmd.metaservices.microsoft.com*|HTTP|Device Authentication +|e-0009.e-msedge.net|HTTPS|Microsoft Office +|e10198.b.akamaiedge.net|HTTPS|Maps application +|evoke-windowsservices-tas.msedge*|HTTPS|Photos app +|fe2.update.microsoft.com*|TLSv1.2/HTTPS|Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store +|fe3.*.mp.microsoft.com.*|TLSv1.2/HTTPS|Windows Update, Microsoft Update, and Microsoft Store services +|g.live.com*|HTTPS|OneDrive +|go.microsoft.com|HTTP|Windows Defender +|iriscoremetadataprod.blob.core.windows.net|HTTPS|Windows Telemetry +|login.live.com|HTTPS|Device Authentication +|msagfx.live.com|HTTP|OneDrive +|ocsp.digicert.com*|HTTP|CRL and OCSP checks to the issuing certificate authorities +|officeclient.microsoft.com|HTTPS|Microsoft Office +|oneclient.sfx.ms*|HTTPS|Used by OneDrive for Business to download and verify app updates +|onecollector.cloudapp.aria.akadns.net|HTTPS|Microsoft Office +|ow1.res.office365.com|HTTP|Microsoft Office +|pti.store.microsoft.com|HTTPS|Microsoft Store +|purchase.mp.microsoft.com*|HTTPS|Used to communicate with Microsoft Store +|query.prod.cms.rt.microsoft.com*|HTTPS|Used to retrieve Windows Spotlight metadata +|ris.api.iris.microsoft.com*|TLSv1.2/HTTPS|Used to retrieve Windows Spotlight metadata +|ris-prod-atm.trafficmanager.net|HTTPS|Azure traffic manager +|s-0001.s-msedge.net|HTTPS|Microsoft Office +|self.events.data.microsoft.com|HTTPS|Microsoft Office +|settings.data.microsoft.com*|HTTPS|Used for Windows apps to dynamically update their configuration +|settings-win.data.microsoft.com*|HTTPS|Used for Windows apps to dynamically update their configuration +|share.microsoft.com|HTTPS|Microsoft Store +|skypeecs-prod-usw-0.cloudapp.net|HTTPS|Microsoft Store +|sls.update.microsoft.com*|TLSv1.2/HTTPS|Enables connections to Windows Update +|slscr.update.microsoft.com*|HTTPS|Enables connections to Windows Update +|store*.dsx.mp.microsoft.com*|HTTPS|Used to communicate with Microsoft Store +|storecatalogrevocation.storequality.microsoft.com|HTTPS|Microsoft Store +|storecatalogrevocation.storequality.microsoft.com*|HTTPS|Used to revoke licenses for malicious apps on the Microsoft Store +|store-images.*microsoft.com*|HTTP|Used to get images that are used for Microsoft Store suggestions +|storesdk.dsx.mp.microsoft.com|HTTP|Microsoft Store +|tile-service.weather.microsoft.com*|HTTP|Used to download updates to the Weather app Live Tile +|time.windows.com|HTTP|Microsoft Windows Time related +|tsfe.trafficshaping.dsp.mp.microsoft.com*|TLSv1.2/HTTPS|Used for content regulation +|v10.events.data.microsoft.com|HTTPS|Diagnostic Data +|watson.telemetry.microsoft.com|HTTPS|Diagnostic Data +|wdcp.microsoft.*|TLSv1.2, HTTPS|Used for Windows Defender when Cloud-based Protection is enabled +|wd-prod-cp-us-west-1-fe.westus.cloudapp.azure.com|HTTPS|Windows Defender +|wusofficehome.msocdn.com|HTTPS|Microsoft Office +|www.bing.com*|HTTP|Used for updates for Cortana, apps, and Live Tiles +|www.msftconnecttest.com|HTTP|Network Connection (NCSI) +|www.office.com|HTTPS|Microsoft Office + ## Windows 10 Pro From ec9c3676fce744d81cd501ddacd0bb7d334b2fe4 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Wed, 8 May 2019 19:04:42 -0700 Subject: [PATCH 098/149] Update windows-endpoints-1903-non-enterprise-editions.md --- .../privacy/windows-endpoints-1903-non-enterprise-editions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md index d17a7a9d77..2d162078d9 100644 --- a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md @@ -56,7 +56,7 @@ We used the following methodology to derive these network endpoints: |*emdl.ws.microsoft.com*|HTTP|Windows Update |*geo-prod.do.dsp.mp.microsoft.com*|TLSv1.2/HTTPS|Enables connections to Windows Update |*hwcdn.net*|HTTP|Highwinds Content Delivery Network / Windows updates -|*img-prod-cms-rt-microsoft-com.*|HTTPS|Microsoft Store or Inbox MSN Apps image download +|*img-prod-cms-rt-microsoft-com*|HTTPS|Microsoft Store or Inbox MSN Apps image download |*licensing.*mp.microsoft.com*|HTTPS|Licensing |*maps.windows.com*|HTTPS|Related to Maps application |*msedge.net*|HTTPS|Used by Microsoft OfficeHub to get the metadata of Microsoft Office apps From 294d08f16e964c2721de6689a6f59fee058d40cf Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Wed, 8 May 2019 19:19:17 -0700 Subject: [PATCH 099/149] Update windows-endpoints-1903-non-enterprise-editions.md --- ...-endpoints-1903-non-enterprise-editions.md | 91 ++++++++++++++----- 1 file changed, 70 insertions(+), 21 deletions(-) diff --git a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md index 2d162078d9..25dd51cf33 100644 --- a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md @@ -123,27 +123,76 @@ We used the following methodology to derive these network endpoints: | **Destination** | **Protocol** | **Description** | | --- | --- | --- | -| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | -| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| *.tlu.dl.delivery.mp.microsoft.com/* | HTTP | Enables connections to Windows Update. | -| *geo-prod.dodsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update. | -| arc.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | -| au.download.windowsupdate.com/* | HTTP | Enables connections to Windows Update. | -| ctldl.windowsupdate.com/msdownload/update/* | HTTP | Used to download certificates that are publicly known to be fraudulent. | -| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| dm3p.wns.notify.windows.com.akadns.net | HTTPS | Used for the Windows Push Notification Services (WNS) | -| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | -| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | -| location-inference-westus.cloudapp.net | HTTPS | Used for location data. | -| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | -| ocsp.digicert.com\* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | -| ris.api.iris.microsoft.com.akadns.net | HTTPS | Used to retrieve Windows Spotlight metadata. | -| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. | -| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | -| vip5.afdorigin-prod-am02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic | +|\*.cloudapp.azure.com|HTTPS|Azure +|\*.delivery.dsp.mp.microsoft.com.nsatc.net|HTTPS|Windows Update, Microsoft Update, and Microsoft Store services +|\*.displaycatalog.md.mp.microsoft.com.akadns.net|HTTPS|Microsoft Store +|\*.dl.delivery.mp.microsoft.com*|HTTP|Enables connections to Windows Update +|\*.e-msedge.net|HTTPS|Used by OfficeHub to get the metadata of Office apps +|\*.g.akamaiedge.net|HTTPS|Used to check for updates to maps that have been downloaded for offline use +|\*.s-msedge.net|HTTPS|Used by OfficeHub to get the metadata of Office apps +|\*.windowsupdate.com*|HTTP|Enables connections to Windows Update +|\*.wns.notify.windows.com.akadns.net|HTTPS|Used for the Windows Push Notification Services (WNS) +|\*dsp.mp.microsoft.com.nsatc.net|HTTPS|Enables connections to Windows Update +|\*c-msedge.net|HTTP|Office +|a1158.g.akamai.net|HTTP|Maps application +|arc.msn.com*|HTTP / HTTPS|Used to retrieve Windows Spotlight metadata +|blob.mwh01prdstr06a.store.core.windows.net|HTTPS|Microsoft Store +|browser.pipe.aria.microsoft.com|HTTPS|Microsoft Office +|bubblewitch3mobile.king.com|HTTPS|Bubble Witch application +|candycrush.king.com|HTTPS|Candy Crush application +|cdn.onenote.net|HTTP|Microsoft OneNote +|cds.p9u4n2q3.hwcdn.net|HTTP|Highwinds Content Delivery Network traffic for Windows updates +|client.wns.windows.com|HTTPS|Winddows Notification System +|co4.telecommand.telemetry.microsoft.com.akadns.net|HTTPS|Windows Error Reporting +|config.edge.skype.com|HTTPS|Microsoft Skype +|cs11.wpc.v0cdn.net|HTTP|Windows Telemetry +|cs9.wac.phicdn.net|HTTP|Windows Update +|cy2.licensing.md.mp.microsoft.com.akadns.net|HTTPS|Used to communicate with Microsoft Store +|cy2.purchase.md.mp.microsoft.com.akadns.net|HTTPS|Used to communicate with Microsoft Store +|cy2.settings.data.microsoft.com.akadns.net|HTTPS|Used to communicate with Microsoft Store +|dmd.metaservices.microsoft.com.akadns.net|HTTP|Device Authentication +|e-0009.e-msedge.net|HTTPS|Microsoft Office +|e10198.b.akamaiedge.net|HTTPS|Maps application +|fe3.update.microsoft.com|HTTPS|Windows Update +|g.live.com|HTTPS|Microsoft OneDrive +|g.msn.com.nsatc.net|HTTPS|Used to retrieve Windows Spotlight metadata +|geo-prod.do.dsp.mp.microsoft.com|HTTPS|Windows Update +|go.microsoft.com|HTTP|Windows Defender +|iecvlist.microsoft.com|HTTPS|Microsoft Edge +|img-prod-cms-rt-microsoft-com.akamaized.net|HTTP / HTTPS|Microsoft Store +|ipv4.login.msa.akadns6.net|HTTPS|Used for Microsoft accounts to sign in +|licensing.mp.microsoft.com|HTTP|Licensing +|location-inference-westus.cloudapp.net|HTTPS|Used for location data +|login.live.com|HTTP|Device Authentication +|maps.windows.com|HTTP|Maps application +|modern.watson.data.microsoft.com.akadns.net|HTTPS|Used by Windows Error Reporting +|msagfx.live.com|HTTP|OneDrive +|nav.smartscreen.microsoft.com|HTTPS|Windows Defender +|ocsp.digicert.com*|HTTP|CRL and OCSP checks to the issuing certificate authorities +|oneclient.sfx.ms|HTTP|OneDrive +|pti.store.microsoft.com|HTTPS|Microsoft Store +|ris.api.iris.microsoft.com.akadns.net|HTTPS|Used to retrieve Windows Spotlight metadata +|ris-prod-atm.trafficmanager.net|HTTPS|Azure +|s2s.config.skype.com|HTTP|Microsoft Skype +|settings-win.data.microsoft.com|HTTPS|Application settings +|share.microsoft.com|HTTPS|Microsoft Store +|skypeecs-prod-usw-0.cloudapp.net|HTTPS|Microsoft Skype +|slscr.update.microsoft.com|HTTPS|Windows Update +|storecatalogrevocation.storequality.microsoft.com|HTTPS|Microsoft Store +|store-images.microsoft.com|HTTPS|Microsoft Store +|tile-service.weather.microsoft.com/*|HTTP|Used to download updates to the Weather app Live Tile +|time.windows.com|HTTP|Windows time +|tsfe.trafficshaping.dsp.mp.microsoft.com|HTTPS|Used for content regulation +|v10.events.data.microsoft.com*|HTTPS|Microsoft Office +|vip5.afdorigin-prod-am02.afdogw.com|HTTPS|Used to serve office 365 experimentation traffic +|watson.telemetry.microsoft.com|HTTPS|Telemetry +|wdcp.microsoft.com|HTTPS|Windows Defender +|wusofficehome.msocdn.com|HTTPS|Microsoft Office +|www.bing.com|HTTPS|Cortana and Search +|www.microsoft.com|HTTP|Diagnostic +|www.msftconnecttest.com|HTTP|Network connection +|www.office.com|HTTPS|Microsoft Office + ## Windows 10 Education From 2d64996a22c8185a3d1b3325628fb04622f37aec Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Wed, 8 May 2019 19:31:51 -0700 Subject: [PATCH 100/149] Update windows-endpoints-1903-non-enterprise-editions.md --- ...-endpoints-1903-non-enterprise-editions.md | 109 +++++++++++------- 1 file changed, 70 insertions(+), 39 deletions(-) diff --git a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md index 25dd51cf33..44fadd939e 100644 --- a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md @@ -199,42 +199,73 @@ We used the following methodology to derive these network endpoints: | **Destination** | **Protocol** | **Description** | | --- | --- | --- | -| *.b.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | -| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | -| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| *.telecommand.telemetry.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | -| *.tlu.dl.delivery.mp.microsoft.com\* | HTTP | Enables connections to Windows Update. | -| *.windowsupdate.com\* | HTTP | Enables connections to Windows Update. | -| *geo-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | -| au.download.windowsupdate.com\* | HTTP | Enables connections to Windows Update. | -| cdn.onenote.net/livetile/* | HTTPS | Used for OneNote Live Tile. | -| client-office365-tas.msedge.net/* | HTTPS | Used to connect to the Office 365 portal’s shared infrastructure, including Office Online. | -| config.edge.skype.com/* | HTTPS | Used to retrieve Skype configuration values.  | -| ctldl.windowsupdate.com/* | HTTP | Used to download certificates that are publicly known to be fraudulent. | -| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| displaycatalog.mp.microsoft.com/* | HTTPS | Used to communicate with Microsoft Store. | -| download.windowsupdate.com/* | HTTPS | Enables connections to Windows Update. | -| emdl.ws.microsoft.com/* | HTTP | Used to download apps from the Microsoft Store. | -| fe2.update.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.mp.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| g.live.com/odclientsettings/* | HTTPS | Used by OneDrive for Business to download and verify app updates. | -| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | -| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | -| licensing.mp.microsoft.com/* | HTTPS | Used for online activation and some app licensing. | -| maps.windows.com/windows-app-web-link | HTTPS | Link to Maps application | -| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | -| ocos-office365-s2s.msedge.net/* | HTTPS | Used to connect to the Office 365 portal's shared infrastructure. | -| ocsp.digicert.com\* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | -| oneclient.sfx.ms/* | HTTPS | Used by OneDrive for Business to download and verify app updates. | -| settings-win.data.microsoft.com/settings/* | HTTPS | Used as a way for apps to dynamically update their configuration. | -| sls.update.microsoft.com/* | HTTPS | Enables connections to Windows Update. | -| storecatalogrevocation.storequality.microsoft.com/* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | -| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. | -| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | -| vip5.afdorigin-prod-ch02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic. | -| watson.telemetry.microsoft.com/Telemetry.Request | HTTPS | Used by Windows Error Reporting. | -| bing.com/* | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | +|\*.b.akamaiedge.net|HTTPS|Used to check for updates to maps that have been downloaded for offline use +|\*.c-msedge.net|HTTP|Used by OfficeHub to get the metadata of Office apps +|\*.dl.delivery.mp.microsoft.com*|HTTP|Windows Update +|\*.e-msedge.net|HTTPS|Used by OfficeHub to get the metadata of Office apps +|\*.g.akamaiedge.net|HTTPS|Used to check for updates to Maps that have been downloaded for offline use +|\*.licensing.md.mp.microsoft.com.akadns.net|HTTPS|Microsoft Store +|\*.settings.data.microsoft.com.akadns.net|HTTPS|Microsoft Store +|\*.skype.com*|HTTPS|Used to retrieve Skype configuration values +|\*.smartscreen*.microsoft.com|HTTPS|Windows Defender +|\*.s-msedge.net|HTTPS|Used by OfficeHub to get the metadata of Office apps +|\*.telecommand.telemetry.microsoft.com*|HTTPS|Used by Windows Error Reporting +|\*.wac.phicdn.net|HTTP|Windows Update +|\*.windowsupdate.com*|HTTP|Windows Update +|\*.wns.windows.com|HTTPS|Windows Notifications Service +|\*.wpc.*.net|HTTP|Diagnostic Data +|\*displaycatalog.md.mp.microsoft.com.akadns.net|HTTPS|Microsoft Store +|\*dsp.mp.microsoft.com|HTTPS|Windows Update +|a1158.g.akamai.net|HTTP|Maps +|a122.dscg3.akamai.net|HTTP|Maps +|a767.dscg3.akamai.net|HTTP|Maps +|au.download.windowsupdate.com*|HTTP|Windows Update +|bing.com/*|HTTPS|Used for updates for Cortana, apps, and Live Tiles +|blob.dz5prdstr01a.store.core.windows.net|HTTPS|Microsoft Store +|browser.pipe.aria.microsoft.com|HTTP|Used by OfficeHub to get the metadata of Office apps +|cdn.onenote.net/livetile/*|HTTPS|Used for OneNote Live Tile +|cds.p9u4n2q3.hwcdn.net|HTTP|Used by the Highwinds Content Delivery Network to perform Windows updates +|client-office365-tas.msedge.net/*|HTTPS|Office 365 porta and Office Online +|ctldl.windowsupdate.com*|HTTP|Used to download certificates that are publicly known to be fraudulent +|displaycatalog.mp.microsoft.com/*|HTTPS|Microsoft Store +|dmd.metaservices.microsoft.com*|HTTP|Device Authentication +|download.windowsupdate.com*|HTTPS|Windows Update +|emdl.ws.microsoft.com/*|HTTP|Used to download apps from the Microsoft Store +|evoke-windowsservices-tas.msedge.net|HTTPS|Photo app +|fe2.update.microsoft.com*|HTTPS|Windows Update, Microsoft Update, Microsoft Store services +|fe3.delivery.dsp.mp.microsoft.com.nsatc.net|HTTPS|Windows Update, Microsoft Update, Microsoft Store services +|fe3.delivery.mp.microsoft.com*|HTTPS|Windows Update, Microsoft Update, Microsoft Store services +|g.live.com*|HTTPS|Used by OneDrive for Business to download and verify app updates +|g.msn.com.nsatc.net|HTTPS|Used to retrieve Windows Spotlight metadata +|go.microsoft.com|HTTP|Windows Defender +|iecvlist.microsoft.com|HTTPS|Microsoft Edge browser +|ipv4.login.msa.akadns6.net|HTTPS|Used for Microsoft accounts to sign in +|licensing.mp.microsoft.com*|HTTPS|Used for online activation and some app licensing +|login.live.com|HTTPS|Device Authentication +|maps.windows.com/windows-app-web-link|HTTPS|Maps application +|modern.watson.data.microsoft.com.akadns.net|HTTPS|Used by Windows Error Reporting +|msagfx.live.com|HTTPS|OneDrive +|ocos-office365-s2s.msedge.net/*|HTTPS|Used to connect to the Office 365 portal's shared infrastructure +|ocsp.digicert.com*|HTTP|CRL and OCSP checks to the issuing certificate authorities +|oneclient.sfx.ms/*|HTTPS|Used by OneDrive for Business to download and verify app updates +|onecollector.cloudapp.aria.akadns.net|HTTPS|Microsoft Office +|pti.store.microsoft.com|HTTPS|Microsoft Store +|settings-win.data.microsoft.com/settings/*|HTTPS|Used as a way for apps to dynamically update their configuration +|share.microsoft.com|HTTPS|Microsoft Store +|skypeecs-prod-usw-0.cloudapp.net|HTTPS|Skype +|sls.update.microsoft.com*|HTTPS|Windows Update +|storecatalogrevocation.storequality.microsoft.com*|HTTPS|Used to revoke licenses for malicious apps on the Microsoft Store +|tile-service.weather.microsoft.com*|HTTP|Used to download updates to the Weather app Live Tile +|tsfe.trafficshaping.dsp.mp.microsoft.com|HTTPS|Windows Update +|v10.events.data.microsoft.com*|HTTPS|Diagnostic Data +|vip5.afdorigin-prod-ch02.afdogw.com|HTTPS|Used to serve Office 365 experimentation traffic +|watson.telemetry.microsoft.com*|HTTPS|Used by Windows Error Reporting +|wdcp.microsoft.com|HTTPS|Windows Defender +|wd-prod-cp-us-east-1-fe.eastus.cloudapp.azure.com|HTTPS|Azure +|wusofficehome.msocdn.com|HTTPS|Microsoft Office +|www.bing.com|HTTPS|Cortana and Search +|www.microsoft.com|HTTP|Diagnostic Data +|www.microsoft.com/pkiops/certs/*|HTTP|CRL and OCSP checks to the issuing certificate authorities +|www.msftconnecttest.com|HTTP|Network Connection +|www.office.com|HTTPS|Microsoft Office + From 16577f4056c0a629a2a3a503476030de93bed559 Mon Sep 17 00:00:00 2001 From: Malin De Silva Date: Thu, 9 May 2019 08:26:19 +0530 Subject: [PATCH 101/149] added not supportive line for pro editions --- .../windows-defender-application-guard/reqs-wd-app-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md index 1cb8fce44c..741592efe2 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md @@ -36,6 +36,6 @@ Your environment needs the following software to run Windows Defender Applicatio |Software|Description| |--------|-----------| -|Operating system|Windows 10 Enterprise edition, version 1709 or higher
Windows 10 Professional edition, version 1803 or higher
Windows 10 Professional for Workstations edition, version 1803 or higher
Windows 10 Professional Education edition version 1803 or higher
Windows 10 Education edition, version 1903 or higher| +|Operating system|Windows 10 Enterprise edition, version 1709 or higher
Windows 10 Professional edition, version 1803 or higher
Windows 10 Professional for Workstations edition, version 1803 or higher
Windows 10 Professional Education edition version 1803 or higher
Windows 10 Education edition, version 1903 or higher
Professional editions are only supportive for the non-managed devices; Intune or any other 3rd party mobile device management(MDM) solutions are not supportive with WDAG for Professional editions. | |Browser|Microsoft Edge and Internet Explorer| |Management system
(only for managed devices)|[Microsoft Intune](https://docs.microsoft.com/intune/)

**-OR-**

[System Center Configuration Manager](https://docs.microsoft.com/sccm/)

**-OR-**

[Group Policy](https://technet.microsoft.com/library/cc753298(v=ws.11).aspx)

**-OR-**

Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.| From 816a1c8e5f6eec2f02e5ba213a5e039f24508c76 Mon Sep 17 00:00:00 2001 From: KC Cross Date: Wed, 8 May 2019 20:58:21 -0700 Subject: [PATCH 102/149] Trailing slash required for docset --- acrolinx-config.edn | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acrolinx-config.edn b/acrolinx-config.edn index 7f639efb92..b235e443b5 100644 --- a/acrolinx-config.edn +++ b/acrolinx-config.edn @@ -1,3 +1,3 @@ {:allowed-branchname-matches ["master"] - :allowed-filename-matches ["windows"] + :allowed-filename-matches ["windows/"] } From 8debfd65035ef44784a7beaeaf47914fa82b7a5e Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Thu, 9 May 2019 17:06:58 +0500 Subject: [PATCH 103/149] Sentence was confusing The sentence was confusing so I made a correction where now it makes more sense that when MDM policy is configured, it will win over GP. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/3379 --- .../client-management/mdm/policy-csp-controlpolicyconflict.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md index f6626284ef..c51f4ad30a 100644 --- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md +++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md @@ -67,7 +67,7 @@ Added in Windows 10, version 1803. This policy allows the IT admin to control wh > [!Note] > MDMWinsOverGP only applies to policies in Policy CSP. It does not apply to other MDM settings with equivalent GP settings that are defined on other configuration service providers. -This policy is used to ensure that MDM policy wins over GP when same setting is set by both GP and MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1. +This policy is used to ensure that MDM policy wins over GP when policy is configured on MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1. Note: This policy doesn’t support the Delete command and doesn’t support setting the value to 0 again after it was previously set to 1. Windows 10 version 1809 will support using the Delete command to set the value to 0 again, if it was previously set to 1. The following list shows the supported values: From 1da22a72a5fc239e82570c666f4dbcfbd48ceaa2 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 9 May 2019 05:23:38 -0700 Subject: [PATCH 104/149] Update reqs-wd-app-guard.md --- .../windows-defender-application-guard/reqs-wd-app-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md index 741592efe2..25b4ede41d 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md @@ -36,6 +36,6 @@ Your environment needs the following software to run Windows Defender Applicatio |Software|Description| |--------|-----------| -|Operating system|Windows 10 Enterprise edition, version 1709 or higher
Windows 10 Professional edition, version 1803 or higher
Windows 10 Professional for Workstations edition, version 1803 or higher
Windows 10 Professional Education edition version 1803 or higher
Windows 10 Education edition, version 1903 or higher
Professional editions are only supportive for the non-managed devices; Intune or any other 3rd party mobile device management(MDM) solutions are not supportive with WDAG for Professional editions. | +|Operating system|Windows 10 Enterprise edition, version 1709 or higher
Windows 10 Professional edition, version 1803 or higher
Windows 10 Professional for Workstations edition, version 1803 or higher
Windows 10 Professional Education edition version 1803 or higher
Windows 10 Education edition, version 1903 or higher
Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with WDAG for Professional editions. | |Browser|Microsoft Edge and Internet Explorer| |Management system
(only for managed devices)|[Microsoft Intune](https://docs.microsoft.com/intune/)

**-OR-**

[System Center Configuration Manager](https://docs.microsoft.com/sccm/)

**-OR-**

[Group Policy](https://technet.microsoft.com/library/cc753298(v=ws.11).aspx)

**-OR-**

Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.| From c1f385942dab5d5cdad178621bc6a91da1920d02 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Thu, 9 May 2019 17:28:50 +0500 Subject: [PATCH 105/149] Removed random alpha-neumaric value As the user suggested, removed the random value and inserted the guideline to let the user know what to insert here. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/1239 --- .../mdm/federated-authentication-device-enrollment.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/federated-authentication-device-enrollment.md b/windows/client-management/mdm/federated-authentication-device-enrollment.md index 22ee108fb4..6a8c928ee7 100644 --- a/windows/client-management/mdm/federated-authentication-device-enrollment.md +++ b/windows/client-management/mdm/federated-authentication-device-enrollment.md @@ -553,7 +553,7 @@ The following code shows sample provisioning XML (presented in the preceding pac - + @@ -562,7 +562,7 @@ The following code shows sample provisioning XML (presented in the preceding pac - + From 99f5ae268f16739cf7a0a224eab6860068a1b893 Mon Sep 17 00:00:00 2001 From: martyav Date: Thu, 9 May 2019 09:25:20 -0400 Subject: [PATCH 106/149] refining text, linting, CL commands in resources --- ...osoft-defender-atp-mac-install-manually.md | 40 +--- ...ft-defender-atp-mac-install-with-intune.md | 16 +- ...soft-defender-atp-mac-install-with-jamf.md | 197 ++++++++++++------ .../microsoft-defender-atp-mac-resources.md | 32 ++- .../microsoft-defender-atp-mac.md | 6 +- 5 files changed, 177 insertions(+), 114 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md index 27b3a8f924..eecb31f9e4 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md @@ -1,27 +1,27 @@ --- -title: Installing Microsoft Defender ATP for Mac with JAMF -description: Describes how to install Microsoft Defender ATP for Mac, using JAMF. +title: Installing Microsoft Defender ATP for Mac manually +description: Describes how to install Microsoft Defender ATP for Mac manually, from the command line. keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra search.product: eADQiWindows 10XVcnh -search.appverid: #met150 +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.author: v-maave author: martyav -ms.localizationpriority: #medium +ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance -ms.topic: #conceptual +ms.topic: conceptual --- # Manual deployment **Applies to:** -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp.md) >[!IMPORTANT] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. @@ -31,7 +31,7 @@ Microsoft Defender ATP for Mac is not yet widely available, and this topic only ## Prerequisites and system requirements -Before you get started, please see [the main Microsoft Defender ATP for Mac page]((microsoft-defender-atp.md)) for a description of prerequisites and system requirements for the current software version. +Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp.md) for a description of prerequisites and system requirements for the current software version. ## Download installation and onboarding packages @@ -114,32 +114,10 @@ After installation, you'll see the Microsoft Defender icon in the macOS status b ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) -## Configuring from the command line - -Important tasks, such as controlling product settings and triggering on-demand scans, can be done from the command line: - -|Group |Scenario |Command | -|-------------|-------------------------------------------|-----------------------------------------------------------------------| -|Configuration|Turn on/off real-time protection |`mdatp config --rtp [true/false]` | -|Configuration|Turn on/off cloud protection |`mdatp config --cloud [true/false]` | -|Configuration|Turn on/off product diagnostics |`mdatp config --diagnostic [true/false]` | -|Configuration|Turn on/off automatic sample submission |`mdatp config --sample-submission [true/false]` | -|Configuration|Turn on PUA protection |`mdatp threat --type-handling --potentially_unwanted_application block`| -|Configuration|Turn off PUA protection |`mdatp threat --type-handling --potentially_unwanted_application off` | -|Configuration|Turn on audit mode for PUA protection |`mdatp threat --type-handling --potentially_unwanted_application audit`| -|Diagnostics |Change the log level |`mdatp log-level --[error/warning/info/verbose]` | -|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic` | -|Health |Check the product's health |`mdatp --health` | -|Protection |Scan a path |`mdatp scan --path [path]` | -|Protection |Do a quick scan |`mdatp scan --quick` | -|Protection |Do a full scan |`mdatp scan --full` | -|Protection |Cancel an ongoing on-demand scan |`mdatp scan --cancel` | -|Protection |Request a definition update |`mdatp --signature-update` | - ## Logging installation issues -See [Logging installation issues](microsoft-defender-atp-mac-resources#Logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. +See [Logging installation issues](microsoft-defender-atp-mac-resources.md#Logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. ## Uninstallation -See [Uninstalling](microsoft-defender-atp-mac-resources#Uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file +See [Uninstalling](microsoft-defender-atp-mac-resources.md#Uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md index 8af90fded1..bf6854e899 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md @@ -3,25 +3,25 @@ title: Installing Microsoft Defender ATP for Mac with Microsoft Intune description: Describes how to install Microsoft Defender ATP for Mac, using Microsoft Intune. keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra search.product: eADQiWindows 10XVcnh -search.appverid: #met150 +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.author: v-maave author: martyav -ms.localizationpriority: #medium +ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance -ms.topic: #conceptual +ms.topic: conceptual --- # Microsoft Intune-based deployment **Applies to:** -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp.md) >[!IMPORTANT] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. @@ -31,7 +31,7 @@ Microsoft Defender ATP for Mac is not yet widely available, and this topic only ## Prerequisites and system requirements -Before you get started, please see [the main Microsoft Defender ATP for Mac page]((microsoft-defender-atp.md)) for a description of prerequisites and system requirements for the current software version. +Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp.md) for a description of prerequisites and system requirements for the current software version. ## Download installation and onboarding packages @@ -47,7 +47,7 @@ Download the installation and onboarding packages from Windows Defender Security 6. From a command prompt, verify that you have the three files. Extract the contents of the .zip files: - + ```bash mavel-macmini:Downloads test$ ls -l total 721688 @@ -166,8 +166,8 @@ After Intune changes are propagated to the enrolled machines, you'll see it on t ## Logging installation issues -See [Logging installation issues](microsoft-defender-atp-mac-resources#Logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. +See [Logging installation issues](microsoft-defender-atp-mac-resources.md#Logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. ## Uninstallation -See [Uninstalling](microsoft-defender-atp-mac-resources#Uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file +See [Uninstalling](microsoft-defender-atp-mac-resources.md#Uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md index 27b3a8f924..eead3818a7 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md @@ -3,25 +3,25 @@ title: Installing Microsoft Defender ATP for Mac with JAMF description: Describes how to install Microsoft Defender ATP for Mac, using JAMF. keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra search.product: eADQiWindows 10XVcnh -search.appverid: #met150 +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.author: v-maave author: martyav -ms.localizationpriority: #medium +ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance -ms.topic: #conceptual +ms.topic: conceptual --- -# Manual deployment +# JAMF-based deployment **Applies to:** -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp.md) >[!IMPORTANT] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. @@ -31,14 +31,16 @@ Microsoft Defender ATP for Mac is not yet widely available, and this topic only ## Prerequisites and system requirements -Before you get started, please see [the main Microsoft Defender ATP for Mac page]((microsoft-defender-atp.md)) for a description of prerequisites and system requirements for the current software version. +Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp.md) for a description of prerequisites and system requirements for the current software version. + +In addition, for JAMF deployment, you need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes having a properly configured distribution point. JAMF has many ways to complete the same task. These instructions provide an example for most common processes. Your organization might use a different workflow. ## Download installation and onboarding packages Download the installation and onboarding packages from Windows Defender Security Center: 1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. -2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Local script**. +2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. 3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. 4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. @@ -46,100 +48,161 @@ Download the installation and onboarding packages from Windows Defender Security 5. From a command prompt, verify that you have the two files. Extract the contents of the .zip files: - + ```bash - mavel-macmini:Downloads test$ ls -l - total 721152 - -rw-r--r-- 1 test staff 6185 Mar 15 10:45 WindowsDefenderATPOnboardingPackage.zip + mavel-macmini:Downloads test$ ls -l + total 721160 + -rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip Archive: WindowsDefenderATPOnboardingPackage.zip - inflating: WindowsDefenderATPOnboarding.py + warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators + inflating: intune/kext.xml + inflating: intune/WindowsDefenderATPOnboarding.xml + inflating: jamf/WindowsDefenderATPOnboarding.plist + mavel-macmini:Downloads test$ ``` -## Application installation +## Create JAMF Policies -To complete this process, you must have admin privileges on the machine. +You need to create a configuration profile and a policy to start deploying Microsoft Defender ATP for Mac to client machines. -1. Navigate to the downloaded wdav.pkg in Finder and open it. +### Configuration Profile - ![App install screenshot](images/MDATP_28_AppInstall.png) +The configuration profile contains one custom settings payload that includes: -2. Select **Continue**, agree with the License terms, and enter the password when prompted. +- Microsoft Defender ATP for Mac onboarding information +- Approved Kernel Extensions payload to enable the Microsoft kernel driver to run - ![App install screenshot](images/MDATP_29_AppInstallLogin.png) +1. Upload jamf/WindowsDefenderATPOnboarding.plist as the Property List File. - > [!IMPORTANT] - > You will be prompted to allow a driver from Microsoft to be installed (either "System Exception Blocked" or "Installation is on hold" or both. The driver must be allowed to be installed. + >[!NOTE] + > You must use exactly "com.microsoft.wdav.atp" as the Preference Domain. - ![App install screenshot](images/MDATP_30_SystemExtension.png) + ![Configuration profile screenshot](images/MDATP_16_PreferenceDomain.png) -3. Select **Open Security Preferences** or **Open System Preferences > Security & Privacy**. Select **Allow**: +### Approved Kernel Extension - ![Security and privacy window screenshot](images/MDATP_31_SecurityPrivacySettings.png) +To approve the kernel extension: -The installation will proceed. +1. In **Computers > Configuration Profiles** select **Options > Approved Kernel Extensions**. +2. Use **UBF8T346G9** for Team Id. + +![Approved kernel extensions screenshot](images/MDATP_17_approvedKernelExtensions.png) + +#### Configuration Profile's Scope + +Configure the appropriate scope to specify the machines that will receive this configuration profile. + +Open Computers -> Configuration Profiles, select **Scope > Targets**. Select the appropriate Target computers. + +![Configuration profile scope screenshot](images/MDATP_18_ConfigurationProfilesScope.png) + +Save the **Configuration Profile**. + +Use the **Logs** tab to monitor deployment status for each enrolled machine. + +### Package + +1. Create a package in **Settings > Computer Management > Packages**. + + ![Computer management packages screenshot](images/MDATP_19_MicrosoftDefenderWDAVPKG.png) + +2. Upload wdav.pkg to the Distribution Point. +3. In the **filename** field, enter the name of the package. For example, wdav.pkg. + +### Policy + +Your policy should contain a single package for Microsoft Defender. + +![Microsoft Defender packages screenshot](images/MDATP_20_MicrosoftDefenderPackages.png) + +Configure the appropriate scope to specify the computers that will receive this policy. + +After you save the Configuration Profile, you can use the Logs tab to monitor the deployment status for each enrolled machine. + +## Client machine setup + +You need no special provisioning for a macOS computer beyond the standard JAMF Enrollment. > [!NOTE] -> If you don't select **Allow**, the installation will fail after 5 minutes. You can restart it again at any time. +> After a computer is enrolled, it will show up in the Computers inventory (All Computers). -## Client configuration +1. Open the machine details, from **General** tab, and make sure that **User Approved MDM** is set to **Yes**. If it's set to No, the user needs to open **System Preferences > Profiles** and select **Approve** on the MDM Profile. -1. Copy wdav.pkg and WindowsDefenderATPOnboarding.py to the machine where you deploy Microsoft Defender ATP for Mac. +![MDM approve button screenshot](images/MDATP_21_MDMProfile1.png) +![MDM screenshot](images/MDATP_22_MDMProfileApproved.png) - The client machine is not associated with orgId. Note that the orgid is blank. +After some time, the machine's User Approved MDM status will change to Yes. - ```bash - mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py - uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 - orgid : - ``` +![MDM status screenshot](images/MDATP_23_MDMStatus.png) -2. Install the configuration file on a client machine: +You can enroll additional machines now. Optionally, can do it after system configuration and application packages are provisioned. - ```bash - mavel-mojave:wdavconfig testuser$ python WindowsDefenderATPOnboarding.py - Generating /Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist ... (You may be required to enter sudos password) - ``` +## Deployment -3. Verify that the machine is now associated with orgId: +Enrolled client machines periodically poll the JAMF Server and install new configuration profiles and policies as soon as they are detected. - ```bash - mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py - uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 - orgid : E6875323-A6C0-4C60-87AD-114BBE7439B8 - ``` +### Status on server -After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. +You can monitor the deployment status in the Logs tab: - ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) +- **Pending** means that the deployment is scheduled but has not yet happened +- **Completed** means that the deployment succeeded and is no longer scheduled -## Configuring from the command line +![Status on server screenshot](images/MDATP_24_StatusOnServer.png) -Important tasks, such as controlling product settings and triggering on-demand scans, can be done from the command line: +### Status on client machine -|Group |Scenario |Command | -|-------------|-------------------------------------------|-----------------------------------------------------------------------| -|Configuration|Turn on/off real-time protection |`mdatp config --rtp [true/false]` | -|Configuration|Turn on/off cloud protection |`mdatp config --cloud [true/false]` | -|Configuration|Turn on/off product diagnostics |`mdatp config --diagnostic [true/false]` | -|Configuration|Turn on/off automatic sample submission |`mdatp config --sample-submission [true/false]` | -|Configuration|Turn on PUA protection |`mdatp threat --type-handling --potentially_unwanted_application block`| -|Configuration|Turn off PUA protection |`mdatp threat --type-handling --potentially_unwanted_application off` | -|Configuration|Turn on audit mode for PUA protection |`mdatp threat --type-handling --potentially_unwanted_application audit`| -|Diagnostics |Change the log level |`mdatp log-level --[error/warning/info/verbose]` | -|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic` | -|Health |Check the product's health |`mdatp --health` | -|Protection |Scan a path |`mdatp scan --path [path]` | -|Protection |Do a quick scan |`mdatp scan --quick` | -|Protection |Do a full scan |`mdatp scan --full` | -|Protection |Cancel an ongoing on-demand scan |`mdatp scan --cancel` | -|Protection |Request a definition update |`mdatp --signature-update` | +After the Configuration Profile is deployed, you'll see the profile on the machine in the **System Preferences > Profiles >** Name of Configuration Profile. + +![Status on client screenshot](images/MDATP_25_StatusOnClient.png) + +After the policy is applied, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. + +![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) + +You can monitor policy installation on a machine by following the JAMF's log file: + +```bash + mavel-mojave:~ testuser$ tail -f /var/log/jamf.log + Thu Feb 21 11:11:41 mavel-mojave jamf[7960]: No patch policies were found. + Thu Feb 21 11:16:41 mavel-mojave jamf[8051]: Checking for policies triggered by "recurring check-in" for user "testuser"... + Thu Feb 21 11:16:43 mavel-mojave jamf[8051]: Executing Policy WDAV + Thu Feb 21 11:17:02 mavel-mojave jamf[8051]: Installing Microsoft Defender... + Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Successfully installed Microsoft Defender. + Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Checking for patches... + Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: No patch policies were found. +``` + +You can also check the onboarding status: + +```bash + mavel-mojave:~ testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py + uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 + orgid : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 + orgid managed : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 + orgid effective : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 +``` + +- **orgid/orgid managed**: This is the Microsoft Defender ATP org id specified in the configuration profile. If this value is blank, then the Configuration Profile was not properly set. + +- **orgid effective**: This is the Microsoft Defender ATP org id currently in use. If it does not match the value in the Configuration Profile, then the configuration has not been refreshed. + +## Check onboarding status + +You can check that machines are correctly onboarded by creating a script. For example, the following script checks that enrolled machines are onboarded: + +```bash + sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | grep -E 'orgid effective : [-a-zA-Z0-9]+' +``` + +This script returns 0 if Microsoft Defender ATP is registered with the Windows Defender ATP service, and another exit code if it is not installed or registered. ## Logging installation issues -See [Logging installation issues](microsoft-defender-atp-mac-resources#Logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. +See [Logging installation issues](microsoft-defender-atp-mac-resources.md#Logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. ## Uninstallation -See [Uninstalling](microsoft-defender-atp-mac-resources#Uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file +See [Uninstalling](microsoft-defender-atp-mac-resources.md#Uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md index 09a4dcceae..c7d8d338eb 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md @@ -1,27 +1,27 @@ --- title: Microsoft Defender ATP for Mac Resources -description: Describes resources for Microsoft Defender ATP for Mac, including how to uninstall it, how to collect diagnostic logs, and known issues with the product. +description: Describes resources for Microsoft Defender ATP for Mac, including how to uninstall it, how to collect diagnostic logs, CLI commands, and known issues with the product. keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra search.product: eADQiWindows 10XVcnh -search.appverid: #met150 +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.author: v-maave author: martyav -ms.localizationpriority: #medium +ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance -ms.topic: #conceptual +ms.topic: conceptual --- # Resources **Applies to:** -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp.md) >[!IMPORTANT] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. @@ -109,6 +109,28 @@ If you are running JAMF, your policy should contain a single script: Configure the appropriate scope in the **Scope** tab to specify the machines that will receive this policy. +## Configuring from the command line + +Important tasks, such as controlling product settings and triggering on-demand scans, can be done from the command line: + +|Group |Scenario |Command | +|-------------|-------------------------------------------|-----------------------------------------------------------------------| +|Configuration|Turn on/off real-time protection |`mdatp config --rtp [true/false]` | +|Configuration|Turn on/off cloud protection |`mdatp config --cloud [true/false]` | +|Configuration|Turn on/off product diagnostics |`mdatp config --diagnostic [true/false]` | +|Configuration|Turn on/off automatic sample submission |`mdatp config --sample-submission [true/false]` | +|Configuration|Turn on PUA protection |`mdatp threat --type-handling --potentially_unwanted_application block`| +|Configuration|Turn off PUA protection |`mdatp threat --type-handling --potentially_unwanted_application off` | +|Configuration|Turn on audit mode for PUA protection |`mdatp threat --type-handling --potentially_unwanted_application audit`| +|Diagnostics |Change the log level |`mdatp log-level --[error/warning/info/verbose]` | +|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic` | +|Health |Check the product's health |`mdatp --health` | +|Protection |Scan a path |`mdatp scan --path [path]` | +|Protection |Do a quick scan |`mdatp scan --quick` | +|Protection |Do a full scan |`mdatp scan --full` | +|Protection |Cancel an ongoing on-demand scan |`mdatp scan --cancel` | +|Protection |Request a definition update |`mdatp --signature-update` | + ## What to expect in the ATP portal - AV alerts: diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index af6205c2ca..416840ac2d 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -44,9 +44,9 @@ In general you'll need to take the following steps: - Ensure you have a Windows Defender ATP subscription and have access to the Windows Defender ATP Portal - Deploy Microsoft Defender ATP for Mac using one of the following deployment methods: - - [Microsoft Intune-based deployment](microsoft-defender-atp-mac-install-with-intune) - - [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf) - - [Manual deployment](microsoft-defender-atp-mac-install-manually) + - [Microsoft Intune-based deployment](microsoft-defender-atp-mac-install-with-intune.md) + - [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf.md) + - [Manual deployment](microsoft-defender-atp-mac-install-manually.md) ### Prerequisites From a72734f71581f2d89be4ddbb7402cab473bd085b Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Thu, 9 May 2019 18:59:26 +0500 Subject: [PATCH 107/149] update win32-and-centennial-app-policy-configuration.md --- .../mdm/win32-and-centennial-app-policy-configuration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md b/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md index d69549935e..9ead93e55b 100644 --- a/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md +++ b/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md @@ -51,7 +51,7 @@ When the ADMX policies are imported, the registry keys to which each policy is w > Some operating system components have built in functionality to check devices for domain membership. MDM enforces the configured policy values only if the devices are domain joined, otherwise it does not. However, you can still import ADMX files and set ADMX-backed policies regardless of whether the device is domain joined or non-domain joined. > [!NOTE] -> Settings, that cannot be configured using custom policy ingestion, have to be set by pushing the appropriate registry keys directly (for example, by using PowerShell script). +> Settings that cannot be configured using custom policy ingestion have to be set by pushing the appropriate registry keys directly (for example, by using PowerShell script). ## Ingesting an app ADMX file From b5c59e32bc4ac40a650f4c440abdb63dc26301fd Mon Sep 17 00:00:00 2001 From: martyav Date: Thu, 9 May 2019 09:59:38 -0400 Subject: [PATCH 108/149] typos in links --- .../microsoft-defender-atp-mac-install-manually.md | 8 ++++---- .../microsoft-defender-atp-mac-install-with-intune.md | 8 ++++---- .../microsoft-defender-atp-mac-install-with-jamf.md | 8 ++++---- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md index eecb31f9e4..1df8b31e64 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md @@ -21,7 +21,7 @@ ms.topic: conceptual **Applies to:** -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp.md) +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp-mac.md) >[!IMPORTANT] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. @@ -31,7 +31,7 @@ Microsoft Defender ATP for Mac is not yet widely available, and this topic only ## Prerequisites and system requirements -Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp.md) for a description of prerequisites and system requirements for the current software version. +Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version. ## Download installation and onboarding packages @@ -116,8 +116,8 @@ After installation, you'll see the Microsoft Defender icon in the macOS status b ## Logging installation issues -See [Logging installation issues](microsoft-defender-atp-mac-resources.md#Logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. +See [Logging installation issues](microsoft-defender-atp-mac-resources.md#logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. ## Uninstallation -See [Uninstalling](microsoft-defender-atp-mac-resources.md#Uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file +See [Uninstalling](microsoft-defender-atp-mac-resources.md#uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md index bf6854e899..54e0829561 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md @@ -21,7 +21,7 @@ ms.topic: conceptual **Applies to:** -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp.md) +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp-mac.md) >[!IMPORTANT] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. @@ -31,7 +31,7 @@ Microsoft Defender ATP for Mac is not yet widely available, and this topic only ## Prerequisites and system requirements -Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp.md) for a description of prerequisites and system requirements for the current software version. +Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version. ## Download installation and onboarding packages @@ -166,8 +166,8 @@ After Intune changes are propagated to the enrolled machines, you'll see it on t ## Logging installation issues -See [Logging installation issues](microsoft-defender-atp-mac-resources.md#Logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. +See [Logging installation issues](microsoft-defender-atp-mac-resources.md#logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. ## Uninstallation -See [Uninstalling](microsoft-defender-atp-mac-resources.md#Uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file +See [Uninstalling](microsoft-defender-atp-mac-resources.md#uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md index eead3818a7..3e4122d3a0 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md @@ -21,7 +21,7 @@ ms.topic: conceptual **Applies to:** -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp.md) +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp-mac.md) >[!IMPORTANT] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. @@ -31,7 +31,7 @@ Microsoft Defender ATP for Mac is not yet widely available, and this topic only ## Prerequisites and system requirements -Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp.md) for a description of prerequisites and system requirements for the current software version. +Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version. In addition, for JAMF deployment, you need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes having a properly configured distribution point. JAMF has many ways to complete the same task. These instructions provide an example for most common processes. Your organization might use a different workflow. @@ -201,8 +201,8 @@ This script returns 0 if Microsoft Defender ATP is registered with the Windows D ## Logging installation issues -See [Logging installation issues](microsoft-defender-atp-mac-resources.md#Logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. +See [Logging installation issues](microsoft-defender-atp-mac-resources.md#logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. ## Uninstallation -See [Uninstalling](microsoft-defender-atp-mac-resources.md#Uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file +See [Uninstalling](microsoft-defender-atp-mac-resources.md#uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file From 34e77a00035ef4617f6ffee4798cf68c5f311d24 Mon Sep 17 00:00:00 2001 From: martyav Date: Thu, 9 May 2019 11:59:32 -0400 Subject: [PATCH 109/149] corrected list of settings, updated note on E5 --- ...ecurity-settings-with-tamper-protection.md | 32 +++++++++---------- 1 file changed, 15 insertions(+), 17 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md index 930eb2406a..16fceaea85 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md +++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md @@ -20,35 +20,33 @@ ms.author: v-anbic - Windows 10 Tamper protection helps prevent malicious apps from changing important security settings. These settings include: - + - Real-time protection - Cloud-delivered protection - IOfficeAntivirus (IOAV) - Behavior monitoring -- Scheduled scans -- Policy override settings - +- Removing security intelligence updates + With tamper protection set to **On**, you can still change these settings in the Windows Security app. The following apps and methods can't change these settings: - + - Mobile device management (MDM) apps like Intune - Enterprise configuration management apps like System Center Configuration Manager (SCCM) - Command line instruction MpCmdRun.exe -removedefinitions -dynamicsignatures - Windows System Image Manager (Windows SIM) settings DisableAntiSpyware and DisableAntiMalware (used in Windows unattended setup) - Group Policy - Other Windows Management Instrumentation (WMI) apps - + The tamper protection setting doesn't affect how third party antivirus apps register with the Windows Security app. - + On computers running Windows 10 Enterprise E5, users can't change the tamper protection setting. - + Tamper protection is On by default. If you set tamper protection to **Off**, you will see a yellow warning in the Windows Security app under **Virus & threat protection**. - -##Configure tamper protection - -1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. -2. Select **Virus & threat protection**, then select **Virus & threat protection settings**. -3. Set **Tamper Protection** to **On** or **Off**. - + +## Configure tamper protection + +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +2. Select **Virus & threat protection**, then select **Virus & threat protection settings**. +3. Set **Tamper Protection** to **On** or **Off**. + >[!NOTE] ->If your computer is running Windows 10 Enterprise E5, you can't change the tamper protection setting. - +>If your computer is running Windows 10 Enterprise E5, you can't change the tamper protection settings from within Windows Security App. \ No newline at end of file From 7c9ffa815bda413ae78dbe8839a96c00e0cea23f Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Thu, 9 May 2019 10:09:13 -0700 Subject: [PATCH 110/149] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...perating-system-components-to-microsoft-services.md | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 923bfedcb3..9b76bb4c29 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -194,7 +194,7 @@ See the following table for a summary of the management settings for Windows Ser See the following table for a summary of the management settings for Windows Server 2016 Server Core. | Setting | Group Policy | Registry | Command line | -| - | :-: | :-: | :-: | :-: | :-: | +| - | :-: | :-: | :-: | | [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [6. Font streaming](#font-streaming) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | @@ -209,7 +209,7 @@ See the following table for a summary of the management settings for Windows Ser See the following table for a summary of the management settings for Windows Server 2016 Nano Server. | Setting | Registry | Command line | -| - | :-: | :-: | :-: | :-: | :-: | +| - | :-: | :-: | | [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | ![Check mark](images/checkmark.png) | | | [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | | | [22. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | @@ -634,6 +634,8 @@ To disable the Microsoft Account Sign-In Assistant: - Apply the Accounts/AllowMicrosoftAccountSignInAssistant MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on. + -or- + - Change the **Start** REG_DWORD registry setting in **HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\wlidsvc** to a value of **4**. @@ -1857,10 +1859,6 @@ You can disconnect from the Microsoft Antimalware Protection Service. - Use the registry to set the REG_DWORD value **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SpyNetReporting** to **0 (zero)**. - -and- - -- Delete the registry setting **named** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Updates**. - -OR- - For Windows 10 only, apply the Defender/AllowClouldProtection MDM policy from the [Defender CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). From b1c2f37f09e2717000d94b5995359a47b1745293 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Thu, 9 May 2019 10:25:14 -0700 Subject: [PATCH 111/149] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...-system-components-to-microsoft-services.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 9b76bb4c29..58d06760a9 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -508,11 +508,11 @@ To turn off Insider Preview builds for Windows 10: | Registry Key | Registry path | |------------------------------------------------------|-----------------------------------------------------------------------------------------------------| -| Turn on Suggested Sites| HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Suggested Sites
REG_DWORD: Enabled
**Set Value to: 0**| -| Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer
REG_DWORD: AllowServicePoweredQSA
**Set Value to: 0**| -| Turn off the auto-complete feature for web addresses | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\CurrentVersion\\Explorer\\AutoComplete
REG_SZ: AutoSuggest
Set Value to: **no** | -| Turn off browser geolocation | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Geolocation
REG_DWORD: PolicyDisableGeolocation
**Set Value to: 1** | -| Prevent managing SmartScreen filter | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\PhishingFilter
REG_DWORD: EnabledV9
**Set Value to: 0** | +| Turn on Suggested Sites| HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Suggested Sites
REG_DWORD: Enabled
**Set Value to: 0**| +| Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer
REG_DWORD: AllowServicePoweredQSA
**Set Value to: 0**| +| Turn off the auto-complete feature for web addresses |HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\CurrentVersion\\Explorer\\AutoComplete
REG_SZ: AutoSuggest
Set Value to: **no** | +| Turn off browser geolocation | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Geolocation
REG_DWORD: PolicyDisableGeolocation
**Set Value to: 1** | +| Prevent managing SmartScreen filter | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\PhishingFilter
REG_DWORD: EnabledV9
**Set Value to: 0** | There are more Group Policy objects that are used by Internet Explorer: @@ -527,10 +527,10 @@ You can also use Registry keys to set these policies. | Registry Key | Registry path | |------------------------------------------------------|-----------------------------------------------------------------------------------------------------| -| Choose whether employees can configure Compatibility View. | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\BrowserEmulation
REG_DWORD: DisableSiteListEditing
**Set Value to 1**| -| Turn off the flip ahead with page prediction feature | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\FlipAhead
REG_DWORD: Enabled
**Set Value to 0**| -| Turn off background synchronization for feeds and Web Slices | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Feeds
REG_DWORD: BackgroundSyncStatus
**Set Value to 0**| -| Allow Online Tips | HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer
REG_DWORD: AllowOnlineTips
**Set Value to 0 (zero)**| +| Choose whether employees can configure Compatibility View. | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\BrowserEmulation
REG_DWORD: DisableSiteListEditing
**Set Value to 1**| +| Turn off the flip ahead with page prediction feature | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\FlipAhead
REG_DWORD: Enabled
**Set Value to 0**| +| Turn off background synchronization for feeds and Web Slices | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Feeds
REG_DWORD: BackgroundSyncStatus
**Set Value to 0**| +| Allow Online Tips | HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer
REG_DWORD: AllowOnlineTips
**Set Value to 0**| To turn off the home page, **Enable** the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Disable changing home page settings**, and set it to **about:blank**. From 99097ab1dc0ff506314811efce4107d2e9d7d74e Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Thu, 9 May 2019 11:38:39 -0700 Subject: [PATCH 112/149] Delete manage-windows-1903-endpoints.md --- .../privacy/manage-windows-1903-endpoints.md | 170 ------------------ 1 file changed, 170 deletions(-) delete mode 100644 windows/privacy/manage-windows-1903-endpoints.md diff --git a/windows/privacy/manage-windows-1903-endpoints.md b/windows/privacy/manage-windows-1903-endpoints.md deleted file mode 100644 index f73b24241a..0000000000 --- a/windows/privacy/manage-windows-1903-endpoints.md +++ /dev/null @@ -1,170 +0,0 @@ ---- -title: Connection endpoints for Windows 10, version 1903 -description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. -keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.localizationpriority: high -audience: ITPro -author: danihalfin -ms.author: v-medgar -manager: sanashar -ms.collection: M365-security-compliance -ms.topic: article -ms.date: 5/3/2019 ---- -# Manage connection endpoints for Windows 10, version 1903 - -**Applies to** - -- Windows 10, version 1903 - -Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include: - -- Connecting to Microsoft Office and Windows sites to download the latest app and security updates. -- Connecting to email servers to send and receive email. -- Connecting to the web for every day web browsing. -- Connecting to the cloud to store and access backups. -- Using your location to show a weather forecast. - -This article lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later. -Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). -Where applicable, each endpoint covered in this topic includes a link to specific details about how to control traffic to it. - -We used the following methodology to derive these network endpoints: - -1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. -2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). -3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. -4. Compile reports on traffic going to public IP addresses. -5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. -6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here. - -> [!NOTE] -> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. - -## Windows 10 1903 Enterprise connection endpoints - -|Area|Description|Protocol|Destination| -|----------------|----------|----------|------------| -|Apps|The following endpoints are used to download updates to the Weather app Live Tile. If you turn off traffic to this endpoint, no Live Tiles will be updated.|HTTP|blob.weather.microsoft.com| -|||HTTP|tile-service.weather.microsoft.com -||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|cdn.onenote.net/livetile/?Language=en-US -||The following endpoint is used for Twitter updates. To turn off traffic for these endpoints, either uninstall Twitter or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|*.twimg.com*| -||The following endpoint is used for Candy Crush Saga updates. To turn off traffic for this endpoint, either uninstall Candy Crush Saga or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLS v1.2|candycrushsoda.king.com| -||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|evoke-windowsservices-tas.msedge.net| -||The following endpoint is used for by the Microsoft Wallet app. To turn off traffic for this endpoint, either uninstall the Wallet app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|wallet.microsoft.com| -||The following endpoint is used by the Groove Music app for update HTTP handler status. If you turn off traffic for this endpoint, apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and won't be able to directly launch the app.|HTTPS|mediaredirect.microsoft.com| -||The following endpoints are used when using the Whiteboard app. To turn off traffic for this endpoint disable the Microsoft Store.|HTTPS|int.whiteboard.microsoft.com| -|||HTTPS|wbd.ms| -|||HTTPS|whiteboard.microsoft.com| -|||HTTP / HTTPS|whiteboard.ms| -|Azure |The following endpoints are related to Azure. |HTTPS|wd-prod-*fe*.cloudapp.azure.com| -|||HTTPS|ris-prod-atm.trafficmanager.net| -|||HTTPS|validation-v2.sls.trafficmanager.net| -|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible turn off traffic to this endpoint, but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.|HTTP|ctldl.windowsupdate.com| -|Cortana and Search|The following endpoint is used to get images that are used for Microsoft Store suggestions. If you turn off traffic for this endpoint, you will block images that are used for Microsoft Store suggestions. |HTTPS|store-images.*microsoft.com| -||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|HTTPS|www.bing.com/client| -|||HTTPS|www.bing.com| -|||HTTPS|www.bing.com/proactive| -|||HTTPS|www.bing.com/threshold/xls.aspx| -|||HTTP|exo-ring.msedge.net| -|||HTTP|fp.msedge.net| -|||HTTP|fp-vp.azureedge.net| -|||HTTP|odinvzc.azureedge.net| -|||HTTP|spo-ring.msedge.net| -|Device authentication| -||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device will not be authenticated.|HTTPS|login.live.com*| -||The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.|HTTP|dmd.metaservices.microsoft.com| -|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.|HTTP|v10.events.data.microsoft.com| -|||HTTPS|v10.vortex-win.data.microsoft.com/collect/v1| -|||HTTP|www.microsoft.com| -||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.|HTTPS|co4.telecommand.telemetry.microsoft.com| -|||HTTP|cs11.wpc.v0cdn.net| -|||HTTPS|cs1137.wpc.gammacdn.net| -|||TLS v1.2|modern.watson.data.microsoft.com*| -|||HTTPS|watson.telemetry.microsoft.com| -|Licensing|The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.|HTTPS|*licensing.mp.microsoft.com*| -|Location|The following endpoints are used for location data. If you turn off traffic for this endpoint, apps cannot use location data.|HTTPS|inference.location.live.net| -|||HTTP|location-inference-westus.cloudapp.net| -|Maps|The following endpoints are used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps will not be updated.|HTTPS|*g.akamaiedge.net| -|||HTTP|*maps.windows.com*| -|Microsoft Account|The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. |HTTP|login.msa.akadns6.net| -|||HTTP|us.configsvc1.live.com.akadns.net| -|Microsoft Edge|This traffic is related to the Microsoft Edge browser.|HTTPS|iecvlist.microsoft.com| -|Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTPS|go.microsoft.com| -|Microsoft Store|The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|HTTPS|*.wns.windows.com| -||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTP|storecatalogrevocation.storequality.microsoft.com| -||The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com*|HTTPS|store-images.microsoft.com| -||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|TLS v1.2|*.md.mp.microsoft.com*| -|||HTTPS|*displaycatalog.mp.microsoft.com| -|||HTTP \ HTTPS|pti.store.microsoft.com| -|||HTTP|storeedgefd.dsx.mp.microsoft.com| -|||HTTP|markets.books.microsoft.com| -|||HTTP |share.microsoft.com| -|Network Connection Status Indicator (NCSI)| -||Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. If you turn off traffic for this endpoint, NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.|HTTP|www.msftconnecttest.com*| -Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.|HTTP|*.c-msedge.net| -|||HTTPS|*.e-msedge.net| -|||HTTPS|*.s-msedge.net| -|||HTTPS|nexusrules.officeapps.live.com| -|||HTTPS|ocos-office365-s2s.msedge.net| -|||HTTPS|officeclient.microsoft.com| -|||HTTPS|outlook.office365.com| -|||HTTPS|client-office365-tas.msedge.net| -|||HTTPS|www.office.com| -|||HTTPS|onecollector.cloudapp.aria| -|||HTTP|v10.events.data.microsoft.com/onecollector/1.0/| -|||HTTPS|self.events.data.microsoft.com| -||The following endpoint is used to connect the Office To-Do app to its cloud service. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store.|HTTPS|to-do.microsoft.com -|OneDrive|The following endpoints are related to OneDrive. If you turn off traffic for these endpoints, anything that relies on g.live.com to get updated URL information will no longer work.|HTTP \ HTTPS|g.live.com/1rewlive5skydrive/*| -|||HTTP|msagfx.live.com| -|||HTTPS|oneclient.sfx.ms| -|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this endpoint may stop working.|HTTPS|cy2.settings.data.microsoft.com.akadns.net| -|||HTTPS|settings.data.microsoft.com| -|||HTTPS|settings-win.data.microsoft.com| -|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|browser.pipe.aria.microsoft.com| -|||HTTP|config.edge.skype.com| -|||HTTP|s2s.config.skype.com| -|||HTTPS|skypeecs-prod-usw-0-b.cloudapp.net| -|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device will not use Cloud-based Protection.|HTTPS|wdcp.microsoft.com| -|||HTTPS|definitionupdates.microsoft.com| -|||HTTPS|go.microsoft.com| -||The following endpoints are used for Windows Defender Smartscreen reporting and notifications. If you turn off traffic for these endpoints, Smartscreen notifications will not appear.|HTTPS|*smartscreen.microsoft.com| -|||HTTPS|smartscreen-sn3p.smartscreen.microsoft.com| -|||HTTPS|unitedstates.smartscreen-prod.microsoft.com| -|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see Windows Spotlight.|TLS v1.2|*.search.msn.com| -|||HTTPS|arc.msn.com| -|||HTTPS|g.msn.com*| -|||HTTPS|query.prod.cms.rt.microsoft.com| -|||HTTPS|ris.api.iris.microsoft.com| -|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.|HTTPS|*.prod.do.dsp.mp.microsoft.com| -|||HTTP|cs9.wac.phicdn.net| -|||HTTP|emdl.ws.microsoft.com| -||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|HTTP|*.dl.delivery.mp.microsoft.com| -|||HTTP|*.windowsupdate.com*| -||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store.|HTTPS|*.delivery.mp.microsoft.com| -|||HTTPS|*.update.microsoft.com| -||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly.|HTTPS|tsfe.trafficshaping.dsp.mp.microsoft.com| - - -## Other Windows 10 editions - -To view endpoints for other versions of Windows 10 Enterprise, see: -- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) -- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md) -- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) - -To view endpoints for non-Enterprise Windows 10 editions, see: -- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md) -- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) -- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) - - -## Related links - -- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US) -- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/intune/get-started/network-infrastructure-requirements-for-microsoft-intune) - - From 89813ad60b70028b7888dde35b9011e4bdda5b49 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Thu, 9 May 2019 11:56:31 -0700 Subject: [PATCH 113/149] Delete windows-endpoints-1903-non-enterprise-editions.md --- ...-endpoints-1903-non-enterprise-editions.md | 271 ------------------ 1 file changed, 271 deletions(-) delete mode 100644 windows/privacy/windows-endpoints-1903-non-enterprise-editions.md diff --git a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md deleted file mode 100644 index 44fadd939e..0000000000 --- a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md +++ /dev/null @@ -1,271 +0,0 @@ ---- -title: Windows 10, version 1809, connection endpoints for non-Enterprise editions -description: Explains what Windows 10 endpoints are used in non-Enterprise editions. -keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.localizationpriority: high -audience: ITPro -author: danihalfin -ms.author: daniha -manager: dansimp -ms.collection: M365-security-compliance -ms.topic: article -ms.date: 6/26/2018 ---- -# Windows 10, version 1809, connection endpoints for non-Enterprise editions - - **Applies to** - -- Windows 10 Home, version 1809 -- Windows 10 Professional, version 1809 -- Windows 10 Education, version 1809 - -In addition to the endpoints listed for [Windows 10 Enterprise](manage-windows-1809-endpoints.md), the following endpoints are available on other editions of Windows 10, version 1809. - -We used the following methodology to derive these network endpoints: - -1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. -2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). -3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. -4. Compile reports on traffic going to public IP addresses. -5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. -6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here. - -> [!NOTE] -> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. - -## Windows 10 Family - -| **Destination** | **Protocol** | **Description** | -| --- | --- | --- | -|\*.aria.microsoft.com*|HTTPS|Microsoft Office Telemetry -|\*.b.akamai*.net|HTTPS|Used to check for updates to Maps that have been downloaded for offline use -|\*.c-msedge.net|HTTP|Microsoft Office -|\*.dl.delivery.mp.microsoft.com*|HTTP|Enables connections to Windows Update -|\*.download.windowsupdate.com*|HTTP|Used to download operating system patches and updates -|\*.g.akamai*.net|HTTPS|Used to check for updates to Maps that have been downloaded for offline use -|\*.login.msa.*.net|HTTPS|Microsoft Account related -|\*.msn.com*|TLSv1.2/HTTPS|Windows Spotlight -|\*.skype.com|HTTP/HTTPS|Skype -|\*.smartscreen.microsoft.com*|HTTPS|Windows Defender Smartscreen -|\*.telecommand.telemetry.microsoft.com*|HTTPS|Used by Windows Error Reporting -|*cdn.onenote.net*|HTTP|OneNote -|*displaycatalog.*mp.microsoft.com*|HTTPS|Used to communicate with Microsoft Store -|*emdl.ws.microsoft.com*|HTTP|Windows Update -|*geo-prod.do.dsp.mp.microsoft.com*|TLSv1.2/HTTPS|Enables connections to Windows Update -|*hwcdn.net*|HTTP|Highwinds Content Delivery Network / Windows updates -|*img-prod-cms-rt-microsoft-com*|HTTPS|Microsoft Store or Inbox MSN Apps image download -|*licensing.*mp.microsoft.com*|HTTPS|Licensing -|*maps.windows.com*|HTTPS|Related to Maps application -|*msedge.net*|HTTPS|Used by Microsoft OfficeHub to get the metadata of Microsoft Office apps -|*nexusrules.officeapps.live.com*|HTTPS|Microsoft Office Telemetry -|*photos.microsoft.com*|HTTPS|Photos App -|*prod.do.dsp.mp.microsoft.com*|TLSv1.2/HTTPS|Used for Windows Update downloads of apps and OS updates -|*purchase.md.mp.microsoft.com.akadns.net|HTTPS|Used to communicate with Microsoft Store -|*settings.data.microsoft.com.akadns.net|HTTPS|Used for Windows apps to dynamically update their configuration -|*wac.phicdn.net*|HTTP|Windows Update -|*windowsupdate.com*|HTTP|Windows Update -|*wns.*windows.com*|TLSv1.2/HTTPS|Used for the Windows Push Notification Services (WNS) -|*wpc.v0cdn.net*|HTTP|Windows Telemetry -|arc.msn.com|HTTPS|Spotlight -|auth.gfx.ms*|HTTPS|MSA related -|cdn.onenote.net|HTTPS|OneNote Live Tile -|dmd.metaservices.microsoft.com*|HTTP|Device Authentication -|e-0009.e-msedge.net|HTTPS|Microsoft Office -|e10198.b.akamaiedge.net|HTTPS|Maps application -|evoke-windowsservices-tas.msedge*|HTTPS|Photos app -|fe2.update.microsoft.com*|TLSv1.2/HTTPS|Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store -|fe3.*.mp.microsoft.com.*|TLSv1.2/HTTPS|Windows Update, Microsoft Update, and Microsoft Store services -|g.live.com*|HTTPS|OneDrive -|go.microsoft.com|HTTP|Windows Defender -|iriscoremetadataprod.blob.core.windows.net|HTTPS|Windows Telemetry -|login.live.com|HTTPS|Device Authentication -|msagfx.live.com|HTTP|OneDrive -|ocsp.digicert.com*|HTTP|CRL and OCSP checks to the issuing certificate authorities -|officeclient.microsoft.com|HTTPS|Microsoft Office -|oneclient.sfx.ms*|HTTPS|Used by OneDrive for Business to download and verify app updates -|onecollector.cloudapp.aria.akadns.net|HTTPS|Microsoft Office -|ow1.res.office365.com|HTTP|Microsoft Office -|pti.store.microsoft.com|HTTPS|Microsoft Store -|purchase.mp.microsoft.com*|HTTPS|Used to communicate with Microsoft Store -|query.prod.cms.rt.microsoft.com*|HTTPS|Used to retrieve Windows Spotlight metadata -|ris.api.iris.microsoft.com*|TLSv1.2/HTTPS|Used to retrieve Windows Spotlight metadata -|ris-prod-atm.trafficmanager.net|HTTPS|Azure traffic manager -|s-0001.s-msedge.net|HTTPS|Microsoft Office -|self.events.data.microsoft.com|HTTPS|Microsoft Office -|settings.data.microsoft.com*|HTTPS|Used for Windows apps to dynamically update their configuration -|settings-win.data.microsoft.com*|HTTPS|Used for Windows apps to dynamically update their configuration -|share.microsoft.com|HTTPS|Microsoft Store -|skypeecs-prod-usw-0.cloudapp.net|HTTPS|Microsoft Store -|sls.update.microsoft.com*|TLSv1.2/HTTPS|Enables connections to Windows Update -|slscr.update.microsoft.com*|HTTPS|Enables connections to Windows Update -|store*.dsx.mp.microsoft.com*|HTTPS|Used to communicate with Microsoft Store -|storecatalogrevocation.storequality.microsoft.com|HTTPS|Microsoft Store -|storecatalogrevocation.storequality.microsoft.com*|HTTPS|Used to revoke licenses for malicious apps on the Microsoft Store -|store-images.*microsoft.com*|HTTP|Used to get images that are used for Microsoft Store suggestions -|storesdk.dsx.mp.microsoft.com|HTTP|Microsoft Store -|tile-service.weather.microsoft.com*|HTTP|Used to download updates to the Weather app Live Tile -|time.windows.com|HTTP|Microsoft Windows Time related -|tsfe.trafficshaping.dsp.mp.microsoft.com*|TLSv1.2/HTTPS|Used for content regulation -|v10.events.data.microsoft.com|HTTPS|Diagnostic Data -|watson.telemetry.microsoft.com|HTTPS|Diagnostic Data -|wdcp.microsoft.*|TLSv1.2, HTTPS|Used for Windows Defender when Cloud-based Protection is enabled -|wd-prod-cp-us-west-1-fe.westus.cloudapp.azure.com|HTTPS|Windows Defender -|wusofficehome.msocdn.com|HTTPS|Microsoft Office -|www.bing.com*|HTTP|Used for updates for Cortana, apps, and Live Tiles -|www.msftconnecttest.com|HTTP|Network Connection (NCSI) -|www.office.com|HTTPS|Microsoft Office - - -## Windows 10 Pro - -| **Destination** | **Protocol** | **Description** | -| --- | --- | --- | -|\*.cloudapp.azure.com|HTTPS|Azure -|\*.delivery.dsp.mp.microsoft.com.nsatc.net|HTTPS|Windows Update, Microsoft Update, and Microsoft Store services -|\*.displaycatalog.md.mp.microsoft.com.akadns.net|HTTPS|Microsoft Store -|\*.dl.delivery.mp.microsoft.com*|HTTP|Enables connections to Windows Update -|\*.e-msedge.net|HTTPS|Used by OfficeHub to get the metadata of Office apps -|\*.g.akamaiedge.net|HTTPS|Used to check for updates to maps that have been downloaded for offline use -|\*.s-msedge.net|HTTPS|Used by OfficeHub to get the metadata of Office apps -|\*.windowsupdate.com*|HTTP|Enables connections to Windows Update -|\*.wns.notify.windows.com.akadns.net|HTTPS|Used for the Windows Push Notification Services (WNS) -|\*dsp.mp.microsoft.com.nsatc.net|HTTPS|Enables connections to Windows Update -|\*c-msedge.net|HTTP|Office -|a1158.g.akamai.net|HTTP|Maps application -|arc.msn.com*|HTTP / HTTPS|Used to retrieve Windows Spotlight metadata -|blob.mwh01prdstr06a.store.core.windows.net|HTTPS|Microsoft Store -|browser.pipe.aria.microsoft.com|HTTPS|Microsoft Office -|bubblewitch3mobile.king.com|HTTPS|Bubble Witch application -|candycrush.king.com|HTTPS|Candy Crush application -|cdn.onenote.net|HTTP|Microsoft OneNote -|cds.p9u4n2q3.hwcdn.net|HTTP|Highwinds Content Delivery Network traffic for Windows updates -|client.wns.windows.com|HTTPS|Winddows Notification System -|co4.telecommand.telemetry.microsoft.com.akadns.net|HTTPS|Windows Error Reporting -|config.edge.skype.com|HTTPS|Microsoft Skype -|cs11.wpc.v0cdn.net|HTTP|Windows Telemetry -|cs9.wac.phicdn.net|HTTP|Windows Update -|cy2.licensing.md.mp.microsoft.com.akadns.net|HTTPS|Used to communicate with Microsoft Store -|cy2.purchase.md.mp.microsoft.com.akadns.net|HTTPS|Used to communicate with Microsoft Store -|cy2.settings.data.microsoft.com.akadns.net|HTTPS|Used to communicate with Microsoft Store -|dmd.metaservices.microsoft.com.akadns.net|HTTP|Device Authentication -|e-0009.e-msedge.net|HTTPS|Microsoft Office -|e10198.b.akamaiedge.net|HTTPS|Maps application -|fe3.update.microsoft.com|HTTPS|Windows Update -|g.live.com|HTTPS|Microsoft OneDrive -|g.msn.com.nsatc.net|HTTPS|Used to retrieve Windows Spotlight metadata -|geo-prod.do.dsp.mp.microsoft.com|HTTPS|Windows Update -|go.microsoft.com|HTTP|Windows Defender -|iecvlist.microsoft.com|HTTPS|Microsoft Edge -|img-prod-cms-rt-microsoft-com.akamaized.net|HTTP / HTTPS|Microsoft Store -|ipv4.login.msa.akadns6.net|HTTPS|Used for Microsoft accounts to sign in -|licensing.mp.microsoft.com|HTTP|Licensing -|location-inference-westus.cloudapp.net|HTTPS|Used for location data -|login.live.com|HTTP|Device Authentication -|maps.windows.com|HTTP|Maps application -|modern.watson.data.microsoft.com.akadns.net|HTTPS|Used by Windows Error Reporting -|msagfx.live.com|HTTP|OneDrive -|nav.smartscreen.microsoft.com|HTTPS|Windows Defender -|ocsp.digicert.com*|HTTP|CRL and OCSP checks to the issuing certificate authorities -|oneclient.sfx.ms|HTTP|OneDrive -|pti.store.microsoft.com|HTTPS|Microsoft Store -|ris.api.iris.microsoft.com.akadns.net|HTTPS|Used to retrieve Windows Spotlight metadata -|ris-prod-atm.trafficmanager.net|HTTPS|Azure -|s2s.config.skype.com|HTTP|Microsoft Skype -|settings-win.data.microsoft.com|HTTPS|Application settings -|share.microsoft.com|HTTPS|Microsoft Store -|skypeecs-prod-usw-0.cloudapp.net|HTTPS|Microsoft Skype -|slscr.update.microsoft.com|HTTPS|Windows Update -|storecatalogrevocation.storequality.microsoft.com|HTTPS|Microsoft Store -|store-images.microsoft.com|HTTPS|Microsoft Store -|tile-service.weather.microsoft.com/*|HTTP|Used to download updates to the Weather app Live Tile -|time.windows.com|HTTP|Windows time -|tsfe.trafficshaping.dsp.mp.microsoft.com|HTTPS|Used for content regulation -|v10.events.data.microsoft.com*|HTTPS|Microsoft Office -|vip5.afdorigin-prod-am02.afdogw.com|HTTPS|Used to serve office 365 experimentation traffic -|watson.telemetry.microsoft.com|HTTPS|Telemetry -|wdcp.microsoft.com|HTTPS|Windows Defender -|wusofficehome.msocdn.com|HTTPS|Microsoft Office -|www.bing.com|HTTPS|Cortana and Search -|www.microsoft.com|HTTP|Diagnostic -|www.msftconnecttest.com|HTTP|Network connection -|www.office.com|HTTPS|Microsoft Office - - - -## Windows 10 Education - -| **Destination** | **Protocol** | **Description** | -| --- | --- | --- | -|\*.b.akamaiedge.net|HTTPS|Used to check for updates to maps that have been downloaded for offline use -|\*.c-msedge.net|HTTP|Used by OfficeHub to get the metadata of Office apps -|\*.dl.delivery.mp.microsoft.com*|HTTP|Windows Update -|\*.e-msedge.net|HTTPS|Used by OfficeHub to get the metadata of Office apps -|\*.g.akamaiedge.net|HTTPS|Used to check for updates to Maps that have been downloaded for offline use -|\*.licensing.md.mp.microsoft.com.akadns.net|HTTPS|Microsoft Store -|\*.settings.data.microsoft.com.akadns.net|HTTPS|Microsoft Store -|\*.skype.com*|HTTPS|Used to retrieve Skype configuration values -|\*.smartscreen*.microsoft.com|HTTPS|Windows Defender -|\*.s-msedge.net|HTTPS|Used by OfficeHub to get the metadata of Office apps -|\*.telecommand.telemetry.microsoft.com*|HTTPS|Used by Windows Error Reporting -|\*.wac.phicdn.net|HTTP|Windows Update -|\*.windowsupdate.com*|HTTP|Windows Update -|\*.wns.windows.com|HTTPS|Windows Notifications Service -|\*.wpc.*.net|HTTP|Diagnostic Data -|\*displaycatalog.md.mp.microsoft.com.akadns.net|HTTPS|Microsoft Store -|\*dsp.mp.microsoft.com|HTTPS|Windows Update -|a1158.g.akamai.net|HTTP|Maps -|a122.dscg3.akamai.net|HTTP|Maps -|a767.dscg3.akamai.net|HTTP|Maps -|au.download.windowsupdate.com*|HTTP|Windows Update -|bing.com/*|HTTPS|Used for updates for Cortana, apps, and Live Tiles -|blob.dz5prdstr01a.store.core.windows.net|HTTPS|Microsoft Store -|browser.pipe.aria.microsoft.com|HTTP|Used by OfficeHub to get the metadata of Office apps -|cdn.onenote.net/livetile/*|HTTPS|Used for OneNote Live Tile -|cds.p9u4n2q3.hwcdn.net|HTTP|Used by the Highwinds Content Delivery Network to perform Windows updates -|client-office365-tas.msedge.net/*|HTTPS|Office 365 porta and Office Online -|ctldl.windowsupdate.com*|HTTP|Used to download certificates that are publicly known to be fraudulent -|displaycatalog.mp.microsoft.com/*|HTTPS|Microsoft Store -|dmd.metaservices.microsoft.com*|HTTP|Device Authentication -|download.windowsupdate.com*|HTTPS|Windows Update -|emdl.ws.microsoft.com/*|HTTP|Used to download apps from the Microsoft Store -|evoke-windowsservices-tas.msedge.net|HTTPS|Photo app -|fe2.update.microsoft.com*|HTTPS|Windows Update, Microsoft Update, Microsoft Store services -|fe3.delivery.dsp.mp.microsoft.com.nsatc.net|HTTPS|Windows Update, Microsoft Update, Microsoft Store services -|fe3.delivery.mp.microsoft.com*|HTTPS|Windows Update, Microsoft Update, Microsoft Store services -|g.live.com*|HTTPS|Used by OneDrive for Business to download and verify app updates -|g.msn.com.nsatc.net|HTTPS|Used to retrieve Windows Spotlight metadata -|go.microsoft.com|HTTP|Windows Defender -|iecvlist.microsoft.com|HTTPS|Microsoft Edge browser -|ipv4.login.msa.akadns6.net|HTTPS|Used for Microsoft accounts to sign in -|licensing.mp.microsoft.com*|HTTPS|Used for online activation and some app licensing -|login.live.com|HTTPS|Device Authentication -|maps.windows.com/windows-app-web-link|HTTPS|Maps application -|modern.watson.data.microsoft.com.akadns.net|HTTPS|Used by Windows Error Reporting -|msagfx.live.com|HTTPS|OneDrive -|ocos-office365-s2s.msedge.net/*|HTTPS|Used to connect to the Office 365 portal's shared infrastructure -|ocsp.digicert.com*|HTTP|CRL and OCSP checks to the issuing certificate authorities -|oneclient.sfx.ms/*|HTTPS|Used by OneDrive for Business to download and verify app updates -|onecollector.cloudapp.aria.akadns.net|HTTPS|Microsoft Office -|pti.store.microsoft.com|HTTPS|Microsoft Store -|settings-win.data.microsoft.com/settings/*|HTTPS|Used as a way for apps to dynamically update their configuration -|share.microsoft.com|HTTPS|Microsoft Store -|skypeecs-prod-usw-0.cloudapp.net|HTTPS|Skype -|sls.update.microsoft.com*|HTTPS|Windows Update -|storecatalogrevocation.storequality.microsoft.com*|HTTPS|Used to revoke licenses for malicious apps on the Microsoft Store -|tile-service.weather.microsoft.com*|HTTP|Used to download updates to the Weather app Live Tile -|tsfe.trafficshaping.dsp.mp.microsoft.com|HTTPS|Windows Update -|v10.events.data.microsoft.com*|HTTPS|Diagnostic Data -|vip5.afdorigin-prod-ch02.afdogw.com|HTTPS|Used to serve Office 365 experimentation traffic -|watson.telemetry.microsoft.com*|HTTPS|Used by Windows Error Reporting -|wdcp.microsoft.com|HTTPS|Windows Defender -|wd-prod-cp-us-east-1-fe.eastus.cloudapp.azure.com|HTTPS|Azure -|wusofficehome.msocdn.com|HTTPS|Microsoft Office -|www.bing.com|HTTPS|Cortana and Search -|www.microsoft.com|HTTP|Diagnostic Data -|www.microsoft.com/pkiops/certs/*|HTTP|CRL and OCSP checks to the issuing certificate authorities -|www.msftconnecttest.com|HTTP|Network Connection -|www.office.com|HTTPS|Microsoft Office - From aeb325db764df3de68061c8ecad1b01c22b08de7 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 9 May 2019 12:56:34 -0700 Subject: [PATCH 114/149] Update microsoft-defender-atp-mac.md Edits --- .../windows-defender-antivirus/microsoft-defender-atp-mac.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index 416840ac2d..8a8a11ac75 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -84,4 +84,4 @@ SIP is a built-in macOS security feature that prevents low-level tampering with ## Resources -For further information on logging, uninstalling, the ATP portal, or known issues, see our [Resources](microsoft-defender-atp-mac-resources) page. \ No newline at end of file +For additional information about logging, uninstalling, or known issues, see our [Resources](microsoft-defender-atp-mac-resources) page. From 0c7afd2190b914bf0d2899a961a48ec2411c097c Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 9 May 2019 13:00:14 -0700 Subject: [PATCH 115/149] Update microsoft-defender-atp-mac-resources.md Edits --- .../microsoft-defender-atp-mac-resources.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md index c7d8d338eb..8af686d049 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md @@ -33,7 +33,7 @@ Microsoft Defender ATP for Mac is not yet widely available, and this topic only If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default. -1) Increase logging level: +1. Increase logging level: ```bash mavel-mojave:~ testuser$ mdatp log-level --verbose @@ -42,9 +42,9 @@ If you can reproduce a problem, please increase the logging level, run the syste Operation succeeded ``` -2) Reproduce the problem +2. Reproduce the problem -3) Run `mdatp --diagnostic` to backup Defender ATP's logs. The command will print out location with generated zip file. +3. Run `mdatp --diagnostic` to backup Defender ATP's logs. The command will print out location with generated zip file. ```bash mavel-mojave:~ testuser$ mdatp --diagnostic @@ -53,7 +53,7 @@ If you can reproduce a problem, please increase the logging level, run the syste "/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip" ``` -4) Restore logging level: +4. Restore logging level: ```bash mavel-mojave:~ testuser$ mdatp log-level --info @@ -131,15 +131,15 @@ Important tasks, such as controlling product settings and triggering on-demand s |Protection |Cancel an ongoing on-demand scan |`mdatp scan --cancel` | |Protection |Request a definition update |`mdatp --signature-update` | -## What to expect in the ATP portal - -- AV alerts: +## Microsoft Defender ATP portal information +In the Microsoft Defender ATP portal, you'll see two categories of information: +- AV alerts, including: - Severity - Scan type - Device information (hostname, machine identifier, tenant identifier, app version, and OS type) - File information (name, path, size, and hash) - Threat information (name, type, and state) -- Device information: +- Device information, including: - Machine identifier - Tenant identifier - App version @@ -155,4 +155,4 @@ Important tasks, such as controlling product settings and triggering on-demand s - Not fully optimized for performance or disk space yet. - Full Windows Defender ATP integration is not available yet. - Mac devices that switch networks may appear multiple times in the APT portal. -- Centrally managed uninstall via Intune is still in development. As an alternative, manually uninstall Microsoft Defender ATP for Mac from each client device. \ No newline at end of file +- Centrally managed uninstall via Intune is still in development. As an alternative, manually uninstall Microsoft Defender ATP for Mac from each client device. From 15fa5a43139094203763b0bcb8f43ac3902b65e6 Mon Sep 17 00:00:00 2001 From: martyav Date: Thu, 9 May 2019 16:29:44 -0400 Subject: [PATCH 116/149] reworded [!IMPORTANT] for redundancy --- .../microsoft-defender-atp-mac-install-manually.md | 6 +----- .../microsoft-defender-atp-mac-install-with-intune.md | 6 +----- .../microsoft-defender-atp-mac-install-with-jamf.md | 6 +----- .../microsoft-defender-atp-mac-resources.md | 7 ++----- .../microsoft-defender-atp-mac.md | 6 ++---- 5 files changed, 7 insertions(+), 24 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md index 1df8b31e64..13edfebf77 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md @@ -22,12 +22,8 @@ ms.topic: conceptual **Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp-mac.md) - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -This topic describes how to install Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. -Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. +>[!IMPORTANT]This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here. ## Prerequisites and system requirements diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md index 54e0829561..c1568dc518 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md @@ -23,11 +23,7 @@ ms.topic: conceptual [Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp-mac.md) ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - -This topic describes how to install Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. -Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. +>[!IMPORTANT]This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here. ## Prerequisites and system requirements diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md index 3e4122d3a0..e3ff4b865a 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md @@ -22,12 +22,8 @@ ms.topic: conceptual **Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp-mac.md) - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -This topic describes how to install Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. -Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. +>[!IMPORTANT]This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here. ## Prerequisites and system requirements diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md index 8af686d049..d2f6dcffa8 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md @@ -22,12 +22,8 @@ ms.topic: conceptual **Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp.md) - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -This topic describes how to use, and details about, Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. -Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. +>[!IMPORTANT]This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here. ## Collecting diagnostic information @@ -133,6 +129,7 @@ Important tasks, such as controlling product settings and triggering on-demand s ## Microsoft Defender ATP portal information In the Microsoft Defender ATP portal, you'll see two categories of information: + - AV alerts, including: - Severity - Scan type diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index 8a8a11ac75..70ba7ddb6b 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -19,11 +19,9 @@ ms.topic: conceptual # Microsoft Defender ATP for Mac ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +>[!IMPORTANT]This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here. -This topic describes how to install and use Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. -Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. +This topic describes how to install and use Microsoft Defender ATP for Mac. ## What’s new in the public preview From c63815f124bc8b66304f82edc668bd8b22ddb836 Mon Sep 17 00:00:00 2001 From: KC Cross Date: Thu, 9 May 2019 13:36:06 -0700 Subject: [PATCH 117/149] Removed extra line in acro config --- acrolinx-config.edn | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/acrolinx-config.edn b/acrolinx-config.edn index b235e443b5..92f0d843c1 100644 --- a/acrolinx-config.edn +++ b/acrolinx-config.edn @@ -1,3 +1,2 @@ {:allowed-branchname-matches ["master"] - :allowed-filename-matches ["windows/"] - } + :allowed-filename-matches ["windows/"]} From f654a356f4b7a1069f9abfbe6e34c433215a54b9 Mon Sep 17 00:00:00 2001 From: martyav Date: Thu, 9 May 2019 16:48:01 -0400 Subject: [PATCH 118/149] fixed spacing on [!IMPORTANT] to make build happy --- .../microsoft-defender-atp-mac-install-manually.md | 3 ++- .../microsoft-defender-atp-mac-install-with-intune.md | 3 ++- .../microsoft-defender-atp-mac-install-with-jamf.md | 3 ++- .../microsoft-defender-atp-mac-resources.md | 4 +++- .../windows-defender-antivirus/microsoft-defender-atp-mac.md | 3 ++- 5 files changed, 11 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md index 13edfebf77..5652662325 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md @@ -23,7 +23,8 @@ ms.topic: conceptual [Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp-mac.md) ->[!IMPORTANT]This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here. +>[!IMPORTANT] +>This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here. ## Prerequisites and system requirements diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md index c1568dc518..15bfabbd53 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md @@ -23,7 +23,8 @@ ms.topic: conceptual [Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp-mac.md) ->[!IMPORTANT]This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here. +>[!IMPORTANT] +>This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here. ## Prerequisites and system requirements diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md index e3ff4b865a..d0ad4df2aa 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md @@ -23,7 +23,8 @@ ms.topic: conceptual [Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp-mac.md) ->[!IMPORTANT]This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here. +>[!IMPORTANT] +>This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here. ## Prerequisites and system requirements diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md index d2f6dcffa8..14853fbcd4 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md @@ -23,7 +23,8 @@ ms.topic: conceptual [Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp.md) ->[!IMPORTANT]This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here. +>[!IMPORTANT] +>This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here. ## Collecting diagnostic information @@ -128,6 +129,7 @@ Important tasks, such as controlling product settings and triggering on-demand s |Protection |Request a definition update |`mdatp --signature-update` | ## Microsoft Defender ATP portal information + In the Microsoft Defender ATP portal, you'll see two categories of information: - AV alerts, including: diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index 70ba7ddb6b..ad6e81eb5a 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -19,7 +19,8 @@ ms.topic: conceptual # Microsoft Defender ATP for Mac ->[!IMPORTANT]This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here. +>[!IMPORTANT] +>This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here. This topic describes how to install and use Microsoft Defender ATP for Mac. From 6a1c728b1bb8f153042b2e51725d740a569a51db Mon Sep 17 00:00:00 2001 From: martyav Date: Thu, 9 May 2019 16:51:34 -0400 Subject: [PATCH 119/149] fixed links --- .../microsoft-defender-atp-mac-resources.md | 2 +- .../windows-defender-antivirus/microsoft-defender-atp-mac.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md index 14853fbcd4..7f138a6ca7 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md @@ -21,7 +21,7 @@ ms.topic: conceptual **Applies to:** -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp.md) +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp-mac.md) >[!IMPORTANT] >This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here. diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index ad6e81eb5a..10fffbc787 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -83,4 +83,4 @@ SIP is a built-in macOS security feature that prevents low-level tampering with ## Resources -For additional information about logging, uninstalling, or known issues, see our [Resources](microsoft-defender-atp-mac-resources) page. +For additional information about logging, uninstalling, or known issues, see our [Resources](microsoft-defender-atp-mac-resources.md) page. From de10cb9abc00e333906b1f07e0cd121b5c0ad9b9 Mon Sep 17 00:00:00 2001 From: Liza Poggemeyer Date: Thu, 9 May 2019 14:03:32 -0700 Subject: [PATCH 120/149] renamed acrolinx file --- acrolinx-config.edn => .acrolinx-config.edn | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename acrolinx-config.edn => .acrolinx-config.edn (100%) diff --git a/acrolinx-config.edn b/.acrolinx-config.edn similarity index 100% rename from acrolinx-config.edn rename to .acrolinx-config.edn From a40b57465652b271bf35ac02133670ba5935245a Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 9 May 2019 14:37:56 -0700 Subject: [PATCH 121/149] added new image --- .../wip-azure-advanced-settings-optional.png | Bin 14186 -> 23584 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-optional.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-optional.png index cd8e0d0388c3d30f4e4288d6884302ee048c3bb1..02138b02a709d31ff3a1c22f09c939f907a810f9 100644 GIT binary patch literal 23584 zcmdRWWl)^awk7WFbV#t^+RzZ(-L3IJppiy`6G9+(a1HKmjavcebZzm`N3tYWd`xv(MgZt-ZdE($P{T!~@}>pr8<{swn88prEy*prC%j zK?B|?rCvM${zLWDQM))i7a&(iN=?ekoN-jto&9H;}bhc#500!#OI9J1d~7|6Gs2 zrhKyjy3e=%rLEl~Ke9sK#GQ%xSVH?Y}Wg1>)Ko5vEV@(*w>>e8dxmY zj+KfKcopmLMltmMZBr}cGvMjvLokbG&t=4CV zZDrc$iS`&z#&e{03j9hsxIUiD|1@CLsF4`~uk;z?s%!6cD-~dC71H5Mh$@p#-ImAZ%&XZ6uGoHwqa*acJsjceV=or!bN^?t3bLd zU4M+HOfdaDMK<=~h(cebggiG$YpgkYpl_^b6~h>!u|W`pK$uww=_V>_EDAu17~~q_iA$^{M>Tic ztA{ms9?^ndoo0MGEHoa{VQIvgPGQFBFDR8_6&SO!r^_*wEaU~@?68RQKcw|Un}TeW z;&`w>)2!#`i+dz$|DHc&(OSv0d$`?nl0dV6%&N-FygE)?J>7h6sd|w?+3*!Pz1%AT zjDc4e@+sk;C0Ejo{n^XbGdKJmPKe5BVDA`L4+)Ok&N4H~`!j8j?pCml`ZA1*nT9%4 z$y%l{z2Aa2x!UF#yu*(bjWeHBDB^$amC@>A8rSYsx+-!(r9W82>)YyBSQK+z&PdNd zt_zA^(ZO_GHoVx7b6fZoX)V@iB|L93Md3Me#uZCz=xRDK9<^;&V6yQW#Dx$w5b|o! zGHs^aQPMAf5mjWXNF`ZJ){?oyB3Bk}4)gL_;iu8OwS!a=0$6OhOjpAiS<0#}RvV zW0opMfM_n>JqXT!bctui8K>;a@E)gVj5$+<%mV{&cKxNPA#JQ^t6i37S!}7nVDS+9 zsNhi#5%Nho7rY3zm?fc*O5Eewy;Fn(KBLpr*P&(a>u+19MF*?3)Ps48D?TzQv&V_> ztd8>9BgSzO%awu=qo%6|Y%k+8k)T0}&$@XSWBSD$YxZt2!@ffG_`oWy!wkcQK55gq=J+9Wi{E;k?>eDbm$b<6OMrX!c<2aEm79I--=;oUICXAH1{7PKkSaYB%7PD3D#i#YukIEKYawkWtI(yVIs^HWl2 zY708vOG9FuHc}ocipB?0zER8+1{~0-6j=0iB!w^cG)k&0?G^(_S9GT8!`TU;dg=?z z*UZj&q*D|L(hMqE92H7Nh&EW_`u2$Mh>0!Yd#pOtHbcbA7)Ql~3u`aCirgOiadJB5 zPQ^+6cAFrHCg-+oCDTR&Q;JU5up`Kqf$520ek%n(&ng{%#>)hL!@dC--%)-ZY=$^a z0dR}L9wk?hy(MicE3kd|&bkqr$wfY)i9N8jf5)1X@?iUK<&#>p(3~?*@2m1?)HR)eS6QRuqqRgcZnkO}RJfdc%$Hi`g z@@ks1be=BFh7R_35=yIpZGe33{LUepd=|X zLlju2LOT*A0(|t!Snwl$N`<^uP{TV}i|DNr+_yX_xRglFjWIV+)?$Uyy8?|PrvAv8 zIYLC4U1E^Vm*m1KgUUVORpIBm0<9b!K^A)=%!J*_4>Jpt!g7c)nJVa}N8*R8RmrV0_Phz-H88F}cLIroJF z44FvK@axIxglD{DL;J~1Cw1Yj;k$;8kCRG2bfGk%g3G!^;v>oM(nfE|L$l<9TQAe1 z4R_~JQ-zq}L|ZE9aRGG5K|@31xCU)Y62=43g*p~0Y)HTgcNACjL~m6p z7$P`T0{TPV4v92e#m+LQxP%-YrEmzsQwI78+&_(A5R_nkh7^M))VTTl!q&E%y_wP6 z)ok?=gBZRDYMbjoU7%wQkR|J=6Oydf+n|Tq{zoMqQen?)tpryc`V|CbSl{T1$_v^H z7*sf(qIu8zGjG$*@8K)r(BmPaC09QC8yzh<7SXLOZv;Uqt8qxXUWHXss@=R?;j~{f$`k!{ zeQs!tR2#aUGRRSR@ScuMC(*5#KrOrsN5%3d7(!%FJRe&vU>YGYlfz%(S{a)T{+&do zLt9~(TqB3Ma9n^vpgqo{$I_93Db??s#+abkJgn9fYMds6u1MseZ=y+>Z}VAF8B0_{ zokpF8SrQM-mnQqGHQr9i>5yGD}fGif#*DhNox=&7_z; zc>Jt(%Z#=O#ot;;z($4q=@FeLG-@+y3N%x~K^EHX;(KD3C^N&6szh1A=~)Vrmw&`G zWxT4yYQU@tg<>sQ?*>(p3KAzB>za(nv{t5%@`Je|J2yzwgFQFWMqXeQxq9_XL~=T5 z_9nN%#gMt2M6-?+1mK$}7t*xVB04zSd$NDZ1LaGwM?aDTY@G*-U*uM%p3<8E4f=Pb zg_V*J7En@~wldTO6fnp(lnpg7ILA{J8z955$S#zqW-_i5qp_1Cl|v;Mv4e9wB~&re za^A_|{uJ3Z`~tHO{l)3bTE`C!7&He!k(AtvXB0xZdAU%M9|fGdLQU2<1Hlq>s0}Hj ztyx!E1T6J4pf6k5L>FZ;i?2@|(+WXcOt8-w%qrm)9_WOop!hnA_?&d6IZx}}RNXvN za8e%t&PIGV6I4?3-J1kj!9OI5r`^JiMq&)X&xM-bi5|CSKvww=4Z}(8Vq?r^x$0sC z9O8{R_2)FJ3I!mcHaIF(ShEmYYEkC^gYNzZs35JWben?ahh2rDs#83}z5p^BZmTO} zDB}^*%!*VZg`%PU$vOVXTWS@{-S)AJ zLyMw9g9#xjLeIXULbfrf<4g1(Q`g=#gj9rE+}212ZqQb^VxRAu4u*jIxlaVIpzpSG z&XF$2XA?|RguO*pF2;}?Bayz=reIg_w%89h>rI<~e%5nOC2H#7`~bnw;Nk||6Ob9a z7%br3!RFqg|M}xIEr^8QbzK}U@#7aEuAg_z#147xZuzgAynVs>8=w4ub5N-UDx%v% zPrVP$AFKoLH@?|_qGh{Tp>O-D?(gkHApIg zu2iWd6kbcjpIe~qvB75nv9ZrU#;6Es(FEX?5>h_<%N+qX zm#JJvwNF1Pt@easmjd@Y*1lT@AC9Of7!^%dE~o1v$&Vd~!OHE)dJ2xSa=b`Qb@-v7 zEDlZ=+?;jDVUO>kMobjg<}I(|0uhOVxz z#zv-88CgEz3cNXh|IJ`Njlz29>Q1v$A2p9Y$R<}g=ulEdLTG%{RvJ|5k%Pk$nJBI| zf$hdRh=#{$6s5S~KcPDzsvpmaX8^_W9b7eHkx#~&{n;BQP*DvjBDvTQY>lF7H(;%? z*d*z1JQf^83um6?oQN%*6H}-X8;rI}xNeeMNphf#cABrH3_kd*Ka9zJw!gx63O3ku z0BETNK<$ox^Hqeu>0`+EZR7Ci=b5Pash_muB{Hy!FXq(5GCV{!lo8KMrsHBzMGp2T z%SrBe6v2YJjuV!neN16cHJXH?R1}OLl@OPH>sW2KVkdz1(QdreH=ZU_F~0byxwOoW zG9R9WvoX-m!&+MyYMdO6P5g+$!L1(-`QWvyR~g&(>eTU2c#uYr?E@KM4n_`YsX(|q zQ+${Rn}U=Ud%uYy@J=#f}Y%>qf$Xe47SFQ>o!PSX3 z40y`}hO%Tz@ZL5~hU0*lhsh~Y<%1+wSZ(8Vodnzq1)A4180Q`jCvo(bcucTug)vW^ui1>?0DgS$5psf&uXw zj7RxMThJ4iMfT}u1ktGLOCNpIZ*W8(z+yA0fw+iI7NJy-5?Ie6Sy(?WBys8H=#_oL za%DuKsSMiC*Mv-diq(=D{vyE6Z0LR@n*K?~q&#;p+9s$OcH-|C&1p7zo~Ti4_%y6H zZS-*#QGbsyXR=G;F!Nhs+qbbP9=%QJS>K^t>Uf;w!b(G$QIZ~dvZrc&3P`uzX_kN8 zLoU0!+OEWuJ6apAi29mw5s5OsTeD8?>$DAWoJf+PM>-RzTq$e{ErbEGXJ_uWiZS7#p`p3Cxp8rEEiElQ&)hDKHla-^ZazBB*O#3g9Zy~IfMgcX zB!Ubwm*FZP3o3>?5uo*QGy42ql;v`EajC7VQ6TYBE4NK6H>uK6GxHHEr?{+ocBco7XP;LbfgwBs^6|prV!Qu^hpQz_27HkH z%KI{J7yq=cBm>0h#!pjSSLaj)l%H2}Mn$MKLDoCJ-k*w?PxjywjQ{A{zYO#0o0yo` z+e36|Tg8Gqinx&V4GqX`qx#7&P6QWn1P<}VU`}9D?V{&K-p{F2;M2A2{5wPMsk|oj zeAk6<-;QJMb1|0~DdDBdGMd!g`Ml*#wtvRb%Z6L~jKGs0^g{ug9r=ZH6PoWYj#hnM z%b|O_ceEWF(r&HxS>8H#IX)db?eUQ+$G{2=zOyI+51vG5DfC%ev4`)dW(;Sifl0t+V{Wlb8nrvVY(%DSxMOQacz&^Oy0jTH>P^AI}jch zN7y9~jOeD29LY~d^yJAC_0k6?jk1OWXv~_N%nXg;!8*Xj>P2{WP|EH((!?xwiL=4BawZz` z#L{5+#p5@%?o2}#$r)Dz5L&r?c?S_74!84waqR6m&gX~Z{INh+$}*@8!&F{EvvAl^ zfj9?PIelfLsh?4k^^moVisB30n03qEKdr>)BeS$@m&kc{zqnIT@bB*@YierrcCk`= z6foWPidOOIUy0J!9)Czgn^_JYE@HgWx&0kCUo5twUex2N4PceJ9R)~rO%0C>gnOHd zkWbR*{BW$zlE>0v*j3eF_QFCVdBh{VZ9c0NxPqrPTagtER{Wz2><_HcNC?BQ+^T_s zyz)xk`H`{(%ggLZh=P83QLuwRZI|TV2q8z-2TcySUwe8%SMmy?!6`kJkytxB`w)%m zKNx8*)r<6Sq2BTH*ee$~w;9cMT7W`(5)I5mPfrh;6n+%LcNF|3hJk}=WnxQV>T(uP z=gpCmnEAHfuHqXts%Im!2qB~Gm%CSKw`b%)Ts;Bes=l+cGsx$oYx_$s_oe=7Da>r)FmBw~qhVC=o@d;eA$Tzye;64yKhrsIP)j0jyx#eb1mJib&_P{Nr;xAto*^K8*RefbxEdk|z{H7Zw(bpFUNT z{F_I_-R6~wNkP5b@5bo=}F@5@WEX<7S8ATi~N`-sGidGs!Q`TBKD3kVX` zgNu)3z?^wfv4POynL79;bZye8njd-uix1o!U6BG=;5&uFU&Z_${sJ%m?Ta>n(J-(|Udq^8Yh|IwzAg|BVr`w<#gT4Jq2 z=${#av}s`@ZqOs@m~h|wCc*B5rRZ=y(XV4(( zm5Px-O>$l7?C9#U1VH~5cRd3VWm4*jdk9)NMjR79G*Dz^A&~}`p)a5WDqNlz5$L`| zjZFi^q+51i(3EqXlZXVH27zWk1$i^^oi0^+Lr{o57z9Bu1XeH^QIxN{fFuWNnBd%n ztR}r$LpiwLS+xVE5iq4Gb*WM*rHPja29G+r{9=53cYcIWTCMe9G)H8lVp)#-i1K@~ ztA(>fe^0>~vbibWeh1Qw04p$S8#A|Nl08u^In%3=+AwBq#knY^BK%^V_~4y9$p&R|or&ZciAqHE zY7ulqA)Gcu!yN1#_5HjeDnAK@-^Y7$=y8X2p@1M6fK{N)2V?xN9^)njjh;j!!u4sb z@njemQXecnJaM78$JhW+=so)06RJn=d3XET7X%vKr?Gws)es3>R=RCc;N3xxZAVgIG-jRsWj~# zFPhiF5f!XtQI$EKp^>WksTPoi5>nKZs8Iq6TiKRTL{^BB5$pONT!VeJSfyfs8KjP8 zR2kJ#8Np&rtby{+Y4iYWCOV7vYwLn83r+x^9n|E?7J=e9k_i}Y%qWhz6>|)ImZ3P( zO>+1;qVqI}qyLM%=qEIh6kO#rbF9&<0E=k`IWTXHDHutos9^@?*8Hr%F6u-<3k}aO z8u%HO{RztRlB77M9g$MS$V9JHXiloxPxq1jtsru3nCMse)YxPFk{%k2et-=En9E=f z#{Z9d0}u_vpDze=QhPlqnuVcbDn7RvR2eQ?x+4qX8Lfh7S{Ep}Eg|@jA=p0*qp`nT z!4tD0oFzTDu}u03WrpN@m}p$LznQYHg5`P0Q_-pS(UsK<#5{Iv)rQk)56hPDKiK#M zIP27g7a&afKL}N3d9b>tD_(Ix1V<I+>#-` z;*V&0YPzn zqV26#q^{Fjv)$Bnj2XjN$2`|JW#NIIYl+EYV=Ap}<}+j!tZ!X03UP`W3lQgDYKlgM z?Wcdvdf<&~2q;qDgXL?rQ1F(<{bv99`D?s)`{p|1{&(k2gQ`yBBSS4wt)%u(GhA{U zsLy|Q7hHVDwQD66X3NCxjj#~ok#V`e!R4Qhsb;5`c`4?rqo_}NBqQUb5nU#Mp}88B zROXnHq0Tx~u8uL^KuyXHw+PYk6)6B^j?p-o_V!O|%IH4=>sTLshA>BF8BiI(tT?u- zt;=YN2}G0IMT#~lvNCO=AvA)zkYRW%SbbtmA@rT!^EFOvkx$CcM*KRSrKbyS6tnCf zks4mLdf?bN3yjx@^&!?3?4uIRq~runMjy&5b65Dy;x+zw*2k0Y=DX-Tzj&EnBsB|S=| zV%cQ#-&%t-+sBruEJ6jE)`g9EZn>O=r z(v3B;$jZmZ$J5hOgs!%x=4q$D?<_ahVs6hfeo$PiA#kNo+H``+FuV2q8J~^{pnZn9tA8--!P(2@@ag zNcJi)ufE6KO4~)jD<;^Xs6~a79#-2u(p?8F9mM{J<@>bP=S%c{>l)@Im$#F*Va=)* zO*n@`lBolKF^nOEfkFf(EG$e!L=;_V@7#GSjC~OJ@^b%nDX_!m1s_KLAL2Vz!8MoK z+FH{mz#+uDI*@~yN(%YPvxNKe+dt*qh}nf({P^)>(c~|@e_bq(ET~gC`6Cp57Wjv4 zw$P8L)+g{M;dp$uI1PaTpc>4O1F8YQfmYLz%K`DL(?-jP_-~$`yQf&q-~UIF(Cu2( z@fv1*eENQJ<|ElSzyzkUDY6>>!mB9w!qU>_{1j&U_RYoJ>9K#t>kYoU1_<3D{oOa> z`n#|B*O49~PnNbm`C&=V$vibbd-2JK_Ir)xwfgLbj33g0=Wddx)}hj0fS&$6e6I%> z+`D&%oVkbM^UE73A1`j+tKY23BkndY0@+g=LN`KWWW0E&gI0Ri-EyxKuWPy_Blk|{ z1EMycNL?!3(*eJX(4J?Wp2u!q?-xV{fV>cp_sw#ch465+?6VS8TMUIclD0~5i}SB} z@w07~XD{wVxv-w@VEs&WN2Q*zX}t7H`WIXdwv_pJ8)?ph6H@;p4)^Ko73R^;$oNjk z;RAZf>#uUhif^2i^>#pP9zTVm+AO&_0-bn&aZf zf52>?o4 z|3vgNT8(%`T6Uv>V784 zyCj2Imfuzw$U$@WTP`kFN6#*_U(((Os{(-0CvO>WL^|Z2sDQ60TAo1fFMIGi!TTtJ z{G>>Z1;2j7aW<>Uv;8C(YsvQRqdKtLh;t*cXb7-?m@b{BrN8(TI2K`2imRm#@wzx(+WR%aua+{swtmFg^Tj%}7`zdPn@gF9A}d$d1WP6A1J;3Q zj|mIcXJUE;W@cuKUzTrIJb|n50Mvbo{%-g94)XPORoeTcZCKGlV>Pww_KjUh-JsXa z(8qgu;+_X2y3i0syuPI$Rf(YPe0O%g|7Xq!p5EsKVAC=Aj<0?H{_OSZrD#C6eWku# zg!;nAXMS!jk?8vEo=?vt)1pvEchLFqU%YPyRPwOfjd}}jKnW=M087gNhU%7ZGFg{| zzxWYgf=*Jv%?ZYk6Nb!0dg3fGpjxF-;bKytpE&_1^|)7ti~eDxnPC6_j~4vX^Ha_M z$^*E;s+%zC-DXmx8m z+xa7^eZo&F!iQE!e#@6rrhtV=qYT)os(pEW`^%D0Qj&%{UJVHUXw#&W8D}{g$T+N> z!ahE&D0uzAOS_*<<9qc=S=1sRW=)r>b8&HL#{m-T-mh=()w98a5>h~Q)cWBt+Fi8j zY=v~A`m(a3%%s9)06@hxn^*dhuw zWQ3vt3M9x>wIV7cm`9zA(q>ScyQ#34+R#DLHy40r?A#y&hzx4(~=hMf(?tNIZv zku9%yx0b_97X+H3;KG6u320?A=nU{oNBT*UrpO|3V5vF|k!J5*D5YVszH~sHaEGV9 z3PDHl`}sBnb~Q8cK)mIhM=sOP)KykL=f#C%)<@4`kI_GKaer-uVvQz|X|}=avL3w2 zA@huNZlQ3e3ei$a<>-&9NGZZ?HnbWMb*k~mOM&TRF-=# z8uk5(!J%9=9RsHX`XM}f&ouNQ)z#G!FAoY{K7eUB0V4>>)fInQnP62nmMtz0b8dtT zTrk4lzPSMlo6r`kT`$-RiVEnAXTrbD#%t(naXhiLYX$2(;<7hWEavb-s~OGzj#Sqf zXGWV4<2*NEQ8gAdV#cFYwEd^@xYv?R=vR<+ zi%N64%`|dV$7XV>LMaQsC{~pSgl?UVXi_d5f3_JL%VT)z;Uu&&cHegq6Je5?Bl)i1 z9tSQH0&+*s;7|ay_{$bSy}3NIUtdF>>-xQJ4!MTr0!+;0wIadeod+fyebFi+00Yur z?m4b32tKdmbXgA=nld2++!8rV#VVy(%Hihx zXDzWIq_B9=U{2LSlMUWX&Q8RKHqpikQ%{*#Q7x>GX;phn2n>ZkvA?aYNpxRlp}uxI z`@IBon^G<_e$3ZVy8_C>IFkbUMsbB0ThVS(Hmi$sR!|b>i%~D57Frb<(;ZrL=6FnF1=kH3xcrFMxaqySd^pzz4tOWB}I6&*LL z$fyO4*56di&6-3h*4Y!yV{W`=*d>!QAb#qnUdtAx69)(pq{G7Caj?Vdp|4mdK2ohYZpE2be zB5vQ~ub3W&tgmPG$!+9BkU)u;ChBP;Ov-4}GG<&z@^lAylS-Tk_L6oxe>O*hloY4d-Gaa`26rFg7CL3qnu0^Y&^dPWGz zBuD3+6c~M&e`F)upcWxyV2)tnkO2S6qgGhASuc|VWH4c(xfpNXsyobPC1o+o*#b={nm6e+q zwz&36V??5;I!**?mO8Y48YB_U35{hWFjCPED4GquvrmiFA3aH4*LT_Ko|J$K^(;O_ zxC_o=GiDd{(1$?=b7F}U(f!Ox#JQ(Zs#1R#*HeC#HRpwh{G=ZZ(iq$Q-|%~=5o z>#)vx;IPpTi2=lxo2D)VlUB$USf=-6fPHe&ln^yZKJ_tFR3~RJ#VM+ZchXp zK}+5*09%Z{ZU`@fANY|EW+Wq1;ryP#u+Zdcpag6Ogp?25-rf$xP_vM-o40weAW|H7 z0tRW0MT{ZbK;w8zwKd@8Ls*EhiOJy;o;a{}h+>}}?A}jm=UWdqcKpj8xQYKab&=Z? zLPtmU^XE@zXJX82RVVi#FeT@G!onfbIe4?`kOVMKxd? zoTjkFHc#xD`nI;V&Q4y!o(=$xah**AwTI6n435**?OIExVxS%>%3Q$M>hqRp04Nq^ zfnL0zM4VzI&OmpMzQ&ew@52o#fWnyk0RWZst|7$jgWI4?zU7yIt8MI+mCK$gK7SY> zM!w$bjj`WkGUJ_Qy%0z)ejr9eQ2hWnU4$1q=mdmrui;8ev(fwBGT@hX;MHWnnbGaJ zh9!N#JX?lJ=4@ZYqW+yCD*zyX#zgq|_&6}Yvp+&u6zE-*M&+4#2$1 z=@?Ap>rdPg0Tus~L5PTm>>SUtbY5JzLa~2|emuDd@92>1S^$=%qlg??u)oFg{Wu}; zX0~f2;!7O0Yg#z-?asV({LQGJw7h6ew#)J6eRBhAZ|#-mc8$PTUqsjSmw90TI2x8p{L3LWIu6#U)Mc$&PJkH4O%!`76oT z5GG}RDE@fHy1eMi^)Fg64=hgTh>NQ$F&4V!;$M1judEx@aLJN{J$2RC0o|^u>u$ZZ zSN1v~9oFvL_r!4RtVsN&g7r3ZD&-ks?Rp(}a(gBcb`pgjT{69hM&FalY; z`hBpT>Dgu4Ii0xjwgPe7k-?h0$?I7sn z(=m9d+}&@hpiZ?Dhtp>~H~VZr*t!B_27uhJQTJc0ygam%8spS-Gc7{>aODcU4<6d} z)xN#rq!?1d!!F*4zQUF4zY~xOHy(>2RR1J;%a`ujaVW@IkxmO>bsXl!A=FTg4)*)-?%m+ctOn4SJqZJnDM3VEULeap&{UfPdM4&T_pU95gP*j6 zE7+PQPHAy&c~thES^#zbMr{v$OWg8q83>(qVD%)-=D*HZzS?c83jhZ8m|7;-)rNP zm{aJ_ko#&t266?|xS*w_rPEXIlF*5~U%!6c^9fMqX4uE3mX?8BQ!}&V@5g_;65D`r z8G}yom1R!xFgFied;`rV`fBrx8K61c9Ff4qz=Ju8|0clvyLaaQ$&W?+%xR7RqksB` zd!9=IB&)vF1K>FTj#Op~-_6vrL)B*#@srt4T+=RlS2yNJc@bZ92VMfU8$InrLCp=z zJ>|5Z7EZz;-#=gM^UZllFw|@bRE4qQ8W0c42}1SF1A(cD*>H}*DjMi{!O8FSDA(o) zgTu4T&X(kRX0|acf{{-oob3;qwbl&zugY-r@V>X(Z*3L4*Xtv666btv)PN>Gpulwk zdRU9oyvt(iAs~@Y1L<+=r(3up`Vb}3>mB7xZ>2)$+o-;b6HZ#j4JCc{Q1d*^Z1T$_ z8(D@Fd#%(t>QqTY)vrUON5#^7MxytHkN&f7q1_IoBQC z1ppm`N<;{$ldDQbDE3}XW@kaaO_lB``4E{e1)iv>7M3{jh%pPMHnaf~C{X_mWzk60 zEfCWe8p_dDVS(BQ5u-v4>u`!@V+@tb#lX*p$xC8JMN1{p-AJGdj-&zrAsDX%?>voi zZgXD`2PEi0Zs~GX5Q5qKS*##2qKPv(yX@iK`LlB9tYbeNs(2n}%pz%7ZVb&Kfd@51 zXIXM~J-dM?W<9%BrFMwn0LI#sqOELqJ^y8Yj-mx*af5bgHp_G336oezT5Z-#H=yBC zL^P=LFixpd01H*u{Qi29!1dTY7Yw%JxG772iOfc+xA@9TKbbJ9_^@Gva26#M@?s@g z*PweZ6UK?ntrm3tMU%}XRXZqmH4CINMUfnRjtZqSDD$?yW}vec(ae#vpsPTf+eCYl zQS(`F?>!q!1($j#xC;T{dvcF4VM>rVI@62qg+U3Uf*CI>v_Xfy!?FQU%KlWcB*PqcP$267q*B~d<*-U2C;@0gat{4=X665J)@bthbWT5CWmE;zs_dkNz z>v;8$3K*)%DFM;^N!zH%YOPIN$|~XE22=cd*4rEE6NUvU=@Rz;Bi4BK%Z0UD-7_q60z0K!xXY4+x1Jz}gn=>Bn z1((xdvG)+nQ)yQXf}%`Xu3kxZLq;dSL~pR*O)|100iCJ49gyauCs; zk+K`v@Ofz1m~-8N+^AUf)b3wb)`6g~t(+ThQv9G%#Y>tLo+!6|s9%kn)9~ZxWPehn zARjrl+eWCi6i!qov0_s4BpF*Mampx7X}KV@c$f&I5&=Hs+-_%}Y~Es+CX}_HvYv=! zh72vLqgGvPwV=_NMu&g&*{5>gR~qC7UC-b59tn^&aDLXnU^GHhMiBeY{e5bHdxO;z z6hn7&uFrBq0LFEmp!xtd_610)+#y$I`^*mqS6bTzKyiRp4!!p*<~;nb<=1GyGXvy& z0N|~Kj1GR(%FGuNm5$IQc{rbUkn@FiC z$Ia*6`}ev8?(-FCet;LQES*~pPyv4tM#u+vKDD$w+po4K{mpQuH685Ha4(zF0!1jm z{viQYWVqC)H$apA%MRMYbzL z4V?1o?j=ww^Ss*<`O1oYYwGGe?Qf*s0N;osQVi{6LVla4={zV*uaZBbGY8x`MRr5u z!2SJozu^8uKRoyZcaLCDTe0z;d z(l@`PVO|{z-?fE-5*-M5Je;3D2b%t=YWD3X$U2Xpn}d(8DVKc_2GVC&fx4V9>=Df1 zpdC|Ql&&{Jt72y{=hCgOr4cI~hhk~>Xwu4Lp>*Gh2rCp=@ji!phYu=%oRIL(r+(zG zzA$iM1t+nll9HInZ$IRgsM=ts&tADYsrM#=3RB^WU*${n*j*OZpJtT>sra^zl~b zCiN_U^`GMSO29>nf9u4L%m2|NvwH6yYK^(b0=8WS%YEkpuu`3xEz#Z4J)M2eR$)zG z>&98M`YWG)$2j*&=C4+QQ#T>z>c%fFE&aeMW~CDHoj zZt-S5=e^D59M~7$jsFf{u|ZzxH~YMRIwXA$VgGu*($(x2{{zGp&UEdce9Hfo{(nOp zpU=CU{w6JbZMj{HjJ%5RnzFfvvcW`(eap*_x?*|1YetuD=5#D~dzH`t6W!X>anrR8 zqz*GN3c>>E+nMbMeKFD?+uQa3FCUazjD zQ<8{QuCL$U?@Q6wlT$5!PSP!2uReHOX9DnUz}sd9z6Y$k<`5JQE1=`y?VW0=cf)&b z685o-n&uVnEs%+}flP#RGh$T|dTa4`_F+>$z`P^;N&*Ao%)c)K$Cw-g^f})o2Tqcs zlq0``g^SbFtioPE(`pG=hSKnX%}d2|pGkq@)9_z&ga6ku?*Gn9{{O_$;TN9ATjPMo z=Ah{_y_7%j2yDH?)z7BV+YEvTd8U+6+TanXyX)gp>qi6RQgVP;0zT1#>?jc5gX3v_ zX-;JKmy587U`2V%D$*zM1IQYJi5z3!BV`p#RFeq5v)`$gy;fo$sEe|4V@o~gT(~qZ zOiY$m^m9_cSeGoIW|o1@zP5?95)YqxnAC6f^X=DZd&x23{!_dtN3NbPJ;jgI1$ZhI z&bju{-Qn1Ho_W#zrpk|j$Tv}E6mfOQ3*;*AK`0^DXvst`U`j)aN)l` z>1jX?s5!F<$EgZM8Sjh>PNT>;SBkrQrwvg z_`Qg{HAod3XvD2peN$ydrjouehtcIXOj6>{*;x|4wvdd>Vpm|72rVoxb~!5CfsNLT z@*7>fcGRBHto8Huxlt@5P`m|A`kRnHqu*!pZz0mhtn8DH3<9(t>E&qgO>~Emh+N2r z;jSXJP7U~9XRcvp zTE>UP8hlv2Y!8Myh%;Y=ey%bYJQI@^*sX{%Qm?VN*jh_2=g+RDVPENd{m~%rl_Nk7 zfJX@cv+gm*i8=&c9HFNT&yLU45-%Q|#qFP?dQkCaW;{h6^RoUZ9a{eb z?$l!4Ub%F-d=KYp$Yy+IJ2g5OMn6gZ+2xU@LNOhfL%}4EWTu>MriW*gqL=MkFfZ^B zNzJT)-H|z>1rKq7MFV?L&^DxrEMa|7jiskN&c(+{3SkzlAeikJJc+{yvRE}KRZeu+ zjmn{vWvwOHu<>{sB$>s&fn@Y~OlS(N?XJnvoiJfuBPo>0)E|DLC9jdK$f}MprH&7n zi#Siq^FDZNMgt^3TdqqX^ck@=+cXhnJ#>?Yz-?;ljpTmNPoF)rTs+y9%q`~NGLfgx ztbMwrT~iD^yZ!k!7JX+8lFqCv7IBJ1vYy(Mwrx0WSo+H4y_9+?AZQpQ=MuuX&G4^H@^Ej&x=_8cBtnz?2v-|VRB{+Mxx0TcB&S5lS&HUhBy+P^wx+fIcGW3d}Q=L@b zSjY@e7#2v?RRGvk-$9#0f}(z#sD7K+$5o2O zs^r0rS%UYst!Ch0kNA(9rre`ZVwzFZY#PZU&^;afA#wFW87))71a9|6dl8KxfIyZ} zJ2M{I?66@1p=Sd#NmC|{!F0H1AL80+bnS#N16v(z$R|8JLv#H2#1vBhWPnwr@N0s# zQ}#QkPy%6L$43LuH!tUuFXd==wAn3#P?yClI)zkiyg-G zNksas<%r}M*=BCBkX&{c2A(-NWG_Z-D7jQcx04z3hii(au>r2+rO>4y-vZN%lZ^Ce zNq^H6AF(jJuvA3t;`?A$$>di}|HuP&_#)19NwmzF3f7Tofk%sM`m}rfHYtaZJbMA_ z1MyY_r@WSiW|DELDnU6f9(%q-x}$r=)^+(f=KI!%UXv~$Yg6S4R^!qd!vI89l6|Z? z5h)unwV+8fJ|XRO4(oQwdiu*XG7nr5eJq6M ztR=r9n~xEc6m15BIs=7mUG^!Q(j4n`AydC;m!O1YZ{j!<1VoQB>K3g-5C{TaN5|;; z#3x>8TTRMDV`%vj)RChS~H>I;-sw270)L0XF3%U%d z%v}RPo`-`ZCB_MLj&D5JQ^P!Jx7e+xj6FkezHk_5W57K_cc4O~c!4!2ZzMR-453Sl zb`xJ}&{B0i_hbMq2}@rAJ6<4Ljuo`I`(XPq^`(wxDzdFLhfZZ+CU<#9DFmgaQbK`Z z#7S!v>nq0%!i%9GynaO0#h(9^8#LDFes_Db_kesS9PmRLgJ}f$fN$WF6N)*hZ*l`| zinQc!?_HTG?p>W{zn|WrI>5GK6y>c@ix`)SCF!wi?)&;Dg!ef4fAQ4XtH+?_!@Gb1 zz>nPNf3dd;CF*4>vn;YYkiLC!>__YmaKKOLb$RCLw_Wo*AT6}2!K2h@00_;Xi<|>L z7!d-Tyj)RRm==~s5))2tjeIudfK1i|uy23SY8cR$_cT4RNe0{DHo!#~fr!kZlKf&5 zYXXc>EAl@*6mZv`*Q{LD7^flOCD4$ryQ{8rcaR9hyia>5!@#TlA?e%0=`^_|;D}eniGZJg$m_bS>N4e29=^ylCF3fG?FlFt(JHZOA3>u zly_x#s*5Nr^ACJNoeXwj&b7wnDuIs=~bmn7i5laAGpzM95aM}5|w$uOjI-OS*3Q0 zv7w9MKu%>nCx$CRX-X8q=1V4=;|UptGLc(uYDfiasY`7bq`ej%A8=Lml!STdLI;{x z>&X!Yru@%ok3-{vk9dZmmjc!=T&B&nQ`zF3Vl(-$?|fX{j-_h?ZXTLE0iLT&Opd~$ zV%smgIGCa0ULzRZkOUrpujknAJl|O;gZ*)RL~MK{t9L|`Og=$U_)?>7ef;sE%}hDW zGXxqwGgX<)Y&7(?EQgw0?Hj2hPpT@3{=?&}jSNxfL%R^)LqU3vqs%xe=^-PG!VIQK ziu#RH=XeqK%7$lrsR}J`qgi{U*(&>OCU>YRV&(JHj~QiK)L0X$7%605q;kZ*jsrgh zyPT}SheD=wbU~-z}B0#fb@gY zd?b6~E6Wzn6unThnt`9B@Dzml;Q1yDRy=GIlQGXWqJuX6{aoR#W(x3pp;cM5 zHlsG9p~Kf#dPE-$S)b^>iSjHLk|@kd?`BJTh-g-Y9;&}4kX@@CkyZ|pAgvgznG;Ma z1r5-6S`*#wFCWwecwW(mmr8{rDCAFrvFd@`z@sR?jN$!Znp zc$p|4D7GbtMekjCefZy+IrDI+`*)9L%^JdBC|g-3WX+7oPBHeGP{K2|8HFsBUC5T5 zWX&4JSjtu?*}_;ONs26CBng8^_O-fiYE z2W+L(&K;qKnlM>cZ8k?1MQcQ##Z4hEW4*bV+e`2zVYsEC{<-nY8dYu`Ln^Cv*W0RO zX*_*OGH_Zg)yJ(F?R&h-*85*dV`ap)aItnjkG^wxd$W%L9ua{%z)-h=*Zp6lm) z`HMJO-cJyX{&Z@rZD@*A8stlv(@U!*P@m9Pn>H6d{=PLhf3WkdI_?Ge_=$+PP~8qj zMB6FW*4a5X<*lKZ0H4&ws!9vJ=m$@6V?%Wd1JJyscdc4e=6n`6%7m^>EaIZ{-!bYI z6dL3YT<1o&Q@^sJ3S1|E8fsBzHHKI%rP3^-9f&GP;(6{zq)T&go}KOU!zf;=wzQWT zU~D%=(jPpR@7GOCy`3=DZ~J01Ei;?%C9)#aVqPL~kE`;8(Y40F{J=Rm@YSng#7^Ip>7 zAn}hIxF`e1G+ZNfVP;5@e%yT6TD!nmo>I+6@M2!wKCN~?Dmhpvtl~aq)-ThtqOkFH zGNL)_Dq7A{EtCO4LfZ0S^)h_V!bIm`Ze|ZQs36kLkwS_#sXu!-tz2+uUBVTnCys=8ynKY`GdbsTj+3qRn?;&9Eagf7kF3#s2vr(=(~)EU+KbLN zzI)am%A<`SUO5RvtBc@aI|aa{!_W*$FiGR`O>iu__cw=g3Y(7<&6WDYs7{IOM? zyl1;p79yH~Xd}^GlT@(G@}PEraV}i?!&*97N0EtY-exlTafhg`c5v(5v!BGn=4B_= zr4xDzuEBq{<%GoxH1aKPV=E$GwFzDnZXPlRN$$UKc44?NU%3|q0%G#BIc>T|N9W>qe zA*|vrDWElSin4<#y?KWpK(z;VJrL$cl))X(P=01xFr;t&R~2#EPOb4*(Li0k00;t5 zZ)~o@4$p9oi2jc55^wvTsqO!VL&LikoUA-DHogEal$dySD{*}wTiHon`d*~Dzf@$$ z%r9J!#PRk{nq->0FA$9~KCLb;eVBdBj|?DIbG=d}Bg;T*$r#|_3O5SHqB)yHhx3aP zroqX$_f%#2la8u(VQ5e)Djf4QZmV$SrJ<(;pA@vDHD$}q6SRn|FRAdbs&ULpN9LQh60xi|$KDez81fY^03P zh1kfL9QeM?yQ!&`n_u5sbc6Ak9`4LS&g)97eXYaQl2-4_5kkgaO0f3nFGUJ@3f3WZ z=$I+h-SQFRo;hi&fYiZhn~VA<#k~B5)~IyK2XiNwx!5I0EZ#~U$#XZ~xgnJ#Bz#AX z>tOs8D$QYU*UHLnbnsf3qOk>8<;mhHJ%+=}=;A9CpUiY{@Js9*Y=?UN9`vX-AvY51 zQyvhOMIcO=Nmqu z+|T>E_GUB{vE|vDUn7FgDHAF0&riNE2(kdx~zG(h<5R)dyPK( zY`M*RQ3AJt*bnFRAwPJN4!+kmBIP6`6Q(X+rMK;fB`m<*SS3%vQRM}MUJdKi-dnYZ zq+W1XmfRJfjTQ*f{6qXBwHSAgWvwZn7hcui31=yk+7Rww$qAXj>!;7==^WeqC8Np<#kQ>7lnl~%`Y*UF;>&Iv@T@73{B>3DMe|kWDVqR%cPBpfK zK(NszS`31rluO$6-7UAc@!2u{eng4(a8lmu(OM4ttcI}iXGT@`)Anr4!*A$B&r;)i zy|dTf71KXElMr1rQ>Q-!-3=3Pw1mQ#2_y0+g5!>N(4m}qINRDA%;Nnb$k!CqO{fND3Y+tqdC=X^=TgYyY2h{KxoHPJC6 zd7yUberTBRXgtjz436MZ$XbkShRUrw-kYEU(}fY#=27rsp3l+fmrj-<*wQ|%M?p<` zp8JE`v~J-K=PR57@g?ES1lNrTCwgocnBCem`)>k|h0?Fslw*jUb?e_L)E;gfIjbH; zu07`KwVqR&^pr)Qh7EabUOb4g%2mmf{@If>&#|L?v5^VH{5`D?cHXZF2{N>0XRIR` z439{NP(@#)>o!JnzG>*CB7khUZU*BcOW85-hh|8JcHYSX#8o*5CD^)o|03v2Fw4C_ zL_v%QBH|bLKsu93hnfxDk_R%E1TlJb&hkuE@|7bHVWIeOP1w3?T^!&Sj}bPc(>^7-&}I6HQlqqz z=|?p6xI7#NDM1QqU$gHmZ0HPRpM5pD^f~LYL*lgf%{anreq}+->wF~-PL{T}+G%3e zLaLIMMjGhJY`z-4&f|Bp%~`SNl-vAhfjJWa!kzdPt)h;)3r-AGlSx8o3{?S!!3eOD z{Ic#<^a>Y?!fwkA#o2C4knEr1qk0saCJ0LXL&}NgIu4Qxyq*mCRJ|?L%9Lo2tFAke ze7&D*_G8RK4a4#Vxo> zIv4Ag%nSCYO}?h&XE^dcV$fOhDCFlT=bDodq5Qt&jyT%^)CEzov(j*hnZQ!}td^2+?=ofLxK@Ru zhC%YE&N}A$Tpz;zf7cI7Alh=nsRO10QQ zn=#7Oo3tZvPQxPj$;iFD1KNrw;bPnDC%S2+M!S-4RV@T-D!K3nq~3hWP$k51(G#PL zvg=|sL=Rjr&f!@jKf%w``7qg5a;w*}nbN0uI&-DbT`A<|a_e$MO$%CN3>!-75}Gte zQ@XN-bek15jc7@{`1k{z>m4Ag^2Rr6sboSE(d7~p-Ys&<+2@ga_0hq$P-+EMQHk?q z0^+x#tVH6>B6FVfCeyb$9xFfX%n2`14N#KzlXU*x%h^WE_j`f(!wFyJlxO4iBfROQ2vR4p zZqZ!&QJj$hIYS@>1I;(HSMAeoH|9yB@nf>Kdc8*|C_$jpA#$!Qt)qLI6!@bReb;Pql_|0{y?^X;hTm`KDQ}jt67~AJ< zZj&f#P3Y%iF5!l8XOlY_~Y-ACUCS0Zk|11^u;vB{w}d;3X1SgAb(7Tp*x+`&JfHE=psUG0mP zupLsLJe#|4zy}0Pz`sgB!J~sBcLE>u55mn1m9%|&>dh{`R_7qEqw9FE4_6xEB)M*EVM}SAE6wbfmde92VY1#vb#jP zeFq$TR(=1ep#4F;`VPnZb@!%$^zSUe6`@THD_`$_lW)D;vYk%2AvYGXzdGZ;^7ZRZ z=U-#=AmvA2Ua9W`7Yotq9(?fCJY+j*Da3DI(7nL>%sTkqU-aw2eoJByvybhV z;Ln|zJd`UrGZMRmQndNedpWM}%7U$+@dvO$*eJNiwQD|m%8`hDL=(Zo#I%#QcN(SB z0W7tp{{|CeKN75Z{&!qQ#;b1O|D|TPI)(ca>jeb1RjZ5ejA+PC;*M;&VjC_d()i%T z2xak5c_4B5hT zy!MhgP}&00=f@8Rmd>TWIazDanf{BDW!?syY(FBPIrQ^+x$7ptcWY?LDgiJ>?oa{t z_RRHnJD%1ZlouxtVc)WBwL zTjJ@UdFhnXBXDz;@V3^x5U@s%gLjrg2|yV0-C1`EQT|o|IFWE04eCo2q(B`Y1<@cS zWONk$hUTz|TxKoJEjMts{A@@JwxqzxePKE@%PT7&CrI>|&(<{$k10SEj1Vb)Ffi^` z-hiWpHm~Irh)hv)@hlXcmUz88E1>I))BGUJ(_k@ixO%|8s)1 j+3!@3eo^1FBLV`_ zf^@^Vd7gKl^L}{uTDv}+4|^?UF>%K~uU}l(9igfI|vC4-T)`1VVY#ysU#=@$KBfc=l13nWuD;c_BVUcv*ys-P6 z3azlPM6Z?QAM1LW{QjgBZvE|b{?e+~u!>11bVYC>#Y=fllbJPMkcyCqlf;o+_`o1m z1{@I@`&j%|ZfYw|xGSUvPS&HBOJ0L-hWT zg`ve0kR*MShMSe?{3@B4?l$kbJ=>G^_tK7@;)tF;Cu1}w$^SRc9-`n5(Ki&Wy4KLT z!LRlgmqY6{f+75=cI84^BZjsRqo=gGdYP(ery-iZ(FNa$3MSzO$3$g=hO4I3k=eOu zgH(!VRVPA*>zm8GwN^Yh0)ENTB1kX3vx+n0Dl{TPmPA9^@#7=TD=x$!SER(f5{8c@ znG$~NsfIox-!AuVx`LC3y5z9bxFGgb5FLkaW%$LH{S>U^kLS2L6Sf?U9_y3oTpZHr zPJ;K`o%%5H^iGJc@P0;ra2SV2Pi|m$H|}978#z7L%OZrgMkLn%MD#&UK_UfiQSoBU z=f_u%-4gQ0nxi6cJUqDUK}5q#;Y>N)=DIkyEqcK?l}kfH4L0R8$Vi1PmY1@2_H%e5 zlDhhBNxQnk-O(kTOd8y@!seQgQA%*fa$Jp)72X1iTny@|Wms|L(@scvlGd*f@j=Lg z9B|=7&{4t2L|i1nUc_hDeoRTIz_eF&LXz%oZI<=tG0m>kZ6Qv%eDRJM zdQHI(q-==Y8Z+HS?vFo71AeI{%&tck@YDR^1Z#p2=(X1Ok#y)1hjw7{Wv78xbu?hu;U_<-?IE~Yjo`0o%@cxS}3;bTzSE|7QzGb23pkn9=sJ>QVAXZd^%~th#4m zcW8nSsSfhDr1e0Jc6SjW=DK=BmfD?*?8>)!&SD;I&)hjGGjp&Wo}SjDR0}<3bmef| z2%)3=SjTPUFpo#8AS3FiddJ3rBNDRPLZS45QcDiqFNKHeMLv6+ER|pVcq2NAWq>06 z++`TVpJU3=A?z~}n77%Jv^;%F0E({?_?)XFSV6F|T1ypQ7N*j1cedn-Hx+xin;;!zkSo({>U4wM-pGb5qEq+ix}&N?Gr7E%`64cvj&|_yhKo zvqtX665CNueuJ&b-LyGOLerUd=SL7f!lex84qA|wTv^OUj_R~6YO2uDZ_h}Rb!FTb zC;}cky_G}DI$kD|r12euZ^`^tZDYYRM{PWfOe&-4OR`Ehk9WX~b0xpxG8V+2WF(it z7H0Wy;AN3irWSAuq43iY;v=bxEfYF4^__2w49T#z6a=-}6k{3H%j3w8evIEfAIjHX z$eI&a-XSZiCNBe(f#M2!b9RG~4_q0Cz2zBA5zoU5M7H5o$S%L~BDt@UGluwA&-!rE z+|4I>rB2ePtP6#_o04Tf34$bSkGSi#-*vnSVK4opQ3EdmT~1e*;G2mn3)nd*0c(jF zpD-(xmZ)$@#oSFuMUCuiW_1vQff~47n^g~1MTxU~zb9#|a6R;u5!yc*plu${7ngjy zsHQ(b%J zZ%ivPZBpoc*7>zu;jyU^b3Swc8cRDQPC{53)z6*f6l)LXLr(k4Mfwv?STkAZ)-ZRS z%p9i2B|I&rwo|c$EY*X?;k{OY%Uk>19CB?_K|umvzxLdWJ1 zaeD&hj>~A4D>Tj6v5*Kdfdv)s*S3)|w+}7-EV3O6wc@c| zw2Gt&(gne03>C|)u_zM*M&A_}{_sBk_1;*885c22&9YM+F6B=0^xl>tGw$&1!Rg`x zApudnLyt_TmjHfx#z)@Bp%83*wTuWB1Z^J@uaR8Y03~jK@tw&RwPCWPo+-kV<_TUx zczo75#Wku#wugJ=s|ZH$n?gzBm#wj|s|4*{e@Ld?A6T1MjBr!^s)Tsoch4^6kCpK( z&wytmV#AsRNfrH7xp?|ge!1w*RtnWxnNoBvUrr(Gx!oX#quS$y;3_?=W8R=WJ3e!P zCGo7aW2Rz>@>DM!#!=!b;(R6Z%dSOrE0}`8+18)QyGSBWZgNY_DNo~W8F*h|(Lhp2 zi*e1}C5Te$@;R7c%a)lW0j60w&!IsZ64TO!*j#D$2oYOFpt6iED17}2Y#QI_zL zH=v5ial^1i%@JSp-R14e;2oIr5)DpuS&JGq_EN!HPRo5Paw_fb3x*aDADoR;G77Nn zr^^jHLj3O3A_`M$8Sg0W2;`(IH^N~+Q^af`y5-~Va(?x8rrCgXK!ge~Q)>Dwp$^qC9?&BxP9>XK+_v_E|7wCBmHpkmX}Ez;bilhLQbp=@*i z>1HM6h+y+2+&CSW>7X|Fgn+!O*r0@Q%g2sHotqI@DV$^+Y>+2EdV|B%vvi=k@)pBu z6d0U!&FB$(Fu&KvX}6DnSUVzy>j}oO?Cm+C`yfqBSj73+6Ou_#8+0bz~Wx2GC z=Kk#UU#yY;-(`&!aE$Ny(Qp2M(?NYI-(NhY*)xyi<>j}jZ%E_dm4+HMRc&v0-u29b z;R{Y46`!~z`uUSy3Js{s=;M8q*u29JfO{U}+1u|gz;JtdYsy8bOYHZJoLUaoa^e&d z_vaYsIgR<00GfJLT83&CJHGC;yDFRX$wH05u6?^{ydCiypT`3%_rlO9U2EcMzICAO zvCdhf?h=t#i@MVlk}fNv<_i0hze7)SfCEV!?8-A~u_vzjoWp~d9H7WBdwWQAWSXKy z1>@zsO-_Zd$`_Z<)z-`NLcFU6=>xblfuc)s#?XUNIkiYI$*UiYhZy?`WN!!dKN^*x zn69EppeBsGJ`Q2~IYqz7U=KO&(qCbFS`bx$@Ge%~RZ3sCdkl1Pe^nU6fJ+-&n%o+T zY|!5(<%~ws`jAy;q?mXY{qte(F+)ClPIX!nDq7D{M|?R%)&J3Zi9FH1Sgo_$V_T#e-bAsGu09NiCL$;;Z`J8)#mRrO&Yvfd z!FKTHtqk_ zcQdJ?^CuXv(VXNP=|j$IU4I9tSleX<<^D{?MV7Z%1C@?r77 z6POzDrZIRf^^Y=+0To2sG5UAr*|L~my=7m+2cDAY3>%YE|IFXG)bmh#uQ`idK-&0u zWTE<e$Ah6GdpwvhcajzUpLhmSz=>`(%tPdu#I?4068>5QkyEaauqh+ zu-7;XZ**HNnfE;o7>HH^ztwnybWab$kDE_q3iv7cf(CX}Rk2!@#)BxUEL&8Nx1!oo zOz(3Yx*m8H3KLA%cbcKZW6 zsKcf0xw&{pN`6+>8Z!cnFVl6aA)vYvP%}ZIZrR;^m!CY;gbf{6C>uu5*Pp)JY`ydv zddC&nH%4@2ul$ zz0mqT_^hne1f|(G^3N6g-&KkKZix8zh2g)rL{zKzN_rr}Tqq-AP9VayI{)kh6swUX?&ONNkEebtJM8jc!l`+;mn{yOxPr9*_BE5#PH(bH`6%suAA_*)Efi#{}cSuqL!H~p=I?wCffZ&wMmQj>s`6+ zzQxDW8)5B0)Mm$L^~pogh`YstwePg2&Mk9-2l!2zX>5wjyaa45;xo=6BTx$Py!cbytx~^|#=TV3w88cMQxFi$PJjV89+d+lk2)R$@odHijb6#< z$$LQ7Kb>*K(APo`%pt&z2&Z_{AEcgy1=Id{T9A#^ z5#~y0S=kF3u0w%sTc4EBgzT?f>av9xfh;la4Fb%caTWfbr+>m=vlt-I^pgSlon-S7 zQX-%#ieZ!}_|dO(%QW0i!O|_7-1WkGW6e(lZgb~5kS9tE%Q)9O8oSSnXsz2Q6;SFl zSjfV$ov_%80_ub^@j?ZzoI_%ZHjcrdVmj>k& zzw7X(?P*~hTr+o=_{rwD^1A^!1t&{jQ!hd>RFB2wJ#o&6cY}H~2JYXBiC~PcY{WOm zbv-za&lN7+3Nn*{#a9lQL{1$G`P|;tbLI`wOt^GkD%x$Y?`I5M7;0&V)ososJ1Y(x znmzyf?meRO$kic)gVZ|Rv{ip+5X+@^QZ{h=hS!_uV6ZgJea2?7OvyJ71%b`>)G;j`!FIbuXu&_B(P$2$iSykY#Z$Q|O(HiiP6wtpvz)M3s#t`|?JQ%0A zr0)DtRTAl1jB$cB$jr0*gd+2#8(92|{wL;J1dN^wz?yd=V`cRjSx2VIQRQ_k5cU$j zc1|G=xfN!$h9t0g4}V$w`8C7kuQ6>${OFK8tmqS5oyq3-N`;dqNIoWHDlwJST=VRC z3$EmQ&im#E%60)l#tw@U#3CwMdHJGd4w(g8pXXx^80}V++|RvglBTAyXo)0m;gzV%$aJe1_HBG@Iv$0Im6y$Sl;%aZaEvmo0EsHyj{_`V0 z4lq+wh@kNBE$q#gZZ&YF3OBcAj1X`b5d2nMkk$Z=V9XL7S+W}>B}#8cw@A7QE zC8pz^dW;rqqeWafoV=AYhg{+{4vi4veqegJAjgI1CCYu5E}uU+D6DB<@I@&*)t z_2ndI+l_=n`BdXOf~4>A&)Ao)RYCi03F{{r!(@aG%pa z=H*v#y+A7ft<8FJ(C>|jIyYziu-!L!<)si?15aJ?fna=>>|qSzV@u*=D-Xo@(MB2X zdH!yR7{+(j2cn1)GIW$aZE5hI{qa5B)RFcEQnqB$cb4YGN&sM~mXI8U%S6PTOa4x? zuEq@UxMo&fOFG^dkD@kW7|_})A`Slu2D@Yc+4L_vs1N=b**==Au6X_@rv;!k-^$C6 zKsU2$Aa~<@E(3G=pKv?>OE~r~JXKeiGeC^##a_K=^*udZ&Ah%?gq=05Um)Wv{**ckw;ZLLc6>S;=cy*e ztdib}t@JSkKoc*3h`f8maNa?{bkQr;I`&px9uDxnXzkc}vZ<9jTIpiTzfw$NX}a=M zQp$~+&~yX@8n8=u09jHg?QJ2>k4#&A8$_t&VSjM#=r}q3q4A#EBBaXUYpxY6GR30s zY;1Qucq4gNyeBgP@iqRWUtqs?U^?$zp5cewD4)g37L53N8^3GCEvSX zqClP@)dBg~qM==LfJ;HjX32&05a+!|e?~hK!khF{gdf`wKGNW}ns%3oq4@}7U-#;V zT?`(eajc#J5+|Ev-UMdh=AG=0jd-*vks{$t)SnF%Ps<)b4;nc%eypPbapu3~HT!Jh z3K(e;$5E3J2`0>mC)3FI)=KV={r*$R2D(sPgr?3xiHh%i0*mLS$7ON`X_art=fUgt zj2d@#-AqH;h>Zn{>ncdAA(}>G-+$Iu1=HG_F^STUBm9nL^1Fx~{Wr_%ZbmeR>C*PE z=`WaEp@<#saEa#ZY`-VD%8$LILx1KFvF_MN7;dA=#B{dQx;58uP|A;o!x|B1OuWvy z0a>te;ND6C6+&5b7D|5WB!S!?&VaI4@z`g^+|S0~jY=l= z>%X06r#qrSs>*)TW=fuiQ~K$5^eBAcV3{=Rk#h>;Cy7nD zfRE20*b-|#pIHNqzm9zeX<&iaZxh=4MJ;O<1UPZ>b`?qN#&Zc!X@v>o;@CB|R`RAU zM+9xy{T>^c3({S;5N`qX(SlK5N2JuZp3}+U6Bh*fQ?@`v56+XE(vLQC)cd zEWopmW5|cOf?pg80cykTiK8^pO>EwlvfEd_!A{p5t$)rQp+{GaFK5*%jE#TO-k@dW z6U=O~pd8$|IXt{H3IoOcuf7``t~~{SZhCL7VZR7=TCiui)NuMcpzPy_|1W~6rUB$f zJIUsgcLC+KJJ-kn+c}73Q%_WQfA>s`C|k?gD-mUry^EH*SJwaxM%(~s*$cy-73lug z<8uc9n^z16_o;4l?0OBZqhjd(^B4O3T_R)r*K=0)Qe1o7yOQ7lh zt0@J`6zldIA3}OVbe}5q+qU zxzSC_c&B4T<9;RUFN@oMe%UIP^A|<1X9!~Kix7R%;8it;j;`#{{Y$pyp!!X(>MEmw6w5%=LYl~yo03nRQk%V=5Hm43n;OVbAgN!ftODq0AK+^psbeWNUg-MJ1`Z%!HOad+s zS18F6&fgu@o>uiS+N0kB(D|axzeNNcqD!c1??7M78bG#+N*Al@OImF9J#}?>R!g&6 zUa)#`y6;}rYQ;)BPWNV8;Prenkh-kV)RTa`Zf9D>IyeDv5xVBN-LN|6fBqW{u*-db zqYORhm9=+DUyh5p>WLLS-XL7NKm0(@!tkpU8s11~8}q@uQQI)|_;dQhHKatZOiz@) zsh^1VML$~{AT{Z4@H4I7Eec?7r+}7M%-d5pltmhQJHjK!;c$jYRme_7l}2IM$11Zn z&XzfdkBCa*V4%NG%Bx`l*hxpYU~de)7{YTgLb!wJRaE$_n8TBFGQLKv-^$eEH%5h5DBb{$JRTOA@ zJGGRCV#8h{%xr0Fepl2neC`8mFCnh>sG|cI-y1t^D1*<|t>Pie)wE@dA-778c6Ov1 zRI#>_Y4FAUI`bkAG-<}JKxDt1we%Sk3$DsHA8uZ2=Qt+GsGdTof?C?oDXWcL*7$eT1hd@DWygp}|-lYG=6 zA7E$=eLAddxO@LVErdWT!q&W7BJ||lS+mMI!|iXxAY;@c#dMz_22H>iQ#R_de4n2@ zrlb8_ciJF5sg1v$6Su^*_Xy>$)o1-+_>&~{eMZ}TK(={qqRYC0NH=S!kv{ez@&2u% z1OE3z3s3wP83Nmcu;f^k2+em0v=#29+Loed`=wCWEuxk-y0DBn@=m#5FLb|C3#glz z2Nw;Nhu~_gvikkTAUQLAg)m$EK&aj3L{GrOi{E*E z)?=}|4VcZlyr@VbcHf`xsGlFa1x18n3-#X9;J4JoCY|C1+)szZgD#>6uX)FQQ;k%5%NPe?8s^SV%Xv z>W%-C|F=^57iP_kF}QR6J0N4{kS+7N?FG&C%5mGf-F?_8J?yMgEjlbiB_*Ls~MTs73i}n4j!UFxq;Pb#~Ru2nNka~cy zC$w1DU@n@jf3~F@U91Oq9S59+#H==iT|+!9%6<316Mu`a>)j!yT0n&PuEy-#`IjQh z|7>3ByzTldoo2RbX*PqeRjlo7{0{lE{mp>Wn3`mpo4X!G0>VltSGBaGKgJOk`4W@70F;!U1@o`{Gn5Fn zOrm!GmdIwNwO&m-sN<8p7DIWf3e9vI=c2z_)oSa;|N7s=^)$8P5%9bGN~bplI#28s z1-(w6zozOPxn6d-c^Xsyn4s8bA7TZP;Y6uP(U55 zv?xfUf)A?xk-q#7<`H@$>iPkd{y$jh@;{~hSS44=>gLXF6yL@E2q2nHfhb<*H2>-z zYjwqtTzZ9R+toA~>h<&COxOq!jUD3;f4ZTNqyD2o9 zPgl|bQ}ig2))vBP7C`rE^Ws-2bi00Q9qDZB2xsmxvQ){)Lh+On#z)dzM$$wDG`HVw zCCKnDcQ{19XhLF@ z)lY8#%-CXrjKX7oFuePo2NToC`qp`FlpgeRsjSroqk13rlhM7ea3i#zOv!}3n;)~z zpM{9gTrn`t`LZ{{|7<;6@S=n1qGNvqHVc_&KJM%?h88|%VEZU z+#YPmOnU$G*RqMtW_JB+3bGgG!VUUgZqqOG_tV01KYmTFy0y&Emn7G`^UnVf&SJL` z@&n(#5Vu-5W36IcBaRKI_h>O8@ww$=A(=^As0w%({zIyVwfRGbl$w%E;V-!_CHT*j z$DmN80-pNzNl8g4E^U8i%-iZ3lR`MX^BYGQdX-W=_`41s__{T2A2=AAns|cU% z0nSW^m|)yJz%8DEtz@IxwR!|o_V2O2v|e>)&&P4axV}P1FmQ*mNSJT3zk4hIa$V_; zjyGH8HF0Mg*7K5`H=4j!7aCPb6d%Ya;&ICmVUSGlEJirb$|~u3M1Riw+=+D_Vg@go zyUWzHCRKHwm^Gpi3Ppb2u}&3j3ID$Io*^ak#MZ$CJDimx{|1kAei@upORsCUiv zmNTFaXHFlxk&S0bDA7otjm3#_nb_`UUY};x^>%dBj7X=`kj==!^HHxq9`y;^SY$91 z?cQCQXdd2fC8oF8-n~l+W~cy4HI{Vh3yR!B z>NuIjt$klk1MgS?=L6{3TF!+BKWqP_`Ip{CjLP z;i&$}wKh0s&t(=$qR-9U^<+hUWp-#x8N#_YE)dP|iJ_j-6yo|&|AO0`MvM9_1(fkj^=(M~=`{c+S7XN00&`Dms-`wW7$-~kQ$=SMg^`Yh>Dm@kC zp)QS!DWT@MN^f~uO;tc-sdPz~d(BL>skp+NY|cU!Zh`0l!m2)Vpv;bBX8P9Z34W~Q z7G+m|>Jq(evhl);JfM3P)G9VMo2-m7_zoBHy>jFZ8J8r-I@IC=wCSMfXk%-QF;5gw8IRC(AfPM>Xyy zKlJF4q7CbLc+*$c9w|e?t(#%(>XJfC#&azOy&t1v6}sQcIVbTvFj2MYeM+yh^=zu*=ruW3nM-%1UKtIVju`*;`xzY@H@+`|14cfnnh6D9LggvC z&8>m)%IO}@qdbLPrV%2aYK!TjD5fwzzwHQza-x9UsD7(9=njD+V`lK>&sK3ha6qD$ zE6wUli~2r_qIQG((dP!Z;pVJL-?)k&u|z+mY5-qP+OBWi0)=o7duDxIVFXj$XHE?& zzZ;L0##O<;S1;8;6ZTlBU}1MlC2DJ5Kx<`j?gfR2Z@RfK(5sti--9cDy zE-;ASc0VO0NP4Jyfz%bnAM*CSSp=31S6thQv0$l&5vS+K%^-@JL4CS$gW)g+T!HEb z7S#{74JWZe z?((EhwXlN>&e=?#!mBr%qFnwAUlxHKb}My@dL7tcfDS6S+2A*25gB-P`|CH}*D|kW zx<=ehAh8Mh*RkSA9Y`|p+CGH{!vDI4&wstt`oB*=m!*Hkh|Qf0*+{#skKf;(M)9yh zmW46CR~M&)Dg1T4pCrEl?9=%tPA`ykxJgy7axsHbjVu$&oDx%&U8IkuEm5yo>8Wb& zk_$;X2tw?ez4qbu(Pox2$v~O)6x%9J`jDJMOltd++UxPaDOgqdpJBg-0IGOm4fQGJrG zKmYwoPAIToHekvj1t^E%O1wB(ireoUl2W_ilLb-~7|hUESHw)_Go#6sEAbWPk`=CD zBr1wl=1UDJ40$Sk2JU*5S}%IN1iP|q5e!&nV`^|&!ao+?tz-VH9d5O``mK4G=rGHB zu8fBS6k+=B?z}G&Vz&_?xZ0cK^_2BGGsN%FC1=hj(ZQ*oP<6fo9twBM%E^5y(A`yt z-i8jOMsPEqa&e_*b8{6YaS0HXS8^jPzUm~9axN&Ve&q=0jUDXGWKF%#sDza}$&F=K z{u!-TqC`OsWsD8e+L9?Q4ut0Cscf_GwuFqabDHZZN)_#yjdu4x&GcGH^$c84jcnsk zz+0MoO3zh$@BAt zEWC*RQozP_8|_~C7_Oxr8^>TXYl&r}>D{o(yEGaR2Dc{mbj4vrIH&OICplc6MkVA# z!hu{dHcfl`bW2htNCQK&8y{Jj=E8L#^b+r&gO*W}_t|K1ab=hGHc1IiB6Rp|`E$!d zA@*Sm_O|teN^w_xj`bp^hF(*x0}k^rB28GQTfInx*eVijAn-7!Z~@vKVh-+1e%Qb) z=OrXSx#HG2Y-2oYdAEDH;ov-w6L-DLb4zt>MDM;Jv}6GhqB%f}&rzBg+hCWxJ2_ib z!-xEn_GW01zik$#6||q zLAJ~M)_}5gzfTccHeluc`0A8oV~RV>%)LLmHgyXsI7uTQM=sU^`e{WOAQ7vK%46P7 zg)8ucl^ht@+pwQ1es5YB0xJ1Fb7x1Vz58Y5+0S8?`)2)1d~PWC zWIUyH(%rz3s=@STp5EV;aNjs6f>=8dal@h@ozZFSQ^jZKvM_si0j@_HndNN#*D9qa#n1^PmuG7CpuJL0O@fj_NRlu?qJp zWuBM&W)hk@6MBaS30BPT7wzAHx|%;-;3pA4su?E8D#Q;YG={@F8rqdRytIIU=K@yO z6TO)XwGY@iu*uuiKPy<4t&;6xS2r9RH>^t8XD!>uEevoJw?4y^iAP$@?z=)X6>Sz+Ad0o2Y3x1IFxfB7ps*+QNSEqq*9SYR)n zD1hnwaSoTcrz+zlB8XpL&{3H7;E9z;%J9_pCDK1t4)r!S<3iynu;N@5rnrh^0Gs(tk2* z*xzkjYORkgZXIH_Cnq2C{ zN>i>GGr>Z^a&~MHV$xs&OS0GBzL@1k%XfM*buwL!F-ZYxKf&tcqz`u07jV&6rXj!5 zONZfgy$;eovI{#AQIWTLQ;4em2I>YDVFFi{=pdq#e*ff2H-K}h*#Gi}-ID~S)9W9cm|1sLl1bqCI4orab@_5xv$y{TgA`ok From bc29a14319ea4f06773eeed0e587b5c2b59e9d10 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 9 May 2019 14:38:10 -0700 Subject: [PATCH 122/149] added new imag' --- .../create-wip-policy-using-intune-azure.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index cbae7321c4..be51cbc165 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -588,9 +588,11 @@ After you've decided where your protected apps can access enterprise data on you - **Off, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but protected apps. Not configured is the default option. - - **Use Azure RMS for WIP.** Determines whether WIP encrypts [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management) Files that are copied from Windows 10 to USB or other removable drives so they can be securely shared amongst employees. You must already have Azure Rights Management set up. The RMS template is only applied to the files on removable media, and is only used for access control—it doesn’t actually apply Azure Information Protection to the files. + - **Use Azure RMS for WIP.** Determines whether WIP uses [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management) to apply EFS encryption to files that are copied from Windows 10 to USB or other removable drives so they can be securely shared amongst employees. You must already have Azure Rights Management set up. The RMS template is only applied to the files on removable media, and is only used for access control—it doesn’t actually apply Azure Information Protection to the files. In other words, WIP uses AIP "machinery" to apply EFS encryption to files when they are copied to removable media. - - **On.** Protects files that are copied to a removable drive. You can also add a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. Curly braces -- {} -- are required around the RMS Template ID, but they are omitted when you view the saved settings. The EFS file uses the key from the RMS template’s license to protect the EFS file encryption key. Only users with permission to that template will be able to read it from the USB. If you don’t specify a template, it’s a regular EFS file using a default RMS template that everyone in the tenant will have access to. + - **On.** Protects files that are copied to a removable drive. You can enter a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. Curly braces {} are required around the RMS Template ID, but they are removed after you save the policy. + + The EFS file uses the key from the RMS template’s license to protect the EFS file encryption key. Only users with permission to that template will be able to read it from the USB. If you don’t specify a template, it’s a regular EFS file using a default RMS template that everyone in the tenant will have access to. - **Off, or not configured.** Stops WIP from encrypting Azure Rights Management files that are copied to a removable drive. From 402fb6538d0f7cef2e079c551cfaf440cc26e99b Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 9 May 2019 14:53:58 -0700 Subject: [PATCH 123/149] added Note --- .../create-wip-policy-using-intune-azure.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index be51cbc165..06d1375468 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -596,6 +596,9 @@ After you've decided where your protected apps can access enterprise data on you - **Off, or not configured.** Stops WIP from encrypting Azure Rights Management files that are copied to a removable drive. + >[!NOTE] + >Regardless of this setting, all files in OneDrive for Business will be encrypted, including moved Known Folders. + - **Allow Windows Search Indexer to search encrypted files.** Determines whether to allow the Windows Search Indexer to index items that are encrypted, such as WIP protected files. - **On.** Starts Windows Search Indexer to index encrypted files. From 7e9bcb3724a8cfc1835b4efe3ebf24d671481c40 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 9 May 2019 15:06:20 -0700 Subject: [PATCH 124/149] new image --- .../wip-azure-advanced-settings-optional.png | Bin 23584 -> 23683 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-optional.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-optional.png index 02138b02a709d31ff3a1c22f09c939f907a810f9..2ac8f45b5c4f2bf46b77dcbf28f258bb34db65e3 100644 GIT binary patch literal 23683 zcmdSBcT`i|x-T4iMFhk`Rp}t0(jkD-drjzw0unmX2~}T3nt*hH5G3@3BArkz6ln zHB^j1pi>t>pcCEaPXhna$?|>?`0IqXk-8G749B(vyg3bftos-Qs))a||LhF#{=y3l zb8irc(dYQjiD?JU01(LPrl!hcNWhcTDSXVNY3TaVykh-W;8u8v=;Y^;ZzGsrf7QOd zclqs`n=t|Tx?rD(ry1u}ZmCUnT+$8yAX?)!Zc%gViyJTF<}9wLH5h9a4fdRPn7jQB zA?^*Emu$JU8L~u`4IHr~Q;WScm-T%|3X$~D3ka%At75*ahbgq~2pAU#A8;82df6Et z6$`v6i2Q%`Iy@2p4kc&#YZaU`Ewh4`8dBu<7IWjDJT1wT@<6AArtVv0Z0XeduTL9D zsjm>JRrb3(3z;6yN!knIe})%fU5b3dt<*S0(W6|;7c7T$+h4syyA~*kncIn*!7=h9 zNsq-m18Gh4E{CX{=H1xXO-R4|`NF;BmuW*TuA8XqGrd@V_Qi%nR z6ksU=3Yw9zCfe&2hM}s`Q-$L(#Rb*T$Q7GEY*l(~(NBiAE}A{OWci6|T)pq;df#EH z(D*FY1>?}3X6(_Bg3N5uGVTc)-2)mZ{7!u!x#+m8&4HSDhq2?#2_YP zKrpZ@?5B6HEQ65fbyne{@Ry^D;eCO;O`lyB(fxr@v8k>#wp>#WV~faLmzs8c?@C$- zYsbd!&-;ywUPpgS44@Pnm`6=~yf|Bp%^3`=#kRDGJu!uL+NF!qE-*MWKMd5mj_1g3 zyzb2u&uCZNb_Aj<5*14)!=~BvCr-h;ut_%|L@h%uhYyXuntWSxvgqEPO=L>) zKmknX1~Q*wRK6us8S!ZnY{ExNw~9t)X|{|Q%Iy4LG{hJUWoQn0C^G$3ry0UJL+qru3Q{d)%Qnlvviz&n7ug+QKdxF4k>|AQF_nT4 zCTLu{32RDbeP|)r5`TZKrL6?zU22Gs)aT;6x5GwyQeLw&29YVxA3|<)--qFhguyc> z%Tdm2+6l2`=p5?6IMWAJi7EY>M+6f`1$f{C@AVHN#ea#CYTZZmdP?{nfuE^Nr4GPI zXKMF0lkWva!etZGHyh9uwlXGKgR80LgO=97O8C&vVo@qJIo%z)(S>myDVKO)(8ol? zHubZUqUo$TN|tuPLbn)|K`^k3VqCj_s7j+PSCfqoPJPb}vRza6IznkzoQ`KSHnfpwjF0GHZvc0AnYhg*&QAwB4UgO1#@|_Mv235ut(#0)_;Im{7txbj zsfCJIloZuXHi;Uvup9Cx6JQH8?R$^uavel&SVtdL6|GOBGzT|)w9wb(*3)CE+!uYJ zS#7q;(8nQy7$q22=}(k?*Gfi>$C~-%>$e87>yJ#VDdM&jTI4ldndMXjIHM~+dfWB3lvG*r0Be17V z3uO_?sIjI+Nfs0=->u%Zj<0CqSM1Um#K;mNkyRPirrG&%JrH)f2eJv+lsbwWa*)HO$@Bv z>4+}-EAV?&2G3av+qjsAM|f}g3+_r>P~KNC!UF!W$$ka#I)DWW^DScZNU+cp@ehmx z!-@DyU3-Hq4Cti;8~cwpRppCPc$Z2VVl#_mXRGJ6tF}v1)UhWo@U zWLW+}_L_$h@g?oG#TF&1cBI3UG6xQ3@MZ}El&>IbkeKYF>1BJJ{sy(0pCFD#&KbEc z-jW>2?jIPJ6BX>m47X8)uTF)d?TK3)tWGn^EivPcM|0Ka0&M8?rq!Zsy4(;x_y&gW zeM9%0L&H$0h>1RXOh$`^e3f18b?OLD-9@-Nv08Tv`ehbv+5Qo$=cw2UbsKK$JxW#D zEce7r%K{Vq*0^s{vr#{Ot-5R>2m&o@xQIO$6GYZ#?z=A{L6i$L7`Af~F5^rt)vDw> z1t!&0%hfqoY&SEd?w1(Ti`=6X>L*5fr0%94>6~BVK3p|RZrhIDbuGUOzO`3eR8YMm z*%s@*4&~4$CL^n86>K~z%`zBX0=gmR!7L)gWnGP^X+kVns~lJxTtQc_hhs=`YhCp! zTbX|N--|5#fiX%^v^E{VwLGIT9xS$2$yYY0s_9~1H`95~nr1U^>~8rsY?v}}z;B)6 zGmvzr92F?(oK8G#n>5wh;fqz(bie7OUuk5Gmc2{_>+(#GI*+4DE~XSM6!VIhYBnlk zI-+@Vq*!aI{b#I#YaWSW)oYx=d!;b%%KoIyjCfSsVgL-59qsX2ffOqt_ui zTrPO4W?zMHS-CDAmL4bO4kq5r8dem=`DX?5DhU&TRxyv7t}H6~nY=BS96PpaH2vnL zC$6PN6q;oZ)uqcSL|1zxEf+bEho6_3Jfzd_pd;&iBPREslt;A(ZyNVme<+6f`pdQ} z{S|0Dfm5K`LhpD)wh^~&`$%guSs%1y(-gx77y6?irHqX^6=-5RM?+ZbidRhHovfp5ts1gbTr!x*cN=Q@I2=CC7*gwD`~u@QZd>9kgEEI| z--lv&*IjG6a>k+>vSpZX=-A2+-rR!DsJA?W{Rj*(os5v{!kZbIW;9)t%Z%xk^H(0y zZ%N+il)5WwBQc>|Z_x$TKDFe0Z*a`YyqV;NH%&1ZUg{Mavej-m-n_k+Zsg0?`DJH~ z6T#0s5*F^e9I2*3%zY^+TZLuggZldzUa{{0%B9O2S+h^e zl+;Gre^=(W7B)|7GUa%%UKQlsu-vw^%`I14nUUOU>~5(m5lFQ?o>zC`N1R}eFSI#4 z*k2{7cww+52ea1Hrq&{l<@Ts{e^*J&GNH%ni8DbwY-_L}>m zi2LTxosCMx^+(<8R;Sh0Ym4yp+}$QIePchc?H|{~oY7!?=pa>avO8SHjqo}s#=IC? zSs|Q$Hd-biDL19t`$(ibaQFrCgP^~jwCoLu%}rE4>q^$g2s(|@F&@Zo>Oe62BCD2-m8DnV zxN)iVQecy_h?odMCGl4BZT%>1c;v?ll*Qx?{eiK`FxMsEp-i9&XE*47`%*rfMrYlrIzLk^_y$^9Ca$CS(>19?h% z68_R4GLK|pfUS8AL6FcVlwLR#C8WJspmJFFM4sL@+0SDEV-k%#JoRb+G#dF}7G_pv zBLYq#vz4DQ(zV=gx{-o$Xkj_%Y(M~WluMH6E8n4W-=6=*z?$YJ zqVDcGjQqy?*=C7J{^D4lVYtz*E8ZJlq)_lFrX84u25`Npf{P*ey zJE$~L=$3e7tlk(ROy*{yjQXAhL7{0h>>+OKku4X(^7Xse>LQ$f&+x4Zf&iB!3wQJM z5-wGTT3{HQ{0X-ixce3FXUkQB`q{3A+>SZ8fqTion)T2&H)o(n{l|5=V0b#nurDh1 zlh@hntWIBrq{yV(k^n{haQFZ5RaU)%AQzixK01Er_LkO4Mo3ZnZXJnofI$7jcCL9z zjk1X$2vg5@TKh0Pif2oGRdlSo-$8<}Xurcj`*|ru&45tf5gROlbd~i4s6T?kj*Fd2 z%ziuQR5~}A@ZMKV8~>bEVR+>wz)#BCmvFzoR~QcUHl^aU-8fM83xVmQi-cVDk#d`v z$;qaGjoEzdw6Z77fh)tMUUZ!+ldyG1W>vV?C%Xkn;O6`q2Numo*I{tYho!{Akby)_=*JScP}g+yt=Zqtb*_K zlUt?#kQbfp(?yy!;5x^2Mf9F*$zPuYSE2+MJeD0nLD8<<;3TUj^a_OGAcB5sI2@wuPZcCfd@mlRdywY5w%q6fWvwj?Dv zV9s%_mQim-!^HmMo4E^x`La0Qu8nAZ_B1vjY2mV4u%=3xm;F5S%VykY0b#u$mV`*! zd;qF6I(EE54|+#Mw@>UkzZRy=I}+|p!7@SnPiFZYc@pWUXZ;GO?CBE9jlndpsMpg0 za|8L>g4m!P_bw^-nU>WI;FdL8D-0Dve3j&`^>6&jwHT9L0ersF&oiaMO@-1Iw81%d%q#ujN_uJhFwt-qk!4jK!b?o?zG9b`-2 z8h)|WAJ;m)nfx_3fVC@N6-V1&XB0k9Q`LBq0CBU#XrGP2b(9UUPG@hiKPV8t{!5LR1{)Z zA6leRqZRd%B{MU#&V8yoyEsZI--sFX@&qugjGVoU>j{6(`(OQdYC3!Xj>sGkG`!1s zl=?b~uLA#TlwXPN00Mu*MF1D6P)?7d`?>YM+2T@~P7^oYYz_uIG32wBZFKDdE zph=r00=|L_2H!jwpxMO?zy>~Byfdmnu0Wyor{68UF%dUlU(M>ow&$$%f2oL*QTf2E zGymdovPo9t0HQR*Opa1iEmXwGoZ4IEq5gbTz=`r8f{m5rV-S_LeqkQNB9dBgWg?T- z9Mi3JdT8-otfZ8bH50I_m*geA_zkjVFTV46+WFWWxPm|_VdiRoggn%^>d~9Iq z>a#Jcdf3JQdip+kKKmRU z9(dgXz5H_Le`!dvnWKyI^Yg!dzwr0>4+;trXK@3*epn4m-HPu_>YD%YFyb|723*7CTFO% zD)Vc2TcdhJL;3`@=&1&vhWYvXk5KK>n)O?54X8VIy;o(~L(NtRK{@@J%O82UB;mX&=SLaseHl&Wk4+i4*7x_A& z;XL5Od5_lLi=CaFO}?i=Hxq&0epKl{WAkNL=74M(YW^^u^N3huQ#`-W8fr|@J)^FQ zk}h5^(zv2rv7&7 zp%49|dgYzY&xGzQllOVXV5R)vV#W24$q`nW&`$nyYN162Y3Q#loE8pMlYH3-N(FGs z$Di$(+nAny(zW?9I!GzGv(PE9i82hMYI>(YpO%6DX7{k@Iqsaj;0Tll{l`gWopo#Hd2V^wUUt@uh*6G+ zz|Ya|PV(38Ps#1#mW;#NM5%kDwz&J+EEE~syg9&L8b#Gp~xz(QK% zOia0gqT~NmCj8z3gyQ3m`FME^?2J^brqn6Kh&5ge!3jz(Z{ZaW7y0n}49okgzw+DF zHVPPyv?V~FKX2Y-?ZV-337*Ah~hUL~w8ZEx4EmH%BO>lF#_ zI_G>3+1Fp=TUXaHW7Tnl>bMOq>`zmGPozCg+E?u0J)swS5FXQtamUuF$-69QMY1&LA)|^4_&&Z7(x^_H zZ0&$5B5PAF2{&A$YmWXNNLkR`P7WqQ_}uedv|6w!=1kju?TN6hAFG1tZ=KZ?wJ;GM z{C?$OON%ou*=gI^dTJ&^$t~9=riTP6&A%BD+d2q$|ajy7~s;z>Sx~_+YmDlirc4NVah#=lnA~nLrSVDh5 z*NPv_+1DIgm=bv*a(Hc_g31`Bg*1|QMweE#EbQzsU6$z7b{a8E{JwC7%E*m|v&`!H z9l;~!5+UAxq?;n^X4A3JO4<8y3A5bHPa6G7=VtSuRnAF{EYGU!8I)M##k0~oz>$l49@N=yw1DsL52B(e*Jh^uz-swH}8T^ zudcZ5X0bLr(6h^uMLx3Im*`|2U0p;4Yj!E~GvvC|Pu}nGU>PG~OfmS8wdrO{=Tjh@ z9xzrid@i?)F(P(A0Z+MbE&Q?R92-;#!q@pgmWJHiD+!JqM>x04I~SDD4+YV52#(%CTn z_gJ^zT5?R;nr7jY`B!NHGlI0l1~&_E0t}^1z|L3P!;49kI3x-%0^oEGKvY02-~kvs zqjM63C?&P4(NubuYNZ3I>5wdYM)i;UITaATY#kaX(@w8uo9DTFepB_m?BoJxktkoy zpmV_%jogJ?E2O&4K5M7*&==U=F&Hp5+Xz+p&eYnaL~{SypfxGy+x~?W=jk%@ov*rD z1qs=#TI4&n%}W@|JZd7g#z!R4KeBe=rv2e0BZ6MY=p6_4Pvvyh1C$P-OGt z?ovt7gjso}%5#`CR^HvcD2Gav(FPV+3;DK6ug=MFtGqkw5a=@>7OpL4BdhqgdSN;&7>D*=3NlGSD)DZ_|bdo~Y^` zRU+kazF2|t%HRXNdpyap-yY())6^w=89VbF`-5BFniD58FA2-;Sj-v>ZGw-2jn3X! z27F0tz01qflt8=N8_*q5xRp(GMpkZsaEfF8V{h^_ypX5Rt_yDaAcbk$bj(u{}$f z1DrR-C^rEEogl>uro-S&Iz;iV4`Iv+{H2MBnsNe$)6)ZBCTq02I)^nS_3weI$8(T8 zZq(T2x{Q=zc|kv1w^&)fu;nJ}*y#;F1hPq;V(VuRDaO#u)>|8}CJ2mfXdt?d@$p zKR-6XrD=9f&a|KlpwCx@MJ1z)9Kjqblh9hL&(Q_|(;%NOzIFn1Um8FF*DmPtGM!PA zwb5oUNm~23Hn+VkNf7=AC0e>lG!$If_w4=oZGC$0&!1KL(2!@FKZyRVR#6cJySsZf zPU9KD=4#)he8gE8I8K1x7VeCGU%$D;Z$07dv!3K}4Yp6PIh>_Gnw?%&xW>mGeCTFw zq`XtT%b5cL-3I|210YPm4Z7^b5hghI1Btn){eG|RuNg)D;w-DbekB9M>2<${Yu3kY;;khW_Zy-G&r-jy zbLg`0oC1AbUik-!n6S~A*qhJ16Oud}+U6f07atEl)&RHxBz*XMohSIr-Z{nnySQJb z)4L_f3S0h1`|B-#<5+W3cT+j*8*21mN6z?GTH(@!BqcYS&6GLy_n)NJ1JvcCKO2tX zv*iw_KxcCSv@DZdyNEcX3bo!#?~FfM9xsP@QEgfUXa#@e-ZexF`9rwRWrwYRQ1P8x z*++WH`%5!nw|KhO!U7q`^5ti5>;bThW(MHOo50BCHUd06%I$YIUUP;foZ>PL$nz>> z=3crMZy;c^j1S`6*;0#}dC>hTfm3iOAN^@PB6aNE&c>H7UmV4~00IRav2z{TQ5S|z zGNHf}q} zOPX;4flL5DlQ29ye0UhzwfX43;2Dv}%;9es4=@LRS09D{iemg5TX+Jn1;xW94<9A< zNhU9_4{rrQ@vtW;YHOq3e{<^YjFg3*Yc=iXNS_x?9>DM)0SqtvQ>fwpoM5a2;Pq`@ z=P||4TQ9eh`!6`gK*@jL7|SuE`_`_Y&rko!85molC;)A3Pqz+NfHAXf?UFgeHj`i{ z6aGap2m#=QQ@{Y6`#J+Ak#KlS$mU+gdLSY-W^N!+*u z`h0(r1JJg>PbOwII7S=QE%Z*SC3UIP`O4=$0eyZc%q2--z3dVc#{m>$m`&f4ab@j4 zi?G(MXf}XTa<%+L2fB%T-lm2c^Z|2t0Nj36G)PD(aD8rWWadcgamPh@k#`)fp?_+4 zZBhxrof?J-cddag`1!W5fMg}mvtncE&S?JKO(NFD?H?Mx#O!@ncLKf4v2b?fR##V- zlaq^nAKb>l#x{xdR*w+D@l9nN9E40214=??&AtghJVsO5SC;_70;glk@eRB(R#fp_uFTmmWKDEMSN{)g)yV&LBj?B z<+w5=WLlQ2!^9_3(L1VfYN`odWseh)98j1qHIs>HQ;X}x{r(X~yHK+0b`sRo1gILS z+*K!U+vcVyyH=wBJQ%bzkS~?klP0Pd{O6O^Sx_~wC44y`8(n{eTKKLl=+E9wCgd=$ zgEdp!IHx&y{-Eu+YJ77l%UrRVM9X1w;o%jpC~cmZNSVf#c9toyh`>sPPZv)jy@zP$ zM1BSl+4)d4&5A#tU$;P5UtgZQ+LvZ~N+Q;1==TfkeSNv0vNH|+<}sx!h?n!-A{D`f zP0@)?0Wk5TCRHT5{VUH}#>Ef`2dE*uF^5FKor%sQAH)YuEp^1Q9*fZ$dFKTNy!N(N zjV^$GmjL&+F*d2d7u?bI?Bhim^a+XfXn=<^Re=$eF)&+=zgZ|G7;k4Zgw>i&hRW*A z2D@XwP2TTCU*}5|g~vXyjAc9(Ri3INMyKD!zMx%pi>K_WEN z{UhBA`%tN%9o!YZz=0Un{86P6E_9?7|F*!D2EO zFm6+kbhRf+5+|T#NaluRH`6*er;>zbK6Nm6{Dki;V|->g8VWli4vhOQh#G8BiO$U_ zeSLk5=Oo;vvIv| z4YMIHD+awHOfKA0(K;%IFo}?{9sxGc-uQpR2>6!L8;lK3denKn8ESnA*E6?1< z-ydf5R|ytS+v#`bfuDP5DwN)VI8!UP@e%1Jaf0ZoUS|aDK_BKufb)M-Dhz|J=)cWw z{_NRH8jLITjop_Jc0za@rsOPm0W8QJAZ+e~!kRC)@u?rQtq!#W_~I1}B6(C-lu z&I?twvKR+;v1fV`c(H6hc*$}vwOX6kX{X#7TDL5gY9m}Ie=a6Ba5&w%xM8aV{L{J4 z?o>O`cGIDKu)=}v!0J+o+6~dMCFhfHcjlBJnG|Q7R;SL8x9?0Y6R^HG3sWXT&vI$JJ~nHAtAJt1L?g>k}#*6!UMGC8J4((hH$yc8SqE*hek_+b-h4AjIa zMY^<%QsPrg9ZHAx!OYlt6Fa+4MO9)ehu27T`f@24ZppUX`btPom-qLen?&>iT4v=u ze$asGNTLOt$4izA`L9{dRa^STk+d&~7(gD9ml7tlBpk&{uHTgBPe{wHg))g+QI?zN z37JJuvaR<~)xv$)D=fCUvrp^KAYe6Eod*>Gr{Pk#9FXLD0!R^+G>yR%{nY_?(_$t% z7)ZZL<{n!;o{SHSOHxCBQzNGfX)9z4W)a2DJ-4$piiHwKc+xa_b3(@3Pi98z&tr&J z;aA{^Gz89C6Zs;wuuzueJ1ak->XIFWu@tOn?Pa3dOROYYd{nJttg3WAIa@;N<`|*0 zS;mXJpvS%t z3=U51y-FAQ3Pu8)!40|n)lm%|^p6bCOW^04xFo+`Y79FH-BPd6eU&hqciiUg+2&H? zM$d~nJxu4nX{2%NOYpc))_;*x1KmGYL4d0Rhu-Ih|J7*+oIrq(=@k%A-`LpL+$_%$ zTU%Qz`9frA4G#ufXLImbYA2ghI}a1!+NMd~$H0mcj+UcmZkNkvI` z|M}f`EJNAFwqgYC4-!+;Vtmno)ZU5mYo9;sJ+4r4Ar17HY0}$`JM95_0E* zpzPpW>ACnr%8jr;H+D>Ra-^4jP(7OO&h!%;RRRF99yx8t)oPcQ>m!dR)G7YiLaVFN za!ASH@}VU`vhD|*lw%3|e=>*_S{&hjB?nKk{+c2bsiGT|ZpqH)v(dPhfdAn(7vBxkYpCOI_j1Ca6sCs&Osni%J z#Xmo9csjHKI(`0TaqAvAY$u=dXj7`Y!K-n6so{R$kH>of`+bVKt(#nmyIr2pXBXlX zX%nL0-HnY09_;^slHXf@P3@R|^3^+{rP!qQ&UJ?Qu9^yBY2`D?!Ny+<6ZrL(T{RUtw?w zaLdP^-3Vx^t22ElUo?xnO4@MB;3#j}GCy3@eQZ=b_4+VW-tA~G30D`1vU--p`(Dw< z<(yIB7JxZ_+_`e)idt^MzjXT+Mdx(tiS%w?Xp~^61#VC6AY^QDW#$k@u8V;bX=_PK zdRfq)(b@!lQc-00aq{5|w9a?sJCR&LW~vMDCif9r+o5N*tynN^j&_0{}lvEp4x ziU&oG4)hrf5V&#RYi33?odYqk6FYtQvAq27-k%o3;5d`#`a2r{8I|ZEiTxAgyLou* zu&^HdDQqQNVE5GjzR{oFrgrp4RG)Xab8ed89}_&|C{sZI_JUMTNJ(Q!(CWW@4uAi; z^`o3OC$qNKi;KBWeiVy}jpIB}=)79^=QqqAS~3Uvo}CN*VsLDGO!GZA{hL?3|0l1w z65&H%-lw=~X$9eW`h`7>M%|Ur2 zm8W?@4b9D^dn51 zAE1nL&v&W+0yr(uuzVJ0g9oO@W@bjR#;2$Kta?21fx-gpRm1+MmGzRvwsvg(RTIO6 zwdA!MoTw9^;VCtz&`ejWfkBBj?D z;1CXtzn?oM`vc;feX1TolPO<^L=-4ZJf;QvRpM^e!s&0dby%TV*}l{TUF(ppqVHLN z`yeHbckTz9w0JTg#%`@Cf#I z$0<_meKeg?_!(Zy3Tf5n4aCJ>6ITKMymBzevtR-rM_R5G8uzN-mF=2HQNF&jj+~&D zt3mkmZ5w!Py`%Wj>y+4Kt=rWST};+yTEl>o^_+6_dmv{L0?2o;aKP(+QHFT#3Sn<% z(4U{f%C-v8-mI}{Q~1~VNU8WB>qKyBrKbd5(EEs>wUy#)k?d=L%9inYaoea*ou|7) zp%-;=ZEzB8k30zINm@eG0@=rY%Y;HmX*)9lCnrkewFl;Ld~))hXFsclRdXOT{5X9; zJIh&i0)&gNdKWvM5d9|^SWny!^PfrzrLcApbgs5un1^ffIU`w??vl9~(j6%V-?BT& zMS;dSEVbl0#`GF{0?&>Bhjl5UhM%ygRYzvC9h{7JQS-JgU0@5!mzke3NwN}a1R^z2 zFOdyE%%&;U9#G&#YfgZqU0}CZWvtmT3OJ!GvOBYxv}OAVnRoBeQS)7kM#xfJXbOZ) z++GI#d!EV$VPyJFWHYNK+lj1S-r^P&+~I`G_IFb~pA{Cpw`1p-1bf8Imk1U;dvTyA zM}+)MBwq-N1Il0;jiMfT1em9lee1gh_!bTZta?A0I>R;DTKI%UlsVGQ!Yg zG3}bWuv|_aTdjuq4_pmf!3g)B3XRk>^H_Jm4O|foaoA^QD9*4m_9PUEpRFLQPSk1t z9eN3v0X9h}a3i!|_!H5%k;qh^{)H+@To8Lh!gXRfF0^awHN9{4M%CR+@ChD>;==pE z*=fqWoSaV$SXsg_YH<0JMT~5ep_eNVwNI^t*5z0l*#S_SsTxD%}KgXe{=tNG12R( zhKxs(sM9=pmJ+l87>_r*KL-Tm#Q*b-75{QhH@aYORi?2CNM*JCOdz>=X7h->Cfm3b z$dwH5*;XXX|E-7vj-5cLmo5l|vs$lU_}I^P_}gyF`d7>i(dm|uM!>}T!FF5n>qCBU zgWqb#T+Syf77l3OMyEh8sjo)Q_vC6EyA?pz1pvWXRKPp_!S-K8_Wr+2%b4jly#C*S zQEKOd2>R9_K;b%unc;-jrZWd#JRBLz0G`Zu`rAiy4<0f6vb_9}Y*1!8Ga zxth85Adp!I01f!~_+0j4oB(7kmKQ%T9{*>J@E>7k^PBRgNB@T*nve;#(9NVd^jAiX zFiM?G@=s1hz>L@@{!`TyCJ$cE8Vn01rSVYzY}i=urD(Yyu1N9BKwdz&qmy>yqUQk& z!TxA-qyCUO;}ofQuqT?UG6p1C?lxAd@7o@&t%-1AfVkSRS`Ow|UtLYnQ4Ib4P1NhD z{l$35TJ>MtS+fj+B<%zE`drKO_YFBUnfnyw@CFF;_Cf!{Op=1ae-6Rq|KG-Fen%Ak zD?=kGDH(WhcN;$L<@GGceDhu}lfR)c6DGXZ=H~aldcW-Q*SUED7?NmI7)mw}VQi_WJ5;41-Vep3) z3LF5Mww&Kn>xqgz_B+f)S_=Whl>9d#P&Iv}x3@C{VLWk+dpqMpv+W{{ga3$C3J!aM z=J5pd)1q$Vn%#O*CFVZ^(Fg?@u#p81kGEPyLes9h=+8)wy=(=VWd?N9`+(fqGq&t( zufJg!!jRb-^A7^TH8wV8{#DBG34EnWx(d@zF0svha+pQf z!;JNt0)j?)+D`#On#a?wRtwZ$MMchSO|px?*X4feOn?W!@a3fO1LX+;oZ9)tMMoG+ zogp!P^!4l4K)!FWznzxXSk>BEE?3jsyjq_+qXl5~iAuZNk4z&o=7gviZ|yrJsJl}F zQ=$qgr$8mI#bS=1V#VD7)EdxBf&ZVq=C)X2y-0mhGsnJ{;_hPZ2#b`*^gUI)rW;YS ztK?)U#Jk0R{YjTySz6dz5J;~*qeBgd+{EGUbTRY_bXO$Io}$}KgdqcOOI{q04xU3! zeutHs==cfZ-}kaFYnoBC$&J}0Vr-{f%JBoY+WwL=R-W{JZ(~k=;vIeCh7T_pCj}$;_Yx}zF}ic%@cQ*wL!U=2pM@Pe)!^m(9K8r-h#MaI5x!j4(b&*C zVO?x8FUPn8#Jib6=`I~S=ioGlko79k;lW;-s7(tH?PiSykj-?xXRg($muE_>U451# z`tR<0+5CN_X;Z$oOJKzacl!WBf4f+I$N$L2AJG&K&c2gueudr;J4`*#CivD^7F`v zq~uYvC{>bhpU~F69drJsdBZXNc7*vM7BY z0fjfUVfsmeQFhrsuQMFdwDRSvDuDInA$!r|%lGsP8qT{HES;R& z=Vdx0u|kAu-{J;OEsOd_93XZA`VD9gj-U28t{et zT3I&z7;Vpei0JNP(Sx$v#IC|!+SR^JqXJ$UxX6K(>Akr(raB&Dr7N$Zm|=uW;k9~h zcL>!bK=Fg$NKt1bqG}*=AANj8wEW#Ypk=SdVdRq9#IzsbrhRg9$!Kt`?D~@z&$`4Z zU&VBJMqJCE7#|1q_g;{e$Y|C$~DV34ZVBPAjXOlA?Uch z^s3)`JL_rZ9VMq_PkxG&h>h(Po$(Z0WHvW1>|?%b=&5}03moJHCwePH`<(3!#F{1r zYmNo;7JK^x+bqQ_t~gEz#_>S^Npj!04-0H#=mP!~M*6gGXXu|1l&9$g(z2mtJj9J+ zS$MgQyg$bTiZa@Z7V2^7MZdDGm_6uq*$63DIp~$hDsxY2SE%!^F%st6VH<)XVZN8f zD-54hR=SZa5>0asF|rR(d+|!;71X%MJpw*4Y&e!x3do<=`>l>oHTqLw&R!d{?MAF1 z2g?;e{ddNU*z$}QYBaUrW!`Tx&d_YxBhn%Ao$!zDa(Iw&7Lefq3&+*Tcw^eU?%_WH z&o>T#n0xET*WJLa-&<&LkI%p8O{Jc8O|LnG&%=5R3>m}?Nvah$R5o>#u<&1J9WwB> zDnh3C(SorKzM1#7W!9bf^glAjq->X7LPydvREk9OUQ z8%2;zpY;P4=(EGKiGN;8f`m~^dRSo}`PI0VfOD}L zWSA=Md)VxafpkJQ`&0QuyBFZjop&+Xv(@dP3wEx0^jh;AlzbWSH_oX#rmpky>tGcg zUV-V)Xop5+V|dG@4EQvEOgNeS1HMW)y^J8|UsFnTZXp2LKKufT4xgDW=Xn55KjZOU zP9VK-Y>{uqhgq;xpj}Tei<|^kAf7C}_*&MEOTqZmr^uR^*v-mJo3WJGG>by2c5S7g zkBR7Hx2*7To9Jd}MO>OMa|1X#V{OdII7)C4v>2RHw|uobDIxerUxsD7ajZ6O;STB> z7;Y$O+QT%M53T?+(dAX&C~}_ls_C0E$((c5F^U5F7}Nv@FYwMf%_m0lCfzV|dx~^Z zm9VqYCmzhh7nqB)fd}T+n&ybS0Wl~C4#+8zHZ#!`50)Z8^`!@Sp#5wJqM6}L8bvP< zZJ2li3GYvInuiu?A`1r?L!2XvicR2~lbXjeJkLpIpAI#k-}*lXeXwJ<<7&2tk(2@n z{@D2&&j~AD*#2E5eF3+673SHiUU!z)+K^E5u1i~@xjA4aW$k>XSU39h zCG-RK7;t8>wGzvJ0VSi&1Nsm%>gb$akpNUz>uNh1uTUI1R{VPoMsKU};!HvSHumh?4^x@cYM? z*PXjyt<#@A`M!${-TpGQcSIHX*Ec?K)*bF0sk?3-RI87dBm(yRw|u7T(Z#)ETjLXN zWbAdNW0xc2wxq@RV~Nh?uTjT4$8q733%0r8$IoW{{X>-ju0DX~wc4w=|4mVPuQP1F za~jinxYFv^#fF~iMuloE8I!(NSs#pLAEaMO;a81a)MDaSjVkN7tZP1UR2Q~aXH@;t zEGroWbNaY_TD%P~(UE3d;tp=bbzi@=Q}UaW3RQF4*m#pPZTM`S8U#*LoP4aG(F`6-O)@2o3<%oKnT-{W9iA}Vs; z2`#oZu6=zF7hTd7$V0#aLxYjB=-;%c62}h`3 zexeF3a}_&O(&x~>XKF(I0M~Qjeem8w6-&NP28Z6#*P~RE6Oj7UUeDfH^ugvrfRl_c zk>X1n)A9bU|870Mo8UI>x3yl)&#v9$L|70xP^bN9@XdfPMMtJ@r{j|N3h{47U5Wg7fZk>T7J%~>UcMuU zdA24DgX(6esyu8V5 zZ4^GL41C+yu*r4#NBNB6VMh~8vXJtDkbLia#(u1SpVna7S|i6|v& z!Sup$x#DSXnaTlJGhgmT5vJjc*72{5*fv&z80qqMK##Q4>1F6Z2QoCp&WXJvw>iGB zkH3qqG5kI9-0he~5!$tl2S1c}(8gLmy(&5J4^qS}58w27vr`3%c8Rx&ooPci{DEK8 za$4xYd-|s3fFyHvL4v}kR)6V@N4raJE@ARj+4CnF86bu7Kd+X8g?0*j?(xms&bK?6 z@ou>@1j7DY*h4il&>-uBQCYcmf=L7c{_6wdgA>-V7YAC_AG%mV#1wgk^s9+iQEyn( zEVl-+W#9I8B9m?(k&M z(JuGs1|u}wM-{{-n?imSTgg}BHK0A`a*DXKy|X$;?_s4l(~Y*u8984OZQT-n4t0kF zhFS4zb@oayJ#Y41ow~neJQXg}^ooZHxp!wqU@&qOXD#gEq1sHsc(x{g*Z$s^_lEC! zlBaC9>e6zePno>`-BsVHApUeUWNpE?&r$EgDSa>##KyevwU+JIRZnVYM=j`cu{1E} zJSo4z9vD5%i(t$zdhA;LUez{tx#meZh1fNZ@hr2ay}3HFAz;ML_&`gJ#Xv&BiBk|= z@HNp17`Zd;w$IU*a1?L8W5?b(L4R5QGUNoG6^9-|!W3sorb)Y%3Aitox~#ul{2$Gn zX*iqd{>OEhV=$_U>Y=S^)lzF)#Lkq8iZvvm_N}#)s=Z+_ZFNCIi%>Mw8ci%ygodJv zB9_=1R4p^M1hrIbLFC-&^t?FdI_F&fm;X0;@g%vPC%NwDzVGMv`+UCsYtoCiE#_>q zlQ*2NINO%X^r$5{^^&vd(}N!H+8UYPBw5UaZm3yT>Ff9X(u7zQ?AD&RNb?JFX*g#s zeT&-kL+X&^LWlEGSoAwuY%65{n@&ki4<|aB(~Py4S~1+H-D``3yVpc-F50e%zU(t{ z{Ub*Dgd{8MtBj0JN>}jy3|s(aXv+_MqNlVd`cIb za|WIK^@_7!9(d_8dusJL&RIDM6=by#k0J|r)xr>xuDF?e7quj~lEQVq#c{o;oDOpg z{-Y1wn}8G67#hTOJ(BZo=-sUIPQ4~nubDpszFeamyFS$O+9Y@wF;m_0WY*#By~(mz=(`zK5u8l_xnee~luBmV z5t7X?{b(pE#xWP^aFe$zbg$%3&r33%sWfU=K8odRuc(aT>(++Y$mIUg;Dqe#HYRyt z{Xve8KW&@{qsM0JB!B_yQ#58wU-T7M$ibh;zE$ESf?#xaeKfNO*^7lVMuZ9QsLq1F z^R%ArIdxW?s(ks%WzesDa#&J%8cZV;ygM>CMKN!m&gDs^uP=qy!33*m3e{Fa9P?ZM zdpGjfI@VXp59zVyLMi zKFS>wN{}N#>4*o#LYG5hq`Xc=p4KsPKIxNSVrWoj^l@3wJxpV0lh6KwOMxaSvDWd4 zK(~hCJUIp$yL>aNuGqUjig-i+Jf7q|#J8v&&#>u)kJM4rYW!>AZqksp$WP<);u^so zaw)ci+T3HsHGRq2tFg0k78b@$n+fSbF%O-TfZy&Dq~4VyjZQ80-H^K5TkLO8y`hHR z_eV`jX65?u&WCGf15ZI5+b01@vY^{@k|!xg?ESts<|BWIJ<(;yWE?IMS zjb0>ygfW1O_&J3&gY>b@rLlpNfZLbuv%4;+X{!1o&RTo9^>+?=pOzCKw$~g755;60 zmV6Pn?tB456(7{vvX_B`oDq(~I0k$jzRX15F8>*l{odNqQ+i=n?k66+FYxh!-&B-I z-bmUx;wdedA8cNde;bkN7HU0H9Fe6uNQ);Ck-I|=F1A8_E-(aEP8f2SUy6K^UH8Fe z(Oroc1=UfGA32V*SMF3Nn?_k*7+MC_32a|k6{xmFVFr>ismt?Nt4~c{g$j=jW8~3g zdKmEy&wX!``drN@N=da3hZ$vuCA+`AV>iDBApY4i_1t<&LKQz2Cdfks&T@NO%8@8` z$my;G%&*4|iq{jhB8g?&%RdFL=AX1&Q?ru5NajOz%WDZrNV;n>`Tf&`(tK63u%|;Bc;gWg2G@$g0&oZrV*45`>3EpQLAM5FUi#rO3KYuGUrPk zD(s}bYFRG~tyG_AD_Igz5njehD!9NT(P0TUm{6o;)u`TbC|$isRKt_%dS~dQ(|j4a z%`?XjU90q93RP>bKJ8Ab~;MB4- zsD6#Tj1TR8eZ{xT`jY|>N%rS`*f6@iJS}0WV+I%}9n!d&T;yA@g;b+dcd!+4JN9X> zrvKiWRC2vF9^0)-f<@ajubFCK=~k!9FLmKVO$v12hIZ^@^%B(3$As5&b6FMXpu8i~ z0||2c_<~_eY8_QT6@7aQmh70#ep&jfCh_()TF+h7Yccd<^^(g6YaTpJ@2J*w3BuuU z0*G${a(r25<5{9num@6(S)A%u+ddUlJo%yiy&lXt1Z7AhlM@Ce4~<;{Gf;U;^imCj zKzC;ys<)1uJXBbM7mc|_lMw&X?3nDBpkNB=C-ag*n6+G&M2msZ6g~4|8e|j5OxO%+ z>??Z)%Ds(@7DfBmKH2pz8>6ew(Y%BPC3M+nhnIHXdBJs?#axMP z+Ycg&S@(7#i4Mv9#DGU9EoX@aFuT$)fL*5g$vYADJ7}<5p|O^#S%aSn#eZ(B&^}T5 zC^kGvXRt}(#zKIGjY;NON2z~bb=8erHxZM$Ti71I1bgpIJDd#MHrzM&wQr*%$HV z&#>C-;eJ%B*^4Fv*X@%lE@+miC~E~WpR0uZ;1`rc>eLOg>r!Ce-?1GP?}KT0$Pl#S zBhceg;kpYdNd)kmMIAZFRG*DZMT$86&LLo{{2eaz7~~bEZD86#4F@#ISgSJtHBAjF z{T=bc@BX0owKhL%pQYrwyt)8?<`FAg>582sY!%z=rs6}2Y1nEU!qgtAd_SqsNQSjO zr19Ag9;yK^2)(~#$+v#gPOzRZ3)^~ZXB3_uVc+2|5#0Y27UoASFtX^v*^8)k!$1}d z<|GkCre7N$PcQj7a-RqaLx%yeKoz#+fpUm0Ap`8SBf-c;MJuSOPDP_v{ z(T3kdL)NQDVFhm?G2&5ad0%s4&6^OnOqGiuOyM}5%zblbG zz;dRjMr63jU~gXC1jRM8*`bTbG~2bcfZm^&Po~~QIIdnN9zkn$pFz#nbaw9?F1!`~ z@}>__cD7=5P3OZyoa7Bh^ML2Rz3l`u*UmKkdH(hg5x7o<4JGs`ji8SVx+AWO5B(a? z9LutE3rAFYJL+ME{~V^+AQ_^@UD;5&Jhe8cv1(EGX^sQw_LD2Sdcy^M<1^br9**8Ob%h>Dll!*|&B<>}p;<_Bg1Y&_`4i{cHr`Wnz) zEBM@J0O1tgG&()Ra6Xmi5i6E7ghF3#sKU40))&Rx;YkK1LoG8AqJ3C2v*CbF`IWi&y9^0!-M^ei3=Jv`z0gx|AI%~>8!8T4f|Q;s zA;`k(v*K2Rm=Ly~t20?_s6CBg0YY>&?^=sZC zf>+n8b#DD?Mi`1rk;LLKLvDEnkVVZEBoXmnv`9(T$QaMizH|RVn3~?0E=K}_Cqa< z6Kp^JRFs!n+vy@VP1V0W+Cso|hcJf&Nl3_`e0D_a>@*&OAJf)^dyu@XWjD&}=PBkE zTK=$HW0E;xko)5WHrz7BDAGFA~=DTyP1qvj%2umJCeB1DkZ&u{*+qlCo z2)03Gsv!Vz5RL0)tj=@-SiUiQA*1?2mIX|oNAV%}WWf!C9pwP0p5e;?*l}au$aV&? zIzSFcde~QLrDNR6U1Bet$G$tO#yE1HHk#3u70n3n0PtT2H>)({l%gnN#}}f zK-jHYS`rvh$?`x%*#E|5pLjZt4RC`#ep8Z$*y;iLH8OG&s7IpZY5xs3NRe8&0UWr) z-}O7j*4FTCIHfY{Uzyq00HM?Ed;mPT+aSATRkiTnGdnV7G&F&9hXr}MT;nc`PQ`)V z==yFl7n1xA%sw$12Q0$aRUgoU<;F&V-<+FQvKX`4{n!9@-EgwObkDmRaGig94umPt z3H9>w;+rsKy%lPHsI~*NGsR+S_Lw23L6r+;!UwURX;wq``VI(o&g$8c2l!LN5=~3fRoCf_DLYZpZOg}I-n0ve&D$b}H;p?3GIoaJ!1D85 zYV%c}U+1X8Kj@$8m>N*m=XSq$`*Q9S**5U9*-;~VcsX2zFS#Ls{bsEJHW)81lSL~O(5d-X-}Uefq=kUF!> z(8XJ`g`2yqL4ovJhzTw;rVU!XAGfa!ip#?xK_Jyv$;(!G+tQwefAJ#!%=ZA~_0GU`BlK7BfyHO@^<3BG2Z-*e>yv~iEsCdHo4x~cY0au(d@ zZJFQVKK>fiB(@Z6?HhV9%^CVKIEbo@`@qlho6G`$V*v-x4TZQ~(rmaNeLqE@kQbm6 z%RgAjrjZ)SKw+ELhv*m>jE{^szLUF7A9ypa-yd@N9DtICaQc5SwjK<9$PrH98xnis z$-fD9%H~nq<_{b90BzaDTLvR5O6)`7fXtV4S!!-&bm| zsvgbiLV+-M5X$xEYy-|DCIWs$69NH2BH>LLwq=LLG@4y%sOMF9+*dNhC9^o3BZ-g0 znwAz9&qhBC{Q`{OdeeHl#OuJI8(&;r78%*k^S1zyLp0Y*3ns3#gA5|&He&$tHzy}2 zKLi}=-AKr{=VsO=Fw%I=nf#w$kz7uJNAD|d+zRKwrGt4+Msr8gz!4rZ6RS%VM(%h1 E0m%d!iU0rr literal 23584 zcmdRWWl)^awk7WFbV#t^+RzZ(-L3IJppiy`6G9+(a1HKmjavcebZzm`N3tYWd`xv(MgZt-ZdE($P{T!~@}>pr8<{swn88prEy*prC%j zK?B|?rCvM${zLWDQM))i7a&(iN=?ekoN-jto&9H;}bhc#500!#OI9J1d~7|6Gs2 zrhKyjy3e=%rLEl~Ke9sK#GQ%xSVH?Y}Wg1>)Ko5vEV@(*w>>e8dxmY zj+KfKcopmLMltmMZBr}cGvMjvLokbG&t=4CV zZDrc$iS`&z#&e{03j9hsxIUiD|1@CLsF4`~uk;z?s%!6cD-~dC71H5Mh$@p#-ImAZ%&XZ6uGoHwqa*acJsjceV=or!bN^?t3bLd zU4M+HOfdaDMK<=~h(cebggiG$YpgkYpl_^b6~h>!u|W`pK$uww=_V>_EDAu17~~q_iA$^{M>Tic ztA{ms9?^ndoo0MGEHoa{VQIvgPGQFBFDR8_6&SO!r^_*wEaU~@?68RQKcw|Un}TeW z;&`w>)2!#`i+dz$|DHc&(OSv0d$`?nl0dV6%&N-FygE)?J>7h6sd|w?+3*!Pz1%AT zjDc4e@+sk;C0Ejo{n^XbGdKJmPKe5BVDA`L4+)Ok&N4H~`!j8j?pCml`ZA1*nT9%4 z$y%l{z2Aa2x!UF#yu*(bjWeHBDB^$amC@>A8rSYsx+-!(r9W82>)YyBSQK+z&PdNd zt_zA^(ZO_GHoVx7b6fZoX)V@iB|L93Md3Me#uZCz=xRDK9<^;&V6yQW#Dx$w5b|o! zGHs^aQPMAf5mjWXNF`ZJ){?oyB3Bk}4)gL_;iu8OwS!a=0$6OhOjpAiS<0#}RvV zW0opMfM_n>JqXT!bctui8K>;a@E)gVj5$+<%mV{&cKxNPA#JQ^t6i37S!}7nVDS+9 zsNhi#5%Nho7rY3zm?fc*O5Eewy;Fn(KBLpr*P&(a>u+19MF*?3)Ps48D?TzQv&V_> ztd8>9BgSzO%awu=qo%6|Y%k+8k)T0}&$@XSWBSD$YxZt2!@ffG_`oWy!wkcQK55gq=J+9Wi{E;k?>eDbm$b<6OMrX!c<2aEm79I--=;oUICXAH1{7PKkSaYB%7PD3D#i#YukIEKYawkWtI(yVIs^HWl2 zY708vOG9FuHc}ocipB?0zER8+1{~0-6j=0iB!w^cG)k&0?G^(_S9GT8!`TU;dg=?z z*UZj&q*D|L(hMqE92H7Nh&EW_`u2$Mh>0!Yd#pOtHbcbA7)Ql~3u`aCirgOiadJB5 zPQ^+6cAFrHCg-+oCDTR&Q;JU5up`Kqf$520ek%n(&ng{%#>)hL!@dC--%)-ZY=$^a z0dR}L9wk?hy(MicE3kd|&bkqr$wfY)i9N8jf5)1X@?iUK<&#>p(3~?*@2m1?)HR)eS6QRuqqRgcZnkO}RJfdc%$Hi`g z@@ks1be=BFh7R_35=yIpZGe33{LUepd=|X zLlju2LOT*A0(|t!Snwl$N`<^uP{TV}i|DNr+_yX_xRglFjWIV+)?$Uyy8?|PrvAv8 zIYLC4U1E^Vm*m1KgUUVORpIBm0<9b!K^A)=%!J*_4>Jpt!g7c)nJVa}N8*R8RmrV0_Phz-H88F}cLIroJF z44FvK@axIxglD{DL;J~1Cw1Yj;k$;8kCRG2bfGk%g3G!^;v>oM(nfE|L$l<9TQAe1 z4R_~JQ-zq}L|ZE9aRGG5K|@31xCU)Y62=43g*p~0Y)HTgcNACjL~m6p z7$P`T0{TPV4v92e#m+LQxP%-YrEmzsQwI78+&_(A5R_nkh7^M))VTTl!q&E%y_wP6 z)ok?=gBZRDYMbjoU7%wQkR|J=6Oydf+n|Tq{zoMqQen?)tpryc`V|CbSl{T1$_v^H z7*sf(qIu8zGjG$*@8K)r(BmPaC09QC8yzh<7SXLOZv;Uqt8qxXUWHXss@=R?;j~{f$`k!{ zeQs!tR2#aUGRRSR@ScuMC(*5#KrOrsN5%3d7(!%FJRe&vU>YGYlfz%(S{a)T{+&do zLt9~(TqB3Ma9n^vpgqo{$I_93Db??s#+abkJgn9fYMds6u1MseZ=y+>Z}VAF8B0_{ zokpF8SrQM-mnQqGHQr9i>5yGD}fGif#*DhNox=&7_z; zc>Jt(%Z#=O#ot;;z($4q=@FeLG-@+y3N%x~K^EHX;(KD3C^N&6szh1A=~)Vrmw&`G zWxT4yYQU@tg<>sQ?*>(p3KAzB>za(nv{t5%@`Je|J2yzwgFQFWMqXeQxq9_XL~=T5 z_9nN%#gMt2M6-?+1mK$}7t*xVB04zSd$NDZ1LaGwM?aDTY@G*-U*uM%p3<8E4f=Pb zg_V*J7En@~wldTO6fnp(lnpg7ILA{J8z955$S#zqW-_i5qp_1Cl|v;Mv4e9wB~&re za^A_|{uJ3Z`~tHO{l)3bTE`C!7&He!k(AtvXB0xZdAU%M9|fGdLQU2<1Hlq>s0}Hj ztyx!E1T6J4pf6k5L>FZ;i?2@|(+WXcOt8-w%qrm)9_WOop!hnA_?&d6IZx}}RNXvN za8e%t&PIGV6I4?3-J1kj!9OI5r`^JiMq&)X&xM-bi5|CSKvww=4Z}(8Vq?r^x$0sC z9O8{R_2)FJ3I!mcHaIF(ShEmYYEkC^gYNzZs35JWben?ahh2rDs#83}z5p^BZmTO} zDB}^*%!*VZg`%PU$vOVXTWS@{-S)AJ zLyMw9g9#xjLeIXULbfrf<4g1(Q`g=#gj9rE+}212ZqQb^VxRAu4u*jIxlaVIpzpSG z&XF$2XA?|RguO*pF2;}?Bayz=reIg_w%89h>rI<~e%5nOC2H#7`~bnw;Nk||6Ob9a z7%br3!RFqg|M}xIEr^8QbzK}U@#7aEuAg_z#147xZuzgAynVs>8=w4ub5N-UDx%v% zPrVP$AFKoLH@?|_qGh{Tp>O-D?(gkHApIg zu2iWd6kbcjpIe~qvB75nv9ZrU#;6Es(FEX?5>h_<%N+qX zm#JJvwNF1Pt@easmjd@Y*1lT@AC9Of7!^%dE~o1v$&Vd~!OHE)dJ2xSa=b`Qb@-v7 zEDlZ=+?;jDVUO>kMobjg<}I(|0uhOVxz z#zv-88CgEz3cNXh|IJ`Njlz29>Q1v$A2p9Y$R<}g=ulEdLTG%{RvJ|5k%Pk$nJBI| zf$hdRh=#{$6s5S~KcPDzsvpmaX8^_W9b7eHkx#~&{n;BQP*DvjBDvTQY>lF7H(;%? z*d*z1JQf^83um6?oQN%*6H}-X8;rI}xNeeMNphf#cABrH3_kd*Ka9zJw!gx63O3ku z0BETNK<$ox^Hqeu>0`+EZR7Ci=b5Pash_muB{Hy!FXq(5GCV{!lo8KMrsHBzMGp2T z%SrBe6v2YJjuV!neN16cHJXH?R1}OLl@OPH>sW2KVkdz1(QdreH=ZU_F~0byxwOoW zG9R9WvoX-m!&+MyYMdO6P5g+$!L1(-`QWvyR~g&(>eTU2c#uYr?E@KM4n_`YsX(|q zQ+${Rn}U=Ud%uYy@J=#f}Y%>qf$Xe47SFQ>o!PSX3 z40y`}hO%Tz@ZL5~hU0*lhsh~Y<%1+wSZ(8Vodnzq1)A4180Q`jCvo(bcucTug)vW^ui1>?0DgS$5psf&uXw zj7RxMThJ4iMfT}u1ktGLOCNpIZ*W8(z+yA0fw+iI7NJy-5?Ie6Sy(?WBys8H=#_oL za%DuKsSMiC*Mv-diq(=D{vyE6Z0LR@n*K?~q&#;p+9s$OcH-|C&1p7zo~Ti4_%y6H zZS-*#QGbsyXR=G;F!Nhs+qbbP9=%QJS>K^t>Uf;w!b(G$QIZ~dvZrc&3P`uzX_kN8 zLoU0!+OEWuJ6apAi29mw5s5OsTeD8?>$DAWoJf+PM>-RzTq$e{ErbEGXJ_uWiZS7#p`p3Cxp8rEEiElQ&)hDKHla-^ZazBB*O#3g9Zy~IfMgcX zB!Ubwm*FZP3o3>?5uo*QGy42ql;v`EajC7VQ6TYBE4NK6H>uK6GxHHEr?{+ocBco7XP;LbfgwBs^6|prV!Qu^hpQz_27HkH z%KI{J7yq=cBm>0h#!pjSSLaj)l%H2}Mn$MKLDoCJ-k*w?PxjywjQ{A{zYO#0o0yo` z+e36|Tg8Gqinx&V4GqX`qx#7&P6QWn1P<}VU`}9D?V{&K-p{F2;M2A2{5wPMsk|oj zeAk6<-;QJMb1|0~DdDBdGMd!g`Ml*#wtvRb%Z6L~jKGs0^g{ug9r=ZH6PoWYj#hnM z%b|O_ceEWF(r&HxS>8H#IX)db?eUQ+$G{2=zOyI+51vG5DfC%ev4`)dW(;Sifl0t+V{Wlb8nrvVY(%DSxMOQacz&^Oy0jTH>P^AI}jch zN7y9~jOeD29LY~d^yJAC_0k6?jk1OWXv~_N%nXg;!8*Xj>P2{WP|EH((!?xwiL=4BawZz` z#L{5+#p5@%?o2}#$r)Dz5L&r?c?S_74!84waqR6m&gX~Z{INh+$}*@8!&F{EvvAl^ zfj9?PIelfLsh?4k^^moVisB30n03qEKdr>)BeS$@m&kc{zqnIT@bB*@YierrcCk`= z6foWPidOOIUy0J!9)Czgn^_JYE@HgWx&0kCUo5twUex2N4PceJ9R)~rO%0C>gnOHd zkWbR*{BW$zlE>0v*j3eF_QFCVdBh{VZ9c0NxPqrPTagtER{Wz2><_HcNC?BQ+^T_s zyz)xk`H`{(%ggLZh=P83QLuwRZI|TV2q8z-2TcySUwe8%SMmy?!6`kJkytxB`w)%m zKNx8*)r<6Sq2BTH*ee$~w;9cMT7W`(5)I5mPfrh;6n+%LcNF|3hJk}=WnxQV>T(uP z=gpCmnEAHfuHqXts%Im!2qB~Gm%CSKw`b%)Ts;Bes=l+cGsx$oYx_$s_oe=7Da>r)FmBw~qhVC=o@d;eA$Tzye;64yKhrsIP)j0jyx#eb1mJib&_P{Nr;xAto*^K8*RefbxEdk|z{H7Zw(bpFUNT z{F_I_-R6~wNkP5b@5bo=}F@5@WEX<7S8ATi~N`-sGidGs!Q`TBKD3kVX` zgNu)3z?^wfv4POynL79;bZye8njd-uix1o!U6BG=;5&uFU&Z_${sJ%m?Ta>n(J-(|Udq^8Yh|IwzAg|BVr`w<#gT4Jq2 z=${#av}s`@ZqOs@m~h|wCc*B5rRZ=y(XV4(( zm5Px-O>$l7?C9#U1VH~5cRd3VWm4*jdk9)NMjR79G*Dz^A&~}`p)a5WDqNlz5$L`| zjZFi^q+51i(3EqXlZXVH27zWk1$i^^oi0^+Lr{o57z9Bu1XeH^QIxN{fFuWNnBd%n ztR}r$LpiwLS+xVE5iq4Gb*WM*rHPja29G+r{9=53cYcIWTCMe9G)H8lVp)#-i1K@~ ztA(>fe^0>~vbibWeh1Qw04p$S8#A|Nl08u^In%3=+AwBq#knY^BK%^V_~4y9$p&R|or&ZciAqHE zY7ulqA)Gcu!yN1#_5HjeDnAK@-^Y7$=y8X2p@1M6fK{N)2V?xN9^)njjh;j!!u4sb z@njemQXecnJaM78$JhW+=so)06RJn=d3XET7X%vKr?Gws)es3>R=RCc;N3xxZAVgIG-jRsWj~# zFPhiF5f!XtQI$EKp^>WksTPoi5>nKZs8Iq6TiKRTL{^BB5$pONT!VeJSfyfs8KjP8 zR2kJ#8Np&rtby{+Y4iYWCOV7vYwLn83r+x^9n|E?7J=e9k_i}Y%qWhz6>|)ImZ3P( zO>+1;qVqI}qyLM%=qEIh6kO#rbF9&<0E=k`IWTXHDHutos9^@?*8Hr%F6u-<3k}aO z8u%HO{RztRlB77M9g$MS$V9JHXiloxPxq1jtsru3nCMse)YxPFk{%k2et-=En9E=f z#{Z9d0}u_vpDze=QhPlqnuVcbDn7RvR2eQ?x+4qX8Lfh7S{Ep}Eg|@jA=p0*qp`nT z!4tD0oFzTDu}u03WrpN@m}p$LznQYHg5`P0Q_-pS(UsK<#5{Iv)rQk)56hPDKiK#M zIP27g7a&afKL}N3d9b>tD_(Ix1V<I+>#-` z;*V&0YPzn zqV26#q^{Fjv)$Bnj2XjN$2`|JW#NIIYl+EYV=Ap}<}+j!tZ!X03UP`W3lQgDYKlgM z?Wcdvdf<&~2q;qDgXL?rQ1F(<{bv99`D?s)`{p|1{&(k2gQ`yBBSS4wt)%u(GhA{U zsLy|Q7hHVDwQD66X3NCxjj#~ok#V`e!R4Qhsb;5`c`4?rqo_}NBqQUb5nU#Mp}88B zROXnHq0Tx~u8uL^KuyXHw+PYk6)6B^j?p-o_V!O|%IH4=>sTLshA>BF8BiI(tT?u- zt;=YN2}G0IMT#~lvNCO=AvA)zkYRW%SbbtmA@rT!^EFOvkx$CcM*KRSrKbyS6tnCf zks4mLdf?bN3yjx@^&!?3?4uIRq~runMjy&5b65Dy;x+zw*2k0Y=DX-Tzj&EnBsB|S=| zV%cQ#-&%t-+sBruEJ6jE)`g9EZn>O=r z(v3B;$jZmZ$J5hOgs!%x=4q$D?<_ahVs6hfeo$PiA#kNo+H``+FuV2q8J~^{pnZn9tA8--!P(2@@ag zNcJi)ufE6KO4~)jD<;^Xs6~a79#-2u(p?8F9mM{J<@>bP=S%c{>l)@Im$#F*Va=)* zO*n@`lBolKF^nOEfkFf(EG$e!L=;_V@7#GSjC~OJ@^b%nDX_!m1s_KLAL2Vz!8MoK z+FH{mz#+uDI*@~yN(%YPvxNKe+dt*qh}nf({P^)>(c~|@e_bq(ET~gC`6Cp57Wjv4 zw$P8L)+g{M;dp$uI1PaTpc>4O1F8YQfmYLz%K`DL(?-jP_-~$`yQf&q-~UIF(Cu2( z@fv1*eENQJ<|ElSzyzkUDY6>>!mB9w!qU>_{1j&U_RYoJ>9K#t>kYoU1_<3D{oOa> z`n#|B*O49~PnNbm`C&=V$vibbd-2JK_Ir)xwfgLbj33g0=Wddx)}hj0fS&$6e6I%> z+`D&%oVkbM^UE73A1`j+tKY23BkndY0@+g=LN`KWWW0E&gI0Ri-EyxKuWPy_Blk|{ z1EMycNL?!3(*eJX(4J?Wp2u!q?-xV{fV>cp_sw#ch465+?6VS8TMUIclD0~5i}SB} z@w07~XD{wVxv-w@VEs&WN2Q*zX}t7H`WIXdwv_pJ8)?ph6H@;p4)^Ko73R^;$oNjk z;RAZf>#uUhif^2i^>#pP9zTVm+AO&_0-bn&aZf zf52>?o4 z|3vgNT8(%`T6Uv>V784 zyCj2Imfuzw$U$@WTP`kFN6#*_U(((Os{(-0CvO>WL^|Z2sDQ60TAo1fFMIGi!TTtJ z{G>>Z1;2j7aW<>Uv;8C(YsvQRqdKtLh;t*cXb7-?m@b{BrN8(TI2K`2imRm#@wzx(+WR%aua+{swtmFg^Tj%}7`zdPn@gF9A}d$d1WP6A1J;3Q zj|mIcXJUE;W@cuKUzTrIJb|n50Mvbo{%-g94)XPORoeTcZCKGlV>Pww_KjUh-JsXa z(8qgu;+_X2y3i0syuPI$Rf(YPe0O%g|7Xq!p5EsKVAC=Aj<0?H{_OSZrD#C6eWku# zg!;nAXMS!jk?8vEo=?vt)1pvEchLFqU%YPyRPwOfjd}}jKnW=M087gNhU%7ZGFg{| zzxWYgf=*Jv%?ZYk6Nb!0dg3fGpjxF-;bKytpE&_1^|)7ti~eDxnPC6_j~4vX^Ha_M z$^*E;s+%zC-DXmx8m z+xa7^eZo&F!iQE!e#@6rrhtV=qYT)os(pEW`^%D0Qj&%{UJVHUXw#&W8D}{g$T+N> z!ahE&D0uzAOS_*<<9qc=S=1sRW=)r>b8&HL#{m-T-mh=()w98a5>h~Q)cWBt+Fi8j zY=v~A`m(a3%%s9)06@hxn^*dhuw zWQ3vt3M9x>wIV7cm`9zA(q>ScyQ#34+R#DLHy40r?A#y&hzx4(~=hMf(?tNIZv zku9%yx0b_97X+H3;KG6u320?A=nU{oNBT*UrpO|3V5vF|k!J5*D5YVszH~sHaEGV9 z3PDHl`}sBnb~Q8cK)mIhM=sOP)KykL=f#C%)<@4`kI_GKaer-uVvQz|X|}=avL3w2 zA@huNZlQ3e3ei$a<>-&9NGZZ?HnbWMb*k~mOM&TRF-=# z8uk5(!J%9=9RsHX`XM}f&ouNQ)z#G!FAoY{K7eUB0V4>>)fInQnP62nmMtz0b8dtT zTrk4lzPSMlo6r`kT`$-RiVEnAXTrbD#%t(naXhiLYX$2(;<7hWEavb-s~OGzj#Sqf zXGWV4<2*NEQ8gAdV#cFYwEd^@xYv?R=vR<+ zi%N64%`|dV$7XV>LMaQsC{~pSgl?UVXi_d5f3_JL%VT)z;Uu&&cHegq6Je5?Bl)i1 z9tSQH0&+*s;7|ay_{$bSy}3NIUtdF>>-xQJ4!MTr0!+;0wIadeod+fyebFi+00Yur z?m4b32tKdmbXgA=nld2++!8rV#VVy(%Hihx zXDzWIq_B9=U{2LSlMUWX&Q8RKHqpikQ%{*#Q7x>GX;phn2n>ZkvA?aYNpxRlp}uxI z`@IBon^G<_e$3ZVy8_C>IFkbUMsbB0ThVS(Hmi$sR!|b>i%~D57Frb<(;ZrL=6FnF1=kH3xcrFMxaqySd^pzz4tOWB}I6&*LL z$fyO4*56di&6-3h*4Y!yV{W`=*d>!QAb#qnUdtAx69)(pq{G7Caj?Vdp|4mdK2ohYZpE2be zB5vQ~ub3W&tgmPG$!+9BkU)u;ChBP;Ov-4}GG<&z@^lAylS-Tk_L6oxe>O*hloY4d-Gaa`26rFg7CL3qnu0^Y&^dPWGz zBuD3+6c~M&e`F)upcWxyV2)tnkO2S6qgGhASuc|VWH4c(xfpNXsyobPC1o+o*#b={nm6e+q zwz&36V??5;I!**?mO8Y48YB_U35{hWFjCPED4GquvrmiFA3aH4*LT_Ko|J$K^(;O_ zxC_o=GiDd{(1$?=b7F}U(f!Ox#JQ(Zs#1R#*HeC#HRpwh{G=ZZ(iq$Q-|%~=5o z>#)vx;IPpTi2=lxo2D)VlUB$USf=-6fPHe&ln^yZKJ_tFR3~RJ#VM+ZchXp zK}+5*09%Z{ZU`@fANY|EW+Wq1;ryP#u+Zdcpag6Ogp?25-rf$xP_vM-o40weAW|H7 z0tRW0MT{ZbK;w8zwKd@8Ls*EhiOJy;o;a{}h+>}}?A}jm=UWdqcKpj8xQYKab&=Z? zLPtmU^XE@zXJX82RVVi#FeT@G!onfbIe4?`kOVMKxd? zoTjkFHc#xD`nI;V&Q4y!o(=$xah**AwTI6n435**?OIExVxS%>%3Q$M>hqRp04Nq^ zfnL0zM4VzI&OmpMzQ&ew@52o#fWnyk0RWZst|7$jgWI4?zU7yIt8MI+mCK$gK7SY> zM!w$bjj`WkGUJ_Qy%0z)ejr9eQ2hWnU4$1q=mdmrui;8ev(fwBGT@hX;MHWnnbGaJ zh9!N#JX?lJ=4@ZYqW+yCD*zyX#zgq|_&6}Yvp+&u6zE-*M&+4#2$1 z=@?Ap>rdPg0Tus~L5PTm>>SUtbY5JzLa~2|emuDd@92>1S^$=%qlg??u)oFg{Wu}; zX0~f2;!7O0Yg#z-?asV({LQGJw7h6ew#)J6eRBhAZ|#-mc8$PTUqsjSmw90TI2x8p{L3LWIu6#U)Mc$&PJkH4O%!`76oT z5GG}RDE@fHy1eMi^)Fg64=hgTh>NQ$F&4V!;$M1judEx@aLJN{J$2RC0o|^u>u$ZZ zSN1v~9oFvL_r!4RtVsN&g7r3ZD&-ks?Rp(}a(gBcb`pgjT{69hM&FalY; z`hBpT>Dgu4Ii0xjwgPe7k-?h0$?I7sn z(=m9d+}&@hpiZ?Dhtp>~H~VZr*t!B_27uhJQTJc0ygam%8spS-Gc7{>aODcU4<6d} z)xN#rq!?1d!!F*4zQUF4zY~xOHy(>2RR1J;%a`ujaVW@IkxmO>bsXl!A=FTg4)*)-?%m+ctOn4SJqZJnDM3VEULeap&{UfPdM4&T_pU95gP*j6 zE7+PQPHAy&c~thES^#zbMr{v$OWg8q83>(qVD%)-=D*HZzS?c83jhZ8m|7;-)rNP zm{aJ_ko#&t266?|xS*w_rPEXIlF*5~U%!6c^9fMqX4uE3mX?8BQ!}&V@5g_;65D`r z8G}yom1R!xFgFied;`rV`fBrx8K61c9Ff4qz=Ju8|0clvyLaaQ$&W?+%xR7RqksB` zd!9=IB&)vF1K>FTj#Op~-_6vrL)B*#@srt4T+=RlS2yNJc@bZ92VMfU8$InrLCp=z zJ>|5Z7EZz;-#=gM^UZllFw|@bRE4qQ8W0c42}1SF1A(cD*>H}*DjMi{!O8FSDA(o) zgTu4T&X(kRX0|acf{{-oob3;qwbl&zugY-r@V>X(Z*3L4*Xtv666btv)PN>Gpulwk zdRU9oyvt(iAs~@Y1L<+=r(3up`Vb}3>mB7xZ>2)$+o-;b6HZ#j4JCc{Q1d*^Z1T$_ z8(D@Fd#%(t>QqTY)vrUON5#^7MxytHkN&f7q1_IoBQC z1ppm`N<;{$ldDQbDE3}XW@kaaO_lB``4E{e1)iv>7M3{jh%pPMHnaf~C{X_mWzk60 zEfCWe8p_dDVS(BQ5u-v4>u`!@V+@tb#lX*p$xC8JMN1{p-AJGdj-&zrAsDX%?>voi zZgXD`2PEi0Zs~GX5Q5qKS*##2qKPv(yX@iK`LlB9tYbeNs(2n}%pz%7ZVb&Kfd@51 zXIXM~J-dM?W<9%BrFMwn0LI#sqOELqJ^y8Yj-mx*af5bgHp_G336oezT5Z-#H=yBC zL^P=LFixpd01H*u{Qi29!1dTY7Yw%JxG772iOfc+xA@9TKbbJ9_^@Gva26#M@?s@g z*PweZ6UK?ntrm3tMU%}XRXZqmH4CINMUfnRjtZqSDD$?yW}vec(ae#vpsPTf+eCYl zQS(`F?>!q!1($j#xC;T{dvcF4VM>rVI@62qg+U3Uf*CI>v_Xfy!?FQU%KlWcB*PqcP$267q*B~d<*-U2C;@0gat{4=X665J)@bthbWT5CWmE;zs_dkNz z>v;8$3K*)%DFM;^N!zH%YOPIN$|~XE22=cd*4rEE6NUvU=@Rz;Bi4BK%Z0UD-7_q60z0K!xXY4+x1Jz}gn=>Bn z1((xdvG)+nQ)yQXf}%`Xu3kxZLq;dSL~pR*O)|100iCJ49gyauCs; zk+K`v@Ofz1m~-8N+^AUf)b3wb)`6g~t(+ThQv9G%#Y>tLo+!6|s9%kn)9~ZxWPehn zARjrl+eWCi6i!qov0_s4BpF*Mampx7X}KV@c$f&I5&=Hs+-_%}Y~Es+CX}_HvYv=! zh72vLqgGvPwV=_NMu&g&*{5>gR~qC7UC-b59tn^&aDLXnU^GHhMiBeY{e5bHdxO;z z6hn7&uFrBq0LFEmp!xtd_610)+#y$I`^*mqS6bTzKyiRp4!!p*<~;nb<=1GyGXvy& z0N|~Kj1GR(%FGuNm5$IQc{rbUkn@FiC z$Ia*6`}ev8?(-FCet;LQES*~pPyv4tM#u+vKDD$w+po4K{mpQuH685Ha4(zF0!1jm z{viQYWVqC)H$apA%MRMYbzL z4V?1o?j=ww^Ss*<`O1oYYwGGe?Qf*s0N;osQVi{6LVla4={zV*uaZBbGY8x`MRr5u z!2SJozu^8uKRoyZcaLCDTe0z;d z(l@`PVO|{z-?fE-5*-M5Je;3D2b%t=YWD3X$U2Xpn}d(8DVKc_2GVC&fx4V9>=Df1 zpdC|Ql&&{Jt72y{=hCgOr4cI~hhk~>Xwu4Lp>*Gh2rCp=@ji!phYu=%oRIL(r+(zG zzA$iM1t+nll9HInZ$IRgsM=ts&tADYsrM#=3RB^WU*${n*j*OZpJtT>sra^zl~b zCiN_U^`GMSO29>nf9u4L%m2|NvwH6yYK^(b0=8WS%YEkpuu`3xEz#Z4J)M2eR$)zG z>&98M`YWG)$2j*&=C4+QQ#T>z>c%fFE&aeMW~CDHoj zZt-S5=e^D59M~7$jsFf{u|ZzxH~YMRIwXA$VgGu*($(x2{{zGp&UEdce9Hfo{(nOp zpU=CU{w6JbZMj{HjJ%5RnzFfvvcW`(eap*_x?*|1YetuD=5#D~dzH`t6W!X>anrR8 zqz*GN3c>>E+nMbMeKFD?+uQa3FCUazjD zQ<8{QuCL$U?@Q6wlT$5!PSP!2uReHOX9DnUz}sd9z6Y$k<`5JQE1=`y?VW0=cf)&b z685o-n&uVnEs%+}flP#RGh$T|dTa4`_F+>$z`P^;N&*Ao%)c)K$Cw-g^f})o2Tqcs zlq0``g^SbFtioPE(`pG=hSKnX%}d2|pGkq@)9_z&ga6ku?*Gn9{{O_$;TN9ATjPMo z=Ah{_y_7%j2yDH?)z7BV+YEvTd8U+6+TanXyX)gp>qi6RQgVP;0zT1#>?jc5gX3v_ zX-;JKmy587U`2V%D$*zM1IQYJi5z3!BV`p#RFeq5v)`$gy;fo$sEe|4V@o~gT(~qZ zOiY$m^m9_cSeGoIW|o1@zP5?95)YqxnAC6f^X=DZd&x23{!_dtN3NbPJ;jgI1$ZhI z&bju{-Qn1Ho_W#zrpk|j$Tv}E6mfOQ3*;*AK`0^DXvst`U`j)aN)l` z>1jX?s5!F<$EgZM8Sjh>PNT>;SBkrQrwvg z_`Qg{HAod3XvD2peN$ydrjouehtcIXOj6>{*;x|4wvdd>Vpm|72rVoxb~!5CfsNLT z@*7>fcGRBHto8Huxlt@5P`m|A`kRnHqu*!pZz0mhtn8DH3<9(t>E&qgO>~Emh+N2r z;jSXJP7U~9XRcvp zTE>UP8hlv2Y!8Myh%;Y=ey%bYJQI@^*sX{%Qm?VN*jh_2=g+RDVPENd{m~%rl_Nk7 zfJX@cv+gm*i8=&c9HFNT&yLU45-%Q|#qFP?dQkCaW;{h6^RoUZ9a{eb z?$l!4Ub%F-d=KYp$Yy+IJ2g5OMn6gZ+2xU@LNOhfL%}4EWTu>MriW*gqL=MkFfZ^B zNzJT)-H|z>1rKq7MFV?L&^DxrEMa|7jiskN&c(+{3SkzlAeikJJc+{yvRE}KRZeu+ zjmn{vWvwOHu<>{sB$>s&fn@Y~OlS(N?XJnvoiJfuBPo>0)E|DLC9jdK$f}MprH&7n zi#Siq^FDZNMgt^3TdqqX^ck@=+cXhnJ#>?Yz-?;ljpTmNPoF)rTs+y9%q`~NGLfgx ztbMwrT~iD^yZ!k!7JX+8lFqCv7IBJ1vYy(Mwrx0WSo+H4y_9+?AZQpQ=MuuX&G4^H@^Ej&x=_8cBtnz?2v-|VRB{+Mxx0TcB&S5lS&HUhBy+P^wx+fIcGW3d}Q=L@b zSjY@e7#2v?RRGvk-$9#0f}(z#sD7K+$5o2O zs^r0rS%UYst!Ch0kNA(9rre`ZVwzFZY#PZU&^;afA#wFW87))71a9|6dl8KxfIyZ} zJ2M{I?66@1p=Sd#NmC|{!F0H1AL80+bnS#N16v(z$R|8JLv#H2#1vBhWPnwr@N0s# zQ}#QkPy%6L$43LuH!tUuFXd==wAn3#P?yClI)zkiyg-G zNksas<%r}M*=BCBkX&{c2A(-NWG_Z-D7jQcx04z3hii(au>r2+rO>4y-vZN%lZ^Ce zNq^H6AF(jJuvA3t;`?A$$>di}|HuP&_#)19NwmzF3f7Tofk%sM`m}rfHYtaZJbMA_ z1MyY_r@WSiW|DELDnU6f9(%q-x}$r=)^+(f=KI!%UXv~$Yg6S4R^!qd!vI89l6|Z? z5h)unwV+8fJ|XRO4(oQwdiu*XG7nr5eJq6M ztR=r9n~xEc6m15BIs=7mUG^!Q(j4n`AydC;m!O1YZ{j!<1VoQB>K3g-5C{TaN5|;; z#3x>8TTRMDV`%vj)RChS~H>I;-sw270)L0XF3%U%d z%v}RPo`-`ZCB_MLj&D5JQ^P!Jx7e+xj6FkezHk_5W57K_cc4O~c!4!2ZzMR-453Sl zb`xJ}&{B0i_hbMq2}@rAJ6<4Ljuo`I`(XPq^`(wxDzdFLhfZZ+CU<#9DFmgaQbK`Z z#7S!v>nq0%!i%9GynaO0#h(9^8#LDFes_Db_kesS9PmRLgJ}f$fN$WF6N)*hZ*l`| zinQc!?_HTG?p>W{zn|WrI>5GK6y>c@ix`)SCF!wi?)&;Dg!ef4fAQ4XtH+?_!@Gb1 zz>nPNf3dd;CF*4>vn;YYkiLC!>__YmaKKOLb$RCLw_Wo*AT6}2!K2h@00_;Xi<|>L z7!d-Tyj)RRm==~s5))2tjeIudfK1i|uy23SY8cR$_cT4RNe0{DHo!#~fr!kZlKf&5 zYXXc>EAl@*6mZv`*Q{LD7^flOCD4$ryQ{8rcaR9hyia>5!@#TlA?e%0=`^_|;D}eniGZJg$m_bS>N4e29=^ylCF3fG?FlFt(JHZOA3>u zly_x#s*5Nr^ACJNoeXwj&b7wnDuIs=~bmn7i5laAGpzM95aM}5|w$uOjI-OS*3Q0 zv7w9MKu%>nCx$CRX-X8q=1V4=;|UptGLc(uYDfiasY`7bq`ej%A8=Lml!STdLI;{x z>&X!Yru@%ok3-{vk9dZmmjc!=T&B&nQ`zF3Vl(-$?|fX{j-_h?ZXTLE0iLT&Opd~$ zV%smgIGCa0ULzRZkOUrpujknAJl|O;gZ*)RL~MK{t9L|`Og=$U_)?>7ef;sE%}hDW zGXxqwGgX<)Y&7(?EQgw0?Hj2hPpT@3{=?&}jSNxfL%R^)LqU3vqs%xe=^-PG!VIQK ziu#RH=XeqK%7$lrsR}J`qgi{U*(&>OCU>YRV&(JHj~QiK)L0X$7%605q;kZ*jsrgh zyPT}SheD=wbU~-z}B0#fb@gY zd?b6~E6Wzn6unThnt`9B@Dzml;Q1yDRy=GIlQGXWqJuX6{aoR#W(x3pp;cM5 zHlsG9p~Kf#dPE-$S)b^>iSjHLk|@kd?`BJTh-g-Y9;&}4kX@@CkyZ|pAgvgznG;Ma z1r5-6S`*#wFCWwecwW(mmr8{rDCAFrvFd@`z@sR?jN$!Znp zc$p|4D7GbtMekjCefZy+IrDI+`*)9L%^JdBC|g-3WX+7oPBHeGP{K2|8HFsBUC5T5 zWX&4JSjtu?*}_;ONs26CBng8^_O-fiYE z2W+L(&K;qKnlM>cZ8k?1MQcQ##Z4hEW4*bV+e`2zVYsEC{<-nY8dYu`Ln^Cv*W0RO zX*_*OGH_Zg)yJ(F?R&h-*85*dV`ap)aItnjkG^wxd$W%L9ua{%z)-h=*Zp6lm) z`HMJO-cJyX{&Z@rZD@*A8stlv(@U!*P@m9Pn>H6d{=PLhf3WkdI_?Ge_=$+PP~8qj zMB6FW*4a5X<*lKZ0H4&ws!9vJ=m$@6V?%Wd1JJyscdc4e=6n`6%7m^>EaIZ{-!bYI z6dL3YT<1o&Q@^sJ3S1|E8fsBzHHKI%rP3^-9f&GP;(6{zq)T&go}KOU!zf;=wzQWT zU~D%=(jPpR@7GOCy`3=DZ~J01Ei;?%C9)#aVqPL~kE`;8(Y40F{J=Rm@YSng#7^Ip>7 zAn}hIxF`e1G+ZNfVP;5@e%yT6TD!nmo>I+6@M2!wKCN~?Dmhpvtl~aq)-ThtqOkFH zGNL)_Dq7A{EtCO4LfZ0S^)h_V!bIm`Ze|ZQs36kLkwS_#sXu!-tz2+uUBVTnCys=8ynKY`GdbsTj+3qRn?;&9Eagf7kF3#s2vr(=(~)EU+KbLN zzI)am%A<`SUO5RvtBc@aI|aa{!_W*$FiGR`O>iu__cw=g3Y(7<&6WDYs7{IOM? zyl1;p79yH~Xd}^GlT@(G@}PEraV}i?!&*97N0EtY-exlTafhg`c5v(5v!BGn=4B_= zr4xDzuEBq{<%GoxH1aKPV=E$GwFzDnZXPlRN$$UKc44?NU%3|q0%G#BIc>T|N9W>qe zA*|vrDWElSin4<#y?KWpK(z;VJrL$cl))X(P=01xFr;t&R~2#EPOb4*(Li0k00;t5 zZ)~o@4$p9oi2jc55^wvTsqO!VL&LikoUA-DHogEal$dySD{*}wTiHon`d*~Dzf@$$ z%r9J!#PRk{nq->0FA$9~KCLb;eVBdBj|?DIbG=d}Bg;T*$r#|_3O5SHqB)yHhx3aP zroqX$_f%#2la8u(VQ5e)Djf4QZmV$SrJ<(;pA@vDHD$}q6SRn|FRAdbs&ULpN9LQh60xi|$KDez81fY^03P zh1kfL9QeM?yQ!&`n_u5sbc6Ak9`4LS&g)97eXYaQl2-4_5kkgaO0f3nFGUJ@3f3WZ z=$I+h-SQFRo;hi&fYiZhn~VA<#k~B5)~IyK2XiNwx!5I0EZ#~U$#XZ~xgnJ#Bz#AX z>tOs8D$QYU*UHLnbnsf3qOk>8<;mhHJ%+=}=;A9CpUiY{@Js9*Y=?UN9`vX-AvY51 zQyvhOMIcO=Nmqu z+|T>E_GUB{vE|vDUn7FgDHAF0&riNE2(kdx~zG(h<5R)dyPK( zY`M*RQ3AJt*bnFRAwPJN4!+kmBIP6`6Q(X+rMK;fB`m<*SS3%vQRM}MUJdKi-dnYZ zq+W1XmfRJfjTQ*f{6qXBwHSAgWvwZn7hcui31=yk+7Rww$qAXj>!;7==^WeqC8Np<#kQ>7lnl~%`Y*UF;>&Iv@T@73{B>3DMe|kWDVqR%cPBpfK zK(NszS`31rluO$6-7UAc@!2u{eng4(a8lmu(OM4ttcI}iXGT@`)Anr4!*A$B&r;)i zy|dTf71KXElMr1rQ>Q-!-3=3Pw1mQ#2_y0+g5!>N(4m}qINRDA%;Nnb$k!CqO{fND3Y+tqdC=X^=TgYyY2h{KxoHPJC6 zd7yUberTBRXgtjz436MZ$XbkShRUrw-kYEU(}fY#=27rsp3l+fmrj-<*wQ|%M?p<` zp8JE`v~J-K=PR57@g?ES1lNrTCwgocnBCem`)>k|h0?Fslw*jUb?e_L)E;gfIjbH; zu07`KwVqR&^pr)Qh7EabUOb4g%2mmf{@If>&#|L?v5^VH{5`D?cHXZF2{N>0XRIR` z439{NP(@#)>o!JnzG>*CB7khUZU*BcOW85-hh|8JcHYSX#8o*5CD^)o|03v2Fw4C_ zL_v%QBH|bLKsu93hnfxDk_R%E1TlJb&hkuE@|7bHVWIeOP1w3?T^!&Sj}bPc(>^7-&}I6HQlqqz z=|?p6xI7#NDM1QqU$gHmZ0HPRpM5pD^f~LYL*lgf%{anreq}+->wF~-PL{T}+G%3e zLaLIMMjGhJY`z-4&f|Bp%~`SNl-vAhfjJWa!kzdPt)h;)3r-AGlSx8o3{?S!!3eOD z{Ic#<^a>Y?!fwkA#o2C4knEr1qk0saCJ0LXL&}NgIu4Qxyq*mCRJ|?L%9Lo2tFAke ze7&D*_G8RK4a4#Vxo> zIv4Ag%nSCYO}?h&XE^dcV$fOhDCFlT=bDodq5Qt&jyT%^)CEzov(j*hnZQ!}td^2+?=ofLxK@Ru zhC%YE&N}A$Tpz;zf7cI7Alh=nsRO10QQ zn=#7Oo3tZvPQxPj$;iFD1KNrw;bPnDC%S2+M!S-4RV@T-D!K3nq~3hWP$k51(G#PL zvg=|sL=Rjr&f!@jKf%w``7qg5a;w*}nbN0uI&-DbT`A<|a_e$MO$%CN3>!-75}Gte zQ@XN-bek15jc7@{`1k{z>m4Ag^2Rr6sboSE(d7~p-Ys&<+2@ga_0hq$P-+EMQHk?q z0^+x#tVH6>B6FVfCeyb$9xFfX%n2`14N#KzlXU*x%h^WE_j`f(!wFyJlxO4iBfROQ2vR4p zZqZ!&QJj$hIYS@>1I;(HSMAeoH|9yB@nf>Kdc8*|C_$jpA#$!Qt)qLI6!@bReb;Pql_|0{y?^X;hTm`KDQ}jt67~AJ< zZj&f#P3Y%iF5!l8XOlY_~Y-ACUCS0Zk|11^u;vB{w}d;3X1SgAb(7Tp*x+`&JfHE=psUG0mP zupLsLJe#|4zy}0Pz`sgB!J~sBcLE>u55mn1m9%|&>dh{`R_7qEqw9FE4_6xEB)M*EVM}SAE6wbfmde92VY1#vb#jP zeFq$TR(=1ep#4F;`VPnZb@!%$^zSUe6`@THD_`$_lW)D;vYk%2AvYGXzdGZ;^7ZRZ z=U-#=AmvA2Ua9W`7Yotq9(?fCJY+j*Da3DI(7nL>%sTkqU-aw2eoJByvybhV z;Ln|zJd`UrGZMRmQndNedpWM}%7U$+@dvO$*eJNiwQD|m%8`hDL=(Zo#I%#QcN(SB z0W7tp{{|CeKN75Z{&!qQ#;b1O|D|TPI)(ca>jeb1RjZ5ejA+PC;*M;&VjC_d()i%T z2xak5c_4B5hT zy!MhgP}&00=f@8Rmd>TWIazDanf{BDW!?syY(FBPIrQ^+x$7ptcWY?LDgiJ>?oa{t z_RRHnJD%1ZlouxtVc)WBwL zTjJ@UdFhnXBXDz;@V3^x5U@s%gLjrg2|yV0-C1`EQT|o|IFWE04eCo2q(B`Y1<@cS zWONk$hUTz|TxKoJEjMts{A@@JwxqzxePKE@%PT7&CrI>|&(<{$k10SEj1Vb)Ffi^` z-hiWpHm~Irh)hv)@hlXcmUz88E1>I))BGUJ(_k@ixO%|8s)1 j+3!@3eo^1 Date: Thu, 9 May 2019 15:23:44 -0700 Subject: [PATCH 125/149] Updated with dev comments --- .../policy-configuration-service-provider.md | 8 +- .../mdm/policy-csp-windowslogon.md | 75 +------------------ 2 files changed, 3 insertions(+), 80 deletions(-) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 70e8359000..785873969f 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -3699,10 +3699,7 @@ The following diagram shows the Policy configuration service provider in tree fo -
- WindowsLogon/SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart -
- + ### WindowsPowerShell policies @@ -4129,9 +4126,7 @@ The following diagram shows the Policy configuration service provider in tree fo - [WindowsLogon/ConfigAutomaticRestartSignOn](./ - [WindowsLogon/DisableLockScreenAppNotifications](./policy-csp-windowslogon.md#windowslogon-disablelockscreenappnotifications) - [WindowsLogon/DontDisplayNetworkSelectionUI](./policy-csp-windowslogon.md#windowslogon-dontdisplaynetworkselectionui) -- [WindowsLogon/EnableFirstLogonAnimation](./policy-csp-windowslogon.md#windowslogon-enablefirstlogonanimation) - [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers](./policy-csp-windowslogon.md#windowslogon-enumeratelocalusersondomainjoinedcomputers) -- [WindowsLogon/SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart](./policy-csp-windowslogon.md#windowslogon-signinlastinteractiveuserautomaticallyafterasysteminitiatedrestart) - [WindowsPowerShell/TurnOnPowerShellScriptBlockLogging](./policy-csp-windowspowershell.md#windowspowershell-turnonpowershellscriptblocklogging) @@ -4994,7 +4989,6 @@ The following diagram shows the Policy configuration service provider in tree fo - [WindowsLogon/EnableFirstLogonAnimation](./policy-csp-windowslogon.md#windowslogon-enablefirstlogonanimation) - [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers](./policy-csp-windowslogon.md#windowslogon-enumeratelocalusersondomainjoinedcomputers) - [WindowsLogon/HideFastUserSwitching](./policy-csp-windowslogon.md#windowslogon-hidefastuserswitching) -- [WindowsLogon/SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart](./policy-csp-windowslogon.md#windowslogon-signinlastinteractiveuserautomaticallyafterasysteminitiatedrestart) - [WindowsPowerShell/TurnOnPowerShellScriptBlockLogging](./policy-csp-windowspowershell.md#windowspowershell-turnonpowershellscriptblocklogging) - [WirelessDisplay/AllowProjectionToPC](./policy-csp-wirelessdisplay.md#wirelessdisplay-allowprojectiontopc) - [WirelessDisplay/RequirePinForPairing](./policy-csp-wirelessdisplay.md#wirelessdisplay-requirepinforpairing) diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md index bdf911fd67..e307f8f433 100644 --- a/windows/client-management/mdm/policy-csp-windowslogon.md +++ b/windows/client-management/mdm/policy-csp-windowslogon.md @@ -41,9 +41,6 @@ ms.date: 05/07/2019
WindowsLogon/HideFastUserSwitching
-
- WindowsLogon/SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart -
@@ -399,21 +396,15 @@ If you do not configure this policy setting, the user who completes the initial > The first sign-in animation is not displayed on Server, so this policy has no effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - + ADMX Info: - GP English name: *Show first sign-in animation* - GP name: *EnableFirstLogonAnimation* - GP path: *System/Logon* - GP ADMX file name: *Logon.admx* - + Supported values: - false - disabled @@ -554,68 +545,6 @@ To validate on Desktop, do the following: -
- - -**WindowsLogon/SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart** - - -
WindowsLogon/HideFastUserSwitching
DetailsOriginating updateStatusHistory
Latest cumulative update (KB 4495667) installs automatically
Due to a servicing side issue some users were offered 4495667 (optional update) automatically. This issue has been mitigated.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server, version 1809; Windows Server 2019
Next steps: This issue has been mitigated on the servicing side to prevent auto installing of this update. Customers do not need to take any action.

Back to top		OS Build 17763.475

May 03, 2019
KB4495667		Mitigated
Last updated:
May 05, 2019
12:01 PM PT

Opened:
May 05, 2019
12:01 PM PT
Devices with some Asian language packs installed may receive an error
After installing the April 2019 Cumulative Update (KB4493509), devices with some Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND.\"

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server, version 1809; Windows Server 2019
Workaround:
  1. Uninstall and reinstall any recently added language packs. For instructions, see \"Manage the input and display language settings in Windows 10\".
  2. Click Check for Updates and install the April 2019 Cumulative Update. For instructions, see \"Update Windows 10\".
Note: If reinstalling the language pack does not mitigate the issue, reset your PC as follows:
  1. Go to Settings app -> Recovery.
  2. Click on Get Started under \"Reset this PC\" recovery option.
  3. Select \"Keep my Files\".
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 17763.437

April 09, 2019
KB4493509		Mitigated
Last updated:
May 03, 2019
10:59 AM PT

Opened:
May 02, 2019
04:36 PM PT
Printing from Microsoft Edge or other UWP apps, you may receive the error 0x80070007
When attempting to print from Microsoft Edge or other Universal Windows Platform (UWP) applications you may receive the error, \"Your printer has experienced an unexpected configuration problem. 0x80070007e.\"
 
Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server, version 1809; Windows Server 2019
Workaround: You can use another browser, such as Internet Explorer to print your documents.
 
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 17763.379

March 12, 2019
KB4489899		Mitigated
Last updated:
May 02, 2019
04:47 PM PT

Opened:
May 02, 2019
04:47 PM PT
Latest cumulative update (KB 4495667) installs automatically
Due to a servicing side issue some users were offered KB4495667 (optional update) automatically and rebooted devices. This issue has been mitigated.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server, version 1809; Windows Server 2019
Resolution:: This issue has been mitigated on the servicing side to prevent auto installing of this update. Customers do not need to take any action.

Back to top		OS Build 17763.475

May 03, 2019
KB4495667		Resolved
Resolved:
May 08, 2019
03:37 PM PT

Opened:
May 05, 2019
12:01 PM PT
- - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcross markcross mark
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system. - -If you enable or do not configure this policy setting, the device securely saves the user's credentials (including the user name, domain and encrypted password) to configure automatic sign-in after a Windows Update restart. After the Windows Update restart, the user is automatically signed-in and the session is automatically locked with all the lock screen apps configured for that user. - -If you disable this policy setting, the device does not store the user's credentials for automatic sign-in after a Windows Update restart. The users' lock screen apps are not restarted after the system restarts. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Sign-in last interactive user automatically after a system-initiated restart* -- GP name: *AutomaticRestartSignOn* -- GP path: *Windows Components/Windows Logon Options* -- GP ADMX file name: *WinLogon.admx* - - - -
From 66d6f8f1831a3489e9d4499b3c9cf975dc9acb75 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 9 May 2019 15:25:34 -0700 Subject: [PATCH 126/149] fixed images --- .../enable-controlled-folders-exploit-guard.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md index d761ebfc85..fe87bdd2c0 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/29/2019 +ms.date: 05/09/2019 --- # Enable controlled folder access @@ -59,9 +59,12 @@ For more information about disabling local list merging, see [Prevent or allow u ![Create endpoint protection profile](images/create-endpoint-protection-profile.png) 1. Click **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**. 1. Type the path to each application that has access to protected folders and the path to any additional folder that needs protection and click **Add**. + ![Enable controlled folder access in Intune](images/enable-cfa-intune.png) + >[!NOTE] >Wilcard is supported for applications, but not for folders. Subfolders are not protected. + 1. Click **OK** to save each open blade and click **Create**. 1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**. @@ -93,7 +96,7 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt - **Disable (Default)** - The Controlled folder access feature will not work. All apps can make changes to files in protected folders. - **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization. - ![Screenshot of group policy option with Enabled and then Enable selected in the drop down](images/cfa-gp-enable.png) + ![Screenshot of group policy option with Enabled and then Enable selected in the drop down](images/cfa-gp-enable.png) >[!IMPORTANT] >To fully enable controlled folder access, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu. From 7b826ecc7aadf0609b764f4681ab6772001e6705 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 9 May 2019 15:34:37 -0700 Subject: [PATCH 127/149] edits --- .../enable-attack-surface-reduction.md | 4 ++-- .../enable-controlled-folders-exploit-guard.md | 2 +- .../enable-exploit-protection.md | 4 ++-- .../enable-network-protection.md | 4 ++-- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md index 1a68651c4f..cc1cc8023d 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/29/2019 +ms.date: 05/09/2019 --- # Enable attack surface reduction rules @@ -26,7 +26,7 @@ Each ASR rule contains three settings: To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in Windows Defender Advanced Threat Protection (Windows Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjunction with ASR rules. -You can enable attack surface reduction rules by using any of the these methods: +You can enable attack surface reduction rules by using any of these methods: - [Microsoft Intune](#intune) - [Mobile Device Management (MDM)](#mdm) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md index fe87bdd2c0..c17a0c7285 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md @@ -22,7 +22,7 @@ ms.date: 05/09/2019 [Controlled folder access](controlled-folders-exploit-guard.md) helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). Controlled folder access is included with Windows 10 and Windows Server 2019. -You can enable controlled folder access by using any of the these methods: +You can enable controlled folder access by using any of these methods: - [Windows Security app](#windows-security-app) - [Microsoft Intune](#intune) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md index 58cb4ad00c..c2ce902a34 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/22/2019 +ms.date: 05/09/2019 --- # Enable exploit protection @@ -26,7 +26,7 @@ Many features from the Enhanced Mitigation Experience Toolkit (EMET) are include You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the machine. -You can enable each mitigation separately by using any of the these methods: +You can enable each mitigation separately by using any of these methods: - [Windows Security app](#windows-security-app) - [Microsoft Intune](#intune) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md index 8df4d37da6..25cb0873bd 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/22/2019 +ms.date: 05/09/2019 --- # Enable network protection @@ -22,7 +22,7 @@ ms.date: 04/22/2019 [Network protection](network-protection-exploit-guard.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. You can [audit network protection](evaluate-network-protection.md) in a test environment to see which apps would be blocked before you enable it. -You can enable network protection by using any of the these methods: +You can enable network protection by using any of these methods: - [Microsoft Intune](#intune) - [Mobile Device Management (MDM)](#mdm) From cd60824364d7ea4119b37af656ce8fac1e09c39a Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 9 May 2019 15:34:48 -0700 Subject: [PATCH 128/149] edits --- .../enable-attack-surface-reduction.md | 2 +- .../enable-controlled-folders-exploit-guard.md | 4 ++-- .../evaluate-network-protection.md | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md index cc1cc8023d..6a2dd583d4 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md @@ -131,7 +131,7 @@ Value: c:\path|e:\path|c:\Whitelisted.exe >[!WARNING] >If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting PowerShell settings on startup. -1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**. +1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**. 2. Enter the following cmdlet: diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md index c17a0c7285..d2b9eac2b9 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md @@ -96,14 +96,14 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt - **Disable (Default)** - The Controlled folder access feature will not work. All apps can make changes to files in protected folders. - **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization. - ![Screenshot of group policy option with Enabled and then Enable selected in the drop down](images/cfa-gp-enable.png) + ![Screenshot of group policy option with Enabled and then Enable selected in the drop-down](images/cfa-gp-enable.png) >[!IMPORTANT] >To fully enable controlled folder access, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu. ## PowerShell -1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**. +1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**. 2. Enter the following cmdlet: diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md index 74605b559a..c0ed880905 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md @@ -34,7 +34,7 @@ You can enable network protection in audit mode to see which IP addresses and do You might want to do this to make sure it doesn't affect line-of-business apps or to get an idea of how often blocks occur. -1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** +1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator** 2. Enter the following cmdlet: ```PowerShell From 12a7d68480c7926b83d1fae527be0529c589c201 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 9 May 2019 15:38:53 -0700 Subject: [PATCH 129/149] resixed image --- .../wip-azure-advanced-settings-optional.png | Bin 14186 -> 43333 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-optional.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-optional.png index cd8e0d0388c3d30f4e4288d6884302ee048c3bb1..785925efdf7d8f2daf549c90c5ff84fb6f2750c9 100644 GIT binary patch literal 43333 zcmc$`RaDhq_$RD@bST}O(jnd5ErN7|bVzsS0S?_=(xTGc-2#%*2uMoDyZQZR)_Uh| z?&iXE1jKW8JMvfv*uQx3(g6_$e8V!TsC@bJUmE}KU-wA{ z(m5?HM$?Rm8^;_v9xng399Qc$jPqW;mXnhcdAOJvN~DY3?ATtYGfkvZfkZ~KL+W`W zBO}juCq#U2zd0RJ^Yh3n zbb`_7_`Ca?^^E=aSu`GN33JPeJ+WcjT*ZeP?YfQQkwz#K+I_argLN@1M4Zll!|mNaExe9-F1>46$;qkzG#f43@^%4(U?9iz;r3rRItd55Ju>bQ+Wur;G@e>SSsDH2 zHCZtK#-5XwKWk!(+tIH&({M0ASp@}&G6<>AC*mhgXksEB^T%Gp&1lqYD|v7 zXEzy6V(9N8ffrkV#SnDFT2eGLH1zlP-(2@{-Jjkj^P4yI@bF0IFhAR!$mO(DrW%pZ zuF~S)KRU7_eqtWWc&GcrRwsc{DrS=jl8eP!^VHsIMS%YoVuopHuvQ{6*7}rL5S0RoH3gJ{po;280rvPGC||iqbjp><5aRJ*685c zmD&DuaaUK@{X2*Q@p;bCT8BvcM-B&)r%BhrBhxq`3t}^!Rta%&cywYb;-)Srjlx^a zGSzQZYST=J+~%=_?@T^)3)@WO2ptBUZ;!}4)^t32Z4D;Ol&aKUP*G92AFpQ9sgUZp zT|aCN#NpAa28`h?HNzsHzrK(S-5t*^6pw^g&f@L*UirbT#x`)s%&E3JC@6^d;X2rE z>4zHM2Q^O!G2h@~yRQJ>0EDElRTgDVeJPpogH^T9&DllD!~SZU_tnwT04ZxQ%yLmPMf`cqz%!YlFSy&dFmI zcSj9t=w!l*>FUMuYA=>Bzp+!rM1N)+2@tN-Z%L_Gpk`+^A4xGE+(J=&9sEVNfu%6- zaduWStP{rK&cVy`&#vFt%|A99^B4vPt`BjQ1)EhfcvsWa&-qJ}lzpT_SW^>-8rTC?AziG=~-NiGjyB?=I5Jh#*7G3X9L*ziii|nzB6Ts zQ4!HmR^(^IwJ}0=`N{Sw5%Sa(vmE2BQU5LN-EAjZx~sGHsHQA|a{A+9$goZUllWha z(}{1<9orw_N4}U+Zv8C$%&$>rA{Ar0`ePyL2R)Mwj*V=k;>%GQ5;lFTXg%6fbW3oS zNTcQTyS#^kt{?A?Mea`|cA!hBJ#`3M_Qp;1(Y=hn7dx&uP`Co1%ie1~=drDi7ysrB zT{u;3$FulQ@K~tB89aBh-L(-EQRj#KkXtyfW=GFx#2`otDe|(ljXGG=e%HSdJ{3}n z_tl6s3lPgbtdJ?q33AM@EA?b@~Sa0XL>lofhoG-4J3HgI4@q z@di4T97WwqYmV{|T|~0*DZkr&I?rid<8HXDjCu}OdwqUs0v5|Rrh!+h-f`oJLkzb= z4?Shp8G(a^zh0r>s)k98CQXsuD*DTsvj0^q{~5wi@*yVUmO%JlqFhayj3lB9yN0GL zt$}t)uMqgN}1eBC7HK!n~HTv zYOH)QR?Ce})c8q)Nj0H*BLe%W;fAtQq^d*vYC)$40X;i0=mGAka z>|Dc2>NpjYz4|yzO~r)1rfxHhq!Ei|4G;DvI@%;!1Sr1TZrZ$Ne5GgHb%K{@ z!gAQtb~zwnb=T4(ep&Y($;an?yGCBrs{OWf&nZ?V59onRAbY3w< zChL+a(*X#zqYo1k<}w@HfHoFm9O1iRoneU0-b^V*bin7ITMA;>Z(f0xq=S(T|7g_=XWUHB&_8d0hSuW4nM9~Gibb` z5kXym>?9Y93P)g$0t`X?<7NT@l~SSw0U9CKpy#R>fF(t0fi{MIH|By7#9!;Z|2FN) z)(-Znygb10r`rdx$OKMqMnZ1=ROvjU*4yLZ-#pD&NnmVHk@d!+Wo|N;BgXoG+@y<( zD)nA+Q92=RL(wZAN~&%|=ZM+Q2R~!y;_TT=p>lNPA#z(KI7DB?e>FHvjM2X0cijs} z?6YxU=7}-eAYApkvy;m-Qj}Z&WQ~W@71=n>@T&1N$N$ljyAK*nwT^x~SCL8#qt#cj zA>?!brK<1Ys`IC$Si)Wo=fxv`Do!;hc&o>3Ffm$0;TdM!ElTRON8z;AX(s1MD}{?g zQW9{!m78|1FvCTi?J!mF3XA$ik?{sUg$UUtz0i9*`9oRC%T@O^UnrFTogB)9;5jNw zGF<;akt~PX!EzHPUlEw4;r>vrbN~b_aQ9%(%`-BRd$yUBo5#i&(<_BeH>(>zZdNs{ za-fBVxOBv)@j6jbGN&_YRT?qKf9ynDu2qaB{;JSfnz-)lgx>iOK_ZKa&n6lZ1GnKK z`&z;!YJ7&hBn@Yyv9tVdrL;>myM7$05H)ii!9@sB7T0fbH*yMvZk(U>%U-s+V=da% zI4d;j_uHw4)VX&FguGI8i_wE8fp>Uw30%M7aH#^>>VMHBlFU)X37U9S+59%Z9SF)# zQ*|OAB@BkTOTF}_YVv;uooLEsGKA;OPtF+79Y~6>DXv=zbs7_{AW~=Q*Rv*L_OEFP zQm>qGwZkisFB$vmR+Mw=h*mlizJ5txWI{CWx-L<}22a zv2OS(6?~D)_ApHxwp9=`%Nf_{-U>Z@cA}EU=BFY@pgjI7q|2PMUPaN4Q#}tjN}@%_ z$c6LNZ-UNAV#bsoi(tnOh}U21)a+=iiH9N&&2VRkzI8Ovj22h;o|d$fb~gSMVi~r~ ziM=k&L*|`fL_DnU>oW_R^TE$58Z`6ar2KGddQ;(*g2aD+<`TK;J69;JvEFuoZbG9E zp!A~&%O5dU^P*+7r2L8<1ESz~mJiig#2l1cDHM|_d>z`tJ+L&@XIEDPJ;Jwpg|_aF z@AV=ohErK{`AW4>LoK+sBe7J&(oJT@vgIt<-soCfIx_K5ZRX5DExsKhQO+;H;S_a@$f zZ@y@ji)TC#4|13m)Fm%up={Hd#K=}w@@O$M;G1G^rZVYFs}-IXt0ML3IqAn={L~wQ z+s4m=E3xoZr+bIxVuZ^;zJ3LOf^7z*Gg@Ajtq<`9Rv`Q7;B1(|54$BTQd08je+Tn) z6w;<+wO=ZIp zcM12li(ie={^D(DezZiOx(R8ujWc69w9*ktBh2mOmO^IxgF3Q`Gdd{RNH)c%MRndc z9^lgt(HWhij7u6S!ceRhl(p31wwerJi07a^i-=|>|45_JQyr9zH4@{+n}i^>;Rg3D zJ%`-8zphUmAbakYntd?w^F=SH(#D1kUklbYn_){uVVA2FhGpS2{%p-$uxq(pio#)( zhx6Y(Pfc_$G&<#3^(gfE_ox4qEUlWj_MNy5F|YAgouoZv+@$S6iV?zj+E;LH10_}I zM8kvUSkq9)(9cXP(;-C3H{9r1AK0%p+{=DerdKzY+$e0*^L%7U@03rT*D3F1ib?Gi zdtKl}RDWmDmB3&*_P36I+j#uDYS_|hYl61+hWvtg{qSPGOT)UxLahADPMCXhef5A? zqC3nVD7^A~cOTM7EUHG7#n;D^Qq?<|B*dF3^lU6|J7ejr6L=VAN|cCZ70zDGdu{#X z_>Boaelm93)HWuJc>T947(s&>5?OzEA%&zEjns%*V!%YD8qoGez-03pV?m3`;kfOJ z^jDY-740Ug7^(W$MV&_mx1D^iX_8y_o??DM#o>iM5hi{HpSmD+eSf2)OOwm4bk1oe zhTus+7LH@IBp;Laqci=)3)#k>RN~{4vMsCfWeJB3h=bP(3u5cnpq*xj!+CTIwxzm-h7tp(w{2=J|X%R}*ffUs()^sOi*90f%}@+OjdJ_~X2fHrlWu`*5H3 zSgw+6YdGV(aM)zD6;~B^zwmT2n8g`IPwHG2qP}i2AtQeku$U@5LQ%M*Iz8WgD;AFU zF9i@ZUG124%)s8mg`chQzw5Vpy+(uh-soli9z*DSkG(U#{e#230mh)&_wF*0R*AC9 z&ct5Dd}zwWCEbatcDxw&LK63_*}`1iT@kEy-1}c&-ZN5NVKgph`6~YTWR^woj|jn? zo8UMq6W+ya!PX+c+Xyi8uN`50E<3V8zE=Qbr_Ta?#9214=Wkq7YJHjk=6qM=T04)p^vH6rhLp*c!P&7ob zl~v3N)X*;x2#S)Hk_FDITmDjxK?0Rt_|j5RY(eq51FP_VQ1&O!M`=gdE~PWjLVVMb zbbisN&2CeB2}LZ=io%*l(AMVMVm z8YL z9^QA-H6S$D(PaqmI=ezBGR`O+ zfhfCX;&>)&mD8pM{M{fH`OY|T2BYSnWbJ*L?7U@cOa7`t?;Te{It>_By;qm21ItNSbEuw^q$Vw77e7?;iU#<>*?j^W_P-Lfhg zQ5F;jXKa!DUs00Tho}`w4^i~ts{#FCyZxGIVbj^$#DC{Q4ozdXYi6diS&#rEAcw1p zlM+r`dF8hU(_3>p^94+p^wDocr#2WO_l~J7`i(Es0!nkdx%8s5BKE7$%l8 z^Ip#2v!CYsP^CLck7x@GXLs}!}6dIUrt#@-B5SxTBeQ@ zdE`~1n$uMHP=^`))nTo@lI`*k79O?nhdvfTUXfgyOW=9;qixTk#-z-v(pD(b(VEn~$ckd%UNGp_(mIEA)SQ=qpNNvqK07k5pzhy2`ZV zH|U=Ua*#4^fS&Sqt^tza4ddH1!b>~tJdIN2i;yo{$fn`Z*ihDTCd`=O!KATH*~dD+;A$w5X8Y8Jpcx*vB6UxKkd(qEui1jZc`Ay>RS?~{%Xrr^F(A`_vp<%AyIUtaTfiMN&fu!2*FQ9*lz?2G zO+D%i!GHU^HuJo`R6}%?Zi7~tYS)uPhYzhnq57xJVbcLu8RqsU#P;@f;1rOuoAd(D z00DzkuTUE8yoy~X`{d-rX|sPUlV{?eQrr{k)YOzMLrk!Uk$H1FiG&)tkPu1D=c7+@ z%E~F>75%42J1g#M`t=rQSKnKsu4;Pa&EAqR-Ng0m{Jp<9&)3-+dG}~8DJeNPVmkN< zY4?MUoS#;Bz};v%=VHC3yKnI5(?}#19WpLcn(-6FGA1VGe%|M%VB^i}sp#<zmOl))1}*;{|$R16Ld+N_}?pvr{B zzvOt@Ip=iSZSXd{6QElt1-tIdlvcmlRp(DX#_PA>tr|!sWcMq^b3-}MvkXlyhZ$?q zKK|Q`6KMwogc>la3k(tc-R*np4c&|JeK67E*#h(b?${C&6T{JnxP7iq0De2?dGzlH zhz)E#9~U@UYM40bY6r_He1Fmtjmyjdsp_9oIatw^5Wj8^p;;N6|IXZl?w*2 z@3Tyx+vVRC-S+*HurN8F30k9zy(vVI7A$^2^I_~D>&@?J z_dMT8uAx@`{J83Xv^((vjetY4-PapvZa_1>IqAUwt@`cDidrE5m*)CqjDmmO1n*LB zIq`P~?sPp~^$<+tYJ)>=k;v1%OHl%sGp|W+ghDC{MfjlG)!&shuLI_JR^L}i4xovE z2GDrZBy?d7q<=uXP74ku1`%iPCnYeNgul>;7i&K^afEKTXduLK#9r>t>;eG|iezkT z49p5k)nIru=o)*;M9l54T%im>PmVtPk{h%`f;`x?4X}fmb$=YrmSgqkwRycuJ_x@8 zUYp_E z*BAnWr~0UnCRMUxkAZ=aiqMKhr>qCS(l!M!286sXFV4@Yi1q4BURh#cVZFh>xd{UA zowp1aI>inVn^9+xTq0sBryxx6IHgq7Ym^KX8&;sRl91>Z%j58k=88OhC;L_m1@@2# za3Xe85+-+>KOd+k`xGNe900?|w{R*D7NOv0K?yz2pVa~>6!_0qEAAL%!dc`{w$!to z`5*-&`ARuPY}4>AX|eXtzmmV(%vb9*K}q0yShXs(>n+Bpf%sy7Bc=FkXZ~1cXQ(pl zXcwH95;$(!C56!_f@#{Q)vEeP>^wX$fPh00crSR;3A;U#N~a{Qx!bVj$LSyNnmwiF z4>`KhV%SMuSak0Eeqw3O7%GzNk`*KD6Dx#=m>_so5K1Ytbq_1)Ft^bU~K z?TWJGX-zJ9RD~%h0v`fzyrofp=(o7Vs8tuA#}e_dXq2E@i#s-d^Efq`4ygynG$Hq$ z{dAGs58Fi+!*<0hRWbHgMz~>e@%o_1U6M&Q9Kw&16?0JhN->nomy&(}qNXvzblK-H zx(RT!ccMwGn1q6j{oQs^z1j4 zL*!ci)93O4dGpg`-b?mv;B-c!N1`Al&``gE`wAE}6h2AauRbw>G8f9wb@Bc9wKR#E z?-zc*dtQDouP1AVEN}E61qD=v_KQY~o86yMsUS|tXo;x&jiPOm z?sqmn4_Djn0QTdw`N`BP2R=J+!;(e({myqIrZx{A1;4uDCoI((!?IfeEJ1B(bhyLn z4O=LED3|B<;pzIlS#O#=zC~D_O9X#^Z?Eg0*>a${-qT!HYnDTuZZYU-@zm+w+Dk7T z(kXt|0yUk340y#()Z^LowE#*%fpgLar2F(5F_@2(#>5F_1X&4GUlva>UY}y%xZfJ<}ZnB=r_Z;bnmr)%q>%_h$;j zg$ZI}Vtb6~1fqU>F-}Hxf)|q#XU3#IU?j6x+b*D6D2VuN(43jq{|e3E1~g63ivT$S zy2yqze-kj)z!&)uTU6c)TcDQMBGM{lNLntuRK=-s;d>>U*FqzoBwBR$??A?G_5}Dj z3NF=ymKKsq`uSm>=DrXhJa4g*O(j7d$92)oL9|KK4Yp;kOm4gTED?>)wTK8r>;mAx ztB2(!2C%B+2;#Bm(HpdSfSDMiCZyVvd;@BzPOVWFaA64<3NW{j38YaNHOm72_&hya zMG#Xs06bF6?WO!ck4r(K2Yyj18dp#178GcvpFr%!Q3u4I2hh6 z(6@a7$K)Yh#9vr9_VM8kD_Na_C=~P)4GM1Ki7rT>30yBI%etVd+38n6v=0H22ljU< zJpZVl3Glq}1wjV_wQn>>s6|Z~Bq@d@r6I)S9jJ-Ph!_}8rvqd>whNurQf?T7Cm=WA zwL&-jJbAQvB41Pf$;!(^ZzyShe5`76-llw;tnvJ#okRlljFgm=oE*qnYAQSq&*^6q z;^)vsL#8f$@!&2P=0p~s%k9Pf-ky~!w$l4|pAk${ZSjeT508(JcXvOu``mDt4-ejj zfJ&dV)K>+a2AaUpYMa2^O`k-ueDW~JVTg(bwBj+?{5GdS{zhrie`*(IUsOy-BV!ON zkxBNyzF7k&-tO18a@Bko-W)7B(l zv!!{sb_TrEVTb=r!y)Xuw>&shL1HMe6#;)tKh1n|b_ekiJl=HYYfm=@s{rIbAE2~f zoU?)HNRJCIb_GNcG~z$MzT2#?J^o$Do`59EVZ`y{`LXnE9GExJh@}7F-p5sN{kR#n zXxXk!&eZD-#8+?({wy^(gsJrYhl2=pt}0 z>ILKTz=8*gTmd)+Fs#OD9qAW@-{#0?@Yi2?X^MoOI%;lQXA%S{`{VR(P^v1 zbvT&3Nf1z`xw*Z0XS?9|oS)%)UY2?Qg8r_w@GvorYB*3T)h`mE2`P08w`D!Fd_@pp zcDnMm^jpAZw!HImx1P7`Yv?evb@v$V&PKXS-|lxGVJuyyX6Sp|EaCMo7<+TNQVGR` zd^}9K${pnV4mM_6oUZOs1NTbHzSUXsDNTZqcSiQ@5d*ikPxGeXmoc?fv`S$uUDscK zU?Ek~`9ZHXH#bd9O}CQ(JcIIiNXugo^Qz{HzuN4y>t|_;${0U7zUKF!|Iq1hniu3- zst1WuArm}zHfgn6xGyt4rxMY}Oom!`JALYvPEDI588=W8@MP%Q@bH}-Y$BLu!im29 zXO;DkueM7`sm^RH{8Rk#L4^Nc)9%PS*RkK<~(bikOWK4KM9f z`?j`o^stzL-%oEwxK%^uGU>Vi+m{A$vqM^3qnw6Cc$sN_G~-8c?F&az&bQR1OIO)S zb=Qw?R>M44m$25#d;dHFP&QU!I@j~IxN^k*xWj5VPFv< zeGYD!!2s?6s<6t#t!wkxU%T(P<44!XFduw;E8Q|*z4>=u$6bN1UGE|Kui$YJrZSch z4re&M?qn>mpoxHtzgE|$t;({xXn>}AX!*Bolyz_9@+(_-s{ zbg^Nil7l)!e7*V~+PX!BozFfLVZDVq4 zw9;Cf=84~&-+To7&ic}Djlr3p<6)#&P3+NNRSV|B=1@)QeC~c`&zm#^ZxJol5La8< ztTBt38VpTPhs^+00v%k)_tw?StjOt*)R+I_pD?iB($CzjAD=JT2~9` z_8}o51Ek)gyyIUhMY1McuNRXfGv`jF(0C#xwxHKnGP5yT2%ezyK*%{*RuV4%aZCpq z@XW_+$Q-?wM;JXYtThu}D=I1iX$9B6%S~2O1=2{*K=9}0(DAw*=tCYJ*Z(C1nMPL3 zgZ+Fc{C~W582CU>{(&cSQ-aOPOqp!cklSH^2P@&&?t9p6UZH=9gR%_L#HMYs{Ehz% z6&b($IB-;=@K~$)zkqsjDZ$9!9MBr}Dcb`y%W2UN=2Q#{)eywD#1ZDJ>2(&Bl z+(2$*EKR1F+(xjjLRm;O8|@he3ReJdKU!&N01$cF|9^Vf$#F7(={}&h)U;h@`1G?^ zxcpK7qoTXPO(NHdnfmuO`Aq{#=2#BZ;9dJCF_Htz2^?E(kEI`W0152_9YI?=ZR@$m zr-$wO-x6`#FE;}GyfcNPR+N(iIm*bWD1MIKF>sAP zSG3ANrv}s@=SMa)3hYHs=X8-*xZZuvUOpMeGUU1SMi4V_zbwWx0?_2-R zUZVv*%FD!&w)sE#ZIVZ`0sUg7#hnO&XMCzqrUQhDp2MWq9m9a`b$~!9fEw`@1jGVv zif3S#{}mOaEe5Ds9b^H?Ku8gtg#THVkgoOy%k(Ps6S3JFusF;xjxLf?Qb)hOGroH_ z$NN|VO-pNZ*&V;W_Lyc02I*7zc2FcqA_j`MXlTqQ^Ta?*s;5$?9&rSbAqLBS{ovqW z`*W#C5F|F%Zte?CwIMo?vwwXxSCCtSTU}j^`Ss~L;lR`T+5o;g|9VuAn>v41YwpiR zR6u<87FimgNHG2X(vV;!Gp|la<5TXfpJFz)6)41q32bE#sM1DFJ2=_U8leHz}AyfttXhEVtI( z-Tkv#UqQ9eeuZEBH%MxMX`h&wh%*U^q*KmXf2$lC76!I*d_d$l-doK*FoGD!4-j-! zn*q>wT7@Nv7JuqzmF~7DYx;dLr=9|x|IKzPfVs&`I_ep0eEyGu+nHR}8^^~g=|H)f zMqV*hCE~H~6~<2=c@8^36pdu0QC^UJ*S8TIanyIswj-ydLx};8URG0 zdQHy0xBI1U-n?m?0!ow|YB;A9wjDQ7Uw;fia3Zrt$tZY>(>ROx@Xh{zAojM@OLOfc z84cZoQ+{eWZkO09N*nrM=o|X8fH53{EM*Y?9nk--GLT|SNH2nqZpx+zLqu`f+@O}39A70UR{hWmw(-2|>Z6AC_q`5~yPGD~}xz&hN{ zzX00*b6zBZ{t0AGHnxX~o^t&kZ@^-{)vA=u_Wwtnr36bNnxe|U#Af%4i>n;OX0?yO z+{=h1u+M5DyF`&7JrsE(3NllQI}gKEb$9kA|2q5!3_9Ix)jSf_6!Z{PN(Fn1@ zR@Z$@nsfo_0f;fMK4%pN*vJbl)alQk`nS_En({=LGC@7QI$q0FtA&|51fPD9z6i7t z2GB;3l0n9B6;x=j6E^%a-`PmhuHN+F8GHnL5(}{?C8bJ*R4^WFV>mRx#w8!5G3o9O(g}W)Py_mfQw;4N7g#^*{tf;n%V< zOa1|!>$57^w>oxk_@er5y%K>8w;h8BNFTmqP#Zx3&Alox(a} zdE<@(JugnjA z3roY%4pgRGj}4^T{=COOk=01=*;y~(tfI$W3cyx(U+*Hl_dx47Q4{X}$5P6`; z*a5}#^cOKSvV|HIiX3Tik~toYis*WIy!Os=xoD$)MNhC@+t^Jyx21K`cj`sH{$hG=vaEBH$KN zQ5(7Ch~ppFvp>h;XJEH`W zbsuUBTrmsTr_9uuy9(;_Ol#FKU7WNe3DfCvn;dcLUZ-)4xT>H(!Ee~I6e(P!$4Y^+ z#71(18uebrvMB8t4+9ysPh|Lx`OPfYU}XHRh^b2GU!Lu5Uy$>YECWZNSQG^Cm2(6= zZ_doA!^@(xfcQVq+spgOsagEK(2DvMB0?m&+B@{q z1zq2!khDN3vh`K-Sj1qF-~4z0VgS=%w3^higHDRx^_lV<8lJ{%s9lRVW2x-KFKCwufMJ5o`%W^ zjUIynw@V?nY3OXDWbhkr<4cr*g)I1;Q$nH3(Sd1?&Ly6%{jwB<8%XA65wNG}>-s zyP%V>)WZmbSvUfvOtRj*2%Jo+w53+hdhAYBC^@!ns|UL-?mm1=A~@TWJ-wlWf>Sxz zu$Nd{K=RW;uVeEa&*Wj1xVszItTA{19Bo#SP{XLfMhc=J*|66SIsy%+pkUTf61H2_ zjH19t=aPN+yBFs;ivSCZjPzK%WW%a{eK<`fSJ=Ct7d1t&wdmuK2P!TSsJN%*7PeEM z+JdgVaRIEq7?oq-0hTIfM^u1@LjNkFY?Asy8XeTh^!WIAVDA=za{`oBsuCm=6e_aF zf?wd`L_tZ}$a0el2<1n<6$A-c%?Mcqb}V8mz;D*PkA=q7--9N88{YFyLXI4bejCV- zD!uo;SSr9D?pj;Rg>Ge1U=P~VxxPm~o$VEJ-3J=Hc>p~D-Y^6FbfFB!MGmgDvfh0N z5*Gg1vl~>cF95e0if2HccuSCQPAQXtD;2IdXqFp@|60AC&ZzZ6wVv1y(5-xLMytyc zo)y@T=Q}5Up%Mk7^M?Lyz&&!U0XJ24Oy9q(SH&m|U`C`F!hQusKS}*|a1z*tk|;jW z6y=sqm2T2(H~w8y97ch%?XY0avcvCT;Ua#Bp$=YFZj@d+-ffWwO#bfPRN*LtT{cj{ zLE*A6-j7Rn3?+frf(}Pc(KHu3BiBE0kmUnG$_(Zw%q!$90rzoUbv+}VlbuY5jIQP1 zJ>lV~1VPiA-)VM#0Qc`W@8Yjd%sU0JBBXBmU^{{8H=aN>0Oab0(D;|zbUsh$9u@j98XdKOxl_{J)2rzg? zxp4e|ge27v20YwdbzDpACWWESU2ylOWCPhmj z|LcBRA9JcY<+FDxB_&l{Qc`k%H1L${5A)kO9xKT7ruySEL%noHDdrLu_5-d$sY)*H zJWyeeH#dVZ@k^64gGeIBEEMGBo1M3#8XB%ZBLwZ|{btsGeq-Z%b$NPso#Mr>x9w5EF|>q-O4)Dbxpnq^_>c}NRQj~j(j@(_hV;p=jd)=+zbE%6kMjp&pK7vK=%9fM`k|*Eko9dxVb;R2=|3VuC$XV`fJ{T`w1!&u{s;q zb$V^Gy)q;`Iqe>Fa;bTJsnfdcJ`i(H)R$x5K=&)g ze~7?ecTB0$K&zqy@AtmKnqfx$J4hD5!DbUV`hGLI|MP!Q6*Dj}0OP6Lpsm^I5J`(f z*28@~Isd%c=h}r@+-&P3Q)x{RdN$F`zhNtmc@lYij)UQXY{;72Kg5>qL>ZR$Pe{%x zQd3jZy5p~p=gCGMEJ|zLNin=@4Y(D8!soCn+qHC|N1KKP1sfzHS?VCu2Hd87ItW-f z4g%oU0}Kjg>~B}D;*GJd;x6kr-tfK#dHBR-;?U>tEQm6fpGC!8NQC}xxloszL!rd8 z>&ECLB=i$)TcOW(qkSXg;~qf#M4Fr$E{6Hhs#~OOpBp`8O~+E~H$%0S8Mj;4%j-vW z@iAt^9^L<-WaTsy!tb{S{HbMYYil(%HD~GPX&@G)5(f~DQNQ_{(>ix%98LS<%(mwP z@}(8#uR^E27(5hB#y?N9sd&8R^$YW)^29fi3lDR_6H+Bh%$EjZ;>XNSyFA;?J;e(b zV={?MZZeXe%vN|WUA-ZC!il*f4L%MgH8m{C+Qje7_vh|?l~Ir4TeRkk6uz!tT2hIB z?_FZ5<5qxf@(8S`X~=x2O38JnjYmft8#h)|jLA}eo+<<|Rp16C3P>UmH%321Z%<+T z9M!5B&4szqnHNO)(f`!UlYctNIaIfwY=BmCV{u)d$dbjEn{nP$xKYak~7o(4K80ROzX5oY9>dX(Qu{n<<0iM zzqdy0e)vmhK5e)HWKMTCw`cSB<#x|9kqgk)X{o6fY#}d3e4*-0y9LvKQjysp*>HEB zuMj+Ex-%%Gg2dY}{Pb+^Y6}v*wpeu*SpOVMt1Oe4B)P^mG(Z`fEOGAKVl`^8@0yD z-g5-sx31>mSu^Z4T)84U>*hz~_Ico3ThuMNz~7y8+#3bdaB@EfS~$=qWUT>21d(zx z;>K`{0;BKt!YO9N0+CAcadC1L2Ft8tN^>{5&Y>P)<3a=UYvyPBC zaDJs;{DOTc;y!m8DraB-VWs-!p@XGyBv*cU&*xL!;dH%Qq#G5=SIqS;`G?^34(oFT z&IN<2(r>v0k-Zq$tCP#G5D%uSN{{+00#x#~UT`b^&k*n5)va-W8d)N_<1J&|1(EZ*i% z^&)yBr`a;V$@=!O3dAp*<^R`dC@?$yX#A5j?lJ**SYJ_{+2R>+XBcIUFIHq}2qS{RMJHxXL$r?e403CV{*5JSL zEXqH%*J6vYjQ%?B*F6+vcm*>^E1$5>pYHctp~su%%!Ug!_T`IDCL|#`lck_MymYqJyV!vB{F61 zTD9iBdvsv{r+=VyVdfBWfjd3q#<VEaa`nL8hk1`qe5oz@hhWOW^ z2WjTUq)5<*`EP26WSc(KHg&zFS3bN~*Y*(Ket@s!Q(0Du*1lPv z1JE0V%`gq(FTRnQ&oLH9g(7T#5I|7mtKWlH<`}s6&6$CSj(!P^3ov77t%UIKPn`;g z$#i}CZnEUE%bLUM=`}E(efZ(|`cx8O>3<^ru9jT+5Rlh-?0&fdi5ZMJ)9(plV$!e_ z929i6GZyXh6C}m~Qttmxl;?IDDF$yYrS`buaYpiAe(h{c@_)XyEdKxawL4LrkbuB* zO3v1nDIA2%p3Um4W+_x+UdOYop?)zfa3{STK)PrA2ysYx)^mZ-#Do5o>G=j52xr9x z6VcJqmH?;?lJp!9FhTZMq>0l&+589C80qmAkg#Y61_tPOd9}yA;sInQ8B1|BGRo`d z=qPe{1#XRk98fK=Zhd@xff%IK>}tJvZE<>jewP_o$ga&GBm^$#zgw{V0TOeDZC*er zwj>6;xkA1fNcYdKZ;=B`%p~w7Kv0EX;8|-&0##L06Z=g+$lj`IJlp8hYoET$cLz^S z0`Zbs>A}FD;e_BHh(+MC=vfhaz_dOAo~T=@Oak86IP;9>M;lPLw9YOsxgic{+Kbn1Rj6TnWO!FdT$S08)n|mBqt|d2Z@Ca0F`1*wThLRXG7BcYZz-m`_ z{qNc`HRcRT47hOPzCSI6j)L>HcMS-uAU~7Q`114`%#Y&(U~#E1&(C!Ltd$J_IZ&il zfa(Mu_5h@=QNRv>AOIBI=Uc(uivY9HP*eL{Ov%tFq<}1iz=!g@+Jf5R=aHBlZQ7J7<~lr%!(d$oxlXz@51=aH|~L{r)`t z@*_o#0l0Ake0czac>(GLZVM2ka{@9Uz${54KLlDs21tKM0F@5ccoAgO_U_{;B)}sb zWW)FE0B|Jry_f>(+0dkw{o+@1*R)T8UJ<_t-mH`)0!+>F=mj>+`wA_Z?h;2pKm8tW zEQhgL`33Iifa7AT)eejWz(Hhtbvpcf1s_4J623d+^pbiR7OZMq+}OyQv1$99MtZtG z2b$D)Iwu|2n}7+ZXF7so2sjqd^!08P5m|;q*vl<}{xphRp8}q}KpQH*GoBqSw}@Qp zc?;5rk*wh4eglucxXlHkp*3Qmu?sxCk`K^?L6E>y6%Y#pKq0=ouYiz=w1aI0$Wr}V zd=%f31yE0b8zjk2=nHc2L;2^Z)b#XLK!9`&jvTCgMR8riN7(&^m}3>N-(1oR8lcY0 zqHWb)J*Q^)z<|3SU6Z%PbYm(!PB$RUkEy_Q?r*UeBcx5R=J&eT1MH8DLB9>BMFLp0 zT!Z1oz#w;1VFORt_%Gt%Avz>xh(rjFL8|BlECTQzBBZfgFEzkM%91+d6%g0PjCdI@ zTC9q=Ol)2Bx9w`xCCMcp987>nlem;G>jp@B789hmR5>sso);o}_bAur3<=6${gOnA zb)U|f<#4KS0PMAs1EEqWX=&&q5I&1O1mtDRwcq}!0O~e*AoZHdgb-AY zMum?ecDVhd8>P{7+6uopLNmT!#uQ5)1ei|2U16D_K}r2dI%Rg;FctKKNnM9Fsc!IO z62jti{?Bi%hbQgAqzQGzC9|atfma{~BbOKP4YCZi;8#QewkCmR{I||+RAiE53ERO4 zS@Mbt0tI2a8R=fqKj!e)<9p^~c7;+1obcn0~%N^`iE6|5*1!N0< zmQlq*Q%vZEyd`D$TC&soc&TegK~!ppO|JgVm}McCFZvz{c}$zP&r7;{D4(?Y&q5v5 zFIIDK>J{VF;)F<~IKU-|u+-k|Y+>Jz97w^F;+QyZHOap`XV)?UwSIpo5(SSh0ndPl zI^nYWh5fnf4y)(8^$dIh71jrXa&;O8YjI&`dTZAp*>9jz6(J#)ts!Qc`5XAc|a)-L#Y|#NAXvmLe z)bXk^ClDZ+;AOEIjWvHyR}y>(EQee^ddr65RmcS(0hcSs9@NQWTOoq}{p zNp}bqDUu@HC7>YEje;U2An~5-`RzNivw!W*?Ck7c&y2$Z_kG3rp7W{Gd?zO&DGA@d zp9M-OFTpO1*3r9|&vYbZWIo}{+mVIkB1*YZtl#jODJ`mIuV5rDhW4##7ayP~q!~<7i*fMDd53_JJ3=-}aH}06^DsfFk_NeMa z8rtx%cdhBk-1>}u%zUkkJb4ZZum*}IryE0t>R71N{b$|#>qE)6V}^{e6epr@D;K(p z+`7EHL_t9T7j=^N-K{$r8n=L&p~A+)PI6vsllpl>N8er!dt$UQ0-bwe7f}m(Liox} z5>Dn-uZU}D%j4{ip{CMQaFi61oXK_%r-%#!`FbA8X8x!fi_n9fyPxw9%EFC?^)nMz z=jeVk7QRGoQffmT9sF83R=v;({Er~;B;1S`>v;w!@I1S}6uV2?zw0;dt}|mk#pJ@A z$9z7+h5thh#S-Lro>;R5Vtt@=;^3pvC1zw>M_ILC_ox=) z+$FTD;gu61$6l`r3i5GP5520PS{Z8+3qvTS$gzq#?A<$P2tnhj?UH4 z@Ym*!1!wtt3@Nb?%hGQP+NJRimJYRyJha5_j3}O*a*%$tVe$ccLt0jsxTm}8_qPrd zg61Lx^pI))C-lzkepzR+S3N(!ynB!#h8KOlw**{*d=lp4y{B+&rKPYo8W=x<5mA{K+U-^f#dxZJ50N z2uenL2CXJDB}-zHiN=SmO{EWqo`UI{T);*Z?g8iywOf^{AhtfqVSsG&G4fBz0=m`~ZIz*>*_c`rULz{8M$Fj89q4M`UU&so9UodtiX)j#&|D$zd{e5xgAvgUNj|p+@GtU)YEbe5KxOO8 zFTSo0+~(IRbKX#lA6Cj(%%$R?o}W#OBz)BVU&<-jLcXw znbe3?O_Ig&-kD+eB7M4++CBG(mJA5Xe;MY%9oQ}2*P`2zLzrg~ph`H9b$A6hEMC)p zaZks^|8fCm>HTX(#Sh(e3W3h33oQ&@DMwssEC^ZqIUY<=v2su5n~xw>iPQ(LpHpF` z)^-SFCCo$`#arEfOJjQRy($sVzMsEJplEEEMha+?CTI|B)C+p(p<-I#eSTxadn}b1 z1h^+V%PA&~9MzYUfe(dHjv#QT6ek4yP>bix$S zp|KKZ6+HEIrF;jMt|JTsD7rXKrA%IvEwXlk=`aE&#(t17GVN?hZ!w?VN% z);VBG6sE86(f{Z^;bCa5ah=^~I&Zt3@J94qn@1pQxAD{q0kCE5)+XzF_q`=K$Mki@ zzL~{p`7Q1iSxvWHZ$;g-D}j^1+Y3n*J^ea!OTdu;<2?)BrG(YD?J)1b_w`z_esRMH z+9F}+Ik96|C(QAEP?sgM?%REja-xcW1|YY3{_o!7vMbwY_u=wnV~lN&$Q$K133j2e z*8#CH$Y`{)1Tb!U!6ks!>~%?Ou_@ULz30p8>t4I7Tawgg)RdHt)a*QK!&wIqaFHz? zbOvk?qPc7n=mFY^z^9T*zG z9JF@eH+c6M3N-W-l$6;pbG7_xj{7tn-1QU@i)ImX-QP?94+DhQEg!fxE-t@0@4a3d zE0BShGKw}?9u13nlk?Vh3udIew{IwK>~=cVyexg$+ta6F8hgioXYCU02A>lIGr%;l zb#@^KpGn=$U858c+5nfNBnN#i16oYxF;c zhcNWDIPbRj{5EcIeh3Xco!?sW+eUquoKMM?{5a;}3l%HHK_1JW$Dbrchxng79GsB* zx?;&O|0(1Ovd`cFPWkfeGq3`0@W$RQ{yxbz@2i`aT-yFsP*`!UFhlfY?8C^#ksz)< z%pGGuT7crWff$+R1#W2vle6;hIQPVoApW@@64}{yRf5cc7o+HLc>IMgRL2Kpsw6k) z@{$uHe6>%+_m_1ycf5xb@T7=|iG?6==>H^#uCZ3RfB!y+DH2w>G=94<;nHf?q6dh3 z4uvL%l+5TqIo=XlH4kjQcy7-02Qx94fagZQ$Reev_x3$^i97rK;HqO}WGwyfemVf> zH~sE`{iSKP3Ie##eN0>rS@x|7W?MFuA!mfXO&OW0FilaK{L&yI`pSF|#PK(}jk;*?D&F#;`DwFv^%vwIzZC4lgQGoTABc)-}sYTkB z;J1Z~%iJ5%oX0aW*rx%sLr2}oCM>8v&u=@#G!(r&CeD!>an}AIekmTTHY*i$RFg0B z;{ApN>VQC*2B-~VkSK;4gyh=Y?mU%1{+e*A_Vd3xVT>*%8~^~0mT zXAT~Bwn2*IPEJ9=Q4UuvZMXvj!BkWa#!vqZ|4MbP(y527?*g>h{)EWNUen7?TT}f{ zS04!)ZFr)9z4;%FcB6(BVYcuQEShUr0_*!DKWfMC`cfA!&O7TCO`YzK zo_@UP+!pRwUs@{pdhhtphD-Xt5d*j&ZxiiHr^d#3IXMT#T=7<3cN;wL3{>`$+r%VG zop7p94yJeq|iE#N3?CQpi^~C=4Sz=0~2+}a8$o$PU&J$Iu(QRll`F$)@*w;q4f8;WiAJaBi@W*y z(p{C5w+o59fqT6_&VSpTJWjEzy5G-G#_{Su-)aL2ydZF(LXoqEfY0`?;<$O*eyeP& zOg!a0<!wb4qyp@{s^R;mf9FE zdk#)2gWmMN_o`7klaMwrIZDu{^BHAwlyk~<7v}zUswl+JLrbu_JdM#JJeV(8{#;Vq z^qrYuKz7+?Y4k`RA@6fuFDvz|HOkdd-r_BHogJSd@) z&Y2&q4$6&iiko>zx$T!06qo}lwe}YIJmS7PlD?pfN&(ac+9|5Oe0t$|t+kEylLSF+ zDV&R|tX9_MfA(ZtZKJ<8Ta0(2YvzCL+I!yN{_@Kgs~BUg_nTYj{4p;@VCW{Y81DS}v(@ zZ=jVm2<>W1Q(l5hq=HiHsw`|bZ|oz)i`K*V3~hzl)qkvYcdAUSUEMcC-U8?{Sk=D* z?`#^QVcsNa*^zic!+#p4*fRYe}ul~TDmI7TgX-f z7m=z1NDW|&CdS8K0)I*FkX}D__UN==US9*1e=<0)GSkvBGd*F@0P8s@1usHx&|+dA z43nK9RYY{~U5Z|GV&cMPHwaek>XKL2*K4M2N%sE!V@+CeSz}Z~gQ#w>g@wgvZsKAnzdLeazITJf0R9K1Q=k9;Xr-}VOg!j^$Wl;O zLX0je%NkB3ld>5pI^CdYu6#0X8{`RhoH<7pM$;wR7Q}Tu(Y|!CN4S%qgEF5 zypDVTH~*ZjLPVcVA`kri{Q-vs90^f2rnx|^KulpjUX|C{k2w>2?f;Kkt{Q}}r6tA1 zy@@nbR8$(xFhf9kM^at1oT6g)C2jeh6+$e_wVr_Ep!-TZ7(!he3mNGN_{OWps;T2qXZr8rYz(t(V1P-Q4{B`*|Cf zJk2AZlwN5Idd_Y?_;n`Dp0CylC(-SJ-(lc_n~2XT&+Z3BRUBKj>Jg4tiWv9??3K9L zwI6_*#DnylZj0>)2_d2U;Wq%S;bi%SpQI)v4t^94R(ct)A5+OfHC&Pe5;0~evUgd` z;bpOF-C+im2g64z7dhN{iwt^OXyTJ)h1}uy<-X9Y031SLiOb=-QV4KcFi?|&PM}nJ1Q6s)i0R1JME3&Nl$tR$SHf?uUp=3?p60l;$;IM72Wn8&(nyD1O-BIO z4OIdMp?Vn5JYNJo%~gs4%oYwNO{YFfa8ZJg-Sy#TRAzhvmi97@eokdyNIKm@o44zS z*`g4~@+UmhA`TO!Afs!Rwyye*y4Zpbt(9Haq!>d8F7^emn@3Fz@RR~xIvRF`MuiR0 zc@(tjXv+C~mZ9rHR40DUC5$(H9AGVIZ)i%Yyp( zc&?G({RHA3=&8be^k!fx6Er2q$Ct&7{+scLP>Er`B&E8VkNG%Rg;ox09IXj`?K68! zd%NtV-U%QRWv_uuK&m(-+nhjb0Osw7t1_}GpEn?%4DD4(Csg+Im%HAQXL-El(n9eX zrOYu%zMML30imRxFFe!;EKU!vz^dayt9Y^%C|m$Oi5xb1XL2OY#st`gs55n}s+fim zpa%aySF5woIPoe1z!;TjHKMQ*gw9Jo$w^Av7mzi=)Lc()2lMCWV4jRXqT;|07&z(t z6A!v`G>0RE8x;o;OO0q$U#S6lZ?|K8%Cl8vVZhceCp36_y1QXS#8=Tqk4(P<(1!M% zKj;!ZyKmwZi=!X8y7Esj7 zNy!)Rd;xI6)%87*ydMD0bxX;8wR=uvYsBusz}S4MMZ($lwf8d9R(`Dyls{F)e^|tV zo*Zos$p=Z)#KgSM?XM0ewL>8H44$rFD8GtMy~0}2sentg0s{w_RvQfPaGJ{DuCFVv zaF#v>l20#X@S*Tig@bu1J84Hn9Wk#T2H8Lm{;nXkP0>eXNhU&%+`uPqcFa8~NdfsD zaPFD&vT*N4G>J?UkH{bpCejw)fe6bZ0ga9PCJl?ALYo>SeX#SvOLe(1_#!SBMqsT1 z>Aaak_^s&ztT@z9Hg@7E1i`yt-4-(&e(NrrpRpPqGgknUIs@HtN}WPMLc-F6Oc*&` z)_PFC91ghUWt-s*u9yPlZnO%W?@}m8i9Mjig)63=1HV#Ao@@vMTxkSgame}q`2sT7 zPvf>22ljmt*Dg%@Z=h*N8%|}zlPkSb5TBUHdX^TITZumfg?zzjWtOeR;>S1OsI+m^ z@4aMJ01p_n9v=H^YJOeG#+eqs0MkgZi{I~M5g)!bYgnq94Eb6846$)14C$4U&v6P1 z(Z9m`&JM)@u+RYz&Z7|c0f-6YDYGpgt9-bXp_E%_Vd~kJY%DBUHNrvcI)zVv`Xa{@ z738*`0qnN?7D}|Z@7@xqt4TgO%{L350-E9Xr-uyW>AM6>%B>(HSi`>}FmGE1X|uFj zkj+g1RbT5Ag}E&SqQ+F<>l5k__5e_W05OzM(*_mU)n?A%;ANUHjo?(hhlPc;p`rpP z-!vR%8D{_^a#z${BHGu4)*ujCwu3S?y582Ck(g`|NKH#io0++U)Y z^%PwXi0*d3dbGj*2vhkuWK%;kfO>Ml+>BVuux_Ra#z>q#;D)m>*l14Nic&cJO@3t0o06T9os>yVMC5U@ zw+ue9sK`iZpw&W-cJYyK`ECQiH#o?XCcuSK3x}9;y8B~QEiJQJ8?2Ue`+UER=EX4N z^UXPeaI{+!p!hcEc;a~59@*I1R`!%JUz7g%>)qzCGhU$1C#U=CpfGTxwl_}SP5dp% z!N}d?EGPZZ`I4s3J7+%MQSh?to76u!dI@C<|7E=&9;rOPB-T%6F95CwAz{Dv7V;Ei z#Xw#FG*U2n2;ko7_*U`$D2hmwT5T?H_|HE!R;&RL0UwE@)y^;P>!S#tD~Sb54>RR9 zrp;Pgg|8Y{iZc2iJoil2c5!)pu^;Ml57Y5JM}=ardEBbxvDE9Ao?~PFznliCWFBg1 zd7bZXLDT;a<}j-NWJAN9f_kxuq+rmyx^PPg8T~+{b~mcv(o=0Jv&^U^*sJF6TJ)6X zYG41EX4BzX2AQ36q7-HF?0#1r6PeOQv#6X_)7X12{&E7ls6=M`)j;amql*Lb76&?rWT7vm1KmP#eL|0C$m#63)rHgqob$i``rJOhlu18 z+EFN7_5eWCL=ywy`nAdKm^+$&m(tAhcUGF*B=68SI?=vLO4E~zzRpoowHD$WX&2d! z{JRNso*t=hus+=TN5sAD-M2cK)8kxs1Kls-cfP1fwb6WomW;@`X1S&P>~nD$7;$@I zPfBW!Glc@=o258M{_qaWyF7LG6rR8Q*`_!l?jFuq`QO``6%UY;fPes~yn92x2i7yb z43zt1e}%6qL-#YB)=&BY<;PV6_xXlSqNK$I%`)4HCxyoefD&IX6Eu_&#pSrv07D?vpx)?!n$*0Crr^caBx^>H zCB~)KljJTix2MIq?T#!zez+BQko@W3mO03mM@?bgWJv`zs#%kJkG>3DUYgZnAXm+k zcUPxj-`p|I(E>m6nB866H~YMlE8V9;^8K%6&2Rq=UgK_FH}|aaUw?*uE|_0_vm$!( zD|oBNZh&fqh9DILYZqf=rf467C6jdOE9m5N*t-9HiE=mj`OEogyJ=u--DCJ^4sVga zF>lXH@k^ge)y9#H<-UHTTr7gA9#p9bF@H24Men1Z`3+>?o#PoQcBbUoY20l9n1GE* z;&XcL#(?PliN7%bV83qW=u@nw?rw{;yx|NGKl@!VyEr}T^Mggh@)N)#`V%`CU4c60 z4b>0iQK{*kC;LtIygVWWI zDh=VL9Say9j84BCUVTYPcjnC-6MayaVX*ESoa4w#yWzt!O0e%AV9aDijq+GCjGJe` zu&A)0g?qMQF5^mHPtRd!dOG=k#Owfzfxrj6;&z~it!g-GVl9GT0=GMlFP@3on{hmt zsS1>n=@eu7Nvgx1pNudKHb21Jusk>{W{&Nl@)w5)Y2N z$W5)Bd3jZ)vN!S*C7QFH-kA6P@swg^ja0bkWP%E=*(<1LQmhyQ2W)}3N3WRo^TZiTf&=G2Ww@=n!zvW$$Tkg{=TlN_QfJbZcp1KR4bFZrtagcRK%g<{uX}$OcA)&zkgay4d{0W5=2tG&H2ZQ#d&i3Fh?I!{Mo;Gwk zm!BUjmDVpL+3h`3-r0UB9GCr_CZzGSpx)0`oAXBKZxFfPc+O@Vcw zD{nZW_x1H44Inh4R`Lmx$TRrvzan-M06}ZDZ~#I?H-Bv{tI_J@&sLJ)Lz`Nb zae`Wqrp|(b^miUvAkCsCI_@8hTI2IpOtXiR$~7VJe=sFFj$KQ3CjCk1XJF|;I&4(} zn}6OW(#C0arkdN+5fe|r;|DZ6Gn-`F1TRF<&jfURR~k&msa7nPG!wns0LcS?d#}W$ z3nQh7jKgs?|v7B`UUOrbd|XbKwQes>9z+oY0ozGtWunu+obxL zW_Hsd%A{W7x*^Zn3H>%C6hZ%!nUXRANDWwg)hUpABiO{EcXN4p8JK@*@Mm9s)XI}k ztN{JX{=+-Q*lUwxeLqfi21nYgeptRuPb*!E)=0J=GoP#TF%Jw31Zy;i*It?rfyCFn z1&lK{z56manL$ak4*6B!dj?sd=*1;X4~aqQEp_Osq0_!!Yct^V?Q)Zf^uKGrLHa+Q zo^!IjHA$qaCSLy(^MBZU{_n4``hU9i>i_MZcTgrIA}T2cuCoMgw_e?^Hqg#PpWkl=3QWjl zwOm`^0+rwcpqXLnQbiU+dBWTz>AjQ5q=L(__qV&J2S6PM5ORPijjz`EHaO8PU{*tv zbBMd@r=2)pMlXmt^uiATOo{CH#=j>DU>V@BX#x#-@87?Nq)5=qHaLFy0a$9a$-CZ| zkYR-0V`4H^1?j45Nz4T3)bbWmdLyBWfk=C{krCA!z}Kc(euTb`>@lDN_i(ceU0ht; zL5&O_)oZ{2w9h&aBF07cA{YcDATz(Mmz|r7>@=Wkavq0(H8L~bQ1nYr814WYaR3m2)nDhvc$PN0N{(d zKeV_&lG^nj=GK4)cv>?wSD*=+clZ-J!mDEXVy;W=&?F-wPQ;X{bp4Wl7k3K0)5 zwopQ1!0`ZELFvnvRt<1Xz$^(E~wSMNwdpbX z>wClVKoLtQm~yA4^?@+WyjAe4tOlgrZ6GqB%e-yC+H$%DF6862_uaO2n&O-yEC`uzr|G{8|JckY-DfF0{ zC`fmZ9fe+hi{ypR&Wvt;f&H~7eCChI0YuJWCIneQ8%U5Pe0~k9)-Z^J*2h+YTovw$ zz@sj}^!UY&5xrt#5;a%kt?e$@|3Cg;>H?du#b-Tx!%uShyccqYXnGMsO@YByPm`fQZOiqKk$fK(GFO)sm!Q zcG^-<1ka@#lO50dN_a*DeOyDN@S71%{S1zO{(})zz||={(5=gu#SD_?e}LUBe^ULu z_=%3ceZHULoFIFR{YgVzM~2ajKUM~+Y4oS8Vm|Ma(1jt}Y#2Rb zN-E|PuP=48a6?Jc)tm6uTuZ75^HfwsFHw+p-D1Z_m1RXk(ykM84##A!?mQZ&=V60K zRU3~&0R5Eh0!;18eV?ZRi$vb_DOuK>>zAm#9nQ?4s!rroW%Uk#?K!2)&8l>zoJ8K_ z6DYFZA>xkRp)deyt2|!3H5>39g?KnoLLZdEbqpsA;Dk1xq-4cO(qK+#g5*)9u=bzu zW-$Xa*CoWT=OkIGWfv;MxZJpeXIN>fHpX%RVT_X~YJx#;ZxUj1tH+$E1z*n(_$6MN zjc&(gmZ2H?%|^5fpPcpa)A{(dx{z#0gT>NJ_#vn_kx6hDCeC+t(RqI+Le#L?rB>$~ z-B!UdfJyP~fvPmAGRCXiPqkdeoPZZG64Hpd7N#)_+St}IbnT?1qId^zv87X#SQG=E z*FK{*xdPc53G%VUzL+*bL!S&|wL5kht&xH^nnC?xS4{GtgRF>QA)y;cq0>0MU;wDr zmWKFH^2x3kwZ$On5ojWnmvN($h+F>u)` zghD9F5BXuhJ`!Rzgy>+bE+w4X&w-m^UWd0Ef zm4Kw4JoF9b$&9!q^~;=gY^4khbY<>&yGPLbDX6m)RN(%@{{e+qKoeDez$d~`>;X*w z6ZiExt%$fl?JgB5dr@g9JZUi0Y0;~uqNGH?Pn110x-%P$N|gsOk3zIPO7jV(<@_=6 z-()Rhag7^>y+TBLMz)2tWezqnm^2dgGlHt;6d|ivA9H{^S{t@>|1h zM+|h-r7BRyq-d(uar5O#JD}!)IFrEqITO4Mjm8t`7l_dzfzX7Zx%))i%7YvpK z*95{@Vbb7y*Wv;oW!T#y8;fF4dYq zZ-KX=`yDK>Y&S6f!N4umSC`7MyPqK~$$5rNj{7l1sEu|A-_z`0o9&Mb&3Nedz4axr zn$*+SlZ)=u#rUz@$%=;>An%ojTkSv52Hz>WS=%}VU>1>Z%MeSUIEJdJ)1YVY32D^W`acoP%8M6hhL zHT&+iDZadhuS8i!BAzy2+o!O(-3xCk6SnLqW90^Z_3Klej&NPT60;99T(W{*rKWJP z*&`3J+Sl|6uyM433j)AY^9E;{Wes>KW19EK8uMYXB#^$k(jrfdiunRO)ZH85Oov3E zFm4&zq-vMT^HU%|Oxgm)<*=H=Tv9g6rWDrJociRzmB`-p3fd?t;}BVoZ~_DO!!2E0 ztlK>;%b)g|Ov9{MMyUktaQu~xu%bs?Rp?6sxY-pBAi+++lr2xt-odgxn?hBZJ+)oJ_&B_s2~Ccp>uDMJAn{Tb_hJSZp&b@tE0 z>oyu;8$kP+<;mMyufd(`4bRGesAXSoehm6`6-8q-&D&vv3_+=2$t?CIbvZ{h`z|)< zSp8?y#nV$LKf@E&m$_2-`kl`M-`e!#yGS=728(PFIRhnUgq=>NYv_IGO=0bY>MAf{ zZdJ^#_0fzq*hN(Kr?;n3J7uF?fl(u{S53rvSE%Os>@mQs>I&VOVzv@p_t06+ds;pt zDo$VlVebXnw3F#hc#4qvOn6;a4G4G0$~B{vw-jWyx%1?l#Ut#~gn~)Quza6XvZRj4 zLFw4b2a+F_3|)JtBRFrNa~QjC8W#=%)dJZlUDqNUXgG8AnfL1A!@S*Ez_(!$>EZ>3 zOx85wzLAKuj+DbDn6txoaO7Y~L*$2w1oWUn_m|hV2va)?UcOuinB_7-_4p35#5Z80;OQ69K)7Q)l*G<5f=jeOAbcOF_Bo-oM8$EetCI=iM%@ zI#aB*zIC{g zrbJ2n@ORLW!-JuO7tggWgOl@2EtM4kW!QzHcCcn10(Bo5POL-RqhI}aY!=VA3Oh9K z4&wpwzN{Az+)!MFYJc5H(wjC)d~qcfo{t>+&^vw8?}SwvDtBH($YVovNKsm3czFLb ziQml?-Ic%9)zy#97g{`E1nn-NFcbMt+8G+Mj5wzeA?0Nr-hapdi{QYl?zYjpO>+s) zFMW$Y{pso;c@ucJ-aiiLZ&-fmO_Z1mzdBa!eePt6t?K~Ai8p)L;YjOa*cbQma=Y`) zLSSr)=gp_icRgziAskj*Ih!Z#$IxFMQ5RBaxr;ja7Okx>1$V zV#l`n2IDd^r0a3nv1iZ+1g-QXZ`r-xt+e<*gpYHP9z<6bvpfIc&CqL^zx?s0YS2ZZ z(ztE|Qo?>f%sG&sYdiHji=U9SmcOT7O+scIge84~_!I~f>s<%Y@{3$(ZF6&{%>uXw zPO+WA7=y^^rGW#dXsg?UU>Kl3_;9(>K~cliW*a6h(p`> zRGc$dEHc2b6b((&1gt^(dG&WF8TE(Vk4A!H9tRhc7;J`nN0B5-rt^DTd`-ke?W^7He9 zpP8)8xY5-TW>J23aM4u#dt5?(H<;$QASpfl7_=ICP1LYTCG>O`Op!mUKDGHDIl5;e zy(@zWRIg25ap)|Huhl_89fS56vZS_}KlyDALio_gXe2skv`ua7_!5lXsa^XP2Y-eI z#|+-yCm_i%Cn`456r%aw;#0MHc4Z5i9L;o)MM9ecZC~h1O0W(O6ce-STvN$XqWJ#k z>*>dggl9kH<^&z5*a^2fB!9OuWi@_=NJ)(|KpEk|V75z9NQF4Pl^Y1v;q8rnR`46?&i3{>I~LIoRdbj zT2b&#`luA9p=ao1gtZzk+k+p$<_G2(A};ebQ-Oe^A3e&U-C!q_1lw%nIlvM99EHJa zxx!r$niS#){|^9Ak`1IE3_h{>m!(G3Afl-%5;)sA{naHWSal)G6!?p^kwHTpkuJCZ;<0~ z_-L6y2P-Q@Sqo6A*ngwH&dZ$LlkTB1nItEhWq?o%{60DDCbTMo=kTEhI20+b5IGA} z@rHgmju`9eB9XY#T@6Zz98ki(GIPn8*iUKj703~aU*vVc2xP}B8R*XJHL7PeI zuS$a&6-!Te`GbR}?idssCHzypm$G3ZH?5aJc?d}caqK$kwa=EF;0UxeO|#@&Hvq2t z;SE$LY<0-vJzI4Kpn|DxxH3#=5WenXlefAh*Ev;3;je%5v%p`YxPWbH7EeaqN$w)r z1A&W+i*>Tr7%S-dxmp;-mDH3KpO7awYe>h1I|@#{1rC`g&(nY7*RN&WpQC-dLbcA} zA*WLDd-Q0H+~;}cjT~zrY-`Zk0Qx)n=C7HWXTBJ8eH`cWVAG#1(;#~fJJoKCMei-O zVBNwJhT;){=XLSb_n4_$%_jS3=(%EcRZ;fMC?b{T$?b5Q9_@V77r2Yh9VT)%S^wC` z?};$jlM52**scJGNwLBt9}JhyI>HVqDN!^5V061s?iqD~r1xuH$8OTlq&T6^R4?g! z^T27UY*DgwW__(+Bs&eXT(I4#!Vxrdo;V8Nh*wcXRhAVaaB>>@@H7`X^Wtde%k5ji z3nb&d7X9eDE(dq9$JSRbx;3kts6HYRo{>QVL%g3f?Ev1?F@KF3sc_rrE_BmhT6|nQ z>cVbjYgd1J%a_BYg^%^pPh;+ z{7;}{yGB3z^||Cmu`nzmHDQYy1-l&TMenx* zT}gDWln3w)z+;`~t&zqqXUP?hSv0cd;fIV$=If$M_)5*;{E}Wjm{lY5nt3=!Jg&{O^*8k{{hBt5R+-2Mc$2GLbmV>7!k7&MQb#jbR|YHuKcCyBOQt@ zaiNW#@z?%ib`*CkT5a_Fn*BA@9}&3}W2`s~PL^opPL|B7V|bONnp*AfGzc6JWFVvtf)>hbiY3zNy`z5;G6!b<| z2Du5a1^tQV(}fg;Mf?qjpcY|&^xDb1KjS7t*CiS)Kn&Yg0F-ZGd3Wu&$1bR&>Il5H z)rs%Pbnx^(}sZ$m@dm8_iI`cVZiJQQ4_iqO?3-wB}K5j1`P2s|#gf zXBnzt57SRLQ;XduxMgSW3V@mQ7zlA-uOA}7tM#Jq&e+@=E;)$33hmhdUA%M9@Ca!a zvi%8O9gZj<&QaA~LD)L)xt;#}40F_^SwP@PY)JtbF885@lFEsv$9YZ}akSSO0i$E6 zkUDGP^F1&uaDoz$$rS&Sa-qVEWpET@e%`0XX*kds(pQw>q}MD|ej3Kv-=YAr%)~YN zVZ^fU7H|9(o}Nl8*N2ZX{1q(#YYLzFbUgdG6j<~~{1n*@n)Tc~1{>zEW#YR_8AZS& z_LJPz$if+Kj(-Cfi)k32D;BC63rKZ5NMgWZH>i;_;dl0oIQbOLPJ9fBIC9mz2}`Ga z*bbpGr}iva5WS7Wu(J% zWdJbiC$Y9)VJ5<`qMwS#ASWY?yC7hWX(}T`HJ{SDDOu?z&1Wx4uPZP+@S#1>FUNxH z=*8yyrx#c&cOy!eiAKo3o%KI67V|%3M@xI(j@m^$eT)B_(dP!bOW!!C-gQ|zgwQ79 zVPjikGoB(B-m+so|Fy6*tN7*Q5euH;@WpO-KoeS>jM3kag(CNo6Y{GojgGO{e<1Su z3lPCP@UBZs7GdP_u-*xOB?U%Wpx;*S0q_cgF8yl+4&M+mPh$xdmtKj-ePG~Q z!{7Gap1`1JFHomfim2c^f~Gf*^r87prFTk{p_lj;Mfdt6*Dx_@XAeMJxUvN#1(F^q z06k51TAHFgzJp0}R6-}52GP%1(o?7vmCXK~QzfBK8B9PXv0c2FXKU+usknRGOrb*e zTzuS~53poTyjz@7mYeyzkm+9I7w`hMft}Gy`%*AN9V|m7LyVaH_=HGyk4p^Qve};`O26Sqy=7;$V)eK205Y}Tu zS&#iU{;qVx&R)Rc<%0Cg*yi$Jsyu2XUHZ8~?fLXKAM$CjkTRJ?^t4bAu`j=qh6QmG zjiX3XrIfFb;2A@T><`yJNE8Yo%olRGG^f#7C#LOD!1Sa1H3F$C`aOYx4lhO*pdm7H zf%ffWowEXdf%%YNZ=XFum7tCGVe8MzmbJ9o!<|4qLcXS4xFY|#aAM9iTwXeSeEQ$9 z0!8ich#=fAE;>zF>nYFr&rVfn0*w$<8r(BQM&wbqLLU+CE8Oayy#H*Fg2s&YQ88Rf z_U1ZVG^bkcT@#)rsN0C5(72kmSUwM~p5pL{M*U2nFZL1cma&gzt769paS6EbeJE=fy-odc ziIBBtF76r?Ch4^od}cAk5b{ozZQV9wQPko@S$g0UITJ9D8bX|nJ4vcw_cd3T!s3a| zOyDGGY+{75Nj&c3H0}rK1W2<2@<6X3twLzT_)FcRzY{xLNJ$jUvRlfS7A3AA zJ;wVqdI=+8qdWCi7)TV_ZEQFO^H2h~iWguofhT>wUk?)ej00A>0@Pa_sn2;unai&B zr`2P$VDKxIcs&=2pHFD>CXsXS$y$}?q4H^l#(&)ZoTGs{A~xvZu5C-BbZG&cL6>;U zjcFyNe$o3-DOG$|`eV68{he)xkl>Gq*R^;~C=pM2hCA-M3zvbQc0%G+sLx*F69|yV z2>H+&>YcM1a1Hq#Jx{1nwg(b6AK<+DS8&2N91&zhSe)`r8o>u*`&^~xM~oPZTz~xx zJeEQ;Hv8{0tRL_HzB2v4e60Wd@&3R5FE|sBZBme6!VGY2JvqhBKt41;S^nE)8K5w+T=PdgX2E>s<|+km z8lo3kTeDd`acP1N2}nxa`{DCXFpD_C_XOQtuNx^dZe%*cfv`G7M1j%qJQq0xsE0OG{vTr-Vd%7*g@&<%Pr*Kg6i)dIvyL z*!J(2P!j!HS*;TQFr6{`S_AP_5R800HYGVJR&E#;`Yo}`@4Tu5by!!4lp(G z7}qjyBO%?-#yBr;ioCsnOPvY()FiE^B_HZu4*5ofheOcXxS0F%MabRf;CKZ?biXoO zNEQ!hLL0ZitN}^QXd$x|x=aFpXrg&K@GWftp&wwNAtF++SM>-{R#H+sgF|o&MJq`t zJTkI44*+jiA14;IWefMe;#O4WGAz6>faC%An0nk&az3wa=&EUI-f>^U{1O=v5o4jl zrss2Z=rD1Dk!t{VUDbo6Gw|1(cx5p+2uLK_*AbA(30Pl+Bu`&ovFwp?1m4Ql$$bB& zbp*1G^9YxtZ5iuvLmk?Iwuo_W7M-;?Ot;=>3@ zR<10@`9ce@{xUKtgCL8UPyRYyoD|1oqnmZ4GG0^eUW8js5r4wKxLD8i=tyu}04DWV zmy)tfaH@T3TrJz86xR8j+m;@ZcIn}?=rRCvfU7p%0Q&YpB!KpHrzg%ate~`RYs?KD zA48T}Q2fX!(j6w@DcS_^hK*r;Aniki3_$dHni2!?7T$%NcB!n@%t8IYwK@E-jQ7O( zXDwl90e8W+A4kR8x00SP{NL07xvk?CGijk94ks+8)b!{IHST9tCJu1#-U7=Y~jiTinN+J21j5qh+Ll6}3BCM0#Rg?EL-Oy@4wKn`J$`*H3YE!cbU(GmuI2M zj%5pDKd!TjPT6*a&hgPSdlCDU6l~Mm=I2)i=VFCL+2r1fSYVFIT0PRRM+>?8RGm7!5mv>1LX*Ga7 zK->(570C7ukT#Knk|o;WJnV}D){_X;nW z&X6wI0$TMK#5t>CCLf$)9#~FmFGFYhnF#gn6dCU^=#YvNPsEs0UzQa-T^Lsf77t9P zHt=%$R)8}kI`T6LHIKc68${i_Pqb!vT?t_Q*&mn}mp(sT*2fZA=DI*^ljLN=)#e>W z6Zd)}_Ke;bjy&qZqUrh>lLir#cXOo^R{k|o3%VZzIz;q0R@EA4Q4<~VxR|19P9^}i z=8)WQNMln@&<_SSJrny(5EkB^b%oakF)$Bi@X|$g`cFNpuPHwGDiKx5&vgtH>)i*TV0M#smEV4W|6VAG-cECx^M)qSiSYa3-n1)KxW zo!BdS#-LbL}1t zD52K$=GHoc)~E-vR>vPi_O8$QC^IOX{tjI;ZlrTX|MjfAD`&}A70Nh~3(KjPSa&44 zvlReY%zIO?Wyd?;v;E%OkGUjx0atkwEnsg(shdP&CWzEf$}Nb!I`bC6UO=e&8Nvru zt4Z4B3iTi!vM(>WtC!-2Vwf{xQfs_6Ax5bffliBlgG~;HCv(W{YpHG<++!LQO_NA) zy3^q^2)z0Mh!-3A3aFY|Ql8n%<*JVJ(9kd6{2qZU1gTkSWU&X`mFla~Z&JwCX68p> z$?B}>MFGs@*ui%Nl5b0}Dx}sd^&yhEVWsS)r_24usqjfY0rl#uH*xX}gsZBT8oVFF z>(%Z6KHfc&atd)r6FlkmriX?Cq1fN*lMuZBUE!+$Beu~!M`airfFElQ0wc9^%gzrTd; zx`=MHHZi!C*8#Fx#Ccv`|HIVL8!d!I%6(hTEa<6`nV(Yp^JAu(lmV_BK`lQ+N-Sqx zZ{3t85aof8t6u??$iO(A(RJ0esFWk7hO6PQ%|!MjQ~xw zXjbO0*;h7k?Zh5`-RNpQtZ(>3M(6!Eb}g~{bm$aEGmp!B3jh!$yp?1ZH@HCB$5yVn z=0`vqm3hzoscY=_lyPRjaVs#*V%Vc*2&!TgO11nQh`lDNEft&tuUn6*hNM21Dht3ZenFQTiy9l=kOcaB{iD*-W5Y;$KE< zo@dM?w5KJCJJ#ICB#7p;c_ctOi2qadj*3yTrfF-*)=}ZL<-$^aRN4ceh-Z={SW<%- zMZ!zBZdu-(i0)hCO;L#Akj>^MxXcK|&EgeOi(RfAU|6t{vix6-on=(iYrDn)K}v}s z1nCB)K|ys1^m$DIUY+@;lF9a&G-AIJ^u*^J08ZiIa$|YHTU55#BzU~stC3U zz5CHO#7JEbZi(7PD!A>b@VEh5@9Gtr`{vpN{48>Py^-8gMpU6h?Q>O{6ziebm93Pa zo1_YPGS|Z5^v8rld$fH<8e zr1HlxkpFp{tfu;Hx{H@yQ9-q%dRpvPo;+GN7dw6L2`<|H_zN(4$J&GqA(FT zZlQnxCVQnIu`&p_ZIs*x?(%qzzfbb3@T8h9lT^?AkF( ziy%_PNkCKzF3k*Y(BEush=%kbK6GQa&)0=X;`NBjX=VBz>SHl75}?U~sUcYHLV+x) zZruloR#Xa$2HmO`6oucBL3>nRhWt*;^e{}irCyjm$9Ua{omP0(&$RE%u<%$D z6(uD^fE}+|%z9-YcZ|}<+~G+z=JB!|hFbPGtjO5O(ZToSd6!qp6X+V_u^L7t@Q7N} zGfC1`7_3%1*OR?akfru8ZF-|7VOdUbv^ z;Wp?Cdbi$@bO@(kO-jN`e1Mk{{iOmymG|zthe3RdrZTmC;umk~Y!TP%dB5!!nytH8 zKIBp7Bb8k%lmjR+s*kOt;1`CXZVAdo5q2ZS?)Xh1PewD`(okWEGjQ2wqnas|xONH5?HhbMC~`SV zWgf|y#ty($*=1Au*_Rj7fA~sx?XlVzFj0~^8AH=K`GkJ+t}*ev#Z6{4f082@Fi65k z^4e(%mH4rnGqJYo_K9v~nyojn2`b#m*rSZ?htOBO^` z8h?g6%|2&4OoOAVB)0`Tft$)iL^rAm4MGyEqxzMl%y9j~ogk4b47m&5RB!@{k5Qi_ zY;!Lir6jOg`Uy2P*^o-B*TQk!O|*Hi=W~Wj`&aYVsMHc#$w-m&BU)}ZnIo77En$om8-y*P zR@4?6-fAfY4KqiBXhmrYY$uXnE2YA%iv761=+=;+%}i_{EKAZYX7)7%;10}zMt3|m z^rk*gkx?brrEr8|rIIraF=kcLBBfH91JPm{ZopI5hI zQ2TvE3SF)Muh|G5Sw9$W)r_L=p>ph!1vSCB0;i`ycTuKyMBIQdGWep!H^GVAB}hPD zWGrC>KC-GldK@P|OSwqutUM7jGs{%GQmgcvcUOZs73oqfvp+uV#&n&~Moo48}!tB%0?A2z6 z6m@$0@4T(7Bl#j}3W{t~Z2@mAU<(NB-VPZ1LqkK+{Vwk?qdLwJl@^v*Zr&}ZqH?{~ z@gU65D3yUJeR73hecdTWw516ya5iaJP{$@Nii5v#PdTbjPwpn0nt-EDskvW=8KIq& zp2!?I%?)fCJAU3zEtXy;zt-Y%Pd&@${}_KrqbN%F3n9pEEIWJkn_XDzpY8g)o)yZt zv;>cLA!k2HAd!v$IoVv4xYU%omnU>VsD6SPM(!I&p>N$4Z(;H29+*EUxdZ z(fCtK74dUTi{M&&L`i8z5iM-z%k$a{cXLr@LX7?V9)Qkf92s8gRp_E55 zD`N6QhdGEfp*w@OqXJ&5MPgEZ6EpvC?O`s(yA=Z}P8Mwz5vD+2>j$mtwkQ&=+CwlNUicP-{N{W`yRCIyqB?)f9W|HH_f_X1Y8PBuCK`06w zic(k0MeJn-y{veW4^(;GFf3RUsbzD8Dsc%2lYV;RGV+|~E08(?50Ug z?BqvF9Tsq{$u0zMlk5@;_7?3QfXhA0khfwNh_KMI!-vI6L!fh5PY&3@YOXvYQ zFF|t!L+2cUey<6laLwl^?kD^lPC8vXO8Q!_{4xKXvR-rlp^q*U;OvxM8Br*J{I8VH zp*<3b4B98dQ7Cn(G?g_mnSl-+5Yq*nmp?0`Q$~|5JkOeZzykv=suqyk4}yb(&oZ*) zg?b-zZIv4v(wPV)r%{5`K|!Gd3kG=o=?o#7Am<5YL657Px{2>k9aYutN1oF5=lTn2_9)Bqnq5JC?)kT6Hhw0Bk*sg-X^ zr%QUNZNw4&S9#tXx(B!?>1Lczat0C8 z^LACWyUcvHPc*8iFKA8d{_YUv9~8hEBuqwSrMo$=6fXt@1V94B0~|BfZ?$C59xrZa z0)%iFBYn@#=Hk|$B7zRnInC(6G{YUgE@dU9Y6r25n*CR@LcJzxhOYd(WAY16G^SRX z3x?>)SZMoP>ZcPJUu=)lK#oFW08d=5qe|VlYMD;EqQ4pCf!2!Ixv?c3w*FYf(5*5f#67qYTB zh=#_a83K*Ew1>8{#mKVEzYkiD2}z3sr=wLL*_|GINY98tN;r>`#@}ocRjjSI)w+1G zgoUf#_@CgkW4Huq+(d~NQDoU@Zy)l|CcUen9P6UCy4_6K{TX7k=5TqZig${%@8Ysg z`FwZxKiD~KZS6+cQmEKgR7PTgPHP(5qMg$!ojp(YL|)I=~D0%Z$mm zOe$s2z|-?YqYp}8vd~RF_`_Y^;v>77qr3E6;MG#82Av;}a|+1a*-YlU+AS*YWf$5F5_Q)h;+^Qx5$K zOVOh0MfrDsbZmSP)k1$VFR&pn9f*Yk0a9pg`cGgw+}W#fJze?{mu@rhFjJIJg(K#3 zm*WS#8&1yqLfOV6S5{E-@f*K%uX{YhU~jQfuE1H@|NK#AcB99+p@Aq^rF(N}Da?TG zO9_qGWnP*+z)e*ZPV)%A&-HMUqFdb^M&7|GvjSwQmlnTP^`!H4s_b!$C98j_?)@0- zI4hKoIuieTRp0k@k5rTn%PXpjDK=>4H+#u+OJeSvsv={;Z?w60O_up? zb+TRADoZ~5dZR`9obCUJO!HFi*juz2{sr!U@Muu5J1zsWt~*5d_|y=@0oWR>gJYti z4u(#iGQ6SB;AuK3N$iJsGot8R>Rni!KkibLdd0Nv9ZslfL)Nl=2lf{#)@Yuz^TxrX zpWyNAE^B1W0*|D^)^+oLQq$*>u<(AUGSm0euJ_$rG?V z{#@;6f%vDw!;wW>8SmFjbBY@5hFEk=Cu)Rm{}^6A`r-9ubhk%tmZXt2y`?X5cKD71 z`AHj9Og5Q4u_(doiQ6Vh0i(d09_w-2oEY{pMjzX(lE-v)U{8E&T>l$3D-P9$$0ON> z8qti~FSp6LbOoCbueY8~3r}wyiA>X6tQxO33NH; zD&NC*DGer2nRwZ3_)pCb;s3wp=c|hU4-|UK>3Gv}Xm|Ju%x-G#=eB5ICw#qW-Gn72 bPcJY6zKdT+GBb=}z>l)Lx?HJ@Y0$p_z-}$b literal 14186 zcmeHuWmJ@XyDuRnBST0dEl5cWDFcI)AYB3?4FeLAA{~Nsqafh`(w!sSEey>FBLV`_ zf^@^Vd7gKl^L}{uTDv}+4|^?UF>%K~uU}l(9igfI|vC4-T)`1VVY#ysU#=@$KBfc=l13nWuD;c_BVUcv*ys-P6 z3azlPM6Z?QAM1LW{QjgBZvE|b{?e+~u!>11bVYC>#Y=fllbJPMkcyCqlf;o+_`o1m z1{@I@`&j%|ZfYw|xGSUvPS&HBOJ0L-hWT zg`ve0kR*MShMSe?{3@B4?l$kbJ=>G^_tK7@;)tF;Cu1}w$^SRc9-`n5(Ki&Wy4KLT z!LRlgmqY6{f+75=cI84^BZjsRqo=gGdYP(ery-iZ(FNa$3MSzO$3$g=hO4I3k=eOu zgH(!VRVPA*>zm8GwN^Yh0)ENTB1kX3vx+n0Dl{TPmPA9^@#7=TD=x$!SER(f5{8c@ znG$~NsfIox-!AuVx`LC3y5z9bxFGgb5FLkaW%$LH{S>U^kLS2L6Sf?U9_y3oTpZHr zPJ;K`o%%5H^iGJc@P0;ra2SV2Pi|m$H|}978#z7L%OZrgMkLn%MD#&UK_UfiQSoBU z=f_u%-4gQ0nxi6cJUqDUK}5q#;Y>N)=DIkyEqcK?l}kfH4L0R8$Vi1PmY1@2_H%e5 zlDhhBNxQnk-O(kTOd8y@!seQgQA%*fa$Jp)72X1iTny@|Wms|L(@scvlGd*f@j=Lg z9B|=7&{4t2L|i1nUc_hDeoRTIz_eF&LXz%oZI<=tG0m>kZ6Qv%eDRJM zdQHI(q-==Y8Z+HS?vFo71AeI{%&tck@YDR^1Z#p2=(X1Ok#y)1hjw7{Wv78xbu?hu;U_<-?IE~Yjo`0o%@cxS}3;bTzSE|7QzGb23pkn9=sJ>QVAXZd^%~th#4m zcW8nSsSfhDr1e0Jc6SjW=DK=BmfD?*?8>)!&SD;I&)hjGGjp&Wo}SjDR0}<3bmef| z2%)3=SjTPUFpo#8AS3FiddJ3rBNDRPLZS45QcDiqFNKHeMLv6+ER|pVcq2NAWq>06 z++`TVpJU3=A?z~}n77%Jv^;%F0E({?_?)XFSV6F|T1ypQ7N*j1cedn-Hx+xin;;!zkSo({>U4wM-pGb5qEq+ix}&N?Gr7E%`64cvj&|_yhKo zvqtX665CNueuJ&b-LyGOLerUd=SL7f!lex84qA|wTv^OUj_R~6YO2uDZ_h}Rb!FTb zC;}cky_G}DI$kD|r12euZ^`^tZDYYRM{PWfOe&-4OR`Ehk9WX~b0xpxG8V+2WF(it z7H0Wy;AN3irWSAuq43iY;v=bxEfYF4^__2w49T#z6a=-}6k{3H%j3w8evIEfAIjHX z$eI&a-XSZiCNBe(f#M2!b9RG~4_q0Cz2zBA5zoU5M7H5o$S%L~BDt@UGluwA&-!rE z+|4I>rB2ePtP6#_o04Tf34$bSkGSi#-*vnSVK4opQ3EdmT~1e*;G2mn3)nd*0c(jF zpD-(xmZ)$@#oSFuMUCuiW_1vQff~47n^g~1MTxU~zb9#|a6R;u5!yc*plu${7ngjy zsHQ(b%J zZ%ivPZBpoc*7>zu;jyU^b3Swc8cRDQPC{53)z6*f6l)LXLr(k4Mfwv?STkAZ)-ZRS z%p9i2B|I&rwo|c$EY*X?;k{OY%Uk>19CB?_K|umvzxLdWJ1 zaeD&hj>~A4D>Tj6v5*Kdfdv)s*S3)|w+}7-EV3O6wc@c| zw2Gt&(gne03>C|)u_zM*M&A_}{_sBk_1;*885c22&9YM+F6B=0^xl>tGw$&1!Rg`x zApudnLyt_TmjHfx#z)@Bp%83*wTuWB1Z^J@uaR8Y03~jK@tw&RwPCWPo+-kV<_TUx zczo75#Wku#wugJ=s|ZH$n?gzBm#wj|s|4*{e@Ld?A6T1MjBr!^s)Tsoch4^6kCpK( z&wytmV#AsRNfrH7xp?|ge!1w*RtnWxnNoBvUrr(Gx!oX#quS$y;3_?=W8R=WJ3e!P zCGo7aW2Rz>@>DM!#!=!b;(R6Z%dSOrE0}`8+18)QyGSBWZgNY_DNo~W8F*h|(Lhp2 zi*e1}C5Te$@;R7c%a)lW0j60w&!IsZ64TO!*j#D$2oYOFpt6iED17}2Y#QI_zL zH=v5ial^1i%@JSp-R14e;2oIr5)DpuS&JGq_EN!HPRo5Paw_fb3x*aDADoR;G77Nn zr^^jHLj3O3A_`M$8Sg0W2;`(IH^N~+Q^af`y5-~Va(?x8rrCgXK!ge~Q)>Dwp$^qC9?&BxP9>XK+_v_E|7wCBmHpkmX}Ez;bilhLQbp=@*i z>1HM6h+y+2+&CSW>7X|Fgn+!O*r0@Q%g2sHotqI@DV$^+Y>+2EdV|B%vvi=k@)pBu z6d0U!&FB$(Fu&KvX}6DnSUVzy>j}oO?Cm+C`yfqBSj73+6Ou_#8+0bz~Wx2GC z=Kk#UU#yY;-(`&!aE$Ny(Qp2M(?NYI-(NhY*)xyi<>j}jZ%E_dm4+HMRc&v0-u29b z;R{Y46`!~z`uUSy3Js{s=;M8q*u29JfO{U}+1u|gz;JtdYsy8bOYHZJoLUaoa^e&d z_vaYsIgR<00GfJLT83&CJHGC;yDFRX$wH05u6?^{ydCiypT`3%_rlO9U2EcMzICAO zvCdhf?h=t#i@MVlk}fNv<_i0hze7)SfCEV!?8-A~u_vzjoWp~d9H7WBdwWQAWSXKy z1>@zsO-_Zd$`_Z<)z-`NLcFU6=>xblfuc)s#?XUNIkiYI$*UiYhZy?`WN!!dKN^*x zn69EppeBsGJ`Q2~IYqz7U=KO&(qCbFS`bx$@Ge%~RZ3sCdkl1Pe^nU6fJ+-&n%o+T zY|!5(<%~ws`jAy;q?mXY{qte(F+)ClPIX!nDq7D{M|?R%)&J3Zi9FH1Sgo_$V_T#e-bAsGu09NiCL$;;Z`J8)#mRrO&Yvfd z!FKTHtqk_ zcQdJ?^CuXv(VXNP=|j$IU4I9tSleX<<^D{?MV7Z%1C@?r77 z6POzDrZIRf^^Y=+0To2sG5UAr*|L~my=7m+2cDAY3>%YE|IFXG)bmh#uQ`idK-&0u zWTE<e$Ah6GdpwvhcajzUpLhmSz=>`(%tPdu#I?4068>5QkyEaauqh+ zu-7;XZ**HNnfE;o7>HH^ztwnybWab$kDE_q3iv7cf(CX}Rk2!@#)BxUEL&8Nx1!oo zOz(3Yx*m8H3KLA%cbcKZW6 zsKcf0xw&{pN`6+>8Z!cnFVl6aA)vYvP%}ZIZrR;^m!CY;gbf{6C>uu5*Pp)JY`ydv zddC&nH%4@2ul$ zz0mqT_^hne1f|(G^3N6g-&KkKZix8zh2g)rL{zKzN_rr}Tqq-AP9VayI{)kh6swUX?&ONNkEebtJM8jc!l`+;mn{yOxPr9*_BE5#PH(bH`6%suAA_*)Efi#{}cSuqL!H~p=I?wCffZ&wMmQj>s`6+ zzQxDW8)5B0)Mm$L^~pogh`YstwePg2&Mk9-2l!2zX>5wjyaa45;xo=6BTx$Py!cbytx~^|#=TV3w88cMQxFi$PJjV89+d+lk2)R$@odHijb6#< z$$LQ7Kb>*K(APo`%pt&z2&Z_{AEcgy1=Id{T9A#^ z5#~y0S=kF3u0w%sTc4EBgzT?f>av9xfh;la4Fb%caTWfbr+>m=vlt-I^pgSlon-S7 zQX-%#ieZ!}_|dO(%QW0i!O|_7-1WkGW6e(lZgb~5kS9tE%Q)9O8oSSnXsz2Q6;SFl zSjfV$ov_%80_ub^@j?ZzoI_%ZHjcrdVmj>k& zzw7X(?P*~hTr+o=_{rwD^1A^!1t&{jQ!hd>RFB2wJ#o&6cY}H~2JYXBiC~PcY{WOm zbv-za&lN7+3Nn*{#a9lQL{1$G`P|;tbLI`wOt^GkD%x$Y?`I5M7;0&V)ososJ1Y(x znmzyf?meRO$kic)gVZ|Rv{ip+5X+@^QZ{h=hS!_uV6ZgJea2?7OvyJ71%b`>)G;j`!FIbuXu&_B(P$2$iSykY#Z$Q|O(HiiP6wtpvz)M3s#t`|?JQ%0A zr0)DtRTAl1jB$cB$jr0*gd+2#8(92|{wL;J1dN^wz?yd=V`cRjSx2VIQRQ_k5cU$j zc1|G=xfN!$h9t0g4}V$w`8C7kuQ6>${OFK8tmqS5oyq3-N`;dqNIoWHDlwJST=VRC z3$EmQ&im#E%60)l#tw@U#3CwMdHJGd4w(g8pXXx^80}V++|RvglBTAyXo)0m;gzV%$aJe1_HBG@Iv$0Im6y$Sl;%aZaEvmo0EsHyj{_`V0 z4lq+wh@kNBE$q#gZZ&YF3OBcAj1X`b5d2nMkk$Z=V9XL7S+W}>B}#8cw@A7QE zC8pz^dW;rqqeWafoV=AYhg{+{4vi4veqegJAjgI1CCYu5E}uU+D6DB<@I@&*)t z_2ndI+l_=n`BdXOf~4>A&)Ao)RYCi03F{{r!(@aG%pa z=H*v#y+A7ft<8FJ(C>|jIyYziu-!L!<)si?15aJ?fna=>>|qSzV@u*=D-Xo@(MB2X zdH!yR7{+(j2cn1)GIW$aZE5hI{qa5B)RFcEQnqB$cb4YGN&sM~mXI8U%S6PTOa4x? zuEq@UxMo&fOFG^dkD@kW7|_})A`Slu2D@Yc+4L_vs1N=b**==Au6X_@rv;!k-^$C6 zKsU2$Aa~<@E(3G=pKv?>OE~r~JXKeiGeC^##a_K=^*udZ&Ah%?gq=05Um)Wv{**ckw;ZLLc6>S;=cy*e ztdib}t@JSkKoc*3h`f8maNa?{bkQr;I`&px9uDxnXzkc}vZ<9jTIpiTzfw$NX}a=M zQp$~+&~yX@8n8=u09jHg?QJ2>k4#&A8$_t&VSjM#=r}q3q4A#EBBaXUYpxY6GR30s zY;1Qucq4gNyeBgP@iqRWUtqs?U^?$zp5cewD4)g37L53N8^3GCEvSX zqClP@)dBg~qM==LfJ;HjX32&05a+!|e?~hK!khF{gdf`wKGNW}ns%3oq4@}7U-#;V zT?`(eajc#J5+|Ev-UMdh=AG=0jd-*vks{$t)SnF%Ps<)b4;nc%eypPbapu3~HT!Jh z3K(e;$5E3J2`0>mC)3FI)=KV={r*$R2D(sPgr?3xiHh%i0*mLS$7ON`X_art=fUgt zj2d@#-AqH;h>Zn{>ncdAA(}>G-+$Iu1=HG_F^STUBm9nL^1Fx~{Wr_%ZbmeR>C*PE z=`WaEp@<#saEa#ZY`-VD%8$LILx1KFvF_MN7;dA=#B{dQx;58uP|A;o!x|B1OuWvy z0a>te;ND6C6+&5b7D|5WB!S!?&VaI4@z`g^+|S0~jY=l= z>%X06r#qrSs>*)TW=fuiQ~K$5^eBAcV3{=Rk#h>;Cy7nD zfRE20*b-|#pIHNqzm9zeX<&iaZxh=4MJ;O<1UPZ>b`?qN#&Zc!X@v>o;@CB|R`RAU zM+9xy{T>^c3({S;5N`qX(SlK5N2JuZp3}+U6Bh*fQ?@`v56+XE(vLQC)cd zEWopmW5|cOf?pg80cykTiK8^pO>EwlvfEd_!A{p5t$)rQp+{GaFK5*%jE#TO-k@dW z6U=O~pd8$|IXt{H3IoOcuf7``t~~{SZhCL7VZR7=TCiui)NuMcpzPy_|1W~6rUB$f zJIUsgcLC+KJJ-kn+c}73Q%_WQfA>s`C|k?gD-mUry^EH*SJwaxM%(~s*$cy-73lug z<8uc9n^z16_o;4l?0OBZqhjd(^B4O3T_R)r*K=0)Qe1o7yOQ7lh zt0@J`6zldIA3}OVbe}5q+qU zxzSC_c&B4T<9;RUFN@oMe%UIP^A|<1X9!~Kix7R%;8it;j;`#{{Y$pyp!!X(>MEmw6w5%=LYl~yo03nRQk%V=5Hm43n;OVbAgN!ftODq0AK+^psbeWNUg-MJ1`Z%!HOad+s zS18F6&fgu@o>uiS+N0kB(D|axzeNNcqD!c1??7M78bG#+N*Al@OImF9J#}?>R!g&6 zUa)#`y6;}rYQ;)BPWNV8;Prenkh-kV)RTa`Zf9D>IyeDv5xVBN-LN|6fBqW{u*-db zqYORhm9=+DUyh5p>WLLS-XL7NKm0(@!tkpU8s11~8}q@uQQI)|_;dQhHKatZOiz@) zsh^1VML$~{AT{Z4@H4I7Eec?7r+}7M%-d5pltmhQJHjK!;c$jYRme_7l}2IM$11Zn z&XzfdkBCa*V4%NG%Bx`l*hxpYU~de)7{YTgLb!wJRaE$_n8TBFGQLKv-^$eEH%5h5DBb{$JRTOA@ zJGGRCV#8h{%xr0Fepl2neC`8mFCnh>sG|cI-y1t^D1*<|t>Pie)wE@dA-778c6Ov1 zRI#>_Y4FAUI`bkAG-<}JKxDt1we%Sk3$DsHA8uZ2=Qt+GsGdTof?C?oDXWcL*7$eT1hd@DWygp}|-lYG=6 zA7E$=eLAddxO@LVErdWT!q&W7BJ||lS+mMI!|iXxAY;@c#dMz_22H>iQ#R_de4n2@ zrlb8_ciJF5sg1v$6Su^*_Xy>$)o1-+_>&~{eMZ}TK(={qqRYC0NH=S!kv{ez@&2u% z1OE3z3s3wP83Nmcu;f^k2+em0v=#29+Loed`=wCWEuxk-y0DBn@=m#5FLb|C3#glz z2Nw;Nhu~_gvikkTAUQLAg)m$EK&aj3L{GrOi{E*E z)?=}|4VcZlyr@VbcHf`xsGlFa1x18n3-#X9;J4JoCY|C1+)szZgD#>6uX)FQQ;k%5%NPe?8s^SV%Xv z>W%-C|F=^57iP_kF}QR6J0N4{kS+7N?FG&C%5mGf-F?_8J?yMgEjlbiB_*Ls~MTs73i}n4j!UFxq;Pb#~Ru2nNka~cy zC$w1DU@n@jf3~F@U91Oq9S59+#H==iT|+!9%6<316Mu`a>)j!yT0n&PuEy-#`IjQh z|7>3ByzTldoo2RbX*PqeRjlo7{0{lE{mp>Wn3`mpo4X!G0>VltSGBaGKgJOk`4W@70F;!U1@o`{Gn5Fn zOrm!GmdIwNwO&m-sN<8p7DIWf3e9vI=c2z_)oSa;|N7s=^)$8P5%9bGN~bplI#28s z1-(w6zozOPxn6d-c^Xsyn4s8bA7TZP;Y6uP(U55 zv?xfUf)A?xk-q#7<`H@$>iPkd{y$jh@;{~hSS44=>gLXF6yL@E2q2nHfhb<*H2>-z zYjwqtTzZ9R+toA~>h<&COxOq!jUD3;f4ZTNqyD2o9 zPgl|bQ}ig2))vBP7C`rE^Ws-2bi00Q9qDZB2xsmxvQ){)Lh+On#z)dzM$$wDG`HVw zCCKnDcQ{19XhLF@ z)lY8#%-CXrjKX7oFuePo2NToC`qp`FlpgeRsjSroqk13rlhM7ea3i#zOv!}3n;)~z zpM{9gTrn`t`LZ{{|7<;6@S=n1qGNvqHVc_&KJM%?h88|%VEZU z+#YPmOnU$G*RqMtW_JB+3bGgG!VUUgZqqOG_tV01KYmTFy0y&Emn7G`^UnVf&SJL` z@&n(#5Vu-5W36IcBaRKI_h>O8@ww$=A(=^As0w%({zIyVwfRGbl$w%E;V-!_CHT*j z$DmN80-pNzNl8g4E^U8i%-iZ3lR`MX^BYGQdX-W=_`41s__{T2A2=AAns|cU% z0nSW^m|)yJz%8DEtz@IxwR!|o_V2O2v|e>)&&P4axV}P1FmQ*mNSJT3zk4hIa$V_; zjyGH8HF0Mg*7K5`H=4j!7aCPb6d%Ya;&ICmVUSGlEJirb$|~u3M1Riw+=+D_Vg@go zyUWzHCRKHwm^Gpi3Ppb2u}&3j3ID$Io*^ak#MZ$CJDimx{|1kAei@upORsCUiv zmNTFaXHFlxk&S0bDA7otjm3#_nb_`UUY};x^>%dBj7X=`kj==!^HHxq9`y;^SY$91 z?cQCQXdd2fC8oF8-n~l+W~cy4HI{Vh3yR!B z>NuIjt$klk1MgS?=L6{3TF!+BKWqP_`Ip{CjLP z;i&$}wKh0s&t(=$qR-9U^<+hUWp-#x8N#_YE)dP|iJ_j-6yo|&|AO0`MvM9_1(fkj^=(M~=`{c+S7XN00&`Dms-`wW7$-~kQ$=SMg^`Yh>Dm@kC zp)QS!DWT@MN^f~uO;tc-sdPz~d(BL>skp+NY|cU!Zh`0l!m2)Vpv;bBX8P9Z34W~Q z7G+m|>Jq(evhl);JfM3P)G9VMo2-m7_zoBHy>jFZ8J8r-I@IC=wCSMfXk%-QF;5gw8IRC(AfPM>Xyy zKlJF4q7CbLc+*$c9w|e?t(#%(>XJfC#&azOy&t1v6}sQcIVbTvFj2MYeM+yh^=zu*=ruW3nM-%1UKtIVju`*;`xzY@H@+`|14cfnnh6D9LggvC z&8>m)%IO}@qdbLPrV%2aYK!TjD5fwzzwHQza-x9UsD7(9=njD+V`lK>&sK3ha6qD$ zE6wUli~2r_qIQG((dP!Z;pVJL-?)k&u|z+mY5-qP+OBWi0)=o7duDxIVFXj$XHE?& zzZ;L0##O<;S1;8;6ZTlBU}1MlC2DJ5Kx<`j?gfR2Z@RfK(5sti--9cDy zE-;ASc0VO0NP4Jyfz%bnAM*CSSp=31S6thQv0$l&5vS+K%^-@JL4CS$gW)g+T!HEb z7S#{74JWZe z?((EhwXlN>&e=?#!mBr%qFnwAUlxHKb}My@dL7tcfDS6S+2A*25gB-P`|CH}*D|kW zx<=ehAh8Mh*RkSA9Y`|p+CGH{!vDI4&wstt`oB*=m!*Hkh|Qf0*+{#skKf;(M)9yh zmW46CR~M&)Dg1T4pCrEl?9=%tPA`ykxJgy7axsHbjVu$&oDx%&U8IkuEm5yo>8Wb& zk_$;X2tw?ez4qbu(Pox2$v~O)6x%9J`jDJMOltd++UxPaDOgqdpJBg-0IGOm4fQGJrG zKmYwoPAIToHekvj1t^E%O1wB(ireoUl2W_ilLb-~7|hUESHw)_Go#6sEAbWPk`=CD zBr1wl=1UDJ40$Sk2JU*5S}%IN1iP|q5e!&nV`^|&!ao+?tz-VH9d5O``mK4G=rGHB zu8fBS6k+=B?z}G&Vz&_?xZ0cK^_2BGGsN%FC1=hj(ZQ*oP<6fo9twBM%E^5y(A`yt z-i8jOMsPEqa&e_*b8{6YaS0HXS8^jPzUm~9axN&Ve&q=0jUDXGWKF%#sDza}$&F=K z{u!-TqC`OsWsD8e+L9?Q4ut0Cscf_GwuFqabDHZZN)_#yjdu4x&GcGH^$c84jcnsk zz+0MoO3zh$@BAt zEWC*RQozP_8|_~C7_Oxr8^>TXYl&r}>D{o(yEGaR2Dc{mbj4vrIH&OICplc6MkVA# z!hu{dHcfl`bW2htNCQK&8y{Jj=E8L#^b+r&gO*W}_t|K1ab=hGHc1IiB6Rp|`E$!d zA@*Sm_O|teN^w_xj`bp^hF(*x0}k^rB28GQTfInx*eVijAn-7!Z~@vKVh-+1e%Qb) z=OrXSx#HG2Y-2oYdAEDH;ov-w6L-DLb4zt>MDM;Jv}6GhqB%f}&rzBg+hCWxJ2_ib z!-xEn_GW01zik$#6||q zLAJ~M)_}5gzfTccHeluc`0A8oV~RV>%)LLmHgyXsI7uTQM=sU^`e{WOAQ7vK%46P7 zg)8ucl^ht@+pwQ1es5YB0xJ1Fb7x1Vz58Y5+0S8?`)2)1d~PWC zWIUyH(%rz3s=@STp5EV;aNjs6f>=8dal@h@ozZFSQ^jZKvM_si0j@_HndNN#*D9qa#n1^PmuG7CpuJL0O@fj_NRlu?qJp zWuBM&W)hk@6MBaS30BPT7wzAHx|%;-;3pA4su?E8D#Q;YG={@F8rqdRytIIU=K@yO z6TO)XwGY@iu*uuiKPy<4t&;6xS2r9RH>^t8XD!>uEevoJw?4y^iAP$@?z=)X6>Sz+Ad0o2Y3x1IFxfB7ps*+QNSEqq*9SYR)n zD1hnwaSoTcrz+zlB8XpL&{3H7;E9z;%J9_pCDK1t4)r!S<3iynu;N@5rnrh^0Gs(tk2* z*xzkjYORkgZXIH_Cnq2C{ zN>i>GGr>Z^a&~MHV$xs&OS0GBzL@1k%XfM*buwL!F-ZYxKf&tcqz`u07jV&6rXj!5 zONZfgy$;eovI{#AQIWTLQ;4em2I>YDVFFi{=pdq#e*ff2H-K}h*#Gi}-ID~S)9W9cm|1sLl1bqCI4orab@_5xv$y{TgA`ok From fa02b615b06626780481a69292efeb2a4c65456b Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Thu, 9 May 2019 15:43:52 -0700 Subject: [PATCH 130/149] Corrected bookmark --- .../mdm/policy-configuration-service-provider.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 785873969f..4913c03360 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -4123,7 +4123,7 @@ The following diagram shows the Policy configuration service provider in tree fo - [System/DisableSystemRestore](./policy-csp-system.md#system-disablesystemrestore) - [WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork](./policy-csp-windowsconnectionmanager.md#windowsconnectionmanager-prohitconnectiontonondomainnetworkswhenconnectedtodomainauthenticatednetwork) - [WindowsLogon/AllowAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-allowautomaticrestartsignon) -- [WindowsLogon/ConfigAutomaticRestartSignOn](./ +- [WindowsLogon/ConfigAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-configautomaticrestartsignon) - [WindowsLogon/DisableLockScreenAppNotifications](./policy-csp-windowslogon.md#windowslogon-disablelockscreenappnotifications) - [WindowsLogon/DontDisplayNetworkSelectionUI](./policy-csp-windowslogon.md#windowslogon-dontdisplaynetworkselectionui) - [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers](./policy-csp-windowslogon.md#windowslogon-enumeratelocalusersondomainjoinedcomputers) From c67e518bec98b2c39d77e35e6e2a8ad20f26b026 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 9 May 2019 15:45:46 -0700 Subject: [PATCH 131/149] resized images --- .../wip-azure-advanced-settings-optional.png | Bin 23683 -> 43333 bytes .../images/wip-encrypted-file-extensions.png | Bin 10846 -> 23272 bytes 2 files changed, 0 insertions(+), 0 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-optional.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-optional.png index 2ac8f45b5c4f2bf46b77dcbf28f258bb34db65e3..785925efdf7d8f2daf549c90c5ff84fb6f2750c9 100644 GIT binary patch literal 43333 zcmc$`RaDhq_$RD@bST}O(jnd5ErN7|bVzsS0S?_=(xTGc-2#%*2uMoDyZQZR)_Uh| z?&iXE1jKW8JMvfv*uQx3(g6_$e8V!TsC@bJUmE}KU-wA{ z(m5?HM$?Rm8^;_v9xng399Qc$jPqW;mXnhcdAOJvN~DY3?ATtYGfkvZfkZ~KL+W`W zBO}juCq#U2zd0RJ^Yh3n zbb`_7_`Ca?^^E=aSu`GN33JPeJ+WcjT*ZeP?YfQQkwz#K+I_argLN@1M4Zll!|mNaExe9-F1>46$;qkzG#f43@^%4(U?9iz;r3rRItd55Ju>bQ+Wur;G@e>SSsDH2 zHCZtK#-5XwKWk!(+tIH&({M0ASp@}&G6<>AC*mhgXksEB^T%Gp&1lqYD|v7 zXEzy6V(9N8ffrkV#SnDFT2eGLH1zlP-(2@{-Jjkj^P4yI@bF0IFhAR!$mO(DrW%pZ zuF~S)KRU7_eqtWWc&GcrRwsc{DrS=jl8eP!^VHsIMS%YoVuopHuvQ{6*7}rL5S0RoH3gJ{po;280rvPGC||iqbjp><5aRJ*685c zmD&DuaaUK@{X2*Q@p;bCT8BvcM-B&)r%BhrBhxq`3t}^!Rta%&cywYb;-)Srjlx^a zGSzQZYST=J+~%=_?@T^)3)@WO2ptBUZ;!}4)^t32Z4D;Ol&aKUP*G92AFpQ9sgUZp zT|aCN#NpAa28`h?HNzsHzrK(S-5t*^6pw^g&f@L*UirbT#x`)s%&E3JC@6^d;X2rE z>4zHM2Q^O!G2h@~yRQJ>0EDElRTgDVeJPpogH^T9&DllD!~SZU_tnwT04ZxQ%yLmPMf`cqz%!YlFSy&dFmI zcSj9t=w!l*>FUMuYA=>Bzp+!rM1N)+2@tN-Z%L_Gpk`+^A4xGE+(J=&9sEVNfu%6- zaduWStP{rK&cVy`&#vFt%|A99^B4vPt`BjQ1)EhfcvsWa&-qJ}lzpT_SW^>-8rTC?AziG=~-NiGjyB?=I5Jh#*7G3X9L*ziii|nzB6Ts zQ4!HmR^(^IwJ}0=`N{Sw5%Sa(vmE2BQU5LN-EAjZx~sGHsHQA|a{A+9$goZUllWha z(}{1<9orw_N4}U+Zv8C$%&$>rA{Ar0`ePyL2R)Mwj*V=k;>%GQ5;lFTXg%6fbW3oS zNTcQTyS#^kt{?A?Mea`|cA!hBJ#`3M_Qp;1(Y=hn7dx&uP`Co1%ie1~=drDi7ysrB zT{u;3$FulQ@K~tB89aBh-L(-EQRj#KkXtyfW=GFx#2`otDe|(ljXGG=e%HSdJ{3}n z_tl6s3lPgbtdJ?q33AM@EA?b@~Sa0XL>lofhoG-4J3HgI4@q z@di4T97WwqYmV{|T|~0*DZkr&I?rid<8HXDjCu}OdwqUs0v5|Rrh!+h-f`oJLkzb= z4?Shp8G(a^zh0r>s)k98CQXsuD*DTsvj0^q{~5wi@*yVUmO%JlqFhayj3lB9yN0GL zt$}t)uMqgN}1eBC7HK!n~HTv zYOH)QR?Ce})c8q)Nj0H*BLe%W;fAtQq^d*vYC)$40X;i0=mGAka z>|Dc2>NpjYz4|yzO~r)1rfxHhq!Ei|4G;DvI@%;!1Sr1TZrZ$Ne5GgHb%K{@ z!gAQtb~zwnb=T4(ep&Y($;an?yGCBrs{OWf&nZ?V59onRAbY3w< zChL+a(*X#zqYo1k<}w@HfHoFm9O1iRoneU0-b^V*bin7ITMA;>Z(f0xq=S(T|7g_=XWUHB&_8d0hSuW4nM9~Gibb` z5kXym>?9Y93P)g$0t`X?<7NT@l~SSw0U9CKpy#R>fF(t0fi{MIH|By7#9!;Z|2FN) z)(-Znygb10r`rdx$OKMqMnZ1=ROvjU*4yLZ-#pD&NnmVHk@d!+Wo|N;BgXoG+@y<( zD)nA+Q92=RL(wZAN~&%|=ZM+Q2R~!y;_TT=p>lNPA#z(KI7DB?e>FHvjM2X0cijs} z?6YxU=7}-eAYApkvy;m-Qj}Z&WQ~W@71=n>@T&1N$N$ljyAK*nwT^x~SCL8#qt#cj zA>?!brK<1Ys`IC$Si)Wo=fxv`Do!;hc&o>3Ffm$0;TdM!ElTRON8z;AX(s1MD}{?g zQW9{!m78|1FvCTi?J!mF3XA$ik?{sUg$UUtz0i9*`9oRC%T@O^UnrFTogB)9;5jNw zGF<;akt~PX!EzHPUlEw4;r>vrbN~b_aQ9%(%`-BRd$yUBo5#i&(<_BeH>(>zZdNs{ za-fBVxOBv)@j6jbGN&_YRT?qKf9ynDu2qaB{;JSfnz-)lgx>iOK_ZKa&n6lZ1GnKK z`&z;!YJ7&hBn@Yyv9tVdrL;>myM7$05H)ii!9@sB7T0fbH*yMvZk(U>%U-s+V=da% zI4d;j_uHw4)VX&FguGI8i_wE8fp>Uw30%M7aH#^>>VMHBlFU)X37U9S+59%Z9SF)# zQ*|OAB@BkTOTF}_YVv;uooLEsGKA;OPtF+79Y~6>DXv=zbs7_{AW~=Q*Rv*L_OEFP zQm>qGwZkisFB$vmR+Mw=h*mlizJ5txWI{CWx-L<}22a zv2OS(6?~D)_ApHxwp9=`%Nf_{-U>Z@cA}EU=BFY@pgjI7q|2PMUPaN4Q#}tjN}@%_ z$c6LNZ-UNAV#bsoi(tnOh}U21)a+=iiH9N&&2VRkzI8Ovj22h;o|d$fb~gSMVi~r~ ziM=k&L*|`fL_DnU>oW_R^TE$58Z`6ar2KGddQ;(*g2aD+<`TK;J69;JvEFuoZbG9E zp!A~&%O5dU^P*+7r2L8<1ESz~mJiig#2l1cDHM|_d>z`tJ+L&@XIEDPJ;Jwpg|_aF z@AV=ohErK{`AW4>LoK+sBe7J&(oJT@vgIt<-soCfIx_K5ZRX5DExsKhQO+;H;S_a@$f zZ@y@ji)TC#4|13m)Fm%up={Hd#K=}w@@O$M;G1G^rZVYFs}-IXt0ML3IqAn={L~wQ z+s4m=E3xoZr+bIxVuZ^;zJ3LOf^7z*Gg@Ajtq<`9Rv`Q7;B1(|54$BTQd08je+Tn) z6w;<+wO=ZIp zcM12li(ie={^D(DezZiOx(R8ujWc69w9*ktBh2mOmO^IxgF3Q`Gdd{RNH)c%MRndc z9^lgt(HWhij7u6S!ceRhl(p31wwerJi07a^i-=|>|45_JQyr9zH4@{+n}i^>;Rg3D zJ%`-8zphUmAbakYntd?w^F=SH(#D1kUklbYn_){uVVA2FhGpS2{%p-$uxq(pio#)( zhx6Y(Pfc_$G&<#3^(gfE_ox4qEUlWj_MNy5F|YAgouoZv+@$S6iV?zj+E;LH10_}I zM8kvUSkq9)(9cXP(;-C3H{9r1AK0%p+{=DerdKzY+$e0*^L%7U@03rT*D3F1ib?Gi zdtKl}RDWmDmB3&*_P36I+j#uDYS_|hYl61+hWvtg{qSPGOT)UxLahADPMCXhef5A? zqC3nVD7^A~cOTM7EUHG7#n;D^Qq?<|B*dF3^lU6|J7ejr6L=VAN|cCZ70zDGdu{#X z_>Boaelm93)HWuJc>T947(s&>5?OzEA%&zEjns%*V!%YD8qoGez-03pV?m3`;kfOJ z^jDY-740Ug7^(W$MV&_mx1D^iX_8y_o??DM#o>iM5hi{HpSmD+eSf2)OOwm4bk1oe zhTus+7LH@IBp;Laqci=)3)#k>RN~{4vMsCfWeJB3h=bP(3u5cnpq*xj!+CTIwxzm-h7tp(w{2=J|X%R}*ffUs()^sOi*90f%}@+OjdJ_~X2fHrlWu`*5H3 zSgw+6YdGV(aM)zD6;~B^zwmT2n8g`IPwHG2qP}i2AtQeku$U@5LQ%M*Iz8WgD;AFU zF9i@ZUG124%)s8mg`chQzw5Vpy+(uh-soli9z*DSkG(U#{e#230mh)&_wF*0R*AC9 z&ct5Dd}zwWCEbatcDxw&LK63_*}`1iT@kEy-1}c&-ZN5NVKgph`6~YTWR^woj|jn? zo8UMq6W+ya!PX+c+Xyi8uN`50E<3V8zE=Qbr_Ta?#9214=Wkq7YJHjk=6qM=T04)p^vH6rhLp*c!P&7ob zl~v3N)X*;x2#S)Hk_FDITmDjxK?0Rt_|j5RY(eq51FP_VQ1&O!M`=gdE~PWjLVVMb zbbisN&2CeB2}LZ=io%*l(AMVMVm z8YL z9^QA-H6S$D(PaqmI=ezBGR`O+ zfhfCX;&>)&mD8pM{M{fH`OY|T2BYSnWbJ*L?7U@cOa7`t?;Te{It>_By;qm21ItNSbEuw^q$Vw77e7?;iU#<>*?j^W_P-Lfhg zQ5F;jXKa!DUs00Tho}`w4^i~ts{#FCyZxGIVbj^$#DC{Q4ozdXYi6diS&#rEAcw1p zlM+r`dF8hU(_3>p^94+p^wDocr#2WO_l~J7`i(Es0!nkdx%8s5BKE7$%l8 z^Ip#2v!CYsP^CLck7x@GXLs}!}6dIUrt#@-B5SxTBeQ@ zdE`~1n$uMHP=^`))nTo@lI`*k79O?nhdvfTUXfgyOW=9;qixTk#-z-v(pD(b(VEn~$ckd%UNGp_(mIEA)SQ=qpNNvqK07k5pzhy2`ZV zH|U=Ua*#4^fS&Sqt^tza4ddH1!b>~tJdIN2i;yo{$fn`Z*ihDTCd`=O!KATH*~dD+;A$w5X8Y8Jpcx*vB6UxKkd(qEui1jZc`Ay>RS?~{%Xrr^F(A`_vp<%AyIUtaTfiMN&fu!2*FQ9*lz?2G zO+D%i!GHU^HuJo`R6}%?Zi7~tYS)uPhYzhnq57xJVbcLu8RqsU#P;@f;1rOuoAd(D z00DzkuTUE8yoy~X`{d-rX|sPUlV{?eQrr{k)YOzMLrk!Uk$H1FiG&)tkPu1D=c7+@ z%E~F>75%42J1g#M`t=rQSKnKsu4;Pa&EAqR-Ng0m{Jp<9&)3-+dG}~8DJeNPVmkN< zY4?MUoS#;Bz};v%=VHC3yKnI5(?}#19WpLcn(-6FGA1VGe%|M%VB^i}sp#<zmOl))1}*;{|$R16Ld+N_}?pvr{B zzvOt@Ip=iSZSXd{6QElt1-tIdlvcmlRp(DX#_PA>tr|!sWcMq^b3-}MvkXlyhZ$?q zKK|Q`6KMwogc>la3k(tc-R*np4c&|JeK67E*#h(b?${C&6T{JnxP7iq0De2?dGzlH zhz)E#9~U@UYM40bY6r_He1Fmtjmyjdsp_9oIatw^5Wj8^p;;N6|IXZl?w*2 z@3Tyx+vVRC-S+*HurN8F30k9zy(vVI7A$^2^I_~D>&@?J z_dMT8uAx@`{J83Xv^((vjetY4-PapvZa_1>IqAUwt@`cDidrE5m*)CqjDmmO1n*LB zIq`P~?sPp~^$<+tYJ)>=k;v1%OHl%sGp|W+ghDC{MfjlG)!&shuLI_JR^L}i4xovE z2GDrZBy?d7q<=uXP74ku1`%iPCnYeNgul>;7i&K^afEKTXduLK#9r>t>;eG|iezkT z49p5k)nIru=o)*;M9l54T%im>PmVtPk{h%`f;`x?4X}fmb$=YrmSgqkwRycuJ_x@8 zUYp_E z*BAnWr~0UnCRMUxkAZ=aiqMKhr>qCS(l!M!286sXFV4@Yi1q4BURh#cVZFh>xd{UA zowp1aI>inVn^9+xTq0sBryxx6IHgq7Ym^KX8&;sRl91>Z%j58k=88OhC;L_m1@@2# za3Xe85+-+>KOd+k`xGNe900?|w{R*D7NOv0K?yz2pVa~>6!_0qEAAL%!dc`{w$!to z`5*-&`ARuPY}4>AX|eXtzmmV(%vb9*K}q0yShXs(>n+Bpf%sy7Bc=FkXZ~1cXQ(pl zXcwH95;$(!C56!_f@#{Q)vEeP>^wX$fPh00crSR;3A;U#N~a{Qx!bVj$LSyNnmwiF z4>`KhV%SMuSak0Eeqw3O7%GzNk`*KD6Dx#=m>_so5K1Ytbq_1)Ft^bU~K z?TWJGX-zJ9RD~%h0v`fzyrofp=(o7Vs8tuA#}e_dXq2E@i#s-d^Efq`4ygynG$Hq$ z{dAGs58Fi+!*<0hRWbHgMz~>e@%o_1U6M&Q9Kw&16?0JhN->nomy&(}qNXvzblK-H zx(RT!ccMwGn1q6j{oQs^z1j4 zL*!ci)93O4dGpg`-b?mv;B-c!N1`Al&``gE`wAE}6h2AauRbw>G8f9wb@Bc9wKR#E z?-zc*dtQDouP1AVEN}E61qD=v_KQY~o86yMsUS|tXo;x&jiPOm z?sqmn4_Djn0QTdw`N`BP2R=J+!;(e({myqIrZx{A1;4uDCoI((!?IfeEJ1B(bhyLn z4O=LED3|B<;pzIlS#O#=zC~D_O9X#^Z?Eg0*>a${-qT!HYnDTuZZYU-@zm+w+Dk7T z(kXt|0yUk340y#()Z^LowE#*%fpgLar2F(5F_@2(#>5F_1X&4GUlva>UY}y%xZfJ<}ZnB=r_Z;bnmr)%q>%_h$;j zg$ZI}Vtb6~1fqU>F-}Hxf)|q#XU3#IU?j6x+b*D6D2VuN(43jq{|e3E1~g63ivT$S zy2yqze-kj)z!&)uTU6c)TcDQMBGM{lNLntuRK=-s;d>>U*FqzoBwBR$??A?G_5}Dj z3NF=ymKKsq`uSm>=DrXhJa4g*O(j7d$92)oL9|KK4Yp;kOm4gTED?>)wTK8r>;mAx ztB2(!2C%B+2;#Bm(HpdSfSDMiCZyVvd;@BzPOVWFaA64<3NW{j38YaNHOm72_&hya zMG#Xs06bF6?WO!ck4r(K2Yyj18dp#178GcvpFr%!Q3u4I2hh6 z(6@a7$K)Yh#9vr9_VM8kD_Na_C=~P)4GM1Ki7rT>30yBI%etVd+38n6v=0H22ljU< zJpZVl3Glq}1wjV_wQn>>s6|Z~Bq@d@r6I)S9jJ-Ph!_}8rvqd>whNurQf?T7Cm=WA zwL&-jJbAQvB41Pf$;!(^ZzyShe5`76-llw;tnvJ#okRlljFgm=oE*qnYAQSq&*^6q z;^)vsL#8f$@!&2P=0p~s%k9Pf-ky~!w$l4|pAk${ZSjeT508(JcXvOu``mDt4-ejj zfJ&dV)K>+a2AaUpYMa2^O`k-ueDW~JVTg(bwBj+?{5GdS{zhrie`*(IUsOy-BV!ON zkxBNyzF7k&-tO18a@Bko-W)7B(l zv!!{sb_TrEVTb=r!y)Xuw>&shL1HMe6#;)tKh1n|b_ekiJl=HYYfm=@s{rIbAE2~f zoU?)HNRJCIb_GNcG~z$MzT2#?J^o$Do`59EVZ`y{`LXnE9GExJh@}7F-p5sN{kR#n zXxXk!&eZD-#8+?({wy^(gsJrYhl2=pt}0 z>ILKTz=8*gTmd)+Fs#OD9qAW@-{#0?@Yi2?X^MoOI%;lQXA%S{`{VR(P^v1 zbvT&3Nf1z`xw*Z0XS?9|oS)%)UY2?Qg8r_w@GvorYB*3T)h`mE2`P08w`D!Fd_@pp zcDnMm^jpAZw!HImx1P7`Yv?evb@v$V&PKXS-|lxGVJuyyX6Sp|EaCMo7<+TNQVGR` zd^}9K${pnV4mM_6oUZOs1NTbHzSUXsDNTZqcSiQ@5d*ikPxGeXmoc?fv`S$uUDscK zU?Ek~`9ZHXH#bd9O}CQ(JcIIiNXugo^Qz{HzuN4y>t|_;${0U7zUKF!|Iq1hniu3- zst1WuArm}zHfgn6xGyt4rxMY}Oom!`JALYvPEDI588=W8@MP%Q@bH}-Y$BLu!im29 zXO;DkueM7`sm^RH{8Rk#L4^Nc)9%PS*RkK<~(bikOWK4KM9f z`?j`o^stzL-%oEwxK%^uGU>Vi+m{A$vqM^3qnw6Cc$sN_G~-8c?F&az&bQR1OIO)S zb=Qw?R>M44m$25#d;dHFP&QU!I@j~IxN^k*xWj5VPFv< zeGYD!!2s?6s<6t#t!wkxU%T(P<44!XFduw;E8Q|*z4>=u$6bN1UGE|Kui$YJrZSch z4re&M?qn>mpoxHtzgE|$t;({xXn>}AX!*Bolyz_9@+(_-s{ zbg^Nil7l)!e7*V~+PX!BozFfLVZDVq4 zw9;Cf=84~&-+To7&ic}Djlr3p<6)#&P3+NNRSV|B=1@)QeC~c`&zm#^ZxJol5La8< ztTBt38VpTPhs^+00v%k)_tw?StjOt*)R+I_pD?iB($CzjAD=JT2~9` z_8}o51Ek)gyyIUhMY1McuNRXfGv`jF(0C#xwxHKnGP5yT2%ezyK*%{*RuV4%aZCpq z@XW_+$Q-?wM;JXYtThu}D=I1iX$9B6%S~2O1=2{*K=9}0(DAw*=tCYJ*Z(C1nMPL3 zgZ+Fc{C~W582CU>{(&cSQ-aOPOqp!cklSH^2P@&&?t9p6UZH=9gR%_L#HMYs{Ehz% z6&b($IB-;=@K~$)zkqsjDZ$9!9MBr}Dcb`y%W2UN=2Q#{)eywD#1ZDJ>2(&Bl z+(2$*EKR1F+(xjjLRm;O8|@he3ReJdKU!&N01$cF|9^Vf$#F7(={}&h)U;h@`1G?^ zxcpK7qoTXPO(NHdnfmuO`Aq{#=2#BZ;9dJCF_Htz2^?E(kEI`W0152_9YI?=ZR@$m zr-$wO-x6`#FE;}GyfcNPR+N(iIm*bWD1MIKF>sAP zSG3ANrv}s@=SMa)3hYHs=X8-*xZZuvUOpMeGUU1SMi4V_zbwWx0?_2-R zUZVv*%FD!&w)sE#ZIVZ`0sUg7#hnO&XMCzqrUQhDp2MWq9m9a`b$~!9fEw`@1jGVv zif3S#{}mOaEe5Ds9b^H?Ku8gtg#THVkgoOy%k(Ps6S3JFusF;xjxLf?Qb)hOGroH_ z$NN|VO-pNZ*&V;W_Lyc02I*7zc2FcqA_j`MXlTqQ^Ta?*s;5$?9&rSbAqLBS{ovqW z`*W#C5F|F%Zte?CwIMo?vwwXxSCCtSTU}j^`Ss~L;lR`T+5o;g|9VuAn>v41YwpiR zR6u<87FimgNHG2X(vV;!Gp|la<5TXfpJFz)6)41q32bE#sM1DFJ2=_U8leHz}AyfttXhEVtI( z-Tkv#UqQ9eeuZEBH%MxMX`h&wh%*U^q*KmXf2$lC76!I*d_d$l-doK*FoGD!4-j-! zn*q>wT7@Nv7JuqzmF~7DYx;dLr=9|x|IKzPfVs&`I_ep0eEyGu+nHR}8^^~g=|H)f zMqV*hCE~H~6~<2=c@8^36pdu0QC^UJ*S8TIanyIswj-ydLx};8URG0 zdQHy0xBI1U-n?m?0!ow|YB;A9wjDQ7Uw;fia3Zrt$tZY>(>ROx@Xh{zAojM@OLOfc z84cZoQ+{eWZkO09N*nrM=o|X8fH53{EM*Y?9nk--GLT|SNH2nqZpx+zLqu`f+@O}39A70UR{hWmw(-2|>Z6AC_q`5~yPGD~}xz&hN{ zzX00*b6zBZ{t0AGHnxX~o^t&kZ@^-{)vA=u_Wwtnr36bNnxe|U#Af%4i>n;OX0?yO z+{=h1u+M5DyF`&7JrsE(3NllQI}gKEb$9kA|2q5!3_9Ix)jSf_6!Z{PN(Fn1@ zR@Z$@nsfo_0f;fMK4%pN*vJbl)alQk`nS_En({=LGC@7QI$q0FtA&|51fPD9z6i7t z2GB;3l0n9B6;x=j6E^%a-`PmhuHN+F8GHnL5(}{?C8bJ*R4^WFV>mRx#w8!5G3o9O(g}W)Py_mfQw;4N7g#^*{tf;n%V< zOa1|!>$57^w>oxk_@er5y%K>8w;h8BNFTmqP#Zx3&Alox(a} zdE<@(JugnjA z3roY%4pgRGj}4^T{=COOk=01=*;y~(tfI$W3cyx(U+*Hl_dx47Q4{X}$5P6`; z*a5}#^cOKSvV|HIiX3Tik~toYis*WIy!Os=xoD$)MNhC@+t^Jyx21K`cj`sH{$hG=vaEBH$KN zQ5(7Ch~ppFvp>h;XJEH`W zbsuUBTrmsTr_9uuy9(;_Ol#FKU7WNe3DfCvn;dcLUZ-)4xT>H(!Ee~I6e(P!$4Y^+ z#71(18uebrvMB8t4+9ysPh|Lx`OPfYU}XHRh^b2GU!Lu5Uy$>YECWZNSQG^Cm2(6= zZ_doA!^@(xfcQVq+spgOsagEK(2DvMB0?m&+B@{q z1zq2!khDN3vh`K-Sj1qF-~4z0VgS=%w3^higHDRx^_lV<8lJ{%s9lRVW2x-KFKCwufMJ5o`%W^ zjUIynw@V?nY3OXDWbhkr<4cr*g)I1;Q$nH3(Sd1?&Ly6%{jwB<8%XA65wNG}>-s zyP%V>)WZmbSvUfvOtRj*2%Jo+w53+hdhAYBC^@!ns|UL-?mm1=A~@TWJ-wlWf>Sxz zu$Nd{K=RW;uVeEa&*Wj1xVszItTA{19Bo#SP{XLfMhc=J*|66SIsy%+pkUTf61H2_ zjH19t=aPN+yBFs;ivSCZjPzK%WW%a{eK<`fSJ=Ct7d1t&wdmuK2P!TSsJN%*7PeEM z+JdgVaRIEq7?oq-0hTIfM^u1@LjNkFY?Asy8XeTh^!WIAVDA=za{`oBsuCm=6e_aF zf?wd`L_tZ}$a0el2<1n<6$A-c%?Mcqb}V8mz;D*PkA=q7--9N88{YFyLXI4bejCV- zD!uo;SSr9D?pj;Rg>Ge1U=P~VxxPm~o$VEJ-3J=Hc>p~D-Y^6FbfFB!MGmgDvfh0N z5*Gg1vl~>cF95e0if2HccuSCQPAQXtD;2IdXqFp@|60AC&ZzZ6wVv1y(5-xLMytyc zo)y@T=Q}5Up%Mk7^M?Lyz&&!U0XJ24Oy9q(SH&m|U`C`F!hQusKS}*|a1z*tk|;jW z6y=sqm2T2(H~w8y97ch%?XY0avcvCT;Ua#Bp$=YFZj@d+-ffWwO#bfPRN*LtT{cj{ zLE*A6-j7Rn3?+frf(}Pc(KHu3BiBE0kmUnG$_(Zw%q!$90rzoUbv+}VlbuY5jIQP1 zJ>lV~1VPiA-)VM#0Qc`W@8Yjd%sU0JBBXBmU^{{8H=aN>0Oab0(D;|zbUsh$9u@j98XdKOxl_{J)2rzg? zxp4e|ge27v20YwdbzDpACWWESU2ylOWCPhmj z|LcBRA9JcY<+FDxB_&l{Qc`k%H1L${5A)kO9xKT7ruySEL%noHDdrLu_5-d$sY)*H zJWyeeH#dVZ@k^64gGeIBEEMGBo1M3#8XB%ZBLwZ|{btsGeq-Z%b$NPso#Mr>x9w5EF|>q-O4)Dbxpnq^_>c}NRQj~j(j@(_hV;p=jd)=+zbE%6kMjp&pK7vK=%9fM`k|*Eko9dxVb;R2=|3VuC$XV`fJ{T`w1!&u{s;q zb$V^Gy)q;`Iqe>Fa;bTJsnfdcJ`i(H)R$x5K=&)g ze~7?ecTB0$K&zqy@AtmKnqfx$J4hD5!DbUV`hGLI|MP!Q6*Dj}0OP6Lpsm^I5J`(f z*28@~Isd%c=h}r@+-&P3Q)x{RdN$F`zhNtmc@lYij)UQXY{;72Kg5>qL>ZR$Pe{%x zQd3jZy5p~p=gCGMEJ|zLNin=@4Y(D8!soCn+qHC|N1KKP1sfzHS?VCu2Hd87ItW-f z4g%oU0}Kjg>~B}D;*GJd;x6kr-tfK#dHBR-;?U>tEQm6fpGC!8NQC}xxloszL!rd8 z>&ECLB=i$)TcOW(qkSXg;~qf#M4Fr$E{6Hhs#~OOpBp`8O~+E~H$%0S8Mj;4%j-vW z@iAt^9^L<-WaTsy!tb{S{HbMYYil(%HD~GPX&@G)5(f~DQNQ_{(>ix%98LS<%(mwP z@}(8#uR^E27(5hB#y?N9sd&8R^$YW)^29fi3lDR_6H+Bh%$EjZ;>XNSyFA;?J;e(b zV={?MZZeXe%vN|WUA-ZC!il*f4L%MgH8m{C+Qje7_vh|?l~Ir4TeRkk6uz!tT2hIB z?_FZ5<5qxf@(8S`X~=x2O38JnjYmft8#h)|jLA}eo+<<|Rp16C3P>UmH%321Z%<+T z9M!5B&4szqnHNO)(f`!UlYctNIaIfwY=BmCV{u)d$dbjEn{nP$xKYak~7o(4K80ROzX5oY9>dX(Qu{n<<0iM zzqdy0e)vmhK5e)HWKMTCw`cSB<#x|9kqgk)X{o6fY#}d3e4*-0y9LvKQjysp*>HEB zuMj+Ex-%%Gg2dY}{Pb+^Y6}v*wpeu*SpOVMt1Oe4B)P^mG(Z`fEOGAKVl`^8@0yD z-g5-sx31>mSu^Z4T)84U>*hz~_Ico3ThuMNz~7y8+#3bdaB@EfS~$=qWUT>21d(zx z;>K`{0;BKt!YO9N0+CAcadC1L2Ft8tN^>{5&Y>P)<3a=UYvyPBC zaDJs;{DOTc;y!m8DraB-VWs-!p@XGyBv*cU&*xL!;dH%Qq#G5=SIqS;`G?^34(oFT z&IN<2(r>v0k-Zq$tCP#G5D%uSN{{+00#x#~UT`b^&k*n5)va-W8d)N_<1J&|1(EZ*i% z^&)yBr`a;V$@=!O3dAp*<^R`dC@?$yX#A5j?lJ**SYJ_{+2R>+XBcIUFIHq}2qS{RMJHxXL$r?e403CV{*5JSL zEXqH%*J6vYjQ%?B*F6+vcm*>^E1$5>pYHctp~su%%!Ug!_T`IDCL|#`lck_MymYqJyV!vB{F61 zTD9iBdvsv{r+=VyVdfBWfjd3q#<VEaa`nL8hk1`qe5oz@hhWOW^ z2WjTUq)5<*`EP26WSc(KHg&zFS3bN~*Y*(Ket@s!Q(0Du*1lPv z1JE0V%`gq(FTRnQ&oLH9g(7T#5I|7mtKWlH<`}s6&6$CSj(!P^3ov77t%UIKPn`;g z$#i}CZnEUE%bLUM=`}E(efZ(|`cx8O>3<^ru9jT+5Rlh-?0&fdi5ZMJ)9(plV$!e_ z929i6GZyXh6C}m~Qttmxl;?IDDF$yYrS`buaYpiAe(h{c@_)XyEdKxawL4LrkbuB* zO3v1nDIA2%p3Um4W+_x+UdOYop?)zfa3{STK)PrA2ysYx)^mZ-#Do5o>G=j52xr9x z6VcJqmH?;?lJp!9FhTZMq>0l&+589C80qmAkg#Y61_tPOd9}yA;sInQ8B1|BGRo`d z=qPe{1#XRk98fK=Zhd@xff%IK>}tJvZE<>jewP_o$ga&GBm^$#zgw{V0TOeDZC*er zwj>6;xkA1fNcYdKZ;=B`%p~w7Kv0EX;8|-&0##L06Z=g+$lj`IJlp8hYoET$cLz^S z0`Zbs>A}FD;e_BHh(+MC=vfhaz_dOAo~T=@Oak86IP;9>M;lPLw9YOsxgic{+Kbn1Rj6TnWO!FdT$S08)n|mBqt|d2Z@Ca0F`1*wThLRXG7BcYZz-m`_ z{qNc`HRcRT47hOPzCSI6j)L>HcMS-uAU~7Q`114`%#Y&(U~#E1&(C!Ltd$J_IZ&il zfa(Mu_5h@=QNRv>AOIBI=Uc(uivY9HP*eL{Ov%tFq<}1iz=!g@+Jf5R=aHBlZQ7J7<~lr%!(d$oxlXz@51=aH|~L{r)`t z@*_o#0l0Ake0czac>(GLZVM2ka{@9Uz${54KLlDs21tKM0F@5ccoAgO_U_{;B)}sb zWW)FE0B|Jry_f>(+0dkw{o+@1*R)T8UJ<_t-mH`)0!+>F=mj>+`wA_Z?h;2pKm8tW zEQhgL`33Iifa7AT)eejWz(Hhtbvpcf1s_4J623d+^pbiR7OZMq+}OyQv1$99MtZtG z2b$D)Iwu|2n}7+ZXF7so2sjqd^!08P5m|;q*vl<}{xphRp8}q}KpQH*GoBqSw}@Qp zc?;5rk*wh4eglucxXlHkp*3Qmu?sxCk`K^?L6E>y6%Y#pKq0=ouYiz=w1aI0$Wr}V zd=%f31yE0b8zjk2=nHc2L;2^Z)b#XLK!9`&jvTCgMR8riN7(&^m}3>N-(1oR8lcY0 zqHWb)J*Q^)z<|3SU6Z%PbYm(!PB$RUkEy_Q?r*UeBcx5R=J&eT1MH8DLB9>BMFLp0 zT!Z1oz#w;1VFORt_%Gt%Avz>xh(rjFL8|BlECTQzBBZfgFEzkM%91+d6%g0PjCdI@ zTC9q=Ol)2Bx9w`xCCMcp987>nlem;G>jp@B789hmR5>sso);o}_bAur3<=6${gOnA zb)U|f<#4KS0PMAs1EEqWX=&&q5I&1O1mtDRwcq}!0O~e*AoZHdgb-AY zMum?ecDVhd8>P{7+6uopLNmT!#uQ5)1ei|2U16D_K}r2dI%Rg;FctKKNnM9Fsc!IO z62jti{?Bi%hbQgAqzQGzC9|atfma{~BbOKP4YCZi;8#QewkCmR{I||+RAiE53ERO4 zS@Mbt0tI2a8R=fqKj!e)<9p^~c7;+1obcn0~%N^`iE6|5*1!N0< zmQlq*Q%vZEyd`D$TC&soc&TegK~!ppO|JgVm}McCFZvz{c}$zP&r7;{D4(?Y&q5v5 zFIIDK>J{VF;)F<~IKU-|u+-k|Y+>Jz97w^F;+QyZHOap`XV)?UwSIpo5(SSh0ndPl zI^nYWh5fnf4y)(8^$dIh71jrXa&;O8YjI&`dTZAp*>9jz6(J#)ts!Qc`5XAc|a)-L#Y|#NAXvmLe z)bXk^ClDZ+;AOEIjWvHyR}y>(EQee^ddr65RmcS(0hcSs9@NQWTOoq}{p zNp}bqDUu@HC7>YEje;U2An~5-`RzNivw!W*?Ck7c&y2$Z_kG3rp7W{Gd?zO&DGA@d zp9M-OFTpO1*3r9|&vYbZWIo}{+mVIkB1*YZtl#jODJ`mIuV5rDhW4##7ayP~q!~<7i*fMDd53_JJ3=-}aH}06^DsfFk_NeMa z8rtx%cdhBk-1>}u%zUkkJb4ZZum*}IryE0t>R71N{b$|#>qE)6V}^{e6epr@D;K(p z+`7EHL_t9T7j=^N-K{$r8n=L&p~A+)PI6vsllpl>N8er!dt$UQ0-bwe7f}m(Liox} z5>Dn-uZU}D%j4{ip{CMQaFi61oXK_%r-%#!`FbA8X8x!fi_n9fyPxw9%EFC?^)nMz z=jeVk7QRGoQffmT9sF83R=v;({Er~;B;1S`>v;w!@I1S}6uV2?zw0;dt}|mk#pJ@A z$9z7+h5thh#S-Lro>;R5Vtt@=;^3pvC1zw>M_ILC_ox=) z+$FTD;gu61$6l`r3i5GP5520PS{Z8+3qvTS$gzq#?A<$P2tnhj?UH4 z@Ym*!1!wtt3@Nb?%hGQP+NJRimJYRyJha5_j3}O*a*%$tVe$ccLt0jsxTm}8_qPrd zg61Lx^pI))C-lzkepzR+S3N(!ynB!#h8KOlw**{*d=lp4y{B+&rKPYo8W=x<5mA{K+U-^f#dxZJ50N z2uenL2CXJDB}-zHiN=SmO{EWqo`UI{T);*Z?g8iywOf^{AhtfqVSsG&G4fBz0=m`~ZIz*>*_c`rULz{8M$Fj89q4M`UU&so9UodtiX)j#&|D$zd{e5xgAvgUNj|p+@GtU)YEbe5KxOO8 zFTSo0+~(IRbKX#lA6Cj(%%$R?o}W#OBz)BVU&<-jLcXw znbe3?O_Ig&-kD+eB7M4++CBG(mJA5Xe;MY%9oQ}2*P`2zLzrg~ph`H9b$A6hEMC)p zaZks^|8fCm>HTX(#Sh(e3W3h33oQ&@DMwssEC^ZqIUY<=v2su5n~xw>iPQ(LpHpF` z)^-SFCCo$`#arEfOJjQRy($sVzMsEJplEEEMha+?CTI|B)C+p(p<-I#eSTxadn}b1 z1h^+V%PA&~9MzYUfe(dHjv#QT6ek4yP>bix$S zp|KKZ6+HEIrF;jMt|JTsD7rXKrA%IvEwXlk=`aE&#(t17GVN?hZ!w?VN% z);VBG6sE86(f{Z^;bCa5ah=^~I&Zt3@J94qn@1pQxAD{q0kCE5)+XzF_q`=K$Mki@ zzL~{p`7Q1iSxvWHZ$;g-D}j^1+Y3n*J^ea!OTdu;<2?)BrG(YD?J)1b_w`z_esRMH z+9F}+Ik96|C(QAEP?sgM?%REja-xcW1|YY3{_o!7vMbwY_u=wnV~lN&$Q$K133j2e z*8#CH$Y`{)1Tb!U!6ks!>~%?Ou_@ULz30p8>t4I7Tawgg)RdHt)a*QK!&wIqaFHz? zbOvk?qPc7n=mFY^z^9T*zG z9JF@eH+c6M3N-W-l$6;pbG7_xj{7tn-1QU@i)ImX-QP?94+DhQEg!fxE-t@0@4a3d zE0BShGKw}?9u13nlk?Vh3udIew{IwK>~=cVyexg$+ta6F8hgioXYCU02A>lIGr%;l zb#@^KpGn=$U858c+5nfNBnN#i16oYxF;c zhcNWDIPbRj{5EcIeh3Xco!?sW+eUquoKMM?{5a;}3l%HHK_1JW$Dbrchxng79GsB* zx?;&O|0(1Ovd`cFPWkfeGq3`0@W$RQ{yxbz@2i`aT-yFsP*`!UFhlfY?8C^#ksz)< z%pGGuT7crWff$+R1#W2vle6;hIQPVoApW@@64}{yRf5cc7o+HLc>IMgRL2Kpsw6k) z@{$uHe6>%+_m_1ycf5xb@T7=|iG?6==>H^#uCZ3RfB!y+DH2w>G=94<;nHf?q6dh3 z4uvL%l+5TqIo=XlH4kjQcy7-02Qx94fagZQ$Reev_x3$^i97rK;HqO}WGwyfemVf> zH~sE`{iSKP3Ie##eN0>rS@x|7W?MFuA!mfXO&OW0FilaK{L&yI`pSF|#PK(}jk;*?D&F#;`DwFv^%vwIzZC4lgQGoTABc)-}sYTkB z;J1Z~%iJ5%oX0aW*rx%sLr2}oCM>8v&u=@#G!(r&CeD!>an}AIekmTTHY*i$RFg0B z;{ApN>VQC*2B-~VkSK;4gyh=Y?mU%1{+e*A_Vd3xVT>*%8~^~0mT zXAT~Bwn2*IPEJ9=Q4UuvZMXvj!BkWa#!vqZ|4MbP(y527?*g>h{)EWNUen7?TT}f{ zS04!)ZFr)9z4;%FcB6(BVYcuQEShUr0_*!DKWfMC`cfA!&O7TCO`YzK zo_@UP+!pRwUs@{pdhhtphD-Xt5d*j&ZxiiHr^d#3IXMT#T=7<3cN;wL3{>`$+r%VG zop7p94yJeq|iE#N3?CQpi^~C=4Sz=0~2+}a8$o$PU&J$Iu(QRll`F$)@*w;q4f8;WiAJaBi@W*y z(p{C5w+o59fqT6_&VSpTJWjEzy5G-G#_{Su-)aL2ydZF(LXoqEfY0`?;<$O*eyeP& zOg!a0<!wb4qyp@{s^R;mf9FE zdk#)2gWmMN_o`7klaMwrIZDu{^BHAwlyk~<7v}zUswl+JLrbu_JdM#JJeV(8{#;Vq z^qrYuKz7+?Y4k`RA@6fuFDvz|HOkdd-r_BHogJSd@) z&Y2&q4$6&iiko>zx$T!06qo}lwe}YIJmS7PlD?pfN&(ac+9|5Oe0t$|t+kEylLSF+ zDV&R|tX9_MfA(ZtZKJ<8Ta0(2YvzCL+I!yN{_@Kgs~BUg_nTYj{4p;@VCW{Y81DS}v(@ zZ=jVm2<>W1Q(l5hq=HiHsw`|bZ|oz)i`K*V3~hzl)qkvYcdAUSUEMcC-U8?{Sk=D* z?`#^QVcsNa*^zic!+#p4*fRYe}ul~TDmI7TgX-f z7m=z1NDW|&CdS8K0)I*FkX}D__UN==US9*1e=<0)GSkvBGd*F@0P8s@1usHx&|+dA z43nK9RYY{~U5Z|GV&cMPHwaek>XKL2*K4M2N%sE!V@+CeSz}Z~gQ#w>g@wgvZsKAnzdLeazITJf0R9K1Q=k9;Xr-}VOg!j^$Wl;O zLX0je%NkB3ld>5pI^CdYu6#0X8{`RhoH<7pM$;wR7Q}Tu(Y|!CN4S%qgEF5 zypDVTH~*ZjLPVcVA`kri{Q-vs90^f2rnx|^KulpjUX|C{k2w>2?f;Kkt{Q}}r6tA1 zy@@nbR8$(xFhf9kM^at1oT6g)C2jeh6+$e_wVr_Ep!-TZ7(!he3mNGN_{OWps;T2qXZr8rYz(t(V1P-Q4{B`*|Cf zJk2AZlwN5Idd_Y?_;n`Dp0CylC(-SJ-(lc_n~2XT&+Z3BRUBKj>Jg4tiWv9??3K9L zwI6_*#DnylZj0>)2_d2U;Wq%S;bi%SpQI)v4t^94R(ct)A5+OfHC&Pe5;0~evUgd` z;bpOF-C+im2g64z7dhN{iwt^OXyTJ)h1}uy<-X9Y031SLiOb=-QV4KcFi?|&PM}nJ1Q6s)i0R1JME3&Nl$tR$SHf?uUp=3?p60l;$;IM72Wn8&(nyD1O-BIO z4OIdMp?Vn5JYNJo%~gs4%oYwNO{YFfa8ZJg-Sy#TRAzhvmi97@eokdyNIKm@o44zS z*`g4~@+UmhA`TO!Afs!Rwyye*y4Zpbt(9Haq!>d8F7^emn@3Fz@RR~xIvRF`MuiR0 zc@(tjXv+C~mZ9rHR40DUC5$(H9AGVIZ)i%Yyp( zc&?G({RHA3=&8be^k!fx6Er2q$Ct&7{+scLP>Er`B&E8VkNG%Rg;ox09IXj`?K68! zd%NtV-U%QRWv_uuK&m(-+nhjb0Osw7t1_}GpEn?%4DD4(Csg+Im%HAQXL-El(n9eX zrOYu%zMML30imRxFFe!;EKU!vz^dayt9Y^%C|m$Oi5xb1XL2OY#st`gs55n}s+fim zpa%aySF5woIPoe1z!;TjHKMQ*gw9Jo$w^Av7mzi=)Lc()2lMCWV4jRXqT;|07&z(t z6A!v`G>0RE8x;o;OO0q$U#S6lZ?|K8%Cl8vVZhceCp36_y1QXS#8=Tqk4(P<(1!M% zKj;!ZyKmwZi=!X8y7Esj7 zNy!)Rd;xI6)%87*ydMD0bxX;8wR=uvYsBusz}S4MMZ($lwf8d9R(`Dyls{F)e^|tV zo*Zos$p=Z)#KgSM?XM0ewL>8H44$rFD8GtMy~0}2sentg0s{w_RvQfPaGJ{DuCFVv zaF#v>l20#X@S*Tig@bu1J84Hn9Wk#T2H8Lm{;nXkP0>eXNhU&%+`uPqcFa8~NdfsD zaPFD&vT*N4G>J?UkH{bpCejw)fe6bZ0ga9PCJl?ALYo>SeX#SvOLe(1_#!SBMqsT1 z>Aaak_^s&ztT@z9Hg@7E1i`yt-4-(&e(NrrpRpPqGgknUIs@HtN}WPMLc-F6Oc*&` z)_PFC91ghUWt-s*u9yPlZnO%W?@}m8i9Mjig)63=1HV#Ao@@vMTxkSgame}q`2sT7 zPvf>22ljmt*Dg%@Z=h*N8%|}zlPkSb5TBUHdX^TITZumfg?zzjWtOeR;>S1OsI+m^ z@4aMJ01p_n9v=H^YJOeG#+eqs0MkgZi{I~M5g)!bYgnq94Eb6846$)14C$4U&v6P1 z(Z9m`&JM)@u+RYz&Z7|c0f-6YDYGpgt9-bXp_E%_Vd~kJY%DBUHNrvcI)zVv`Xa{@ z738*`0qnN?7D}|Z@7@xqt4TgO%{L350-E9Xr-uyW>AM6>%B>(HSi`>}FmGE1X|uFj zkj+g1RbT5Ag}E&SqQ+F<>l5k__5e_W05OzM(*_mU)n?A%;ANUHjo?(hhlPc;p`rpP z-!vR%8D{_^a#z${BHGu4)*ujCwu3S?y582Ck(g`|NKH#io0++U)Y z^%PwXi0*d3dbGj*2vhkuWK%;kfO>Ml+>BVuux_Ra#z>q#;D)m>*l14Nic&cJO@3t0o06T9os>yVMC5U@ zw+ue9sK`iZpw&W-cJYyK`ECQiH#o?XCcuSK3x}9;y8B~QEiJQJ8?2Ue`+UER=EX4N z^UXPeaI{+!p!hcEc;a~59@*I1R`!%JUz7g%>)qzCGhU$1C#U=CpfGTxwl_}SP5dp% z!N}d?EGPZZ`I4s3J7+%MQSh?to76u!dI@C<|7E=&9;rOPB-T%6F95CwAz{Dv7V;Ei z#Xw#FG*U2n2;ko7_*U`$D2hmwT5T?H_|HE!R;&RL0UwE@)y^;P>!S#tD~Sb54>RR9 zrp;Pgg|8Y{iZc2iJoil2c5!)pu^;Ml57Y5JM}=ardEBbxvDE9Ao?~PFznliCWFBg1 zd7bZXLDT;a<}j-NWJAN9f_kxuq+rmyx^PPg8T~+{b~mcv(o=0Jv&^U^*sJF6TJ)6X zYG41EX4BzX2AQ36q7-HF?0#1r6PeOQv#6X_)7X12{&E7ls6=M`)j;amql*Lb76&?rWT7vm1KmP#eL|0C$m#63)rHgqob$i``rJOhlu18 z+EFN7_5eWCL=ywy`nAdKm^+$&m(tAhcUGF*B=68SI?=vLO4E~zzRpoowHD$WX&2d! z{JRNso*t=hus+=TN5sAD-M2cK)8kxs1Kls-cfP1fwb6WomW;@`X1S&P>~nD$7;$@I zPfBW!Glc@=o258M{_qaWyF7LG6rR8Q*`_!l?jFuq`QO``6%UY;fPes~yn92x2i7yb z43zt1e}%6qL-#YB)=&BY<;PV6_xXlSqNK$I%`)4HCxyoefD&IX6Eu_&#pSrv07D?vpx)?!n$*0Crr^caBx^>H zCB~)KljJTix2MIq?T#!zez+BQko@W3mO03mM@?bgWJv`zs#%kJkG>3DUYgZnAXm+k zcUPxj-`p|I(E>m6nB866H~YMlE8V9;^8K%6&2Rq=UgK_FH}|aaUw?*uE|_0_vm$!( zD|oBNZh&fqh9DILYZqf=rf467C6jdOE9m5N*t-9HiE=mj`OEogyJ=u--DCJ^4sVga zF>lXH@k^ge)y9#H<-UHTTr7gA9#p9bF@H24Men1Z`3+>?o#PoQcBbUoY20l9n1GE* z;&XcL#(?PliN7%bV83qW=u@nw?rw{;yx|NGKl@!VyEr}T^Mggh@)N)#`V%`CU4c60 z4b>0iQK{*kC;LtIygVWWI zDh=VL9Say9j84BCUVTYPcjnC-6MayaVX*ESoa4w#yWzt!O0e%AV9aDijq+GCjGJe` zu&A)0g?qMQF5^mHPtRd!dOG=k#Owfzfxrj6;&z~it!g-GVl9GT0=GMlFP@3on{hmt zsS1>n=@eu7Nvgx1pNudKHb21Jusk>{W{&Nl@)w5)Y2N z$W5)Bd3jZ)vN!S*C7QFH-kA6P@swg^ja0bkWP%E=*(<1LQmhyQ2W)}3N3WRo^TZiTf&=G2Ww@=n!zvW$$Tkg{=TlN_QfJbZcp1KR4bFZrtagcRK%g<{uX}$OcA)&zkgay4d{0W5=2tG&H2ZQ#d&i3Fh?I!{Mo;Gwk zm!BUjmDVpL+3h`3-r0UB9GCr_CZzGSpx)0`oAXBKZxFfPc+O@Vcw zD{nZW_x1H44Inh4R`Lmx$TRrvzan-M06}ZDZ~#I?H-Bv{tI_J@&sLJ)Lz`Nb zae`Wqrp|(b^miUvAkCsCI_@8hTI2IpOtXiR$~7VJe=sFFj$KQ3CjCk1XJF|;I&4(} zn}6OW(#C0arkdN+5fe|r;|DZ6Gn-`F1TRF<&jfURR~k&msa7nPG!wns0LcS?d#}W$ z3nQh7jKgs?|v7B`UUOrbd|XbKwQes>9z+oY0ozGtWunu+obxL zW_Hsd%A{W7x*^Zn3H>%C6hZ%!nUXRANDWwg)hUpABiO{EcXN4p8JK@*@Mm9s)XI}k ztN{JX{=+-Q*lUwxeLqfi21nYgeptRuPb*!E)=0J=GoP#TF%Jw31Zy;i*It?rfyCFn z1&lK{z56manL$ak4*6B!dj?sd=*1;X4~aqQEp_Osq0_!!Yct^V?Q)Zf^uKGrLHa+Q zo^!IjHA$qaCSLy(^MBZU{_n4``hU9i>i_MZcTgrIA}T2cuCoMgw_e?^Hqg#PpWkl=3QWjl zwOm`^0+rwcpqXLnQbiU+dBWTz>AjQ5q=L(__qV&J2S6PM5ORPijjz`EHaO8PU{*tv zbBMd@r=2)pMlXmt^uiATOo{CH#=j>DU>V@BX#x#-@87?Nq)5=qHaLFy0a$9a$-CZ| zkYR-0V`4H^1?j45Nz4T3)bbWmdLyBWfk=C{krCA!z}Kc(euTb`>@lDN_i(ceU0ht; zL5&O_)oZ{2w9h&aBF07cA{YcDATz(Mmz|r7>@=Wkavq0(H8L~bQ1nYr814WYaR3m2)nDhvc$PN0N{(d zKeV_&lG^nj=GK4)cv>?wSD*=+clZ-J!mDEXVy;W=&?F-wPQ;X{bp4Wl7k3K0)5 zwopQ1!0`ZELFvnvRt<1Xz$^(E~wSMNwdpbX z>wClVKoLtQm~yA4^?@+WyjAe4tOlgrZ6GqB%e-yC+H$%DF6862_uaO2n&O-yEC`uzr|G{8|JckY-DfF0{ zC`fmZ9fe+hi{ypR&Wvt;f&H~7eCChI0YuJWCIneQ8%U5Pe0~k9)-Z^J*2h+YTovw$ zz@sj}^!UY&5xrt#5;a%kt?e$@|3Cg;>H?du#b-Tx!%uShyccqYXnGMsO@YByPm`fQZOiqKk$fK(GFO)sm!Q zcG^-<1ka@#lO50dN_a*DeOyDN@S71%{S1zO{(})zz||={(5=gu#SD_?e}LUBe^ULu z_=%3ceZHULoFIFR{YgVzM~2ajKUM~+Y4oS8Vm|Ma(1jt}Y#2Rb zN-E|PuP=48a6?Jc)tm6uTuZ75^HfwsFHw+p-D1Z_m1RXk(ykM84##A!?mQZ&=V60K zRU3~&0R5Eh0!;18eV?ZRi$vb_DOuK>>zAm#9nQ?4s!rroW%Uk#?K!2)&8l>zoJ8K_ z6DYFZA>xkRp)deyt2|!3H5>39g?KnoLLZdEbqpsA;Dk1xq-4cO(qK+#g5*)9u=bzu zW-$Xa*CoWT=OkIGWfv;MxZJpeXIN>fHpX%RVT_X~YJx#;ZxUj1tH+$E1z*n(_$6MN zjc&(gmZ2H?%|^5fpPcpa)A{(dx{z#0gT>NJ_#vn_kx6hDCeC+t(RqI+Le#L?rB>$~ z-B!UdfJyP~fvPmAGRCXiPqkdeoPZZG64Hpd7N#)_+St}IbnT?1qId^zv87X#SQG=E z*FK{*xdPc53G%VUzL+*bL!S&|wL5kht&xH^nnC?xS4{GtgRF>QA)y;cq0>0MU;wDr zmWKFH^2x3kwZ$On5ojWnmvN($h+F>u)` zghD9F5BXuhJ`!Rzgy>+bE+w4X&w-m^UWd0Ef zm4Kw4JoF9b$&9!q^~;=gY^4khbY<>&yGPLbDX6m)RN(%@{{e+qKoeDez$d~`>;X*w z6ZiExt%$fl?JgB5dr@g9JZUi0Y0;~uqNGH?Pn110x-%P$N|gsOk3zIPO7jV(<@_=6 z-()Rhag7^>y+TBLMz)2tWezqnm^2dgGlHt;6d|ivA9H{^S{t@>|1h zM+|h-r7BRyq-d(uar5O#JD}!)IFrEqITO4Mjm8t`7l_dzfzX7Zx%))i%7YvpK z*95{@Vbb7y*Wv;oW!T#y8;fF4dYq zZ-KX=`yDK>Y&S6f!N4umSC`7MyPqK~$$5rNj{7l1sEu|A-_z`0o9&Mb&3Nedz4axr zn$*+SlZ)=u#rUz@$%=;>An%ojTkSv52Hz>WS=%}VU>1>Z%MeSUIEJdJ)1YVY32D^W`acoP%8M6hhL zHT&+iDZadhuS8i!BAzy2+o!O(-3xCk6SnLqW90^Z_3Klej&NPT60;99T(W{*rKWJP z*&`3J+Sl|6uyM433j)AY^9E;{Wes>KW19EK8uMYXB#^$k(jrfdiunRO)ZH85Oov3E zFm4&zq-vMT^HU%|Oxgm)<*=H=Tv9g6rWDrJociRzmB`-p3fd?t;}BVoZ~_DO!!2E0 ztlK>;%b)g|Ov9{MMyUktaQu~xu%bs?Rp?6sxY-pBAi+++lr2xt-odgxn?hBZJ+)oJ_&B_s2~Ccp>uDMJAn{Tb_hJSZp&b@tE0 z>oyu;8$kP+<;mMyufd(`4bRGesAXSoehm6`6-8q-&D&vv3_+=2$t?CIbvZ{h`z|)< zSp8?y#nV$LKf@E&m$_2-`kl`M-`e!#yGS=728(PFIRhnUgq=>NYv_IGO=0bY>MAf{ zZdJ^#_0fzq*hN(Kr?;n3J7uF?fl(u{S53rvSE%Os>@mQs>I&VOVzv@p_t06+ds;pt zDo$VlVebXnw3F#hc#4qvOn6;a4G4G0$~B{vw-jWyx%1?l#Ut#~gn~)Quza6XvZRj4 zLFw4b2a+F_3|)JtBRFrNa~QjC8W#=%)dJZlUDqNUXgG8AnfL1A!@S*Ez_(!$>EZ>3 zOx85wzLAKuj+DbDn6txoaO7Y~L*$2w1oWUn_m|hV2va)?UcOuinB_7-_4p35#5Z80;OQ69K)7Q)l*G<5f=jeOAbcOF_Bo-oM8$EetCI=iM%@ zI#aB*zIC{g zrbJ2n@ORLW!-JuO7tggWgOl@2EtM4kW!QzHcCcn10(Bo5POL-RqhI}aY!=VA3Oh9K z4&wpwzN{Az+)!MFYJc5H(wjC)d~qcfo{t>+&^vw8?}SwvDtBH($YVovNKsm3czFLb ziQml?-Ic%9)zy#97g{`E1nn-NFcbMt+8G+Mj5wzeA?0Nr-hapdi{QYl?zYjpO>+s) zFMW$Y{pso;c@ucJ-aiiLZ&-fmO_Z1mzdBa!eePt6t?K~Ai8p)L;YjOa*cbQma=Y`) zLSSr)=gp_icRgziAskj*Ih!Z#$IxFMQ5RBaxr;ja7Okx>1$V zV#l`n2IDd^r0a3nv1iZ+1g-QXZ`r-xt+e<*gpYHP9z<6bvpfIc&CqL^zx?s0YS2ZZ z(ztE|Qo?>f%sG&sYdiHji=U9SmcOT7O+scIge84~_!I~f>s<%Y@{3$(ZF6&{%>uXw zPO+WA7=y^^rGW#dXsg?UU>Kl3_;9(>K~cliW*a6h(p`> zRGc$dEHc2b6b((&1gt^(dG&WF8TE(Vk4A!H9tRhc7;J`nN0B5-rt^DTd`-ke?W^7He9 zpP8)8xY5-TW>J23aM4u#dt5?(H<;$QASpfl7_=ICP1LYTCG>O`Op!mUKDGHDIl5;e zy(@zWRIg25ap)|Huhl_89fS56vZS_}KlyDALio_gXe2skv`ua7_!5lXsa^XP2Y-eI z#|+-yCm_i%Cn`456r%aw;#0MHc4Z5i9L;o)MM9ecZC~h1O0W(O6ce-STvN$XqWJ#k z>*>dggl9kH<^&z5*a^2fB!9OuWi@_=NJ)(|KpEk|V75z9NQF4Pl^Y1v;q8rnR`46?&i3{>I~LIoRdbj zT2b&#`luA9p=ao1gtZzk+k+p$<_G2(A};ebQ-Oe^A3e&U-C!q_1lw%nIlvM99EHJa zxx!r$niS#){|^9Ak`1IE3_h{>m!(G3Afl-%5;)sA{naHWSal)G6!?p^kwHTpkuJCZ;<0~ z_-L6y2P-Q@Sqo6A*ngwH&dZ$LlkTB1nItEhWq?o%{60DDCbTMo=kTEhI20+b5IGA} z@rHgmju`9eB9XY#T@6Zz98ki(GIPn8*iUKj703~aU*vVc2xP}B8R*XJHL7PeI zuS$a&6-!Te`GbR}?idssCHzypm$G3ZH?5aJc?d}caqK$kwa=EF;0UxeO|#@&Hvq2t z;SE$LY<0-vJzI4Kpn|DxxH3#=5WenXlefAh*Ev;3;je%5v%p`YxPWbH7EeaqN$w)r z1A&W+i*>Tr7%S-dxmp;-mDH3KpO7awYe>h1I|@#{1rC`g&(nY7*RN&WpQC-dLbcA} zA*WLDd-Q0H+~;}cjT~zrY-`Zk0Qx)n=C7HWXTBJ8eH`cWVAG#1(;#~fJJoKCMei-O zVBNwJhT;){=XLSb_n4_$%_jS3=(%EcRZ;fMC?b{T$?b5Q9_@V77r2Yh9VT)%S^wC` z?};$jlM52**scJGNwLBt9}JhyI>HVqDN!^5V061s?iqD~r1xuH$8OTlq&T6^R4?g! z^T27UY*DgwW__(+Bs&eXT(I4#!Vxrdo;V8Nh*wcXRhAVaaB>>@@H7`X^Wtde%k5ji z3nb&d7X9eDE(dq9$JSRbx;3kts6HYRo{>QVL%g3f?Ev1?F@KF3sc_rrE_BmhT6|nQ z>cVbjYgd1J%a_BYg^%^pPh;+ z{7;}{yGB3z^||Cmu`nzmHDQYy1-l&TMenx* zT}gDWln3w)z+;`~t&zqqXUP?hSv0cd;fIV$=If$M_)5*;{E}Wjm{lY5nt3=!Jg&{O^*8k{{hBt5R+-2Mc$2GLbmV>7!k7&MQb#jbR|YHuKcCyBOQt@ zaiNW#@z?%ib`*CkT5a_Fn*BA@9}&3}W2`s~PL^opPL|B7V|bONnp*AfGzc6JWFVvtf)>hbiY3zNy`z5;G6!b<| z2Du5a1^tQV(}fg;Mf?qjpcY|&^xDb1KjS7t*CiS)Kn&Yg0F-ZGd3Wu&$1bR&>Il5H z)rs%Pbnx^(}sZ$m@dm8_iI`cVZiJQQ4_iqO?3-wB}K5j1`P2s|#gf zXBnzt57SRLQ;XduxMgSW3V@mQ7zlA-uOA}7tM#Jq&e+@=E;)$33hmhdUA%M9@Ca!a zvi%8O9gZj<&QaA~LD)L)xt;#}40F_^SwP@PY)JtbF885@lFEsv$9YZ}akSSO0i$E6 zkUDGP^F1&uaDoz$$rS&Sa-qVEWpET@e%`0XX*kds(pQw>q}MD|ej3Kv-=YAr%)~YN zVZ^fU7H|9(o}Nl8*N2ZX{1q(#YYLzFbUgdG6j<~~{1n*@n)Tc~1{>zEW#YR_8AZS& z_LJPz$if+Kj(-Cfi)k32D;BC63rKZ5NMgWZH>i;_;dl0oIQbOLPJ9fBIC9mz2}`Ga z*bbpGr}iva5WS7Wu(J% zWdJbiC$Y9)VJ5<`qMwS#ASWY?yC7hWX(}T`HJ{SDDOu?z&1Wx4uPZP+@S#1>FUNxH z=*8yyrx#c&cOy!eiAKo3o%KI67V|%3M@xI(j@m^$eT)B_(dP!bOW!!C-gQ|zgwQ79 zVPjikGoB(B-m+so|Fy6*tN7*Q5euH;@WpO-KoeS>jM3kag(CNo6Y{GojgGO{e<1Su z3lPCP@UBZs7GdP_u-*xOB?U%Wpx;*S0q_cgF8yl+4&M+mPh$xdmtKj-ePG~Q z!{7Gap1`1JFHomfim2c^f~Gf*^r87prFTk{p_lj;Mfdt6*Dx_@XAeMJxUvN#1(F^q z06k51TAHFgzJp0}R6-}52GP%1(o?7vmCXK~QzfBK8B9PXv0c2FXKU+usknRGOrb*e zTzuS~53poTyjz@7mYeyzkm+9I7w`hMft}Gy`%*AN9V|m7LyVaH_=HGyk4p^Qve};`O26Sqy=7;$V)eK205Y}Tu zS&#iU{;qVx&R)Rc<%0Cg*yi$Jsyu2XUHZ8~?fLXKAM$CjkTRJ?^t4bAu`j=qh6QmG zjiX3XrIfFb;2A@T><`yJNE8Yo%olRGG^f#7C#LOD!1Sa1H3F$C`aOYx4lhO*pdm7H zf%ffWowEXdf%%YNZ=XFum7tCGVe8MzmbJ9o!<|4qLcXS4xFY|#aAM9iTwXeSeEQ$9 z0!8ich#=fAE;>zF>nYFr&rVfn0*w$<8r(BQM&wbqLLU+CE8Oayy#H*Fg2s&YQ88Rf z_U1ZVG^bkcT@#)rsN0C5(72kmSUwM~p5pL{M*U2nFZL1cma&gzt769paS6EbeJE=fy-odc ziIBBtF76r?Ch4^od}cAk5b{ozZQV9wQPko@S$g0UITJ9D8bX|nJ4vcw_cd3T!s3a| zOyDGGY+{75Nj&c3H0}rK1W2<2@<6X3twLzT_)FcRzY{xLNJ$jUvRlfS7A3AA zJ;wVqdI=+8qdWCi7)TV_ZEQFO^H2h~iWguofhT>wUk?)ej00A>0@Pa_sn2;unai&B zr`2P$VDKxIcs&=2pHFD>CXsXS$y$}?q4H^l#(&)ZoTGs{A~xvZu5C-BbZG&cL6>;U zjcFyNe$o3-DOG$|`eV68{he)xkl>Gq*R^;~C=pM2hCA-M3zvbQc0%G+sLx*F69|yV z2>H+&>YcM1a1Hq#Jx{1nwg(b6AK<+DS8&2N91&zhSe)`r8o>u*`&^~xM~oPZTz~xx zJeEQ;Hv8{0tRL_HzB2v4e60Wd@&3R5FE|sBZBme6!VGY2JvqhBKt41;S^nE)8K5w+T=PdgX2E>s<|+km z8lo3kTeDd`acP1N2}nxa`{DCXFpD_C_XOQtuNx^dZe%*cfv`G7M1j%qJQq0xsE0OG{vTr-Vd%7*g@&<%Pr*Kg6i)dIvyL z*!J(2P!j!HS*;TQFr6{`S_AP_5R800HYGVJR&E#;`Yo}`@4Tu5by!!4lp(G z7}qjyBO%?-#yBr;ioCsnOPvY()FiE^B_HZu4*5ofheOcXxS0F%MabRf;CKZ?biXoO zNEQ!hLL0ZitN}^QXd$x|x=aFpXrg&K@GWftp&wwNAtF++SM>-{R#H+sgF|o&MJq`t zJTkI44*+jiA14;IWefMe;#O4WGAz6>faC%An0nk&az3wa=&EUI-f>^U{1O=v5o4jl zrss2Z=rD1Dk!t{VUDbo6Gw|1(cx5p+2uLK_*AbA(30Pl+Bu`&ovFwp?1m4Ql$$bB& zbp*1G^9YxtZ5iuvLmk?Iwuo_W7M-;?Ot;=>3@ zR<10@`9ce@{xUKtgCL8UPyRYyoD|1oqnmZ4GG0^eUW8js5r4wKxLD8i=tyu}04DWV zmy)tfaH@T3TrJz86xR8j+m;@ZcIn}?=rRCvfU7p%0Q&YpB!KpHrzg%ate~`RYs?KD zA48T}Q2fX!(j6w@DcS_^hK*r;Aniki3_$dHni2!?7T$%NcB!n@%t8IYwK@E-jQ7O( zXDwl90e8W+A4kR8x00SP{NL07xvk?CGijk94ks+8)b!{IHST9tCJu1#-U7=Y~jiTinN+J21j5qh+Ll6}3BCM0#Rg?EL-Oy@4wKn`J$`*H3YE!cbU(GmuI2M zj%5pDKd!TjPT6*a&hgPSdlCDU6l~Mm=I2)i=VFCL+2r1fSYVFIT0PRRM+>?8RGm7!5mv>1LX*Ga7 zK->(570C7ukT#Knk|o;WJnV}D){_X;nW z&X6wI0$TMK#5t>CCLf$)9#~FmFGFYhnF#gn6dCU^=#YvNPsEs0UzQa-T^Lsf77t9P zHt=%$R)8}kI`T6LHIKc68${i_Pqb!vT?t_Q*&mn}mp(sT*2fZA=DI*^ljLN=)#e>W z6Zd)}_Ke;bjy&qZqUrh>lLir#cXOo^R{k|o3%VZzIz;q0R@EA4Q4<~VxR|19P9^}i z=8)WQNMln@&<_SSJrny(5EkB^b%oakF)$Bi@X|$g`cFNpuPHwGDiKx5&vgtH>)i*TV0M#smEV4W|6VAG-cECx^M)qSiSYa3-n1)KxW zo!BdS#-LbL}1t zD52K$=GHoc)~E-vR>vPi_O8$QC^IOX{tjI;ZlrTX|MjfAD`&}A70Nh~3(KjPSa&44 zvlReY%zIO?Wyd?;v;E%OkGUjx0atkwEnsg(shdP&CWzEf$}Nb!I`bC6UO=e&8Nvru zt4Z4B3iTi!vM(>WtC!-2Vwf{xQfs_6Ax5bffliBlgG~;HCv(W{YpHG<++!LQO_NA) zy3^q^2)z0Mh!-3A3aFY|Ql8n%<*JVJ(9kd6{2qZU1gTkSWU&X`mFla~Z&JwCX68p> z$?B}>MFGs@*ui%Nl5b0}Dx}sd^&yhEVWsS)r_24usqjfY0rl#uH*xX}gsZBT8oVFF z>(%Z6KHfc&atd)r6FlkmriX?Cq1fN*lMuZBUE!+$Beu~!M`airfFElQ0wc9^%gzrTd; zx`=MHHZi!C*8#Fx#Ccv`|HIVL8!d!I%6(hTEa<6`nV(Yp^JAu(lmV_BK`lQ+N-Sqx zZ{3t85aof8t6u??$iO(A(RJ0esFWk7hO6PQ%|!MjQ~xw zXjbO0*;h7k?Zh5`-RNpQtZ(>3M(6!Eb}g~{bm$aEGmp!B3jh!$yp?1ZH@HCB$5yVn z=0`vqm3hzoscY=_lyPRjaVs#*V%Vc*2&!TgO11nQh`lDNEft&tuUn6*hNM21Dht3ZenFQTiy9l=kOcaB{iD*-W5Y;$KE< zo@dM?w5KJCJJ#ICB#7p;c_ctOi2qadj*3yTrfF-*)=}ZL<-$^aRN4ceh-Z={SW<%- zMZ!zBZdu-(i0)hCO;L#Akj>^MxXcK|&EgeOi(RfAU|6t{vix6-on=(iYrDn)K}v}s z1nCB)K|ys1^m$DIUY+@;lF9a&G-AIJ^u*^J08ZiIa$|YHTU55#BzU~stC3U zz5CHO#7JEbZi(7PD!A>b@VEh5@9Gtr`{vpN{48>Py^-8gMpU6h?Q>O{6ziebm93Pa zo1_YPGS|Z5^v8rld$fH<8e zr1HlxkpFp{tfu;Hx{H@yQ9-q%dRpvPo;+GN7dw6L2`<|H_zN(4$J&GqA(FT zZlQnxCVQnIu`&p_ZIs*x?(%qzzfbb3@T8h9lT^?AkF( ziy%_PNkCKzF3k*Y(BEush=%kbK6GQa&)0=X;`NBjX=VBz>SHl75}?U~sUcYHLV+x) zZruloR#Xa$2HmO`6oucBL3>nRhWt*;^e{}irCyjm$9Ua{omP0(&$RE%u<%$D z6(uD^fE}+|%z9-YcZ|}<+~G+z=JB!|hFbPGtjO5O(ZToSd6!qp6X+V_u^L7t@Q7N} zGfC1`7_3%1*OR?akfru8ZF-|7VOdUbv^ z;Wp?Cdbi$@bO@(kO-jN`e1Mk{{iOmymG|zthe3RdrZTmC;umk~Y!TP%dB5!!nytH8 zKIBp7Bb8k%lmjR+s*kOt;1`CXZVAdo5q2ZS?)Xh1PewD`(okWEGjQ2wqnas|xONH5?HhbMC~`SV zWgf|y#ty($*=1Au*_Rj7fA~sx?XlVzFj0~^8AH=K`GkJ+t}*ev#Z6{4f082@Fi65k z^4e(%mH4rnGqJYo_K9v~nyojn2`b#m*rSZ?htOBO^` z8h?g6%|2&4OoOAVB)0`Tft$)iL^rAm4MGyEqxzMl%y9j~ogk4b47m&5RB!@{k5Qi_ zY;!Lir6jOg`Uy2P*^o-B*TQk!O|*Hi=W~Wj`&aYVsMHc#$w-m&BU)}ZnIo77En$om8-y*P zR@4?6-fAfY4KqiBXhmrYY$uXnE2YA%iv761=+=;+%}i_{EKAZYX7)7%;10}zMt3|m z^rk*gkx?brrEr8|rIIraF=kcLBBfH91JPm{ZopI5hI zQ2TvE3SF)Muh|G5Sw9$W)r_L=p>ph!1vSCB0;i`ycTuKyMBIQdGWep!H^GVAB}hPD zWGrC>KC-GldK@P|OSwqutUM7jGs{%GQmgcvcUOZs73oqfvp+uV#&n&~Moo48}!tB%0?A2z6 z6m@$0@4T(7Bl#j}3W{t~Z2@mAU<(NB-VPZ1LqkK+{Vwk?qdLwJl@^v*Zr&}ZqH?{~ z@gU65D3yUJeR73hecdTWw516ya5iaJP{$@Nii5v#PdTbjPwpn0nt-EDskvW=8KIq& zp2!?I%?)fCJAU3zEtXy;zt-Y%Pd&@${}_KrqbN%F3n9pEEIWJkn_XDzpY8g)o)yZt zv;>cLA!k2HAd!v$IoVv4xYU%omnU>VsD6SPM(!I&p>N$4Z(;H29+*EUxdZ z(fCtK74dUTi{M&&L`i8z5iM-z%k$a{cXLr@LX7?V9)Qkf92s8gRp_E55 zD`N6QhdGEfp*w@OqXJ&5MPgEZ6EpvC?O`s(yA=Z}P8Mwz5vD+2>j$mtwkQ&=+CwlNUicP-{N{W`yRCIyqB?)f9W|HH_f_X1Y8PBuCK`06w zic(k0MeJn-y{veW4^(;GFf3RUsbzD8Dsc%2lYV;RGV+|~E08(?50Ug z?BqvF9Tsq{$u0zMlk5@;_7?3QfXhA0khfwNh_KMI!-vI6L!fh5PY&3@YOXvYQ zFF|t!L+2cUey<6laLwl^?kD^lPC8vXO8Q!_{4xKXvR-rlp^q*U;OvxM8Br*J{I8VH zp*<3b4B98dQ7Cn(G?g_mnSl-+5Yq*nmp?0`Q$~|5JkOeZzykv=suqyk4}yb(&oZ*) zg?b-zZIv4v(wPV)r%{5`K|!Gd3kG=o=?o#7Am<5YL657Px{2>k9aYutN1oF5=lTn2_9)Bqnq5JC?)kT6Hhw0Bk*sg-X^ zr%QUNZNw4&S9#tXx(B!?>1Lczat0C8 z^LACWyUcvHPc*8iFKA8d{_YUv9~8hEBuqwSrMo$=6fXt@1V94B0~|BfZ?$C59xrZa z0)%iFBYn@#=Hk|$B7zRnInC(6G{YUgE@dU9Y6r25n*CR@LcJzxhOYd(WAY16G^SRX z3x?>)SZMoP>ZcPJUu=)lK#oFW08d=5qe|VlYMD;EqQ4pCf!2!Ixv?c3w*FYf(5*5f#67qYTB zh=#_a83K*Ew1>8{#mKVEzYkiD2}z3sr=wLL*_|GINY98tN;r>`#@}ocRjjSI)w+1G zgoUf#_@CgkW4Huq+(d~NQDoU@Zy)l|CcUen9P6UCy4_6K{TX7k=5TqZig${%@8Ysg z`FwZxKiD~KZS6+cQmEKgR7PTgPHP(5qMg$!ojp(YL|)I=~D0%Z$mm zOe$s2z|-?YqYp}8vd~RF_`_Y^;v>77qr3E6;MG#82Av;}a|+1a*-YlU+AS*YWf$5F5_Q)h;+^Qx5$K zOVOh0MfrDsbZmSP)k1$VFR&pn9f*Yk0a9pg`cGgw+}W#fJze?{mu@rhFjJIJg(K#3 zm*WS#8&1yqLfOV6S5{E-@f*K%uX{YhU~jQfuE1H@|NK#AcB99+p@Aq^rF(N}Da?TG zO9_qGWnP*+z)e*ZPV)%A&-HMUqFdb^M&7|GvjSwQmlnTP^`!H4s_b!$C98j_?)@0- zI4hKoIuieTRp0k@k5rTn%PXpjDK=>4H+#u+OJeSvsv={;Z?w60O_up? zb+TRADoZ~5dZR`9obCUJO!HFi*juz2{sr!U@Muu5J1zsWt~*5d_|y=@0oWR>gJYti z4u(#iGQ6SB;AuK3N$iJsGot8R>Rni!KkibLdd0Nv9ZslfL)Nl=2lf{#)@Yuz^TxrX zpWyNAE^B1W0*|D^)^+oLQq$*>u<(AUGSm0euJ_$rG?V z{#@;6f%vDw!;wW>8SmFjbBY@5hFEk=Cu)Rm{}^6A`r-9ubhk%tmZXt2y`?X5cKD71 z`AHj9Og5Q4u_(doiQ6Vh0i(d09_w-2oEY{pMjzX(lE-v)U{8E&T>l$3D-P9$$0ON> z8qti~FSp6LbOoCbueY8~3r}wyiA>X6tQxO33NH; zD&NC*DGer2nRwZ3_)pCb;s3wp=c|hU4-|UK>3Gv}Xm|Ju%x-G#=eB5ICw#qW-Gn72 bPcJY6zKdT+GBb=}z>l)Lx?HJ@Y0$p_z-}$b literal 23683 zcmdSBcT`i|x-T4iMFhk`Rp}t0(jkD-drjzw0unmX2~}T3nt*hH5G3@3BArkz6ln zHB^j1pi>t>pcCEaPXhna$?|>?`0IqXk-8G749B(vyg3bftos-Qs))a||LhF#{=y3l zb8irc(dYQjiD?JU01(LPrl!hcNWhcTDSXVNY3TaVykh-W;8u8v=;Y^;ZzGsrf7QOd zclqs`n=t|Tx?rD(ry1u}ZmCUnT+$8yAX?)!Zc%gViyJTF<}9wLH5h9a4fdRPn7jQB zA?^*Emu$JU8L~u`4IHr~Q;WScm-T%|3X$~D3ka%At75*ahbgq~2pAU#A8;82df6Et z6$`v6i2Q%`Iy@2p4kc&#YZaU`Ewh4`8dBu<7IWjDJT1wT@<6AArtVv0Z0XeduTL9D zsjm>JRrb3(3z;6yN!knIe})%fU5b3dt<*S0(W6|;7c7T$+h4syyA~*kncIn*!7=h9 zNsq-m18Gh4E{CX{=H1xXO-R4|`NF;BmuW*TuA8XqGrd@V_Qi%nR z6ksU=3Yw9zCfe&2hM}s`Q-$L(#Rb*T$Q7GEY*l(~(NBiAE}A{OWci6|T)pq;df#EH z(D*FY1>?}3X6(_Bg3N5uGVTc)-2)mZ{7!u!x#+m8&4HSDhq2?#2_YP zKrpZ@?5B6HEQ65fbyne{@Ry^D;eCO;O`lyB(fxr@v8k>#wp>#WV~faLmzs8c?@C$- zYsbd!&-;ywUPpgS44@Pnm`6=~yf|Bp%^3`=#kRDGJu!uL+NF!qE-*MWKMd5mj_1g3 zyzb2u&uCZNb_Aj<5*14)!=~BvCr-h;ut_%|L@h%uhYyXuntWSxvgqEPO=L>) zKmknX1~Q*wRK6us8S!ZnY{ExNw~9t)X|{|Q%Iy4LG{hJUWoQn0C^G$3ry0UJL+qru3Q{d)%Qnlvviz&n7ug+QKdxF4k>|AQF_nT4 zCTLu{32RDbeP|)r5`TZKrL6?zU22Gs)aT;6x5GwyQeLw&29YVxA3|<)--qFhguyc> z%Tdm2+6l2`=p5?6IMWAJi7EY>M+6f`1$f{C@AVHN#ea#CYTZZmdP?{nfuE^Nr4GPI zXKMF0lkWva!etZGHyh9uwlXGKgR80LgO=97O8C&vVo@qJIo%z)(S>myDVKO)(8ol? zHubZUqUo$TN|tuPLbn)|K`^k3VqCj_s7j+PSCfqoPJPb}vRza6IznkzoQ`KSHnfpwjF0GHZvc0AnYhg*&QAwB4UgO1#@|_Mv235ut(#0)_;Im{7txbj zsfCJIloZuXHi;Uvup9Cx6JQH8?R$^uavel&SVtdL6|GOBGzT|)w9wb(*3)CE+!uYJ zS#7q;(8nQy7$q22=}(k?*Gfi>$C~-%>$e87>yJ#VDdM&jTI4ldndMXjIHM~+dfWB3lvG*r0Be17V z3uO_?sIjI+Nfs0=->u%Zj<0CqSM1Um#K;mNkyRPirrG&%JrH)f2eJv+lsbwWa*)HO$@Bv z>4+}-EAV?&2G3av+qjsAM|f}g3+_r>P~KNC!UF!W$$ka#I)DWW^DScZNU+cp@ehmx z!-@DyU3-Hq4Cti;8~cwpRppCPc$Z2VVl#_mXRGJ6tF}v1)UhWo@U zWLW+}_L_$h@g?oG#TF&1cBI3UG6xQ3@MZ}El&>IbkeKYF>1BJJ{sy(0pCFD#&KbEc z-jW>2?jIPJ6BX>m47X8)uTF)d?TK3)tWGn^EivPcM|0Ka0&M8?rq!Zsy4(;x_y&gW zeM9%0L&H$0h>1RXOh$`^e3f18b?OLD-9@-Nv08Tv`ehbv+5Qo$=cw2UbsKK$JxW#D zEce7r%K{Vq*0^s{vr#{Ot-5R>2m&o@xQIO$6GYZ#?z=A{L6i$L7`Af~F5^rt)vDw> z1t!&0%hfqoY&SEd?w1(Ti`=6X>L*5fr0%94>6~BVK3p|RZrhIDbuGUOzO`3eR8YMm z*%s@*4&~4$CL^n86>K~z%`zBX0=gmR!7L)gWnGP^X+kVns~lJxTtQc_hhs=`YhCp! zTbX|N--|5#fiX%^v^E{VwLGIT9xS$2$yYY0s_9~1H`95~nr1U^>~8rsY?v}}z;B)6 zGmvzr92F?(oK8G#n>5wh;fqz(bie7OUuk5Gmc2{_>+(#GI*+4DE~XSM6!VIhYBnlk zI-+@Vq*!aI{b#I#YaWSW)oYx=d!;b%%KoIyjCfSsVgL-59qsX2ffOqt_ui zTrPO4W?zMHS-CDAmL4bO4kq5r8dem=`DX?5DhU&TRxyv7t}H6~nY=BS96PpaH2vnL zC$6PN6q;oZ)uqcSL|1zxEf+bEho6_3Jfzd_pd;&iBPREslt;A(ZyNVme<+6f`pdQ} z{S|0Dfm5K`LhpD)wh^~&`$%guSs%1y(-gx77y6?irHqX^6=-5RM?+ZbidRhHovfp5ts1gbTr!x*cN=Q@I2=CC7*gwD`~u@QZd>9kgEEI| z--lv&*IjG6a>k+>vSpZX=-A2+-rR!DsJA?W{Rj*(os5v{!kZbIW;9)t%Z%xk^H(0y zZ%N+il)5WwBQc>|Z_x$TKDFe0Z*a`YyqV;NH%&1ZUg{Mavej-m-n_k+Zsg0?`DJH~ z6T#0s5*F^e9I2*3%zY^+TZLuggZldzUa{{0%B9O2S+h^e zl+;Gre^=(W7B)|7GUa%%UKQlsu-vw^%`I14nUUOU>~5(m5lFQ?o>zC`N1R}eFSI#4 z*k2{7cww+52ea1Hrq&{l<@Ts{e^*J&GNH%ni8DbwY-_L}>m zi2LTxosCMx^+(<8R;Sh0Ym4yp+}$QIePchc?H|{~oY7!?=pa>avO8SHjqo}s#=IC? zSs|Q$Hd-biDL19t`$(ibaQFrCgP^~jwCoLu%}rE4>q^$g2s(|@F&@Zo>Oe62BCD2-m8DnV zxN)iVQecy_h?odMCGl4BZT%>1c;v?ll*Qx?{eiK`FxMsEp-i9&XE*47`%*rfMrYlrIzLk^_y$^9Ca$CS(>19?h% z68_R4GLK|pfUS8AL6FcVlwLR#C8WJspmJFFM4sL@+0SDEV-k%#JoRb+G#dF}7G_pv zBLYq#vz4DQ(zV=gx{-o$Xkj_%Y(M~WluMH6E8n4W-=6=*z?$YJ zqVDcGjQqy?*=C7J{^D4lVYtz*E8ZJlq)_lFrX84u25`Npf{P*ey zJE$~L=$3e7tlk(ROy*{yjQXAhL7{0h>>+OKku4X(^7Xse>LQ$f&+x4Zf&iB!3wQJM z5-wGTT3{HQ{0X-ixce3FXUkQB`q{3A+>SZ8fqTion)T2&H)o(n{l|5=V0b#nurDh1 zlh@hntWIBrq{yV(k^n{haQFZ5RaU)%AQzixK01Er_LkO4Mo3ZnZXJnofI$7jcCL9z zjk1X$2vg5@TKh0Pif2oGRdlSo-$8<}Xurcj`*|ru&45tf5gROlbd~i4s6T?kj*Fd2 z%ziuQR5~}A@ZMKV8~>bEVR+>wz)#BCmvFzoR~QcUHl^aU-8fM83xVmQi-cVDk#d`v z$;qaGjoEzdw6Z77fh)tMUUZ!+ldyG1W>vV?C%Xkn;O6`q2Numo*I{tYho!{Akby)_=*JScP}g+yt=Zqtb*_K zlUt?#kQbfp(?yy!;5x^2Mf9F*$zPuYSE2+MJeD0nLD8<<;3TUj^a_OGAcB5sI2@wuPZcCfd@mlRdywY5w%q6fWvwj?Dv zV9s%_mQim-!^HmMo4E^x`La0Qu8nAZ_B1vjY2mV4u%=3xm;F5S%VykY0b#u$mV`*! zd;qF6I(EE54|+#Mw@>UkzZRy=I}+|p!7@SnPiFZYc@pWUXZ;GO?CBE9jlndpsMpg0 za|8L>g4m!P_bw^-nU>WI;FdL8D-0Dve3j&`^>6&jwHT9L0ersF&oiaMO@-1Iw81%d%q#ujN_uJhFwt-qk!4jK!b?o?zG9b`-2 z8h)|WAJ;m)nfx_3fVC@N6-V1&XB0k9Q`LBq0CBU#XrGP2b(9UUPG@hiKPV8t{!5LR1{)Z zA6leRqZRd%B{MU#&V8yoyEsZI--sFX@&qugjGVoU>j{6(`(OQdYC3!Xj>sGkG`!1s zl=?b~uLA#TlwXPN00Mu*MF1D6P)?7d`?>YM+2T@~P7^oYYz_uIG32wBZFKDdE zph=r00=|L_2H!jwpxMO?zy>~Byfdmnu0Wyor{68UF%dUlU(M>ow&$$%f2oL*QTf2E zGymdovPo9t0HQR*Opa1iEmXwGoZ4IEq5gbTz=`r8f{m5rV-S_LeqkQNB9dBgWg?T- z9Mi3JdT8-otfZ8bH50I_m*geA_zkjVFTV46+WFWWxPm|_VdiRoggn%^>d~9Iq z>a#Jcdf3JQdip+kKKmRU z9(dgXz5H_Le`!dvnWKyI^Yg!dzwr0>4+;trXK@3*epn4m-HPu_>YD%YFyb|723*7CTFO% zD)Vc2TcdhJL;3`@=&1&vhWYvXk5KK>n)O?54X8VIy;o(~L(NtRK{@@J%O82UB;mX&=SLaseHl&Wk4+i4*7x_A& z;XL5Od5_lLi=CaFO}?i=Hxq&0epKl{WAkNL=74M(YW^^u^N3huQ#`-W8fr|@J)^FQ zk}h5^(zv2rv7&7 zp%49|dgYzY&xGzQllOVXV5R)vV#W24$q`nW&`$nyYN162Y3Q#loE8pMlYH3-N(FGs z$Di$(+nAny(zW?9I!GzGv(PE9i82hMYI>(YpO%6DX7{k@Iqsaj;0Tll{l`gWopo#Hd2V^wUUt@uh*6G+ zz|Ya|PV(38Ps#1#mW;#NM5%kDwz&J+EEE~syg9&L8b#Gp~xz(QK% zOia0gqT~NmCj8z3gyQ3m`FME^?2J^brqn6Kh&5ge!3jz(Z{ZaW7y0n}49okgzw+DF zHVPPyv?V~FKX2Y-?ZV-337*Ah~hUL~w8ZEx4EmH%BO>lF#_ zI_G>3+1Fp=TUXaHW7Tnl>bMOq>`zmGPozCg+E?u0J)swS5FXQtamUuF$-69QMY1&LA)|^4_&&Z7(x^_H zZ0&$5B5PAF2{&A$YmWXNNLkR`P7WqQ_}uedv|6w!=1kju?TN6hAFG1tZ=KZ?wJ;GM z{C?$OON%ou*=gI^dTJ&^$t~9=riTP6&A%BD+d2q$|ajy7~s;z>Sx~_+YmDlirc4NVah#=lnA~nLrSVDh5 z*NPv_+1DIgm=bv*a(Hc_g31`Bg*1|QMweE#EbQzsU6$z7b{a8E{JwC7%E*m|v&`!H z9l;~!5+UAxq?;n^X4A3JO4<8y3A5bHPa6G7=VtSuRnAF{EYGU!8I)M##k0~oz>$l49@N=yw1DsL52B(e*Jh^uz-swH}8T^ zudcZ5X0bLr(6h^uMLx3Im*`|2U0p;4Yj!E~GvvC|Pu}nGU>PG~OfmS8wdrO{=Tjh@ z9xzrid@i?)F(P(A0Z+MbE&Q?R92-;#!q@pgmWJHiD+!JqM>x04I~SDD4+YV52#(%CTn z_gJ^zT5?R;nr7jY`B!NHGlI0l1~&_E0t}^1z|L3P!;49kI3x-%0^oEGKvY02-~kvs zqjM63C?&P4(NubuYNZ3I>5wdYM)i;UITaATY#kaX(@w8uo9DTFepB_m?BoJxktkoy zpmV_%jogJ?E2O&4K5M7*&==U=F&Hp5+Xz+p&eYnaL~{SypfxGy+x~?W=jk%@ov*rD z1qs=#TI4&n%}W@|JZd7g#z!R4KeBe=rv2e0BZ6MY=p6_4Pvvyh1C$P-OGt z?ovt7gjso}%5#`CR^HvcD2Gav(FPV+3;DK6ug=MFtGqkw5a=@>7OpL4BdhqgdSN;&7>D*=3NlGSD)DZ_|bdo~Y^` zRU+kazF2|t%HRXNdpyap-yY())6^w=89VbF`-5BFniD58FA2-;Sj-v>ZGw-2jn3X! z27F0tz01qflt8=N8_*q5xRp(GMpkZsaEfF8V{h^_ypX5Rt_yDaAcbk$bj(u{}$f z1DrR-C^rEEogl>uro-S&Iz;iV4`Iv+{H2MBnsNe$)6)ZBCTq02I)^nS_3weI$8(T8 zZq(T2x{Q=zc|kv1w^&)fu;nJ}*y#;F1hPq;V(VuRDaO#u)>|8}CJ2mfXdt?d@$p zKR-6XrD=9f&a|KlpwCx@MJ1z)9Kjqblh9hL&(Q_|(;%NOzIFn1Um8FF*DmPtGM!PA zwb5oUNm~23Hn+VkNf7=AC0e>lG!$If_w4=oZGC$0&!1KL(2!@FKZyRVR#6cJySsZf zPU9KD=4#)he8gE8I8K1x7VeCGU%$D;Z$07dv!3K}4Yp6PIh>_Gnw?%&xW>mGeCTFw zq`XtT%b5cL-3I|210YPm4Z7^b5hghI1Btn){eG|RuNg)D;w-DbekB9M>2<${Yu3kY;;khW_Zy-G&r-jy zbLg`0oC1AbUik-!n6S~A*qhJ16Oud}+U6f07atEl)&RHxBz*XMohSIr-Z{nnySQJb z)4L_f3S0h1`|B-#<5+W3cT+j*8*21mN6z?GTH(@!BqcYS&6GLy_n)NJ1JvcCKO2tX zv*iw_KxcCSv@DZdyNEcX3bo!#?~FfM9xsP@QEgfUXa#@e-ZexF`9rwRWrwYRQ1P8x z*++WH`%5!nw|KhO!U7q`^5ti5>;bThW(MHOo50BCHUd06%I$YIUUP;foZ>PL$nz>> z=3crMZy;c^j1S`6*;0#}dC>hTfm3iOAN^@PB6aNE&c>H7UmV4~00IRav2z{TQ5S|z zGNHf}q} zOPX;4flL5DlQ29ye0UhzwfX43;2Dv}%;9es4=@LRS09D{iemg5TX+Jn1;xW94<9A< zNhU9_4{rrQ@vtW;YHOq3e{<^YjFg3*Yc=iXNS_x?9>DM)0SqtvQ>fwpoM5a2;Pq`@ z=P||4TQ9eh`!6`gK*@jL7|SuE`_`_Y&rko!85molC;)A3Pqz+NfHAXf?UFgeHj`i{ z6aGap2m#=QQ@{Y6`#J+Ak#KlS$mU+gdLSY-W^N!+*u z`h0(r1JJg>PbOwII7S=QE%Z*SC3UIP`O4=$0eyZc%q2--z3dVc#{m>$m`&f4ab@j4 zi?G(MXf}XTa<%+L2fB%T-lm2c^Z|2t0Nj36G)PD(aD8rWWadcgamPh@k#`)fp?_+4 zZBhxrof?J-cddag`1!W5fMg}mvtncE&S?JKO(NFD?H?Mx#O!@ncLKf4v2b?fR##V- zlaq^nAKb>l#x{xdR*w+D@l9nN9E40214=??&AtghJVsO5SC;_70;glk@eRB(R#fp_uFTmmWKDEMSN{)g)yV&LBj?B z<+w5=WLlQ2!^9_3(L1VfYN`odWseh)98j1qHIs>HQ;X}x{r(X~yHK+0b`sRo1gILS z+*K!U+vcVyyH=wBJQ%bzkS~?klP0Pd{O6O^Sx_~wC44y`8(n{eTKKLl=+E9wCgd=$ zgEdp!IHx&y{-Eu+YJ77l%UrRVM9X1w;o%jpC~cmZNSVf#c9toyh`>sPPZv)jy@zP$ zM1BSl+4)d4&5A#tU$;P5UtgZQ+LvZ~N+Q;1==TfkeSNv0vNH|+<}sx!h?n!-A{D`f zP0@)?0Wk5TCRHT5{VUH}#>Ef`2dE*uF^5FKor%sQAH)YuEp^1Q9*fZ$dFKTNy!N(N zjV^$GmjL&+F*d2d7u?bI?Bhim^a+XfXn=<^Re=$eF)&+=zgZ|G7;k4Zgw>i&hRW*A z2D@XwP2TTCU*}5|g~vXyjAc9(Ri3INMyKD!zMx%pi>K_WEN z{UhBA`%tN%9o!YZz=0Un{86P6E_9?7|F*!D2EO zFm6+kbhRf+5+|T#NaluRH`6*er;>zbK6Nm6{Dki;V|->g8VWli4vhOQh#G8BiO$U_ zeSLk5=Oo;vvIv| z4YMIHD+awHOfKA0(K;%IFo}?{9sxGc-uQpR2>6!L8;lK3denKn8ESnA*E6?1< z-ydf5R|ytS+v#`bfuDP5DwN)VI8!UP@e%1Jaf0ZoUS|aDK_BKufb)M-Dhz|J=)cWw z{_NRH8jLITjop_Jc0za@rsOPm0W8QJAZ+e~!kRC)@u?rQtq!#W_~I1}B6(C-lu z&I?twvKR+;v1fV`c(H6hc*$}vwOX6kX{X#7TDL5gY9m}Ie=a6Ba5&w%xM8aV{L{J4 z?o>O`cGIDKu)=}v!0J+o+6~dMCFhfHcjlBJnG|Q7R;SL8x9?0Y6R^HG3sWXT&vI$JJ~nHAtAJt1L?g>k}#*6!UMGC8J4((hH$yc8SqE*hek_+b-h4AjIa zMY^<%QsPrg9ZHAx!OYlt6Fa+4MO9)ehu27T`f@24ZppUX`btPom-qLen?&>iT4v=u ze$asGNTLOt$4izA`L9{dRa^STk+d&~7(gD9ml7tlBpk&{uHTgBPe{wHg))g+QI?zN z37JJuvaR<~)xv$)D=fCUvrp^KAYe6Eod*>Gr{Pk#9FXLD0!R^+G>yR%{nY_?(_$t% z7)ZZL<{n!;o{SHSOHxCBQzNGfX)9z4W)a2DJ-4$piiHwKc+xa_b3(@3Pi98z&tr&J z;aA{^Gz89C6Zs;wuuzueJ1ak->XIFWu@tOn?Pa3dOROYYd{nJttg3WAIa@;N<`|*0 zS;mXJpvS%t z3=U51y-FAQ3Pu8)!40|n)lm%|^p6bCOW^04xFo+`Y79FH-BPd6eU&hqciiUg+2&H? zM$d~nJxu4nX{2%NOYpc))_;*x1KmGYL4d0Rhu-Ih|J7*+oIrq(=@k%A-`LpL+$_%$ zTU%Qz`9frA4G#ufXLImbYA2ghI}a1!+NMd~$H0mcj+UcmZkNkvI` z|M}f`EJNAFwqgYC4-!+;Vtmno)ZU5mYo9;sJ+4r4Ar17HY0}$`JM95_0E* zpzPpW>ACnr%8jr;H+D>Ra-^4jP(7OO&h!%;RRRF99yx8t)oPcQ>m!dR)G7YiLaVFN za!ASH@}VU`vhD|*lw%3|e=>*_S{&hjB?nKk{+c2bsiGT|ZpqH)v(dPhfdAn(7vBxkYpCOI_j1Ca6sCs&Osni%J z#Xmo9csjHKI(`0TaqAvAY$u=dXj7`Y!K-n6so{R$kH>of`+bVKt(#nmyIr2pXBXlX zX%nL0-HnY09_;^slHXf@P3@R|^3^+{rP!qQ&UJ?Qu9^yBY2`D?!Ny+<6ZrL(T{RUtw?w zaLdP^-3Vx^t22ElUo?xnO4@MB;3#j}GCy3@eQZ=b_4+VW-tA~G30D`1vU--p`(Dw< z<(yIB7JxZ_+_`e)idt^MzjXT+Mdx(tiS%w?Xp~^61#VC6AY^QDW#$k@u8V;bX=_PK zdRfq)(b@!lQc-00aq{5|w9a?sJCR&LW~vMDCif9r+o5N*tynN^j&_0{}lvEp4x ziU&oG4)hrf5V&#RYi33?odYqk6FYtQvAq27-k%o3;5d`#`a2r{8I|ZEiTxAgyLou* zu&^HdDQqQNVE5GjzR{oFrgrp4RG)Xab8ed89}_&|C{sZI_JUMTNJ(Q!(CWW@4uAi; z^`o3OC$qNKi;KBWeiVy}jpIB}=)79^=QqqAS~3Uvo}CN*VsLDGO!GZA{hL?3|0l1w z65&H%-lw=~X$9eW`h`7>M%|Ur2 zm8W?@4b9D^dn51 zAE1nL&v&W+0yr(uuzVJ0g9oO@W@bjR#;2$Kta?21fx-gpRm1+MmGzRvwsvg(RTIO6 zwdA!MoTw9^;VCtz&`ejWfkBBj?D z;1CXtzn?oM`vc;feX1TolPO<^L=-4ZJf;QvRpM^e!s&0dby%TV*}l{TUF(ppqVHLN z`yeHbckTz9w0JTg#%`@Cf#I z$0<_meKeg?_!(Zy3Tf5n4aCJ>6ITKMymBzevtR-rM_R5G8uzN-mF=2HQNF&jj+~&D zt3mkmZ5w!Py`%Wj>y+4Kt=rWST};+yTEl>o^_+6_dmv{L0?2o;aKP(+QHFT#3Sn<% z(4U{f%C-v8-mI}{Q~1~VNU8WB>qKyBrKbd5(EEs>wUy#)k?d=L%9inYaoea*ou|7) zp%-;=ZEzB8k30zINm@eG0@=rY%Y;HmX*)9lCnrkewFl;Ld~))hXFsclRdXOT{5X9; zJIh&i0)&gNdKWvM5d9|^SWny!^PfrzrLcApbgs5un1^ffIU`w??vl9~(j6%V-?BT& zMS;dSEVbl0#`GF{0?&>Bhjl5UhM%ygRYzvC9h{7JQS-JgU0@5!mzke3NwN}a1R^z2 zFOdyE%%&;U9#G&#YfgZqU0}CZWvtmT3OJ!GvOBYxv}OAVnRoBeQS)7kM#xfJXbOZ) z++GI#d!EV$VPyJFWHYNK+lj1S-r^P&+~I`G_IFb~pA{Cpw`1p-1bf8Imk1U;dvTyA zM}+)MBwq-N1Il0;jiMfT1em9lee1gh_!bTZta?A0I>R;DTKI%UlsVGQ!Yg zG3}bWuv|_aTdjuq4_pmf!3g)B3XRk>^H_Jm4O|foaoA^QD9*4m_9PUEpRFLQPSk1t z9eN3v0X9h}a3i!|_!H5%k;qh^{)H+@To8Lh!gXRfF0^awHN9{4M%CR+@ChD>;==pE z*=fqWoSaV$SXsg_YH<0JMT~5ep_eNVwNI^t*5z0l*#S_SsTxD%}KgXe{=tNG12R( zhKxs(sM9=pmJ+l87>_r*KL-Tm#Q*b-75{QhH@aYORi?2CNM*JCOdz>=X7h->Cfm3b z$dwH5*;XXX|E-7vj-5cLmo5l|vs$lU_}I^P_}gyF`d7>i(dm|uM!>}T!FF5n>qCBU zgWqb#T+Syf77l3OMyEh8sjo)Q_vC6EyA?pz1pvWXRKPp_!S-K8_Wr+2%b4jly#C*S zQEKOd2>R9_K;b%unc;-jrZWd#JRBLz0G`Zu`rAiy4<0f6vb_9}Y*1!8Ga zxth85Adp!I01f!~_+0j4oB(7kmKQ%T9{*>J@E>7k^PBRgNB@T*nve;#(9NVd^jAiX zFiM?G@=s1hz>L@@{!`TyCJ$cE8Vn01rSVYzY}i=urD(Yyu1N9BKwdz&qmy>yqUQk& z!TxA-qyCUO;}ofQuqT?UG6p1C?lxAd@7o@&t%-1AfVkSRS`Ow|UtLYnQ4Ib4P1NhD z{l$35TJ>MtS+fj+B<%zE`drKO_YFBUnfnyw@CFF;_Cf!{Op=1ae-6Rq|KG-Fen%Ak zD?=kGDH(WhcN;$L<@GGceDhu}lfR)c6DGXZ=H~aldcW-Q*SUED7?NmI7)mw}VQi_WJ5;41-Vep3) z3LF5Mww&Kn>xqgz_B+f)S_=Whl>9d#P&Iv}x3@C{VLWk+dpqMpv+W{{ga3$C3J!aM z=J5pd)1q$Vn%#O*CFVZ^(Fg?@u#p81kGEPyLes9h=+8)wy=(=VWd?N9`+(fqGq&t( zufJg!!jRb-^A7^TH8wV8{#DBG34EnWx(d@zF0svha+pQf z!;JNt0)j?)+D`#On#a?wRtwZ$MMchSO|px?*X4feOn?W!@a3fO1LX+;oZ9)tMMoG+ zogp!P^!4l4K)!FWznzxXSk>BEE?3jsyjq_+qXl5~iAuZNk4z&o=7gviZ|yrJsJl}F zQ=$qgr$8mI#bS=1V#VD7)EdxBf&ZVq=C)X2y-0mhGsnJ{;_hPZ2#b`*^gUI)rW;YS ztK?)U#Jk0R{YjTySz6dz5J;~*qeBgd+{EGUbTRY_bXO$Io}$}KgdqcOOI{q04xU3! zeutHs==cfZ-}kaFYnoBC$&J}0Vr-{f%JBoY+WwL=R-W{JZ(~k=;vIeCh7T_pCj}$;_Yx}zF}ic%@cQ*wL!U=2pM@Pe)!^m(9K8r-h#MaI5x!j4(b&*C zVO?x8FUPn8#Jib6=`I~S=ioGlko79k;lW;-s7(tH?PiSykj-?xXRg($muE_>U451# z`tR<0+5CN_X;Z$oOJKzacl!WBf4f+I$N$L2AJG&K&c2gueudr;J4`*#CivD^7F`v zq~uYvC{>bhpU~F69drJsdBZXNc7*vM7BY z0fjfUVfsmeQFhrsuQMFdwDRSvDuDInA$!r|%lGsP8qT{HES;R& z=Vdx0u|kAu-{J;OEsOd_93XZA`VD9gj-U28t{et zT3I&z7;Vpei0JNP(Sx$v#IC|!+SR^JqXJ$UxX6K(>Akr(raB&Dr7N$Zm|=uW;k9~h zcL>!bK=Fg$NKt1bqG}*=AANj8wEW#Ypk=SdVdRq9#IzsbrhRg9$!Kt`?D~@z&$`4Z zU&VBJMqJCE7#|1q_g;{e$Y|C$~DV34ZVBPAjXOlA?Uch z^s3)`JL_rZ9VMq_PkxG&h>h(Po$(Z0WHvW1>|?%b=&5}03moJHCwePH`<(3!#F{1r zYmNo;7JK^x+bqQ_t~gEz#_>S^Npj!04-0H#=mP!~M*6gGXXu|1l&9$g(z2mtJj9J+ zS$MgQyg$bTiZa@Z7V2^7MZdDGm_6uq*$63DIp~$hDsxY2SE%!^F%st6VH<)XVZN8f zD-54hR=SZa5>0asF|rR(d+|!;71X%MJpw*4Y&e!x3do<=`>l>oHTqLw&R!d{?MAF1 z2g?;e{ddNU*z$}QYBaUrW!`Tx&d_YxBhn%Ao$!zDa(Iw&7Lefq3&+*Tcw^eU?%_WH z&o>T#n0xET*WJLa-&<&LkI%p8O{Jc8O|LnG&%=5R3>m}?Nvah$R5o>#u<&1J9WwB> zDnh3C(SorKzM1#7W!9bf^glAjq->X7LPydvREk9OUQ z8%2;zpY;P4=(EGKiGN;8f`m~^dRSo}`PI0VfOD}L zWSA=Md)VxafpkJQ`&0QuyBFZjop&+Xv(@dP3wEx0^jh;AlzbWSH_oX#rmpky>tGcg zUV-V)Xop5+V|dG@4EQvEOgNeS1HMW)y^J8|UsFnTZXp2LKKufT4xgDW=Xn55KjZOU zP9VK-Y>{uqhgq;xpj}Tei<|^kAf7C}_*&MEOTqZmr^uR^*v-mJo3WJGG>by2c5S7g zkBR7Hx2*7To9Jd}MO>OMa|1X#V{OdII7)C4v>2RHw|uobDIxerUxsD7ajZ6O;STB> z7;Y$O+QT%M53T?+(dAX&C~}_ls_C0E$((c5F^U5F7}Nv@FYwMf%_m0lCfzV|dx~^Z zm9VqYCmzhh7nqB)fd}T+n&ybS0Wl~C4#+8zHZ#!`50)Z8^`!@Sp#5wJqM6}L8bvP< zZJ2li3GYvInuiu?A`1r?L!2XvicR2~lbXjeJkLpIpAI#k-}*lXeXwJ<<7&2tk(2@n z{@D2&&j~AD*#2E5eF3+673SHiUU!z)+K^E5u1i~@xjA4aW$k>XSU39h zCG-RK7;t8>wGzvJ0VSi&1Nsm%>gb$akpNUz>uNh1uTUI1R{VPoMsKU};!HvSHumh?4^x@cYM? z*PXjyt<#@A`M!${-TpGQcSIHX*Ec?K)*bF0sk?3-RI87dBm(yRw|u7T(Z#)ETjLXN zWbAdNW0xc2wxq@RV~Nh?uTjT4$8q733%0r8$IoW{{X>-ju0DX~wc4w=|4mVPuQP1F za~jinxYFv^#fF~iMuloE8I!(NSs#pLAEaMO;a81a)MDaSjVkN7tZP1UR2Q~aXH@;t zEGroWbNaY_TD%P~(UE3d;tp=bbzi@=Q}UaW3RQF4*m#pPZTM`S8U#*LoP4aG(F`6-O)@2o3<%oKnT-{W9iA}Vs; z2`#oZu6=zF7hTd7$V0#aLxYjB=-;%c62}h`3 zexeF3a}_&O(&x~>XKF(I0M~Qjeem8w6-&NP28Z6#*P~RE6Oj7UUeDfH^ugvrfRl_c zk>X1n)A9bU|870Mo8UI>x3yl)&#v9$L|70xP^bN9@XdfPMMtJ@r{j|N3h{47U5Wg7fZk>T7J%~>UcMuU zdA24DgX(6esyu8V5 zZ4^GL41C+yu*r4#NBNB6VMh~8vXJtDkbLia#(u1SpVna7S|i6|v& z!Sup$x#DSXnaTlJGhgmT5vJjc*72{5*fv&z80qqMK##Q4>1F6Z2QoCp&WXJvw>iGB zkH3qqG5kI9-0he~5!$tl2S1c}(8gLmy(&5J4^qS}58w27vr`3%c8Rx&ooPci{DEK8 za$4xYd-|s3fFyHvL4v}kR)6V@N4raJE@ARj+4CnF86bu7Kd+X8g?0*j?(xms&bK?6 z@ou>@1j7DY*h4il&>-uBQCYcmf=L7c{_6wdgA>-V7YAC_AG%mV#1wgk^s9+iQEyn( zEVl-+W#9I8B9m?(k&M z(JuGs1|u}wM-{{-n?imSTgg}BHK0A`a*DXKy|X$;?_s4l(~Y*u8984OZQT-n4t0kF zhFS4zb@oayJ#Y41ow~neJQXg}^ooZHxp!wqU@&qOXD#gEq1sHsc(x{g*Z$s^_lEC! zlBaC9>e6zePno>`-BsVHApUeUWNpE?&r$EgDSa>##KyevwU+JIRZnVYM=j`cu{1E} zJSo4z9vD5%i(t$zdhA;LUez{tx#meZh1fNZ@hr2ay}3HFAz;ML_&`gJ#Xv&BiBk|= z@HNp17`Zd;w$IU*a1?L8W5?b(L4R5QGUNoG6^9-|!W3sorb)Y%3Aitox~#ul{2$Gn zX*iqd{>OEhV=$_U>Y=S^)lzF)#Lkq8iZvvm_N}#)s=Z+_ZFNCIi%>Mw8ci%ygodJv zB9_=1R4p^M1hrIbLFC-&^t?FdI_F&fm;X0;@g%vPC%NwDzVGMv`+UCsYtoCiE#_>q zlQ*2NINO%X^r$5{^^&vd(}N!H+8UYPBw5UaZm3yT>Ff9X(u7zQ?AD&RNb?JFX*g#s zeT&-kL+X&^LWlEGSoAwuY%65{n@&ki4<|aB(~Py4S~1+H-D``3yVpc-F50e%zU(t{ z{Ub*Dgd{8MtBj0JN>}jy3|s(aXv+_MqNlVd`cIb za|WIK^@_7!9(d_8dusJL&RIDM6=by#k0J|r)xr>xuDF?e7quj~lEQVq#c{o;oDOpg z{-Y1wn}8G67#hTOJ(BZo=-sUIPQ4~nubDpszFeamyFS$O+9Y@wF;m_0WY*#By~(mz=(`zK5u8l_xnee~luBmV z5t7X?{b(pE#xWP^aFe$zbg$%3&r33%sWfU=K8odRuc(aT>(++Y$mIUg;Dqe#HYRyt z{Xve8KW&@{qsM0JB!B_yQ#58wU-T7M$ibh;zE$ESf?#xaeKfNO*^7lVMuZ9QsLq1F z^R%ArIdxW?s(ks%WzesDa#&J%8cZV;ygM>CMKN!m&gDs^uP=qy!33*m3e{Fa9P?ZM zdpGjfI@VXp59zVyLMi zKFS>wN{}N#>4*o#LYG5hq`Xc=p4KsPKIxNSVrWoj^l@3wJxpV0lh6KwOMxaSvDWd4 zK(~hCJUIp$yL>aNuGqUjig-i+Jf7q|#J8v&&#>u)kJM4rYW!>AZqksp$WP<);u^so zaw)ci+T3HsHGRq2tFg0k78b@$n+fSbF%O-TfZy&Dq~4VyjZQ80-H^K5TkLO8y`hHR z_eV`jX65?u&WCGf15ZI5+b01@vY^{@k|!xg?ESts<|BWIJ<(;yWE?IMS zjb0>ygfW1O_&J3&gY>b@rLlpNfZLbuv%4;+X{!1o&RTo9^>+?=pOzCKw$~g755;60 zmV6Pn?tB456(7{vvX_B`oDq(~I0k$jzRX15F8>*l{odNqQ+i=n?k66+FYxh!-&B-I z-bmUx;wdedA8cNde;bkN7HU0H9Fe6uNQ);Ck-I|=F1A8_E-(aEP8f2SUy6K^UH8Fe z(Oroc1=UfGA32V*SMF3Nn?_k*7+MC_32a|k6{xmFVFr>ismt?Nt4~c{g$j=jW8~3g zdKmEy&wX!``drN@N=da3hZ$vuCA+`AV>iDBApY4i_1t<&LKQz2Cdfks&T@NO%8@8` z$my;G%&*4|iq{jhB8g?&%RdFL=AX1&Q?ru5NajOz%WDZrNV;n>`Tf&`(tK63u%|;Bc;gWg2G@$g0&oZrV*45`>3EpQLAM5FUi#rO3KYuGUrPk zD(s}bYFRG~tyG_AD_Igz5njehD!9NT(P0TUm{6o;)u`TbC|$isRKt_%dS~dQ(|j4a z%`?XjU90q93RP>bKJ8Ab~;MB4- zsD6#Tj1TR8eZ{xT`jY|>N%rS`*f6@iJS}0WV+I%}9n!d&T;yA@g;b+dcd!+4JN9X> zrvKiWRC2vF9^0)-f<@ajubFCK=~k!9FLmKVO$v12hIZ^@^%B(3$As5&b6FMXpu8i~ z0||2c_<~_eY8_QT6@7aQmh70#ep&jfCh_()TF+h7Yccd<^^(g6YaTpJ@2J*w3BuuU z0*G${a(r25<5{9num@6(S)A%u+ddUlJo%yiy&lXt1Z7AhlM@Ce4~<;{Gf;U;^imCj zKzC;ys<)1uJXBbM7mc|_lMw&X?3nDBpkNB=C-ag*n6+G&M2msZ6g~4|8e|j5OxO%+ z>??Z)%Ds(@7DfBmKH2pz8>6ew(Y%BPC3M+nhnIHXdBJs?#axMP z+Ycg&S@(7#i4Mv9#DGU9EoX@aFuT$)fL*5g$vYADJ7}<5p|O^#S%aSn#eZ(B&^}T5 zC^kGvXRt}(#zKIGjY;NON2z~bb=8erHxZM$Ti71I1bgpIJDd#MHrzM&wQr*%$HV z&#>C-;eJ%B*^4Fv*X@%lE@+miC~E~WpR0uZ;1`rc>eLOg>r!Ce-?1GP?}KT0$Pl#S zBhceg;kpYdNd)kmMIAZFRG*DZMT$86&LLo{{2eaz7~~bEZD86#4F@#ISgSJtHBAjF z{T=bc@BX0owKhL%pQYrwyt)8?<`FAg>582sY!%z=rs6}2Y1nEU!qgtAd_SqsNQSjO zr19Ag9;yK^2)(~#$+v#gPOzRZ3)^~ZXB3_uVc+2|5#0Y27UoASFtX^v*^8)k!$1}d z<|GkCre7N$PcQj7a-RqaLx%yeKoz#+fpUm0Ap`8SBf-c;MJuSOPDP_v{ z(T3kdL)NQDVFhm?G2&5ad0%s4&6^OnOqGiuOyM}5%zblbG zz;dRjMr63jU~gXC1jRM8*`bTbG~2bcfZm^&Po~~QIIdnN9zkn$pFz#nbaw9?F1!`~ z@}>__cD7=5P3OZyoa7Bh^ML2Rz3l`u*UmKkdH(hg5x7o<4JGs`ji8SVx+AWO5B(a? z9LutE3rAFYJL+ME{~V^+AQ_^@UD;5&Jhe8cv1(EGX^sQw_LD2Sdcy^M<1^br9**8Ob%h>Dll!*|&B<>}p;<_Bg1Y&_`4i{cHr`Wnz) zEBM@J0O1tgG&()Ra6Xmi5i6E7ghF3#sKU40))&Rx;YkK1LoG8AqJ3C2v*CbF`IWi&y9^0!-M^ei3=Jv`z0gx|AI%~>8!8T4f|Q;s zA;`k(v*K2Rm=Ly~t20?_s6CBg0YY>&?^=sZC zf>+n8b#DD?Mi`1rk;LLKLvDEnkVVZEBoXmnv`9(T$QaMizH|RVn3~?0E=K}_Cqa< z6Kp^JRFs!n+vy@VP1V0W+Cso|hcJf&Nl3_`e0D_a>@*&OAJf)^dyu@XWjD&}=PBkE zTK=$HW0E;xko)5WHrz7BDAGFA~=DTyP1qvj%2umJCeB1DkZ&u{*+qlCo z2)03Gsv!Vz5RL0)tj=@-SiUiQA*1?2mIX|oNAV%}WWf!C9pwP0p5e;?*l}au$aV&? zIzSFcde~QLrDNR6U1Bet$G$tO#yE1HHk#3u70n3n0PtT2H>)({l%gnN#}}f zK-jHYS`rvh$?`x%*#E|5pLjZt4RC`#ep8Z$*y;iLH8OG&s7IpZY5xs3NRe8&0UWr) z-}O7j*4FTCIHfY{Uzyq00HM?Ed;mPT+aSATRkiTnGdnV7G&F&9hXr}MT;nc`PQ`)V z==yFl7n1xA%sw$12Q0$aRUgoU<;F&V-<+FQvKX`4{n!9@-EgwObkDmRaGig94umPt z3H9>w;+rsKy%lPHsI~*NGsR+S_Lw23L6r+;!UwURX;wq``VI(o&g$8c2l!LN5=~3fRoCf_DLYZpZOg}I-n0ve&D$b}H;p?3GIoaJ!1D85 zYV%c}U+1X8Kj@$8m>N*m=XSq$`*Q9S**5U9*-;~VcsX2zFS#Ls{bsEJHW)81lSL~O(5d-X-}Uefq=kUF!> z(8XJ`g`2yqL4ovJhzTw;rVU!XAGfa!ip#?xK_Jyv$;(!G+tQwefAJ#!%=ZA~_0GU`BlK7BfyHO@^<3BG2Z-*e>yv~iEsCdHo4x~cY0au(d@ zZJFQVKK>fiB(@Z6?HhV9%^CVKIEbo@`@qlho6G`$V*v-x4TZQ~(rmaNeLqE@kQbm6 z%RgAjrjZ)SKw+ELhv*m>jE{^szLUF7A9ypa-yd@N9DtICaQc5SwjK<9$PrH98xnis z$-fD9%H~nq<_{b90BzaDTLvR5O6)`7fXtV4S!!-&bm| zsvgbiLV+-M5X$xEYy-|DCIWs$69NH2BH>LLwq=LLG@4y%sOMF9+*dNhC9^o3BZ-g0 znwAz9&qhBC{Q`{OdeeHl#OuJI8(&;r78%*k^S1zyLp0Y*3ns3#gA5|&He&$tHzy}2 zKLi}=-AKr{=VsO=Fw%I=nf#w$kz7uJNAD|d+zRKwrGt4+Msr8gz!4rZ6RS%VM(%h1 E0m%d!iU0rr diff --git a/windows/security/information-protection/windows-information-protection/images/wip-encrypted-file-extensions.png b/windows/security/information-protection/windows-information-protection/images/wip-encrypted-file-extensions.png index 1a0ec5397d87e4b1f8af36ddd7fa49b20a528a64..8ec000d2a74d4d1478511f67b84df3bbc6e82833 100644 GIT binary patch literal 23272 zcmb@uXIRqh8$Vo`xl&WhJu)jTx256$Q#0!>HM87GW;t@<^KQcBrQQj}U%)B`5s&Ary;zSja>(GgndCdX2YvX_7 z1V8gD{(zG+E>a;UPS`^4-PV5`;z-VBO}}6~8HdsFJ_`bzmeqfMF3K}jt}03PzWsz8 z-=)Z@d)3J%spm8#|E~XJ_YLllI3sM;MW#iXn(VHrY^kvL&$SHP@NfQRYGw5#IFj)s zFfdpS2%KJ>Zmy@UO$@#C@GxPQjy-2^`%G0;70Pe%AFjS!Jwo%s`}=E!X^z_|%t!3f zx4+PaaQ3<1I1nY!8EFW9^ouKghc#k=eBdXMs!6!-#8*~<23X-#Xo;z=&s&r zx;Dw`Qsn4v8l_c0;e&A83lf{5)K@e=IcD!`*wTbRpxK>i;?oST9*qYT6+W-YKj=ZR zXhlk~b8$1lvNzXjmGXlL|XSme1LB~jfr&TUgt4Uk@2dt3!xHo^7E z>3X}@c4bz@NNM`Hr+^5bF;w;;H0qFh@$FyL-b3G(*oSAVls$6~e%M(@g$>u&3>9RV z>$;>zIz!bc0KEy6x85ai5nSWVK~+`G;_Yw%aPm!PwM4sIQNE-3lpwWOb9DnDza}MV z=qdj)9XV7`Zf>8p2#@!gL)fiFuEsAG%CW5QuZUZLB^5MB;3ZhqPXAYdsvr6mWBkIb z5r0vZ9jKpi3bAVN(3!cAv#OCFlCV7U*^*eJ^Sk%&sIM9S`dkcVg?`A@Lv=de_}TQ- zfp=Adc$+ISR*lj&PF_ZcND zBDc2zum7rleBm-ZXz9u3Viwmg=( zs@^s=9)8awYTW|Tcq zc5RJv5GnfEPPv&;>r5loVkq><(bKMtlk$`2w;@Y1kK0fFtlk$5xU)x9!mVd9Ns`Q!OEy945+Lw88JO z*kDbCgFJ4%AL;x=jfZgr-Le1ZN_HBykz5+GCiqyEyqM1`iPK+aVf=BrC&d05u`(?aon_OtZfYjua91k3DKhjSN8 z7uwk7M>*Ku3>jCHZE!Z%fFzv*Iz#}f3`mbtxpbl77cDL(B?{H)^uodN zv5g=V5M;maTcwQctR=Rn$+t&2A`%_+N;4Bso$fCkeA|A1iRv(FBP-jF_uxBig8}JR zeifbN;n*2y<9Ha8c;8CA!3H-r_jmkczdMK0$|B@-)1_lIz_mh1FO`MKa8nB*xCUgiLU}Fc8d3f3Y8z_h4a&fl z7XaujIB#kyI+=?(8?3J-53#Rk+nR))oV>0$Gn(f;Jtv&%lv}QEDE@A&X)&z5pikhYt7Gz9r@s%DPYD4Z9&vgWoqIv%gkD?eqX#%eT%tgf z{s=y?&jVD zMv$qd*_PrTTTh~$zjwUw&9ezAC6J9Ww9V$wB0{J>RJO0v)?OfosSBj+g zL!bgN4>3JgnKs`b|5Tz%`TCsr1w+C~Q9}pLhiT>ZH0re4^)h}UH`N_y757jhpjtcc zY<$!CJS9&y?T=az$!3?&>kveUt}hsueLYW-s36gCYB-MQ!;Za1bx`|WDj0Ny7Yh{? zXWP4yO5h3`jzc(}?7nkwE-BF8`V0y9L7Hv9sLi)H&i?}v@c{l2a_gybqvB+)aIGO~ z=&7BYArGSLR<1E{?aYIO3s3DNeBXBFNrdzV#MhkThAW8?Lq$_ppC0>_7(2M(IV-35 z@CGRWXpv`WqM8m+f^B?$4TKvy`Ll`Dz6ItAyPJ^85{Hd8J zgsf5ntF<>9w1sHHQ+`t7Vf^Wv|6J`ays2#hajb^uuiwJfoC;H@H=5voh+1=`(k}x% zL;zOJv+dpx1GSQYa&Y}Q4Y>>SkXl2Yl|PaQJ286!%MPBe7ye#yhz>N5rv)g?rk|&n zRcaL9zqIn68>$1&JqeYyKXjgbTYBe+Ja_KrkA!ZCSBK_lw}-EY(TXKj(oYek1?Y%Q zbwM`bGxb$=T>UUrCsC2J!oUgCyNUJ^rA@ z7y6=R{Z|3^=py>AzMWtAcc(Nw#9{4VWY{p}HTgxsdaoX&5r0D+XdfC&MJoM8=EmUC603 zGIsBLNHQR>fkBm=J)QE;c=qA2AeEY21_Nlh`6ql_X9QC{b>Q86T-a{x&%g zDn3hQ$MRJ6+>bA8fF{3gBA&e$wD=N!h>0pwi1tz>aPWX{RKmoYbkw|#e6zh&jEz1$ z_R)_n`EDruF6CnM6{FlEwsmue~cjf81@>`I?#9gwf+$M(;qq-F1O`#Q*v@8Nul{mM!FYq2P1*|z6ac4 z82ghRi%1n@_)1JraSW&_8GVX=8$9sr43&%GL@I#YM}n_vl9F)^XiRG414<8{9L$ z8bbj0>5YRUA4)9{C}EU?#S%T!Xs(A4@iT|tX25$6z`rYt)J30fy!}O^pLy4eJC2OR zEnm4Uu8KsPhz>~x^wJ(bW;DwN4c!pkRXrxv*ix!ZqkRZM~>zdrh~nQFxTtY zW|UDyAUkKxmJdD^P^*^~u7VSIy;OXl@+f@6V2`@dHC3sCC)n+}E7Bjlo2hFbm+2Y-^T}UZIr^Lze6MTIv`l*@LnvaulFn$aVbMk@^$s zC-%qHiQzBRSLcJv%+)Qxp&cw=$j)RYksnV)K154dJ;vW-kBo^(2Z^;#3T*t2Uawd# z(V-yD78Sq*yL%w-Kx}lwb1uN+(xZO8V%I$+NyIT}hS*kru&5t$E$ro4ivdPGKXB6U zoVPb{S7vAk$_R!XxO}#%TmABpCPNeJ!HBnZPoHzqA#DB=RrYi*{>ixG$LZIb*D0IA zM;vr9N2SULifJPV@5JA3L|SY*%yZS2_*|xB=Tu`k3g^mm4VhU9gQ`-_vhAB=uCyl( zI=7Ii^g|KHR0rq!OTC9B;MbCW`-XP1Yt#?lFPcVjwcq@D*5X(>cDYw|${N#oTvoX; z=va?V-B3D{DbvEfY6koML(4xC9D9h9K@+Dh6}g5ONlx+-;X~lsb~T*$*k9c*s?M+; zoaxyi8z^qzN71=&?y_ zZVq{MSzM*%uh~kZ@^PLn=F3KCzna}XoGL9Aw8dHLnx|RIOEa@fa@adfji=dr`$HmB zve=2Qmd}D?Rj4}l+1^~0m{Y)xnq=6Lp;p7|GjrERmcaZI)&x3^f_g1(!1%zONU))=bZ-xCHjzAobU&L+2?HhuuUi`@!c zwg@%FV3WR2ZADBB{dX$w#nBJ<$RTdIp>*04YrZ)VcjnHG6jl5@dK$*fIs6#2`sE3Y zrQg-jDxIKTDWyxOFiH=L&wvf4g!cP#v>(GESH!pHohpc>1_uv%s{V9WX206xtpvMX ze83hpw~_A}7WxFb$Lx9q;m<(aQEYg%li3Oc`YVWra01BR#u#~h&muXeJ4@ zlfIpv%lezjO)N9tt8Z^)Px&-SXH49D0Nl3`o(5N!&qcqt-90GkfQ61)HPD0GPwF@D zPeZniJD#ASathN8?fNH3A_m)PEAHS?+w@tNJh7kSSSj zqFno-zba_!{Xg=cuPIW^-le&A<+TYqPijw9VA zZD;az@-tgC>Zd?i_}<+&asQ??F1gj#QifHXAL}?LV~u28iOcCJ>;e|&cg=q5_ALd>t5&EL3RZmk5 zy=ec?(p3{}JDYRq;Ko9`lg`$Rg3fN0z1~vfVSB0=2(3SMk zSp>;bYaS7<=e|tih+CU8`^S@0yy?r{(scjQ^k2`B?}lq1rXMkcrGLi9Z%m2J+~^<0 zc_ZD4|Mt=6x5ekO>QVmRy>H~(Q5%Zi6$8dk zB?6t275mC-#?#-0Z(Y$^JQC-UsQO`mRj75By3lN9&ft%z|3kAXl*!#6-G6(9Mv|qb z1P8YS6>i8y`9Ir>p+&Yd>!5bJWSL5_|rgXOM5)yi*4m#-Bn5nRw z)?W9&X7+0{^S2$3P{YgnGetjB1a-)JY{|!SJ7x3B_t%EvF3`F)3(Iv6Z;u|OSWY%H zt4%jW9ZSPe$67l=necQz1R-$b~muEYRmd0lE zV$eY*>!{S?LfOh!Q;4ar;tG1o0Nz`VI<~hbz%V~rHw4GhmS^`-M3e7RWp-#;mD(}S z@Oe1B@n<-pWil+Qb-1-?Wl$szb?!hl;D>H_q<7rn$I(gY<2I0Z{g1j0>XF=Sfoj39p&I!w@nxtHHp?oFQ^AnD~g}(HeMKws@u_Z+`1X4{OkGeKNUIK74|&U{V-^&3J$A1-RWj zBg{b7PQ9=~0_E`LNyl%SR4X5W8G2POO8EUkclvpuYM(SKo3UZ*Oy5AC@9`Uu>nk^F zt+Ie&wpKGScPc_?)LDepM)_eh`0k;>EyH zBYB2)C%ILxsQr(W_|p`#yZ+$IkWQ=~x;4lDRDFxW^!qC1oMX&-&`?!2Ie%<>nri@m zWd!MnX1pkoXfdeCTjvrhDMaek|`Z4;O+qCA~-+>OkCeJLx zY`~>sTgE=#zP80s^HS&EX9cC<_$BJ?xbgG%1}f@uQy&B1(VGSb{aI?e?@rGx9H#`E z)%ovw`-F4fM-9>L2BysK-^`uteCI)$7-@R%K+Q0~S5719-S8E%lgj7hK3 ztsnhn`NZa4A#nypVCx@w0uQK^U~4Oht@)`8+(d1}ND1OW&0i)>=CvoJ@n6Rm*#aRx zW)&q=&tA*l8bKipO)j`I1HIRLkWJ@Pf=S1l%FGcXY2%lEUu_!{(b4^#1E~3a@Lpdr z;&q=kRupqQqNg}IdBqrSIPQ2;{DaxtnlA0PD8Nzr00L`#aelPXyh^r8DZ4R|=HX)) zhPCNaeqb&Z69D6Xs**J(Np{X+N${Ly+n*7CiXSxZxvg_Pb)>Q4`Q~@&!+zoefNN6Y zeA%UXknx2LSp7J(Z_fWiMZ;$v9(SPwQ65PNR6)?)I;inwyi4}8>=YxSuO^`GaPou% z$kqkMSjv2H!Np@`%IZP7GDav|eG;~te=kUGvY~d$zy7n%m#1-%ahInKC_ExYU|Kfy z6ny=LXIeqyK%0$@XR}7o@2K%e{Fer3m-1ssGvlBOuLbbt!Gk8^ci+}`PN+l97L$%yhqaqTwCTD(xCx4UJaAsV)Ue;`7UTl7+O$IE02@O~}}& zxQi!O5n>ac7cjneenSEqfU2R9pB}g9;e(oBh5p^k5BO6FWr;0pfd_=D!B&S_JSO0L z<22}K7d26?dxm`sdX!ae>fbIQf;#s4US|8%{xycjwCvRQyHhjV!jrmEOT2EO@bzVJ zu~wVUNhF59p>ph=|E5@H>+H>~QDND2DOPyC15x;(LT}Ot1g2n$ZV`@3rjl^Dj5)U+ zp+xyC0ezRl$4lOt8gc!11Kr1uG~{O1fsKib-Jds`BO`>;x}GfCs|O<5A=OQ_NmZ_B zxti;da&Pe*-d1X@TiS3RLRU4{OLDdAjyW;}A665FmE%Eor`^9U=7{xU^z5gmiaL7< z6u7e`n=@$l!T}m_FPt>_e{GuprTea~<7bi-EEmQmieNel-QRo*tT8v?>&RP#uU=}F zcc2;@l0LiHj|f+Tb3eE+nhyu`FGP6SDT^$f9;ash3- z2}72tyNh3}cBbnuXUsf2YIxY;Ye3xUVEu@a$m;!y@Vfs0kxWaVBVSN>5wqWXqH0dBKEr%WH(+=Y=eM-jLoZ^pyqG zU%@`GbysflJ`{K{CpU*;;I7581T1xEc`HpGGg@2iTxVJ3J*PfAz;AC~2-@+8LmdeI zrtM}=jz^_fHnQEm3d(WqG^#6KGx0S&D=ww^hz&4lWSl7TxaCRjAdWvaSTf5Eo|iSh z(dWl2B_0wUfA9`w;eBXq{JnVl;qJ%s2Z!0rbip)dP5>C?-$Yta{9THwk(xK;kQP(F z*d|y}Ty5@Fu`%?0?Nf*L#IPopSM&EjCk;q3)n^J^y<>UE-6+Dw=m@HZ zDo+N$PD>o5%j9_WbS>(I=F);jStc~jG|i=bX~ts%OcV2npat~hsrs`+sxC7T?-qYG zt9kKft-@INy?SPv7O($oQVDcPR_raQBAx6zU@aqY2wb(_S<3X8^uJV5 zXCG98_NMtowT-i|UCCv&2vu*81MyD%?PYs%Q|NncvcN``3c|p*U&u$(4?W^$KU}|> zHhbsj{a-^AOS>KQ-YX>@caBkkP(Q@4e0*J%6L4OU^;0(d@`NDp?`ZW&uwqGVuB9bj z0vqIA%qvwoJB6vCy(EgK@6ddFWRdp*&9b&p%TECU4*1Rn@|rH-cc0MwRDFYRO*Y$= zNxp(drH231hP!*TDrhmK|oYl~*U^gAns?ppj(LeM74Ybxe+cGY^^ zK`DAZZpr2`gorNXv8$1#MJBTbAKytoJP5;YTNk)B-HmbRRFt>t@d{@ z$6kuZzDM^h$6F8T>T7?>>4fM&v%s%SL=dl-5IiAsA(DK5zuzX5wss6Xim$NM@(U0P zUwc~)dwb5n(|(HbGK#v)=Tn4nbn_@*S;m%&trF)CN%yuBzQ@#i&HRouc>ODeCBUce zdc8+(cO3)uz_BMoCc=wj<2=G7rh>3eX z3PMa2{PQb^)JoIx;;F`OzE-!y$yOV%H!zt+mGJf!Yc8Mrx+s9* zB^En2M26$b!%Ih?^d4~L{&!{!X!Y1xPoboCnUFg1ChKMM4%OhmDYOu{&jW|8d!$H7!y7yQ~{@xXx*s#keH{6l2-TLZgP8!uNi ziMi&P>$TCJZPWCIiY{eY*t-@T%<1s;E0+i2?SxvtD|ZJU>lm$D7!*zCdL^DiZ%kk6 zG2RP^%{aQ)9+k6vmbgdn6d9rAYH}&oSAvd>*a-;`M}25$I!qS91quxQR)Jxe>;9&# zLq>brA%YqX$Ohl<(336HrhR>R+ZRUygBG$yQ2cYv=gOmx{b^aKzTakr1s$zm=0d41Qn`+p0eQspHjlc(vws; zB#$8F^mS~tk7krk#yuXONk=}>+czWG9D#>6LOZV8WjJ`H3`#y%j!oOqrFDc~%tCBB ztlk?Kuqe9?z-`1poEg@!VyoDh+DSi7NJMYx@uyA@yQ>E04PbL+*Lu3+acEhqw*ey= zhWDV(weqwBee&>q2nFx z9wI{;NXBt1JB4pboMK=ORj5WDFUj4mJH0VAzDq1xsOuG7Ea^M!9#{yqBiUDX;cgM=?dI)RE18JFc`Zx3)d^PiiragqVms7xhKghkBOe%t z{B_2Zxxyl!fZ>#_T^GAE-S=C$oR7DEZ*%!d?3@E}%)I~{RYYhH6yE6FS@ny}IKIZd zqa7jAK6i&M9|1(B>3ypxN#Bsmak_yAUDY(Dawf5l~+4KuGQ8P9E zUl+$)K0XQBzd@yQun*{`FS;JNO1GS+gb73T7Anlz`u=^jJ7bqQo5g>kH9n@ny}6gbDfU4x#CU%l|1O zXKaO02w(Zw7$_H90hgGiu8YRXCrdFdpcfe0Uu7OJp2aGMs*R0)7->8V1-7u#zBUy1 z8vw>WrKDmO=`WKV#zEcjvPO26#Ye1Zt)W?_aoKEuHPqFB+rQKTYz~OF21+|*GGI8s`dB!5)!JbZAtkD zXXxh-gQ7t5LKMbUCi3vUlL9JwJ)E?E3I`tAHDqwTI~FAw8|<=BBAUwNwNo>SeMG42 zu7=<^8i|EjDPYC zK;t#|WWgh5L*Um`wQeB(5?`3G4C=lypwJ1UYd0TUSh2y%q@Bn^p;sxM!9}|}1b)nS zzVhgt#cMGj33@&nU77#`z;5uBZ}wQQG9HoOvLo0ujX$mi7*?47Ii(${x-VLC-}Q8u zr|ets3jE)C^JEz>Pog$SNFP&Jq3r%yDwc36_I^H-VR4?aQ(|^Yd(xR3(bGkb+EX+L zNvc35Xl7b1O<3Y;7{wd06m2kp7juPO$QeWF+Ishj0c<`?e!Kl#8jaJFOxGLRfYX%q zwMsS;c4YYWA7P$c>Nj2+yF^OIzzH95ySr46ybZ)Wkc0W?3Pl&eSpx5WsI+omFks5L zL)_1d4$6*6Y~TFy?!sR{_bzpC&jCTcIU;*Nclw1nz1Z&zg)-EZkThP3JFY$orbMy3 z99t^B*weM29zUN!FGT0ayfMNBm#g15I#4;5#tp4&12I`qghIE0Tj24#|E>paX#dyk z@JCWHlum`nf1>P>q%*^SKP{d zvxoSVMnA$~f533-H4=ZTvKxQp9>_EMffk^6=Av=3w=n!+s2f!O2q-J1)W@&R#&rp) zLbl@%SgsUucvyaV4LpAy>44S{@Fm9l>8FsQgJK4w2fjvz8Ac-o+iw~AO zjD4KSwly5wt~{pvDu>v%^b5YY{FX6#lCFiT_uUtxNYc!HP38j$#>NYs>2C59g`tvy zi;81{!K5=V8<*dOftCl*gb7+nd{f45r)W*tq;;`JY24rtJDJdybRmAQClT~DF*LNH zdpm|OTu{}joKH{_p#!+|PBLIPXIc25$6KwdeeI!cWgB_f}gUH??+*u#C7kRpOOJqM@9#xNx-d^4;a*)l4C-$KTW z9!!nRKefJptlM29v&~CkGepMxI%pB5qqym~cb97%aRp~lEGuyZMe7;jiJ-iKaK)%y z4(hMmE+Hy6cRX5?qO6aRpt#8wVbPnFDJ{sv2;kdOJ5ul5D&>~)`&!FV6u-Gfj{vhh z1`kl0NUy!*3anAmzTNR{E~<%&p&95cRA@wu?&_!bvVsQi$d8l?L&=Im(<1fUN^*IC zGzW@Hg5|+u9t!#Ch0poQp13gsDHFx9Q0_&MH_&NizQriXgZ4*x$0vY?UX#`VFW-)Q z_A1cq7?FBWt;yLd7F*5zpjvyaxj5Uxck#9AM(d@ThWDhD-4RNfSXdu$E?pqGs>&Ln&G;aqmRUv|x z$^PVxfoW6ZVz5?ER3!08eJ%T=2r?^%`v6uI>aHp%n)A%5*6Tb{9*sV|$Xn3oT)DPg z6!`fl=9#^S(@As0W+rYo2KK7LSj)K*F%%px85*~z9}X*fcArGJUMUB&d3Ni)yqU0< za14V)k#Lfze|6+c+MoDQmKQ0;GzQyF&<;8Ov$XqUp(}zTl2&4pY=`g9=*6g4CxyDn zPYQQ6Z-42uJ=<*`b68-023-}xF7izd^A}bf}XgNcaMqmyvrL%UWYxALOKqV#Vteu%6 z+)iIF-T)a^Rd6oGzm8@{auPBeFNcET9sRP6+P=o>bp#F8#y1J4F0*4j4WSv~B@nmE z-5gLkT)}$8R#j58q?a`u5!j2uS+Kyb#O`1Z_7y z6C^$?wZJ@01-1NQFRZp6?qy7l+J2tT4RPR=_#=|@urbcOp9Ix00DDXB7=+ux%Hqs5 zM>Vs!8TB}+$q578uwt}iAct~1?8z0%_(mLV9smhb5G&_4hZ`ap)^I-nlOa9C*#5E1 z$s{(qgjVu$6Q2z8$?kIFv*?M}Ga!cxtcaDsXP9pV=+<@V0} zTDN4cs!qYwtgN-amSwgt;^N}G8@=$TeoI_eY=;w9oPni``P*#%y45L&w`V*U|Hlruj)4qMXE;Qix5ZiR7vcFeH zTYK_ji8B`AEtZjy!A-s}Zi8}#!O%lzP6wqfEH0`q3^n?@dJxd9@&aj%dUtJXG7<|~ zy~oP4%N$#qq|H)Ou)MqS_+0W2KLM2aix-7M>fX6N=>0A-1`R#1eemEdUSl`%<;!pQ zt4I@XB)Rhi%H-Lz&vsU|jv+IOjxFQanulD77!wg<5AHwKNBRyjPHqc@G?iEsH8p4wB8K8}VRU!iew&UkymxciZnu2J&Da>s);u=cr)4YN4!!d2 z`&5$;hJoTT%hc#&zC#}U!z-rId$8HTJNAa_=&EVfUgo0LVQ{Z1Hl(q!(L4Mk5=a{# z2=EL(k_;MmGVOQ)(Dv3k(LZXtY7c2+h5Z98Fh)AcGd3cRn|GN9ydpSkxzN;qr%$ta zGdp;uF;!y^?@`g(V#uTQysUwR2auOvHp?E?0BCM;jAR4~?fzilZP0EnvGV{{Q%CK> zA*ZIdZY#BHw%6TE!ppv%2VJqTu~F(Jcj!}SgvjGF+{d83S(YM!GNFL8Q&No6lRN=v zUBJ8&cQ!w-giL))NfaV;?B$d#Z8GKk`zf`vu}os1&D#DM-JRYWPgBFsFn-+~FLw~Mgj$ww_fuw&1Q&q@yV~#cC zdcw?N^9K4rR2&pDzqp-8{wonLV5U2mq~d#k1ksC`a}=r(PV+Q`50ypssgD7GJK;zB zL~hdr{8jSf`E9@32|os_>u17xW?wh>F?DN%yTJFdv~(LI2TGfu{Y_ME@;V)?o~}Fx zbJL~YaTA!EY6?>W14@`nBQCvAe2KhbVFrAWa@C}oDKcZTrIRL_(+k}{v^!M&@Gg>X zT{Axqc`3J2-kap;PSmkFweDdf(lwdYqIsm=dMb-u{~!n@Vr({7Dk=_)ksOLA;2X)|D^|M%Hl)ugr|=!YfVF1d>;dZ zuPylw%-;YAxjAbrL&t6JkU(^j3~&654zn!>v*jT(y}*K(_B>(HdPjQ&T;Sm8K*^vl zt9<;z+(MB*`HVxxCzO5=JB&HF6b%p%!wyffqJk{iu zU;=auSpxT!&5fwG>oUTv&a^h$@w|#5lN;s{FcNXo^w&FSL(x08PDMBUL2nE3e98SA zy0g^hFXQ2w2n_xhNObH1s}IR8g>x zSNrbKpX1rBHoj()WJ`4eXc}QPp}4IT=2$JR1-*HMU9 zc5vbu;(_0XWSM}IrD9%MtCHu|@K1Hpz_3QKt;=i@0q?|?7nt*F$KKQ5GI6yxv%t@U zD9Ml5^rN2ntCWbOdq8{^K%K=%NHkRIgbsM~DuW?DaYw*2JH$)eQ?%uFGJ zAM<49gk!_FrRTuce(t*F^``Is3T8m+upVWT1D{oY5vj8d&{-)iC`EPoZntRDR9lUxiZSI#_5Suj3U2ci{j+(chpL_7}qORWl zMS*<1TgJJ(>z*%bwc!Yz=riwjRHH-Bt*H-Y%qR4u>C(PqMZz)nh1YA=W7 zcJI6SkRqm_yVKs~W5!ZYN@n0;+4dh1>41>0X1U(ZU2lC6))xJG#}QV!HT~MFLK00~ zrs_`F)E%*47$?Y=ofjqe`G!jpq&$CXx!Y& z6#a%|)BY%#+T~JNVv{dIT8Fs6G{TPGdBnH=^)h5;2o>z)INX>d5j-^*$06aMy)wnC zj5(|x!ilhphdR1OJHNv7C+lxM4>)0Lm!@Fz7a=<{Jr5!byQ%Xy;B>gdzGPi~Ktxog z-FI%k3ChX&_;FFvn3y2(;Of;iuPWDn0Q;Zn_1w<67qiT_C7%@KDEFrf8aD%&g2_L% z!Z};a3%=6kpDN^o_;b_LhbN?86GSl6A=jR<<9kcOC3EDZ2tCNj1^9jrFMeezm;H8D zP<3Zs5wt|5j)9wXI4(n4M1wE72a|sI(%F6XtHe)6wR%LX?x%H&*?$0>`epUzt%S~K z-0{Zokxv;uMjuvccs0<^LfW&qL#q&~Y@}vlY_beNM~{4#Iq<4%Pa% zJI4`u7-u90l62l>a+Y=F&vW!@iA03OK{9|(;wNH=IGrRBGiy;>9)^Exl28D00VCe;<98%g&kW?vE95#`l)7SpmUcfS1hzs04(hL;{U7RtITT! znVlD*HcB&HP3ujoSxO=Q?8S?DLlzfFSMm|{DlxmU{7N^ZR-#cZIi+?g^k3S4@|Wlj z=BG5g5H7E3I#rb6R0ofoGfNlM?KQA2>6#heBN4jgI+NS>(f&Cqj{=W*i{*Q257VdC= zr`5k-3+vLGKF6%~kBp26a>gCL`)^L?=!6Y<;hIf&#{0|&{nGenB z#A5MGCx4h8=-dhjsH>|J{U1DZGYAN%#ngJ23jJ?92DRb=B+A48MtuAKGOGOl4btO| z66VlPOw&7yIf{MN|AF3tGr=T-e4K6M7&x*ux7sOP#i`wPae^6{d+u*9!d85CMy$XS zYZEn!OmKzd`}ZTaP}@%S>GJ0FmrRqG&sYT?SAQ>W>NW*ZAM3qfSlHOO|Ni|uXaKl7 z&h#@_$MnWM%Ig*Sg&;uhhSz z8_u*!Ud(VqNt_2xPLR#1giFE3l7t5^e$)9RWUG7}rrB`P)j`uZT_nURr^QceqP z(j$l&2Q@E#l((8>hVve*tgJ!Dj9vUkE5~J&A&kB(+q~J%RaRR&?A26$DK;kr%5q(UIYEg&d8q?wG$ z)O2b;Ei@3pA%0CLerE~D426}v5BIhlD;!%}m^pz)mB^CNr3}}Wm6ewjOq}h=%ptV0 z@ap0|dQnJ&j(6_F4^=;4DuuU*X^9m50~6_>HD%@3N?;VOelz!52-3MwiB<0vvh2tq_aS|9Ca-{f8`9NKVfA_TIn!os+|p z5Eo}pn_BJHC*>}W#*^L1t(nl8Y zG`iOGWZT`esC)R_spKd4Buhm*jn7mxJ;C5{(Z#{ZA}2A5C3hl?x&rrzWDUXfE|ZYBW4BmW z!GOOr3=qo6WMcX!VZF6Me*spu=wB}z8tQmWTy6OD=>xdit|jhBLX~y)&EKXVRG7xc z#W})sD2U%(UEf43cMQ?&enCHwP+VF61BTO;^}1}X&6s|fqIa)+3XTdY%v6R|aq1Dz zeMzK-dfD8Z=^x;_Lr7YA|JQhxS@2CGnEmna&oCYMksR6fGxM2)0vll&H55PI_aysc6-hXVJx)IK@r=Ba8lq48=F z{Cklq+FZ3~ZFlm6)U45!wJk)~xRs_fUrxubuJM}t48@3FOtraZV(H{@~!UkG~cf#8a zwRo!};H`C|H-RAZoNU%^pGkfW`%HMtYH75FtG}bGMspZ%;O)@Bz{Y~QxOioK!xPr_ z@A&pa96VY3MpOd7*mC+QKdZTHZMFfmHH=XT3UxsO3Kt2pbATDw4ht7R!g4yK!5yC_K%H6WLfz;@wzD4`*zy0zYlM}f}uAy6359ck9lLB z1cLRiyRx`5y@ci>&0NZJS^dob;a|C@8){kW4|nYDU0c4PyZ-1tVa$LyhQL?#$A<$& zq;`{|Te)?z?kY6ruv~r$vF!rqkHadB$bQ$C>UZLl^0Qi1cjs<)XWMsBZS)Enmsd&y z&M);_(y8vi6x(Nf`~v6>>_XkbLbeod)Le)aKQ zZdo>Bkz}1Y&y&P4_y@)e5jy7nIe^eohsi1G73k{N2mHbYs*iTQ5Y}rQ-)9hV{+v9~ zAS6soS0wuRb6zN2dPv-IX|4obdk=!4U7|h$0ah5hCs^(iPW^E&{8zsJ2xVKY)zHYs zq?t&UE&OdFQ{F-;zieReP&UVHriP}(X#w(NAtoio4&HJwYOZ4~T&Z@Lfb+PHu=(LX zNq9(%VbaE4#5{EEdisBX%m0V5+2Z&AMBU>lhOtRW?!hwNaemwyarnOMt|TWXSBC3t z+(CdQ+=~?0b*C#?s1MP42x?rzc_hc>|8dQ#8@vLmE=~uOqN9xD)6m#Bhuc7d>LWz0 z2T;VlTu$&v{uGm_e}$+necaZc2+ue ztO2fzsRrc=qKCb`J!fGIu252 zgo{8PkX=;56%9v%V*%VT7O*Y&6PS$jf)ssG#IVqn%#w8bkom(Y91)@dWX3uq+}1z|J;?yRuIFg2i$G{#Qb8!Ods5X$dD7_;Ac#{8aPi^#}{8K)NM+ z_7Ek?PSQ21--yBwg@qcawz>$nDR6B4A-3*-1!hQfEXsF^QLxxjPekmJ2$9{<#26In z0}{p#lh$lglEqi@(Tn0wImeuQIVMU1##ekY&N$|{hh*(^#pVVUi%qn+a%IE>Mz!&! zOLK@8Kbn&d*PtmqM`j{oQx_qC^qmrH~iopq1dLl6V=G5H+1i6IhGHQxUNs=pf0&^p556Tqinnj~ zoDSwpY~MZ{c!u&S3H9D>a)=SAxVZpg!2mn!inIV{jf@z28(d)@V{v*i6(+|M{KeXL zsfiOVMr3knO3v7@6aV}7?-6662C5q%mm3)Pt=3p_00!-zR=(Iz+9~CP9QOE$)1>w{ z#^SO5<8NXm(N+01Vpd%+-R$`f-AUg14D}E)&P5!WIz*0xQ4PwZ>LhN_gr#xW8U97P5(;3!eJOER$2jN?ZVBS#rqz8>2s#zCBKAAeRZ) zniazdni<^abHU?ggbqH_h<_$_X?0+ebL0%td+6v_9Xe&JYzToh?AYRs`aG=kt6&lvHYV->+rv%a7dmk{9!qU!c?hs_aPa312a z+T-+biCn=+m0#*oua76sPcb^z%OIaFEVGgr3k>&ZbR6-!yLI;ys*zj;X#cmweFCq2m zD^c>>$3EMDh`8w0rh}>Gq%lh40_D|i)6$q}50gG83EWG&t zr)+_S78Vu`&3c=qWviT$EoHNZR#(lnM>SsEJyBL39`=Sr`h_l>u-4b7hAsnsi+NeN zx*m`vSEMn#&HLHh+#X_PULTm{trs{9LIZsAI0*tQB8?$rI6dL=o<_9L0qTTYY?<%% z&P?kjp0-}z-H^wRv!kN+Lr|H;1&YKUJ#pd$DB5iKw{NgSL^sXCC} zkf3Y@*Qd*P+Z#0>4#vhd-*9q9pIUES% z-XXYUtvS&(?OMhxu2BqyafJSbp5nYGuOU|1N5=TJ##woJ`D(~~{5F@}-Q!S!A{o)w zhFXFQ%~_Ksu9P2E}+E6J0o>8GRuPo;G&f}bvtTHstYRCn~s>g{5q@$r=g(+~~dBCXJg1W1uwC{WV@l+)giq2FF>{1>4u@{gA4)}xH+$IZ?tKsbLmdg4d* z;Z10Le}yEIqlgTg1kcZk3lP1EwfJ5V6apQaa=!}>CtOE+P27~x@+KBo39w39@6W1D znp;@gKUXmGc2aF4_9HbYyOWwEc<`r>>we43Shv4SKQl&o@R&RINDR)V6qjvmW&VhTt{gs+DSb$5_LF=crhj97wS=g9z^sH8>E9E7BiC$~ zoTWVE_L24sIP(giU&eViC>1Pa&6~=+d-u+xB9Lcghr``dn>Z)mq}m_OT+=FlcAsb8 zrR82)E@Ia%r>WV!-gbAy2KP`!rU1e{x}=Jcg_NnG4s|EugbWz)h=Gh3aEfqG?=(eY zAvvCWubN1<*w1RRhSHj&HgV8_GBkWAExJNF&#LrJR{RL9VyHS;i+={`(Ae!FypCfs z6{G&QVR2#wDh&$Fqtn`_`-5$DZ`7W>8ctQx=5*(&o`w1&bWl#cnw zsHJT>E|4oSVwQO<5-4;~bB?XPXs->6o>2DX%T+44tA4;C(=yQGqY^7ydGKM&$`*PW zf@FQizW5;+a3sdYci4(LSm_Vie~e~wb@2eD)UJsa(dXiRBcDl=XbakvnAJtpp@(h(&<`v%ILCX=b8+r74j;!+DI2OejI!e>} zhH|nKe0o6p=xA4~Tg$B(AwE}Obd=lgNy0W<({EU;y*=`^Rj0uQeynYRlJnNFYw38i z1_D|lMNnXrMYvsy+{YEOETXXfqbc{inVI_sP4>Q?JVDN%ij#X}spx0ZMc?7y6kMof z3!WZp6Z=!|ab==q$ukc~t2J%l(ACBG$>sdMXkJTW<;7oJv{YYTiCAWe8_m_bF zRjNS(*r`*e1ZAtmw(`>#u6FbCxizvA;RCjOKg1iGUtu@sA0m}v82j|;jp|2&JY0vM z--_{{8%nLI6@P}aZU4b$(!Y9B|HjKGsNUNkPg4l=tb-?SEnQ|u#Jd&OLl9Te)$Lz5 zzjm#-BE>Mc2SU9gh;I2W$Qw0S+uK*-Gw?y47%HZe4NE>~huI!yY93OT05itHcb*5d z&St*uU1nxJuUT)Pd~<`OcWzgfA^{ErV%J82D}%0e0;(N`K>9;AlJX3Nb#A(s&Bv^> z^fo=9P<2-xz41;lX%~%z5lsp1rv;NoAR0ectwlGam#{;`^5mMnYL<@q( zexaJDy=a6goBL&Twn4cs87WlbOAmru|PkGnOaY|49s zipa3P!vGs|JAhx<+vCe5_^4~(+-L?NCZUT1_XdEC_08@O$J_wemQ@ofUg9KeB;yqo zx(PN-37F*;vj@dGASTuW`yoReBaq1=nTo4DxBQ({m=7u{Pf90oeKAC`&Mb6j-|CG^we=QC)xndn1wu8FoUt2ywY4-N^y)MA^tQY2?rIpfdT5 zjh9HX^$MYh74jQ>{RQ2>p&9>#te4GJU^J z`t6oe(}C*snM#U$ogOWG7zrq(sk~Swi^YJyG(B8G93MV6UF^lawZ6LO!{w zXD(RK_@y(8CyoNUX7pmT`Y#@aQ$Hs=`=^3ZaJwZov{v-qCrbiyXKa=!1%0#8>*&o9;_*=qfPF-X&nH*3wc&EtM zF;Wqij{=(=mXq|IFC%%a-v7s!f;)4}Emb1}NjqfzBOdl& zlTT^G&erdH8)R+`v(6Y9ts1jyeV2dvR_`~_e}ZA!&4hulQJ>%A0|14YU%fiEeR(Ty zgeAM5NzH^?4KRN`&q&&@!5n!hJNZgY;)M$rP~UI8$scy>riomHl|SD_jw`bA35u(C mVQW_AdXF_CjlqU2-&o0b?ByJgLhn5w76hbs2t_)f2STrp6p@|~ zsubw~A+*o~XLz3Towd$;&iVDO_d7qh$;_IW`?|}u_rCT_@Jmf)S{fD_5C}x8s-mb3 z0#RNEfhcZVJa=}6uD=TSN8zHa{0vmm$3_4S&cmK+JOzQuBQ77mq5_UDIjR`CfIv4~ z&;BT;-g0_^Ks?*3icfVt&DJJOW7zS2#LY%?c|lj7brY8;8~xtP5>41ip6LSKPF3V+ zxkz}-42>YK0x}@XHX3Us?^^{+O0iPKEyDWRkJH zN?J98X?PGDcYB5rEPh}y46GP`iWr@=DLx@mhe;&}nyvtWWq_B|z0ZR{@_f!*AW(qJ z|D$afTvSg@5V{E#Py1s=PV44%_4h>cpDs+K9*u--DcDR3HB5R5pPzO`ABEksY7tYe zSL6PGaHPA3;@vloaBtS9I_;HC^-BW+`+lO=PmUG_X`UcOTtQHeM@o9?THPd9~H2 z-?iDf=F0x==6dy%Q1|JE{n9Q@=^*K9$c(bTaV$}Cg6z!T`+ajA1Kj{OP1K5=Fa0>9 z{A{BUR_}kLd23^mUdqSnAU(p>UJe?Yep+@Bu`jOVHC?;TR5(LSA8_O8uG6l6wsHB6 zr~k#KQPmAYq?=4bhSmdC zk9J}l#rDz!c9#Q)MMUmupoc#er7r~7@|9J(w`l~Korfw6lrCYP(k;YSk zrhGC98N#h!Y=vAMgbXdQmx)Y3`WRqc6w}7j5ceQ8e~U7Nv(80?lOK5S%1i(!-7v(A zmql!1XPx^umUvZv`%@KSi@buhnd;t+A?mfV@K}QlFD0A|w;pzh+}YnHk>@9%W$WjB zzTaLv~|9dV;% zF%+1&pJYzhq_D9D-LPziUy^%CMZDbVae}_$nJKVe%ey~i&e-Y! zZG}`*fsLuA=>v%+f$7$lhZ#+#SOfh{s7f2gZXCa1Xy877I!}5m-``GQy)g&fU=IqJ zIYP}ajR(5PnKlWW2fw6h9%3xwTi6n~v;U2EA3P1egs9;q(zSLw#8U7Uwp+DJNSF%m z#sodVLR{x*rcBOugFMTx!t`Y$iQBZ{WW^D!)+B_sX@(J4tDX`&V@6i=ag}FbI|>fh zYqeZHTXK~TtK{suoe!j#%p&Euqdj`N-UW>vdfCg=J49|NZkpi(C;3xEW<~J~Es5S# z=j`mt9U47{zt1-1%?y(0!`P{p`6d7E@19mG%MoB$WwAcKY(ktaD>}b zuA8VU@`ARqu5j0NOIrZ99=B2yliL>hn;-K@;=;JyYODb4v}lM8ddSMd_x+Y#-w+x5 z$|@thad$b&<+Smr<)Dy5qVT!?9{JCA4P9{cwn5e5d|`7aeq`#XMh|LKSBv^tet2NY zZCq&Hu1abE;Kiu)ol=wysT8q@y2o0KI(<{fYg_4kGRuuw zaf>L&LJ?}IQqK*aTRd*VyKaup=+?ti zT0$+0_3#_NOrQ$}c$qOH{3BaE(lY$C%RTY`(yv(IPled9d?(MW-Xtj@^HI{c5_=^V z6O{C8M1GA4?=zNBt$?6;!tOU(uXsej(O zW_8cXN&@KocTS zN5Us^^aGuz`-k-a^81laT&x;<8&9kECu+>en@Q-j<%)O1BrkX&?BvLwy!d(>zVpo*+D|C*Wj0rczH_JBh0}Z~ z<2~Me*_9S2#>(Q}k$!2(EEpB*7-x+ow$r0<9XKaxZ1fjBK}Z$>N=R^y=r{Ax_4F(jrhW$xTJR<#uwP!PxtR4ujR0z|9>U6C}aylmG-B@iMFZK%q1cer!%?lRm~_Q|dJ z0x#*4!RJ_++<06z=WoJ6)!Uq6VYw%qsB^B7@LR{h5@^zWzNxT7t)~LTokh?g=KgPO zkJj4N{NCR;RZ1v@Y|)xn_n9Bhcj^0!OHae<7MHhJ+s$*ADkL+WS1U};`-!_IK?u%LbQt+}lS`5U~w z#ww4l4(8)l3}lG{SPnEf;`YcWXQZ5Vf9U37nFOH+)^-w;uoiZP)NGas&E2Hd5FHd zxQRNn7`iBbOk4~hikRwLS^6Dz55~&}x`FUf*qby6_foA>ah2A^SL1<+rwQG&9$Yhr zGWbgG70c@RCEy!nOxxj`vy7amy>+w;*Yu1M71Yn7X}X@jG2E^tk83KSo6vzn>qlJr z$N~+6jUKku6oJ@{eGe(+u9r@DM?+s4&AFG3%Dk2Ryr2~DBr#V{uoE?cMYyfazG^!M zN=ZU?rT3bWS`4RP=d|m}bE@TG%yrcDsCo;N`xw?YrAj<71`H=AZ;xmM{p1PK5-^L! z<+u9`t$~}C=4I<_g^S!H|A~aqge|KC;MWFBppTLhu9NqMqjCuoeK`RHgZhiS02 z)LpWr>mwtSf*Z6_)ZW}%_PWFH!dqy zxWSdtG5u64JaZz=-`8UYW-Qq0lNaB?`X*h8$D!Hl$kn&OKMy)-A4gI7mO*$5xpBZM z z_Q*}MQJB`xJ>9iuuXtDKijT_284BDn68y!7pVtIdJBgC`+1@>8I}=rfG2I1WGt(69 z00gj;wn>@XC$+b7Jy2gb9h9c`$6?cZ;}}5i*Nf_^ z4^EP?z1nMiBCgV|&^=pj`c1?bOzTCcujO#WdQ%gLR~wp;0%ec3Z-H;x)!(`%=Fs2N zYLhn=h$1kRkgGxvzec@nGbd@ch8lztF!oo}x-LGsw@8YZ-Q&pqC_YXHQV=++&P5)X6pI=MY-y2W}*ni883A;_wS7RaBeSM07xmZ zcW4@Ri2Y6JfS3o1W>j`1;bL{k!%X<6s7{OYfu0K#9_4-y?m7Pwe$`p@~CG(rMU*$P{Y(pxN>`NoEA^qqt5CeVQDNOL6pAS<6V;UW3Tp&i^1!=T zRG|iM7P8c`7Q^Lgzd~t$%Rw1Tpk6LeyE4qmEz5smh%qT#x$?CRmBo^aIvHz5g^w6P zIUS+0URhAmff1Cl%pa;?tpE*MHTrv?Vss8|lDKZBli9edZZ(HvfIuK;FPwT8@)P~% zGQB5ygMJ1mj|ZBU1akT|UTnh9ASwm++r_)L$bgjQ-7h!Coadu-^D@8Kw4Gqp5@Xle z4{hB$L0@btq(RgP?2qy8r(N^)U^rGcE~}c^n!0v8$LqP!8*jm$((UtX17apbxnsf> zc>!!jHSLstv8j{>@lC*B3AZruY=aWIp=Q@wr!6>rBajmnc)DF2KND2AwSKMP`1!32 zw2_J4*AF-bOR(3wdt^oBk~4{!%1OQa^&c?_GyYplDpSD@Ro&jh$%<=$TJ<5(uMGmi z@(;I^5tTzp`rpcP9S?CmVUN53s7{+a3sYt4E5ncwGzWBj8d52i02CwK?2mvdpu$n! z20W*J-Y%hqrd&|6Ovev)&A-Hmw{MSS(lfs4ucm1@4 z_5~A{%6ivK{!@~4>QNuV!ouw7n`O3#nonVS1?y1gMl;76qLk(&#Y1ZE^H~k*!g+JS zSkvv4F!|VGlf2$HXLXY%VNRTdVq71M6MgtOF|a>+f~gKoHW-ZYPA(v$Z1Jd^iq zWA2V8F=<_&E`efNuH+t1w^Y>xglPdL_b`x?Y^T+$;l8%7SaYIcN7fzGZZoB-9bg8U%l=G=@!6)A>%R!mO2 zqF~@LCPDJ|)uZ6F1j;S)ysJ|Oo1>jE*vqvHffhdxmQy^djY^0><(o6@Q#G1J*;LV# z{)UN~6t-)Sg=cnZiz+Sv2htmBw^~Weu z*11=#JwDFliBCZgMkIQY7xkYa5>T#>kYZfc$co$B>(_iOzWlxWz-&e74Z5Q6D#GMh zyqqO(ZNLWzH-Z?^E;s#SVJ+Ye6f5k+IOw<5UH(I>zrE=wW_;A;hR+!xKUm|2e4MF2 z1dISeI-UM@xg&vSHVru`uG=x^%t+_gYpt8eCC{IJR6C6U3TMY#i4>Z(hA>tyd{1H(|4#ZZcI~K*#4Us0iCvj=xP|{o1b; zG|$YrCN^R+x0_spQ!##LpY3joA*0&4Wn>#fx$GRO_9fwYyd!FJ)0qux{ zM~#*YKY5u^xlSo1OxVfs95Zt1>5{sA@bhGm9Lgt+5#BFD3t5Ox)+Y1D4&Ij|_IwzS zv=Y@Dv9o?TM{b%k%&Ov6jda>;B^}6n9C2RV)|N6=Mv@^1iiYN;wNF*k9kySl6n-3i zOo8z{o;A(u)SJldSND!LVRR5FSxv3u-@MYflxVM58EOV$i-~S>3~>$aO6uSarNoU4$u0*yvm|44E*Cf%L>40Rm)U>ZRej;$}PzD=m3`%=B; z+MMP%G^<3&EgE^+0d1pZtah;98G0j}o*$Q$2#F<;l36QjJizhAPhA+G?cANd7ua~< zsu8`A=BlwBz$BUcl;F+4(8jvA9nwGeDw^X;E{&v)@P%Uu9;dR}jLz}%^Vf3JanNqi62Hv=Kdse zq_7I4#qaQYML}|NmO9mNw1<+11+{}AV!~EGl0p!YV^d>NqdUtKi{Ikna}0`;YhMRk z9#0m}?_{RW`Oe&O8!j2sJbcY17lXkJ_~TG@LJv&764 z=cXRCz0{wOqn02?-ocHS`#FInU~*`St<770_38of`a36U>PexaOO5~Ez>$>1;$ z6KIJYqiu_I zZ!}Z80)xYSj?d!H`a~B*kHxNj;rb|${z!FDhulpHR-sO5)5;!XrZ#3%=_Ry;{z?ot zknKo($i4=8(rb-d&`8Xdw2+<0n?2Y4U@Eg~Q}{)%pqDp1I4Nixhmw%zizg}C>0noH z+hCzRN2H-QP9bXDQQ>8~ndR{co*$z6qp$Y+Y_`@z-CEwrL`}_$JpRu{HPDbKLh#QI$CphaKt76S$&(tiwh!)Q@U40215bmU9wBbq| zcrOQ6P{l&lWS2#erpw>~8Rxk~w>XN67PyeE{}mz=6JXe$&-RG!oB=A;0EwCL*9A9v~H!ItLO4vHb^aDlv!0Gion%b1@1q2`hYG7_T>rA{`+K82w=;)mZaLX+1(Wm@gJv*slczkw=hP%&a>v;1~&-HE8 zD0Z-H{2cEP_2TTVxp3drYPSq)=a-fh?4T#8#23fiBq!e8$trUgc$4+YY{3BWPB7Qg z-e?-fukm$K=44CpI0m9eF+8~fWxQiBOn>t7Hlkyxe-W8~Ns``i%&V*o(r*mD7Qva| zlW{=rWlbmQ|0GX2!bC2G^3j!EZk+@X)otk+Va^-e&}52KhJ!gt=p2*GWTqk3{AOHD z-A|*~K9v2Sr6FYBMcyuNRFU)vml$Fv3d0I7dtyx~^EWMmKaA)+WqZNl$`TB}{;7ba zGu8dq!a|1j1IQO|T}i+9%cX*J9m@py&%mY>x?}u2~nN%v+X)*`qP< z7oFMSIDQaDsUOM8?7Gzpt-fa!i|_WHNsz~MYz`o}<3%Xs!}5NZC57QK(B~{J^I)Sg zim0t{hmx(^^2JUvA&rL#tDr|u=ha){tc8!GZUbg%z|%7;$Y@?2lzS1-@dZl%23(#2 zAMl2~B|FZm%kg=NNF(q9{=W_Q&LDLvE?R`4Kc?YYq8NZrLq8^){Co_l1G;!bf;X4w z0Z_zg>g(%wALgj}?EWdx2)D7ZfhVP;@U1EgxMvrE60e_4gL0DUS8%$4fx&=gLPEmX z#mS7JS*qc0tgMvq?d|PoxsT)V6g}sGSMRv2p8Fl?kcY-t%{a;0mFigaifq<6fdW)d z7ygxJw-r^(*W0jjk7R$Uzdk-tTyv@3kB{a^h>!oZ?2&epfWj6X9C%@VgtJS(hChI7 zIo2J1QwU;fu$y?Y1e>)0;nXShL_S<7;z;2f+e@Mr)nB$s1n=#&jL2j-BVi^FC@IS% z+Z*P9gpA>q^UvubgwrGwhB)FAk|Mk52JYr4^7+& zU7*<)o2a3DczZkG1{Z`UnYuyuAbuRGm$k(mhhZ;{Mugn}UC8Tt^IB3zD#1ErNbNbp zPX2QZe*|Qz!pv8P7qHB8%#?J8b(hheuSxOkg`tI@T)ji>7szLluoduCPr1#nQQBpC zgU2%(Vw4~Y`D6vIc##7?=f;Oa$IMHQA4u`qxNl!s){jiPg}*V(SMZ?eP`x`7ZS?cS zfGx$NPjE}a*J`I;EtWF5Iy|M!_b4n}LcH1liV5>dnV7`t+pEJr z_a`0CVu0n-!<7Hoi~sdlrEk82rCBC43It4$%o$>hJ=+hZO#Tro8K?2vMGE3i*o)EC zu$1xX06DZ-ZBqO4;lVYbBDugY;>~!h^E;|Tj{|>Z)t}1DbY+jgTxP3F4s7XKa;@o- z-t^5wX79fR&pO;wJ$@ElBTQb;YZH=vrs*CD~IaBP;4|9C%_)z>?Fo2^QFt6NrQP>T; zf!1U*uk=facZ8wXM|-xBe?R6YBEnE~15;uy*N#syrhN23v{Fn4C;qZ6toP_B`vQ7b zx(j&;_)0`YIS|betI@?-&uFFA+p+m@cg4Jf5(N611b)8cclPB-(!cK({QpmPy}l$m z4w?KVOl76+FhvhP?HgJc?FyO>WGUW-EEwJMPVjhk|IG9Ta+O~H4e!aqp#;Mbouo!( zU7e9&J=>3@009L`!|zGROD*Ra3`6~E_t!m2LK`X zOpGqc2VVk@qG|sOnsFYuFJdYgd=RFQlxAe^<;_M-26 z4;$_1@Nc5~)wNHbsN&+D6rhwNoFY5~LRvQ$=s_lo$p&0Vk(^%~=J((~b>`A!eSYOL zVn)m)q&h^3-g!gu+gv~xE=EDk*^)8NJaKa)oO8%B%T79sjZ$$5nw4V4dGLw|AkuVR z=?dm!*@GRpYL!ZPOv5VU@9CI@A}=K>_5K#(AoL|2$5%WQb`Cv=iyJ2y_&8C4zVj`z zpE~;?L;UteOPf1yV~_<&ATKU_s1}u?k!h&zJ5#C_Q5!mcRTnNpQ&Up|1IN!d&0ieI z@?s)ID40LJe!caN#+*RNZmRYK4J}`t95P6uA%|2PoWuZ^h~&BLt0jxHtIAV}@hUju z(|f%%XDTE?38{6tqnHYlr?kiLMbp2TBO#I(rh2MyRIitj|^&wI!6IFH$t7 zVm6f$MP=S19PShJ~@~a;fSOvWu z3(qLp5%atcy5ayZOSUWQM#>dB(#wg3m>oQ(tmy)O1$uB5~D&l|P75DvSsZzThsONT=d4zYE zE5k8Mmw=#6q78?Esi|Gq`G6=a5=c}W5QVP>PhZgSgFIQE-Ta~ht-^;LL~yXqLrgu5 zMXt5PQCzfjwoL;c6ubIR04wuS@SWnh78PI+CCCDajL-Y)Q6F%OcK{f=LAzwcH7`76 z>re%1S-y#j1n>sYi?l`{%yi!HHs#Eh3J0@H-sLU)guFD$B8s$0ifrx}`rod`Agu+D z3GWl{=NykAImqo?fU2#!PrD>azXfy26kflTVFH-J77e0H>iT{2Z9lfNfZ+=A^XL1y zxj_rC$HxsnySuwXHa%L}C1c`wdAOl}D?hA#u#s604+W^Xu*6F~?#X z1{(J!&sjVd_#_@}V>uS)^dn_jyg)2GXjl6889AB!4spHzaP{d}<%wDk;%d&Y1V_6W zx!VmOCE@KQrG|dM%YL*Cyu$>6w*H+K5TK^OGZHJ$zAJm@lB*9S9#?UX+GmmRvoI`d r0DuR9e%$*%+N0C6${ggq;(EflePYHe+VkBXI0mUIX)2aHvk3ejDV@d2 From 6ab9f954d99e1fd29d766b3b61cee2c762c56e42 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Thu, 9 May 2019 16:29:52 -0700 Subject: [PATCH 132/149] Removed ADMXBacked info for 19H1 policies --- .../policy-configuration-service-provider.md | 24 ++-- .../client-management/mdm/policy-csp-power.md | 132 ++++-------------- 2 files changed, 36 insertions(+), 120 deletions(-) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index a565731cbb..f1fdf56518 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -4117,24 +4117,12 @@ The following diagram shows the Policy configuration service provider in tree fo - [Power/AllowStandbyWhenSleepingPluggedIn](./policy-csp-power.md#power-allowstandbywhensleepingpluggedin) - [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery) - [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin) -- [Power/EnergySaverBatteryThresholdOnBattery](./policy-csp-power.md#power-energysaverbatterythresholdonbattery) -- [Power/EnergySaverBatteryThresholdPluggedIn](./policy-csp-power.md#power-energysaverbatterythresholdpluggedin) - [Power/HibernateTimeoutOnBattery](./policy-csp-power.md#power-hibernatetimeoutonbattery) - [Power/HibernateTimeoutPluggedIn](./policy-csp-power.md#power-hibernatetimeoutpluggedin) - [Power/RequirePasswordWhenComputerWakesOnBattery](./policy-csp-power.md#power-requirepasswordwhencomputerwakesonbattery) - [Power/RequirePasswordWhenComputerWakesPluggedIn](./policy-csp-power.md#power-requirepasswordwhencomputerwakespluggedin) -- [Power/SelectLidCloseActionOnBattery](./policy-csp-power.md#power-selectlidcloseactiononbattery) -- [Power/SelectLidCloseActionPluggedIn](./policy-csp-power.md#power-selectlidcloseactionpluggedin) -- [Power/SelectPowerButtonActionOnBattery](./policy-csp-power.md#power-selectpowerbuttonactiononbattery) -- [Power/SelectPowerButtonActionPluggedIn](./policy-csp-power.md#power-selectpowerbuttonactionpluggedin) -- [Power/SelectSleepButtonActionOnBattery](./policy-csp-power.md#power-selectsleepbuttonactiononbattery) -- [Power/SelectSleepButtonActionPluggedIn](./policy-csp-power.md#power-selectsleepbuttonactionpluggedin) - [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#power-standbytimeoutonbattery) - [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#power-standbytimeoutpluggedin) -- [Power/TurnOffHybridSleepOnBattery](./policy-csp-power.md#power-turnoffhybridsleeponbattery) -- [Power/TurnOffHybridSleepPluggedIn](./policy-csp-power.md#power-turnoffhybridsleeppluggedin) -- [Power/UnattendedSleepTimeoutOnBattery](./policy-csp-power.md#power-unattendedsleeptimeoutonbattery) -- [Power/UnattendedSleepTimeoutPluggedIn](./policy-csp-power.md#power-unattendedsleeptimeoutpluggedin) - [Printers/PointAndPrintRestrictions](./policy-csp-printers.md#printers-pointandprintrestrictions) - [Printers/PointAndPrintRestrictions_User](./policy-csp-printers.md#printers-pointandprintrestrictions-user) - [Printers/PublishPrinters](./policy-csp-printers.md#printers-publishprinters) @@ -4759,12 +4747,24 @@ The following diagram shows the Policy configuration service provider in tree fo - [Power/AllowStandbyWhenSleepingPluggedIn](./policy-csp-power.md#power-allowstandbywhensleepingpluggedin) - [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery) - [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin) +- [Power/EnergySaverBatteryThresholdOnBattery](./policy-csp-power.md#power-energysaverbatterythresholdonbattery) +- [Power/EnergySaverBatteryThresholdPluggedIn](./policy-csp-power.md#power-energysaverbatterythresholdpluggedin) - [Power/HibernateTimeoutOnBattery](./policy-csp-power.md#power-hibernatetimeoutonbattery) - [Power/HibernateTimeoutPluggedIn](./policy-csp-power.md#power-hibernatetimeoutpluggedin) - [Power/RequirePasswordWhenComputerWakesOnBattery](./policy-csp-power.md#power-requirepasswordwhencomputerwakesonbattery) - [Power/RequirePasswordWhenComputerWakesPluggedIn](./policy-csp-power.md#power-requirepasswordwhencomputerwakespluggedin) +- [Power/SelectLidCloseActionOnBattery](./policy-csp-power.md#power-selectlidcloseactiononbattery) +- [Power/SelectLidCloseActionPluggedIn](./policy-csp-power.md#power-selectlidcloseactionpluggedin) +- [Power/SelectPowerButtonActionOnBattery](./policy-csp-power.md#power-selectpowerbuttonactiononbattery) +- [Power/SelectPowerButtonActionPluggedIn](./policy-csp-power.md#power-selectpowerbuttonactionpluggedin) +- [Power/SelectSleepButtonActionOnBattery](./policy-csp-power.md#power-selectsleepbuttonactiononbattery) +- [Power/SelectSleepButtonActionPluggedIn](./policy-csp-power.md#power-selectsleepbuttonactionpluggedin) - [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#power-standbytimeoutonbattery) - [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#power-standbytimeoutpluggedin) +- [Power/TurnOffHybridSleepOnBattery](./policy-csp-power.md#power-turnoffhybridsleeponbattery) +- [Power/TurnOffHybridSleepPluggedIn](./policy-csp-power.md#power-turnoffhybridsleeppluggedin) +- [Power/UnattendedSleepTimeoutOnBattery](./policy-csp-power.md#power-unattendedsleeptimeoutonbattery) +- [Power/UnattendedSleepTimeoutPluggedIn](./policy-csp-power.md#power-unattendedsleeptimeoutpluggedin) - [Printers/PointAndPrintRestrictions](./policy-csp-printers.md#printers-pointandprintrestrictions) - [Printers/PointAndPrintRestrictions_User](./policy-csp-printers.md#printers-pointandprintrestrictions-user) - [Printers/PublishPrinters](./policy-csp-printers.md#printers-publishprinters) diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md index c1696a003a..3b9db5c095 100644 --- a/windows/client-management/mdm/policy-csp-power.md +++ b/windows/client-management/mdm/policy-csp-power.md @@ -388,14 +388,7 @@ If you disable or do not configure this policy setting, users control this setti -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - + ADMX Info: - GP English name: *Energy Saver Battery Threshold (on battery)* - GP name: *EsBattThresholdDC* @@ -403,7 +396,7 @@ ADMX Info: - GP path: *System/Power Management/Energy Saver Settings* - GP ADMX file name: *power.admx* - + Supported values: 0-100. The default is 70. @@ -461,14 +454,7 @@ If you disable or do not configure this policy setting, users control this setti -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - + ADMX Info: - GP English name: *Energy Saver Battery Threshold (plugged in)* - GP name: *EsBattThresholdAC* @@ -476,7 +462,7 @@ ADMX Info: - GP path: *System/Power Management/Energy Saver Settings* - GP ADMX file name: *power.admx* - + Supported values: 0-100. The default is 70. @@ -786,14 +772,7 @@ If you disable this policy setting or do not configure it, users can see and cha -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - + ADMX Info: - GP English name: *Select the lid switch action (on battery)* - GP name: *DCSystemLidAction_2* @@ -801,7 +780,7 @@ ADMX Info: - GP path: *System/Power Management/Button Settings* - GP ADMX file name: *power.admx* - + The following are the supported lid close switch actions (on battery): @@ -865,14 +844,7 @@ If you disable this policy setting or do not configure it, users can see and cha -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - + ADMX Info: - GP English name: *Select the lid switch action (plugged in)* - GP name: *ACSystemLidAction_2* @@ -880,7 +852,7 @@ ADMX Info: - GP path: *System/Power Management/Button Settings* - GP ADMX file name: *power.admx* - + The following are the supported lid close switch actions (plugged in): @@ -944,14 +916,7 @@ If you disable this policy setting or do not configure it, users can see and cha -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - + ADMX Info: - GP English name: *Select the Power button action (on battery)* - GP name: *DCPowerButtonAction_2* @@ -959,7 +924,7 @@ ADMX Info: - GP path: *System/Power Management/Button Settings* - GP ADMX file name: *power.admx* - + The following are the supported Power button actions (on battery): @@ -1023,14 +988,7 @@ If you disable this policy setting or do not configure it, users can see and cha -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - + ADMX Info: - GP English name: *Select the Power button action (plugged in)* - GP name: *ACPowerButtonAction_2* @@ -1038,7 +996,7 @@ ADMX Info: - GP path: *System/Power Management/Button Settings* - GP ADMX file name: *power.admx* - + The following are the supported Power button actions (plugged in): @@ -1102,14 +1060,7 @@ If you disable this policy setting or do not configure it, users can see and cha -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - + ADMX Info: - GP English name: *Select the Sleep button action (on battery)* - GP name: *DCSleepButtonAction_2* @@ -1117,7 +1068,7 @@ ADMX Info: - GP path: *System/Power Management/Button Settings* - GP ADMX file name: *power.admx* - + The following are the supported Sleep button actions (on battery): @@ -1181,14 +1132,7 @@ If you disable this policy setting or do not configure it, users can see and cha -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - + ADMX Info: - GP English name: *Select the Sleep button action (plugged in)* - GP name: *ACSleepButtonAction_2* @@ -1196,7 +1140,7 @@ ADMX Info: - GP path: *System/Power Management/Button Settings* - GP ADMX file name: *power.admx* - + The following are the supported Sleep button actions (plugged in): @@ -1388,21 +1332,14 @@ If you set this policy setting to 1 or do not configure this policy setting, use -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - + ADMX Info: - GP English name: *Turn off hybrid sleep (on battery)* - GP name: *DCStandbyWithHiberfileEnable_2* - GP path: *System/Power Management/Sleep Settings* - GP ADMX file name: *power.admx* - + The following are the supported values for Hybrid sleep (on battery): @@ -1464,21 +1401,14 @@ If you set this policy setting to 1 or do not configure this policy setting, use -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - + ADMX Info: - GP English name: *Turn off hybrid sleep (plugged in)* - GP name: *ACStandbyWithHiberfileEnable_2* - GP path: *System/Power Management/Sleep Settings* - GP ADMX file name: *power.admx* - + The following are the supported values for Hybrid sleep (plugged in): @@ -1542,14 +1472,7 @@ If the user has configured a slide show to run on the lock screen when the machi -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - + ADMX Info: - GP English name: *Specify the unattended sleep timeout (on battery)* - GP name: *UnattendedSleepTimeOutDC* @@ -1557,7 +1480,7 @@ ADMX Info: - GP path: *System/Power Management/Sleep Settings* - GP ADMX file name: *power.admx* - + Default value for unattended sleep timeout (on battery): 300 @@ -1618,14 +1541,7 @@ If the user has configured a slide show to run on the lock screen when the machi -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - + ADMX Info: - GP English name: *Specify the unattended sleep timeout (plugged in)* - GP name: *UnattendedSleepTimeOutAC* @@ -1633,7 +1549,7 @@ ADMX Info: - GP path: *System/Power Management/Sleep Settings* - GP ADMX file name: *power.admx* - + Default value for unattended sleep timeout (plugged in): 300 From a7086db799558a3b86cff93e138e713d42f0c09c Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Thu, 9 May 2019 17:00:55 -0700 Subject: [PATCH 133/149] Removed extra space --- .../mdm/policy-configuration-service-provider.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index f1fdf56518..3be2804a24 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -2420,7 +2420,7 @@ The following diagram shows the Policy configuration service provider in tree fo
Power/EnergySaverBatteryThresholdPluggedIn -
+
Power/HibernateTimeoutOnBattery
@@ -2456,7 +2456,7 @@ The following diagram shows the Policy configuration service provider in tree fo
Power/SelectSleepButtonActionPluggedIn -
+
Power/StandbyTimeoutOnBattery
From 6653d97f9ae5f5ca2e94c156457315c02e68d0d9 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 10 May 2019 07:29:41 -0700 Subject: [PATCH 134/149] new image --- .../wip-azure-advanced-settings-optional.png | Bin 43333 -> 44501 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-optional.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-optional.png index 785925efdf7d8f2daf549c90c5ff84fb6f2750c9..e0072bbc2fada185f186710d991255065da8f02d 100644 GIT binary patch literal 44501 zcmd43Rali>*gq)U-QC?G9n#(14HDAbNJ+PJN{G@S-QA^>bR!7T4YPQ^`Tlb<$8*hr zmz&MziS?{?-@jTrN>y0~1(6W(&6_tUaA1_92LD00smqAJ zshT7{1V2FAh$)G^c~hH!^k@bHenxPX)pL9E2GjlZAHJ^dj8M$J~=An5d>$NQvZKkqEhZT-~8X|~_4Ru>VEH76%WQCtmMN)5Yudw<{S z@z#aO)$e$bgG%M~%~baS*(6GyI7b}t0h$i64GUn!6%Z>IL>guuE4K9bXB`t3Ij*B%E3=AW~=a_J4q$_P+ z)pLj3@lGSjGzte%E{RuBv9UsdkIgR5B-VddTHFT3_9EW?u$?RYu2W4ow6?u7lJe7m zcm>zR#U-29Nm*8wJ^lspBsGqRcP(#sDqpnAakcgK)_eQbdK%06dfrN1tkK|yL+$Us zgJ&1FP*zbC! z(LNpAL?(Fo=hyeR&?9zxLC<4$R8HQC+S9HV(ieMTzl5u!g`k^Nufd)VE}OkD_t!UG zP_?zSeGw>q^+ZE2(C!#PQZa*P6V0x>qc-^g*9q4#f?g+&XG3I5^Y}wS3Hd?KcWk^& zEAA<@N}QUzS3A{>gw!%1&6uU``IJYHD9CIz;&0fI%gV50{yMCUU#MV>!66z{|&nZ$UW3+x?`1Zc4m@$@A=YeSEmu z=Jj{E@#*O)&X5gbV{m9_h_92z8}Z(h*fIeBHtrf30pYAQX%0af&whMrYKl*pXytf& zC?TEO0~Q8G?*96A>?%LnVX1BtnvlogJ@E_HpM~nF=K|B7kKhi`4W1@ESU+JrKchpl zwp_*5AZ?0dfqNZ@!HcU1fE(3q6QKrnIS694KhK2w4RME=S^}IU-3IREG`-R(B z!*E`Ht=$I+n?8|FB~K*a9z2Qt^WCxI^D3h@TpXP6qjb|x<6MriSRu9U<3q`dt1Gf~ zECK=dmv;km+H^^)6Rzy$ZWC)BZOI5Cj(Yru*k?%P~IIS_ZjPE z@wf#`DT@5U)R@(3?boX^|9wQzAs5sj{9Z7eX;_uvhY+~jPSkV#Ry zCS_!~DPK;nDhCJ0-d`nJ{+;a4J?5NtOZ?_!I^S(3O_>->#hH?llC;0$Y_m)IPBP^d zigOfAst0$D)ZS`->}UDr8>5P$mq)M_mb5KI*v&NjvN42_%BRZ=8FN=FU^Z5gYt^`1zcQ zwXrlf8Cg281L2$|hGR6=xeeKNMjWj5wr;j&>a%+Ssfx94a5!gnvbSMIom+fN;JNMY zt*YKGph=sOY(XDZ{v2t{Q^8|+_hc#}Ga#>6If{VeWqU&&0LVZ@u-`!UB@rbrm6y zwUt+~8KlGa{1IGP@P`)6+TGQUO?fEFparBq@cuPmoUb&{>GZ#QIPD60e!P?Z{QJ8z ziyQTiw7}Z!>85?TOpSG`Ivg_4Yo{m>RnZO-NOb z+a0nW^H@?`F+o!RTnA`sMlIG%18Zqm+FK%-GYVdYhA#meb~K)T%5Fi@^lZ=i6xs zG>jIoBwfJj?0R_?)R4+`2+H%>BUnKxTg)QicilN@J6)?WgJMdM@;{g^{PYRFe{B^5 zPw}zsv~x^La*bKTvksKW$H$8)IVVtZz+87gJ>Q?2qV&F;k;y#$^<4*#QS;M$I*Wny zu6yA1@e;RDxjN0sJ`56WEQ#P}(lvEolmPf(u>N~sNQ-4jCy&PNQ2$4=m`;` zbh#ATziS;t+Z($Isq`FnKj~S^^hZ@kz`9%7(BLl}gfy2kdwG7ED^uC0-Er{t=A-Gl z+sp2YM6*Ctl&8snH<610$29kJ7LN7(x6z|H$!^O5icQz!Ig)hBUv@u+FLu1T$zz8^ z5WH%rI$D+bY5o;MkB&=q;Yckp-!#j6pOy+G;Dlft&qnC-Ej{T&AvmN!G5j~PVhf6_ z$lewvF6QUr_6AC4yUT-_hGE4s{d#L9M+@YK-EnzPl6JkT3$>ss#$GJB7s68fL(9ON?QebqOR@jzfHyY*%F1r zc4nx(k0UfG-|?A|BHr~JgK_We2@}7B;7V=Y$;@iM+!FQ9%>xN zPIJ@!rpZt)*1b^?#9D|m>TI#*HYFVEc(ygL;_Hn@40*$M<8X7b%F%{=v7aAgZRP6K zbw0|JL#b)S*mb*wWc}F}-($7a;}9Wb?7k<{nN73GP){HGt66UtLhL7mzrUN<28+cV zaSc<{dRaCViRb%7mT#$ zHL%l+jAB#GGx(@aJIpL~5iPkKNYWe1mbF))JzEUL^J$$qW#nS0(VfH`TJyD=OVDCx z^7?M9?V3{JA~+)AiGASXjp!2|_&fe{j(9Eju$#oC%mTvj9?TILA4dZ_@|3it0x_uL zaf&u!Tx#o0X$u0K3f&|~e3a~(HTZ+_NRM4dp)oFpMRugp9=H;c&u_UX4%a&T>RIL3 zlfWF~R`|@#HMH7`>4N97C6Y+6x3`@jx|c}v@y&+U;x>7oH!kNAw+ovKFJxe}UxZ?5 z&f7Rq%8AvOGTKdqUv-hDBx4j@O1V$>R}zpkkq?n=Nc-Xy7KkE<|pN zjVd+7>5Ay%eKEl+R}*T6)T=j3AF_lJ7T37N_y+>D!EJw19pQ$@i*Lf^<AUv7w31%A(Y&S9U?qCRO+R}oWVx?y7K~#MCilLlYxsiU=3f#}=m^A#&qQ-~F ztnXZngPuHckUk&(EKk`{WvO0SyG6xh))Zp%5{W^4B8LkKvnXQphhQS;+G`y@w8VCe zqO+{yIe@h#{5xBMgpfnt;hOJ-g0)U(8?vWsnq2DlDTg}4Jd>e6!tRhRzyis>%5Hq% zpIpt)79?5cAT$3PIVgV)18B_QHv>D@mNoBr8f)P(-gt?n(`5Q$9fBJL)d?wzz!?Sj;jdlb#@+!OdLE5iV+LwwH7M6N)CnZi7Naj*yItPyS$y ziJV9j2Aw`#^-v5!Bv_gkz+cv!JuaBV0{K9P`4y5jSy0LmE(a<_c^#l{y1Zz=e6c8) zcRVUzF}xBDWp`DC&ceofmCVHI&Ub4eti?Fx*cn1$QOp&nzlYCkHtK%o?q|**O|a@y zPKCCxgh=cT*^rXka24?TQQssHJXKGIJ#!zVS?lphare@6Ml%D1KOn_Q{*axgyn$W{U4+aYt)=Hl}U&_Po-aWH6 zQcyTB?9@1K_8uQLr_0ta44&2Q!3&qiktUBMPRMW{r|KOwj7=n1)fDa^xkAZijUBR- zQcZYfAl1g^m}AMOH{%MfR!|90c;f zkJyr4Rx#JFIT&U(?%|WpESr3+!SB$sHz@VQH5KH1<4w^|rdg><0$bx6Hc&#!%~Y8c zKI*%bqYJM$|ASW<6j^s6R3eH9RylGS^QTsf+PibY9UbsP3^uh#w@3be(qC zabtsZESVQWo}gjPGC8_jDgL@*jX*XtR9G^mZ{$U#1W>1Zq>0kAYGk*Bl=0*$)+6ma{y+gPG{eGaP%KV+l!V zJ_?ChzKcJJTRaDG6BCgHKeri%8`7p1I?FuD4GzD5!BSgcqP^c!9yGv>Yn5x9^BeCZ@c%9H$x=m z#BFRlrBb4cJ_V)66LMb;_VnbsL75r8PK=|5f&b{#5D~RRkcdlzvg4*Ll)i5&Oh!7o zq&Xa}&Qk47Bdrf$!Zlpp6*-Ue=qd{PoVuH?Zia(9wFV~b$~b5~Vhw|_1bq~39;`_e zJCnHvqi^_+^AAE@jyn@MD@rs)uw9IPI1p5|Ygg)z6XMc-vtFMFL~0s)_b;H?c19Uu z;jrcF`!U%k1kH~ymdv+o#UCqSG3if!h5ZhRgG`Ppw>^`_fm30#C5-Hxfu5Hp34vh; zobG1LFF`38`wfr!FdYR|8@&*o?Wk&Sne*i-Ktd%`&8Lt=AY?Xk8e>>o3+$NwBkCag zE{=W4X4W&6C!Af`0?(qvrQx6@ydav0wr7};7#i+04ks{(3x{Sw+*WSTbn+1f3EkA8 z7o|6V;*MKMMaYTc5B5|y!w5u+Fc1{VbVHauFpr5WP0T4_4qA$Z;}oBERxUe-i;CCI zi(zo9l3EEIelL9+enztFg4)8C@7 z#~b4~ayS3pQlnFFE}1JlKR-Pv@j`q;@j~@VC7yNLNwFt@;Vt%ucLS=1A*E-5t=_If zEdflCLe{7L3+3jw$BMg~A;hyb*UQMGZdMk5iBL`ugsIIFSTG&_)g$m> zxa2dldv&LwDkR-$_#HAWghkX~4iF9Y;zsoOd3@ti0bm}@t;N%{ft}yO-zJxMKs`p&*~nP3deB+Sal@j03YA^G z2e#MWe~8Y6DpP}{F|u1}=IH2^w034=_Y~-(#aSw_7^kI8(_rS8LtjEi;}9I@yTW2s z5E0|g)D8a5_qY|q_U}FBqfhT@*inUQA*AgJaZ_;nmq!~egMxPuZfSJ`EgU)FL^dgo zU*ZRQP|~;*6-Q;oTo3B^<)J9K8YE{^=u`&XWATzoi}mXHJw2PSXcY_e5n@XC9Su@5 zmbmfWtVL|9rtwpj&R%qKnK2?%%GUfQ&-mPxF9&nA4zTF?xU}m({fzW94S@I^jSpdy zpsL+TBQJX3$P}}Als><2wEIO3?PcV%`mo8p6Tm$ii`_(y6s)a2fS)sP?2bH`Kql(A z!Y34ZnK|jS+Nwnii8rgV)HeOO0%c>5lCk7FzLKjVA`WB!DEBEJE-BO|F4YrYt|E{B z`to9;MF3gJ&5Uk+h7foxyi?trLLaLUsTI9Rzhj>YTZMv37co^Aitw4LGU*bbr0n%i zy(R0m=V0Z9{mhA4B@xe`4*x4fMFh}imEv@%!CdkLyR&DqfJ=-RmFqMbh0maxGNl)n>z~b9-{AaZ{M~aKm_j5*|;3EwPv^fH;D{G)|pxXi>4yQ{mNqld69)Vc0bEf>UvBq4lbT=2<7;zR10 zBhko|MNS^B7EH?6zfj!{)?j6YZgz|WbtvaLle zM;ENg%Pa?Ki;IQ2x&Ulyy9*6DzqbwZV6KA7IHc=uSC%o-jvb!;6KmXqC?Wf|W~I}Z z)L}`S{)~kbh}*dYBE}ithSU9W+Kg#GKEz8PW?O8orB2tn)(>DCqLr&i;6 z%~oZrSq+_|Fqp!6y@syi~Jk^Cr~ zN#f{qVKIxGXpp{^Y@LChe`02HJc4LuT`p7nDUS;=(<_s$RZQ*?Pb~I()lrT0a2bVl zrgRH&x}->HDG_o=L^0{T1S&#N&`3}4Wxny|1OXvbAq%YXTm`+|mp6lj)RkN=)WLiB zkUDDh&?pTb2M!PdOi|dsYAVD(eDc?Z^enZVVjvarX1|uZf^aAZ)ceC7hf<4{+do91 z#>e@MbAdv_`+CV{Nu?(70O~1qsBFC2;akl`TuihXrvPGol`NO@Y=ijzh>c-gOHV8_ z5l4DPYP^}*u>|UNk>5K)2@a$@uLg2^q6=3FCYf>B7()e`j4WIR2~?O@^TtjCh7)~q zYxI!FVw3TFNzavKu#B|jDi|iBu>ZMyuowR@c>mkya_UH$B)d5aR)+}Y9wzNwH z`BG)hTB1l!lb?fOqm$V7$3IJT~hGEGn^Vg*p(Zv|}oq`5(^5*y&N~%SlIF?R461}FvZL`8q>FliE4$w;a{pQEh+L{N|D!gminY1@aewA z?vBbGABVh$xxROI6Dx9D=NrS=Y_m07o2ed*ZW|VzGB;`}a#&nVl50@a?Bl zu#o+?zybP53Td*vA#gj&^I^GWjx!!-U;?y*QsWoHT7-|wB?@@v_S<||-FthW0X&hJ zbbqbnT_2kGQ}bY=#8N}U@tEO<;jJelyp+M;Hi0VN%z$=qMb{!f3igK{eknkIAjQ{Z*Q|GikXU!&l^ zK(I?iVbVM+pmEe8-ktBZId4MN7F1WC0+ELmjq3%9JQ2vAJu?mV3zNh5M3!TpD-|<2 z&x0rXhlc2YG6`T?+nGvt$DahqLm(i<4{pu zo4+wdULG%i>XU>IoGW0r(P)4J-Jxxh43KbI4jVXiSP?f{l>$&Tw7MRL3QV{Y(3uPk zf%CPnQ+@S<3VfK@*3BWlj*qKPDQ~8PZ&rW?8pj-CHIeleXn7xi3D*_)YU<(x>L%FQ{+qKhK?HW_q8lMPUzMh}%fWGnCJy_>th%U0E zX#dju{#Tx`-(*Xd2d*k7wNmFj+^aFr?tRwX-AyX&d->;=0_O{+sHkZ6kXN%GQrW}4 zTARmF#N-GsSr5405lQVJpwAW*6ad9S@?6P3AmCzu>J-)rX>lB@k zfVPl@lG*-n(sqs_iT!5eQP9+;^#)A(Ca3l1INr4kZrfyAn^&8ZYnw#wyKXIIuLYRR zuOem|6WzLyGO=`x0g#_}+<DkFtrN6Qw8JM)3)Oy3a( z?rdp-kG6>L2nc!|zHc*40`E#PMZx)ohh^omojrjk5&QFz=UUU0_m5c(@GHE5EDK*? zGm$kwa}MJHrklL=puLzSnB}M>0+Nsv$Vf=`zkjeqo_mx6G?I1-FI6N-=ykdl_lQpZ z!+rr(`1!Cbe>gTi{$#yNv~Ho*!yZy~N2VY7>1eKON&-#zCvYRe!ot8KN{MQYClfX9 zEWH{c3zFmHcAh_Yk?UMI|=?8%4-sY-m@5?XfKSA$KiOTt3;2VdOPQOi{FCntkZ73h|5r&Cys zT2q zmf5D*O5!Dp(8J+P!BtrUi!`cS-)JLgu?zg@TOTJ+_9n8AewIrFGbMC_>1*&^o8?0A z*QfK{3sp@i{fGpC&uk{o$5$o@Z#S7Opa(fkyMw*fd?NoX%wa<&v*q?{1FL-iD#_vtRX1>-!JOk!0XcU^U1QsEpsJLd=NsG*5HY zfvHL>%FUhnb@F1a9XPpP-!e-5RIqIEIGV?0(MO+5h7~s$B@YBK0T-~oWa0>=$aZ=S z-W}MANYlm_2VOMoD^h>%0M&!x4qQj0(|VqSG{s%mk35slBky*IBncp0-=lu!KS!*mlyY;EGNvl4OV><+nlsrya{T5h^#VWZ1Qju0K6iLDe ztTxB7MbdGEp>Sxla6FDH^hphL&`qgM%e5 z`7JtofLy?&*_on87=et8tT?^Ekc@!|9KiK|BRH}q1934if&f#1HKUTlmz0q~zaCLI zqpRN?yt%n~F59AzS=*6HP)|L-`FH#lAZCxAZp0hrz(8x&W;JXY*6BU<%o&6AmfXC`ywz92d2e-SE>~K6 zo_guTe%yY2yqr6W+PWf6usSe1}urN%rweFwJ@cGa5u6vzE`R}Ib#6rHdIa;WJ ztL1&it*tFwR>Q>_v%U(}CI(NNO0Rgf-`*2j7LB)hK8@#7pEI9l$OQJB8ljhsNj*xZ z!eZhGMKb_M8cCreviNWPl7V~?FoSo7lOzIV$rUa}7cUHMXmrJm$kJUccGh7h-?wow z4qUMfo={U?F;-R8(!tjR2)vx13SyDkukS6^TJSzAegsn|S?*uf7AVZ$K;~&Mgg2w( zPCpM170>t1`Q#)r@b~8Zpaq4z=v&u+Y%e%E^ zgd=mqO^f9`D!~+zNvtRX5jJ06hjK0p1(uiQPc-u<4Sp|`rjiSp2gh$uat8hcspPgT zROngc{C6t^YicV1moGZ}cuf@y+3tPOOV>vgbbJ23Mb|~&xicZ25a_uVdYHcZ6U!w3 zgE7D5ZyBlRz4H&kkC&$bNRz&era#EpkoylC{JWU%{|sPPB$rO}jHs3CnvOr78^qJ% z9(d9RHAzIWQPZig*hjgc9}1+bzF?A61;M*5ize+lt+oj|?w6+`?#i2hpayWeq&r_n zCi7qX76_VcP70oKqt1>mL!IS6;d)%#FYrG1<$6IA-!>eyrLdOr<@l-4eGtm==AZ1e zGkNTP%i-b@pOUWOnX8zZY`gRGSE^ANCQDU*Q&&KThp_N&*}D%Y7i36r=e$;rDf z(osNOE_FQA3!9ggb})u4L*I?PP#@#v-^R%PNuApsjLV+P>Z?7rH=&D+K>4_Hp?EDU^_wIE!d@qal9FLAiPq>p zvuGfpo}LT*?|K7N`y&}6HQW2Tj4EpuvaEt?U7+Q;j?Y#mzWeTvksYJjB=fG>q5Nwc zq}EMV&v|h&A{)!okZbAnXD$?(Ig3|VAf7@Ko!fcBfHoO}aV@q=Pn2>A|r`M&xj(?C5>EbIJqs8;8;o>?sI1#2+9$GugPI(#&g*K_E8|L{PR`5#8@ z6^zaXCA?qqv^^8?CLP5Xhal+fH5zDYZKAcmj1C{9BJQXjM{zIf7vuVV_gnLO{0ih4 zG;Xsb&$4TmA+iYSkh;E##AM!2_7AA2G9e=;Zq%#9Z9*=~wX|uZgy?TVjg$yHFn&cx z4&E{@AVgE+cjLHCKCxm#@zqk~#c@49r7z5KX!SJry@!r$N$)3l0dWVTdT(-CxiOi{ z3XyrYvJ}{f&c|PKE!jU&>kVaH@>Cqx=-cH=HkwKe>%80f|5AQ%B0#E|vV&P#UO-KV zi&9Wlp8U*`?ed!998m;k1@d=S(93giG4(dz2WYrO>&wv~R>qQHCK>r_5zNcW9vS;E zW&e>|%lQ)f>kMce(*xfxm*3LY>yLHmn1dXH#HF`yui@*I42kB}w@UzVtJO=QUG!f^gWLPUFU_FQuF-8@`Sh9NeL+4-M<4}J>K6o zMiw-QWEqlvk7D0T;ABkLX zTx%bhno`--2J2=Hpp}WwECzt0?@wgg5ZhQ8`>;RU;$8frC$o(564?G*989FrC5yHivhA2eDgp3k2k1t z%CSi$laq#r=Z8U)qqMg6-t60lEh87VrU6HREa%;>A< zuhTQx?JrtTm0s8ni<)c92M|*WbZgDi7`2L?ySv|+m@G8m5S7(qy9;P|tT;B&QPYAT zC>g)2`}Sbm^Yb%{e#3A!Z}tBSeQI&~RxgO90nXQ9GnE${{3fzbES@Dr=<}1xhP%Mi z<0GI@TEM2DQh0q*{l#Cl5as0L@YsxFV`8W{x$06IHn+F?XleQQ_yCY;je7kQV{zLS zBUs4Mkn~lsa<4CvF~0uyj=Xe1^mlNJ^aLS{Rp9+1OXzR^sUZKKe8AFfz^Kl01VEm+ zQ0Crf9Ht*m>yE^aZbe_dfEyyl!LcHKsZLH#uJgY;2YoVeuo%QWldHkydz@u$0m%FX ztXHS@vqA7^M1TT7#rpvWKr}3WuBzEVV0S&}WtH!C->}s^O6|h#^-!s)+<^Wc5x zC|5T(bR4GLZ?I({-+oL35Qq zFzY%`&C2QstWPi?)Dw-G@E~KGUSH1Vb53o;ke`^?UAXEf>VNwW$VbCV9ez#wP`^PP zQ_wQ(rN{;31@bpc&MnYV-fKqF(9$Mvy99+ z#;ig?&q6c=*k#m_=k5`#7;SR|tf`OL;#$WRme|%>_=ys+ayqLe%p)Ts?hHIUpSf2H zkf}-#`0d3Z&iNIl4(a$)%{BnZYY^{Llw|yxcu%8bW}92epm=kDSx;*dP9o?ji{&c2 zo0>W~7p+P2H(5?DQ-hhdUd4^~`fmv1hqu=7<$*+6>(iOG~_P`T=Dra%f*Lg+BvBru9gD&SR{0$q^`2T;oIVEL=6 zqHo=RtRukYuXMhCO2nWmP#87f*Eg-^J>bicuiZ|oJBmEtZUb7HRG<$@2#uWH;eBR4 zims~w7Y3N#R5mXfn+lDlE>NPl&w&Qh>3hYfq%l%wHTG)c{ebz|J^7}30@W0p(LIV! zZcQTmYxBCE&7N0jb;Z3bpcq-hZIpYcK~Z z7OA*L*(FIZcQ5kCsBQK;ZR8y(L&anE3+2w=rf*A3l+Q-V{E` z0@SxZKg$&bG~Q(x7fD9FwVy{OCiB00Xvf{& zx<9KwZNHcV25n@6`_X)yVi*NbteiUU_P`VTU1z0mHp!xpjX$RAB4)38eC}AIRVV`ZC*~)iQmxuSbO-8;YMCPTaKcz&|~~pos-int}M?t zy0h@oL8+LhfD2@Gi}dZjB!k)R1Jp7_2rU;}t-fOrV+2c|Oc1lBKWu(NX5})61r_1= zU8_PmYeTr!>+TCqHAhdb#juva+pnCN>ZBI4(7TzamU(%q`#@V!ss*l@+g5*+gEqX% zp#dm441I&*d35WLpL;;2g8i))#s*~vJP+5fXJqbBzVHj6Fn4&M4sXq$f@s<+h3DQx z3PD1UL~2?r*C+$BBk?BnF;&WKsB9{<81f8qXPP9K(8CahKDFipo+m4EgmCiCQGm*< zldZ>fOG-;`EdkA3HXP(%C=%1YL;DEGKlba9-}d3v<80`29Z(p45tq!>=~w4mg8mnM zDxE=7_NwEXTB(#_WeplggtZ zJ5;)2Fw7$Nv|Km`>2eUi%pw-&ZS64*!7!6k9Bp2lGo>G=|1}yB{1>uSN+@oHQtIU1 zP}ctiWSz&%Kt8=C2c2Mys`XOo{193E%8PV_6GQTaaxo)*BO4m3&;mpQp`RqXmc%Kd zckq~XRr4fN^J?pviV(tb^k}(2$<#8N6cM(8>yGG7y%P=nfiEb%mj<65hy9xq72=79 z%>Gr7AO-5$JMSSTyAVwDlf=P&OtEJWUtDDiRK~x=O#2)vlqPC1#Jm#vNx81i`07qq9GA+;@)Li zT|F<=SKQ5-!yVE}JnhgQNU%w~ocv7bq3uhtAJ64Qa9Zn8@G)S7xELhNjC+P%ZDzl^ zY(x+*Qzl#EQSvvygOENIRS_3R)lpYa=f5Gml2V#s*No25F$wTkX?Bs^xmgeDvSFG< znVKZe#0;2ig&y7blR2aXsg#{rtZ{`qt~hAW=J`Q@e9#7^;9hfbcQ&l;{-rt}$tTTT z<4UQ**FJ-=-sp!6SeCn5lIdByPu2iuDGrdiQ^sXHHvr}3D@hbk@9Z~w!;|F>q`9Sw z-i1H{p*=&u!w&3okYt3P*_+B|Bm17DLh+h}=SIEkd^n-{NhIJ-zlk^50QM(9+vGs@ zQXzyZ0c0gb18QcPL=h{rTzgAdb(wyzm^`a-yRNIM`xIpG99>Syw~1_CEJu0TDq`Uj z?r$pZwVIvHW{=UR^RT9oA)A4H0t7!f)Bx!XKw{p_5trJHVJXibE=NVdBICcKLqNBE zzuaJ}9?bU)_RLT(!X2-7kPTYiyvKiL`iSK(XU zrwE^q?Dg9eE_dfvrQI5Y!e+yYyC6X~o{+tI8>}z;3%acVw4$t-utE+zWF^UaT+Q#= zO1Q|Mw3Li&1QzR>r(U5QC74$S`Q-vAL_GaOs6;#!0T0&)Lr84x|3D9;?4ysw_Wsuc zhY;bM<+|AHVnMyRWRqWl5Bh;DcDii19e+Q}&GC{OSOjRIkL)xE=W9Ouxd5^ZUnpW( z)&a2z)FodKxWB*t8}lbDJbW{rfmWFSJy0ziOoErP{J^3-VC(?23s19=y5DEE6}ktKoA81otc=shh3wS%0xC8eu- zg!##lVeVO~UE&%gX?4dnuqe~>z`icP1T>=BWt6o{0C01RtF=d4_&@LWhAo3PRcz1 zAj6XEy2^5JvKlNnqg?)_vBXon!Qo(IVNue~oR;svw2*>pwEQ>*M^wA(=kh}KICCb1 z9;^4oR&G={t!%DZA0b+zM<>dj@a6CK_^tAY`CY>TkYO?~E(1Xo1HfLB(|P0F4=ZUP ztfY>M0doON*B4fgLYn=a$bwSkQsM@&h51wZ(CBfYoHeYOQ2TaPv5=wS&qDBD5gcR4QFHFbi_|Ac_x;wmf*&1#L#$ z76NwspwC>NuCEV2nS|fo0@D@HFDsh;$=u(=U}xrt<=3q>V(JgzQVR8tkLP61X- zW6;M-aD5eL6l4FFPZ1P0&&tLS0lTiM^&9_0(dE&D;Q0PfJa%gqUwJ~hl0C0hAu%}?O&wq$1qd#tN7sJqupOaz9~pR9s- zrCnY&^RbF8oX`DW8t4l@Tik5!KD_x)i{G*uFlu!_-0X`K^!T%LMs0~t)c!YQL4AdH&srzw5`okE6@8 zm&y%XONWY{&Cex#J;PU++MZApKR!HQ<&n6Z_&0n36%G#w++bhs|L}QBVD>dREX@L_ zzTHh^sNh^7h~M?B3Rztn6?9uqStRgGLoGOL62xwHGa}j6C+O?>sP5WyI%S|vjJwVq zRXMlmZd|X!NUHkX0sVy$8?}bIH1uG$@6FNYzb<5x?fsj;$f*l_@~v)qW$)fFr}QVl z&H)=b$wd>kapH{?9Un)^Rjf@2g!a#oMDv1n>bW8(2}DnL%s#jSQL4*;(Bs&AbZ$N8 zi06Lg_AN)$$XZgSoP9NkK(@n~lEM2U=Lp#4Wo~$rixZM+o{8r_5=%Pm0Yfnp^#(;9 zFC^qu@ey~i89sOF6(y=6{==1zz6r1L!V(aWfeljw@EOo1ThMc7H^=HxM&YIov`qgn z!Tj*oEjAQ;`J7Kkc1qa6>^p7IBJD9^K;Jf1O=RvFXt?vmv*jaHJ9{F~aJPi366Ezh z*gm9cwtoruTSJyVVQ>?Q^%pkB;ihLq|CEGmjpIh*CR`AUWKy^7X#E%Vej2t-EQt?K zRjZL;OKpZ4q0@Kp*+Fww(bH}AB#YS?HrAh1zsfmocV^BDw=K{GmqE- zAn|{*w|tdlG7-R21B(#~3Mwv?o6E-Uc(nwoH}qwi*L9vmmfYDvRoGH;zdbS%&*0vg z!oGlIw@f`>XfJpDy@IT#c@M<2$s3fJ_chA0FVAxF`NV^)m z#`XOI%4Euhb#y0Jd;H9Dw)3)OG(z|>CFD&nAzhQ|fHSCUkqo@DNO$)Jpqb0>oEZ=h zB)lgWa*Q{Y9l^`fkLXa4tf@5hBvZ)JS~+RhL%9*_GBVMkDCV>O3@;QwGvNAmU||R| zWuxX+KPoutTRqIu^jHIstw;9v?FJ9WXV*7&od1_h%HKvDsCMfh;Gdu!@qe#&$v z|86Z$dvjfeROmz&*aNz%MV*?R(kMed?=(CSBve~Hgxu!q$eQ7;7hK=_*bp-}lLyh+3=NdmHovjj{jZ79}rznvFOnkNcIE^i>Aj4FK2~)n5CF^40FY`#A7qcK8wm{fOog@QrEB3_v#}vB7j* zek?<>$RDjQ!HZl^DlUH!z6vcZeUX}E%Nu@swZH)V1b8@?@_+3R!Ra|!%-Pu)NUA_I z%KP;~%I)`Q>YEo*IxEKe7CWy1?2!{mL8tBf?^Wd43P0}f4(`2ElTJ^g9i0?k>Vv|5 z$SIHEJY;`xqiXv7!y$Ubs{lCPCm8=-JOhvrMJc!ns5WzVt^Z;1cbHFnV?Ti@7Amk)son3j8@+44P#FYr*WwZqahPBz#HT9(YrNELFILSze0L-j(}U>!{n+?m0_jUcWrR~(2ubRY5#)>F4Ya4`G~=nDS(_= zH25M3AdP@;p!g63Eyv*^kP86;acuGFJ@~!^1F(s>riOhx=e5*F$;k`=n4pF|(4U>J zrTzM97x(`U>hk|yLt=b15gFMF$SQ-N!VsS_-2WZd-zJX%tX|X~Y)c>P`RfYyB?GOI znwlDaNG}CQ#O+{XE`Wd_9?1{rEwPBdw{}x#5&a7l=;*Jps6XGU0XFTFh(v8S?(qF( zT@Mf@^6Fc8@2JH^-Fjt0;h^XC;{=>9@NT`dc_q9r3vLKqgSRY>uxJ;@GL_ zcU-9ZHqRi?rLjp!SPsE|v$ltHo&``%HQ-e8dp-8i4?s|R>#*p24)ioS<>R%EwlI>; z&Q2gdt9Kiqlg~yMm*>z@=aM?CwqCuWGt~C}7`D#g`F_4;BLEx;nt$27jd$93-8|T4 zL0n7(Sj=mNEHbwqavbUlo-SG5Aw3F_L@spCppRW;G&SPPX@s2SiH6i0BM zlh56+CC=607BIUKqc^4?p8$xX`1|+thhRY`lV@d$1_j0uzO|mriOQ!TWzi^&#TEg= z^s4{>&=pYKfJ_OqTM*l~ISle6XQMzByKM|)I3muL$8>=hxBEsnMC-&R$S7Wez!KO!z6|!W ztOEyLLR=gl>1pSuk=LqJCK#tG-P(`72bO?|0KM67cNE7m!Zctsl>ylku!0>f3~cF; z&&+ytzE^+zPFf=SGy$oIQ26%@{rYRbQAk_=FXFy3EX(!VQxKKzF6okx?nb&pK#&GO zkrwGzx)G$ilt#K61O!2)M5IGNT1uGp`kym1pU-?aU-rJPy_I;M=U(?(zgjIoVp`!? z;vYXO(F}YoBoA$x=N2+p? zGv7l(LwQMzBipsnmJ9JmK9QzynfgHp4CI6GN(02vX<^wPm5Z5Z00@Mg#o^j00vB8d zjaQ4$8IMYk3JA;+;Dcp~IV;yKO-KT6f@MlOVb%a`#q3^`M&JQ)&9Mvj(_;J z3`S=aBli1VgL30~^3m1^IbzH@k0t$}Vrhmi#hKhRqjFNC^Kt^@-f%~qfFMjKO2m-u zs9v{Jd;3L{3{hYLP5YV_6_XTeQ@`XASu0s#@jY!fOC20neen zXj-Gu?Pmd~RnjE7UPQ1JwF40q|teK~{JGtm@ zF=~NgBE++nm#f#RgO4ejllC!T+$>56!2@%VgSAl=q%F$(W;f0h`6s*BLAhMvwmAWx zh&NQBP14%eCfd}ivgtFAq~Uo+65W&k1AxRZXw@dg8IrN?96QnWmzj3>f!nz1W^z}+ zOpSFuHD|9E{Na4k+dhEVZ(@#e--7CuG|WwCS5LyHW}a$FkURjl7b&6LwtQvDb@c#s zWJH9;!0V3*vabwCbKh9^d&z#;WatCE)n6deTsA7UajG`Wy?d9;k*fT*zLgKtS%r4F zcd@|vKNthR7pCM6sEnsV#*)~&Jm9qyaqApfdZl&i^P6x2=B4k>jlJ;@d^4cGbnLWX z{3^ERao(g=f;<~4B`Z_i;>?z@8$VIwgzCs|zO7U*ITL&mMvHmw<;(KrY%tPj}q6 z4(TzSvOG;V53775y@VhO3+iuG!GP%`)uX6~D{tiEr-64B0Gx5N2e>+vOhk*_=^C)&`mvTswBvhSF4#nMgt|lMDwZ4vU8s#=>qf zhBPcm=;FEch!~7+dsb8>kZ~z9gxaWNm*N&aDY{Q0dYfmH*_l^>wxaOywyegqo|7R5zGuj^G(_M|>^S2~F+Z)_yYt zu+t1te2xt;XF5SQ%}|0OP6~SV z9O+=tC#ZO^-9q7{J(oU4gss5svNZVsb^od)B}rORQ&~yVgvYtJ`f0 z+J&W*C%6d}vB~hRGCO0^v_x6iHKW|a+ln-@W5mL0v?Z106$S05t3XqC=Zugae`$Fc z??x@h(=~Q}9gaZq$K+7WjIa)=)I{hns6D05fd#b09YbbvyS3N<_FZ82sddW% zEDq5r2oD#hst%Ys^x@^w``hY5yo1QMl05x+vs<)R{u8>fdgl>z8|_e6Gi2sKmT8@p zfTF0E^*la@VYM__KhM*7p;QD875N)vRcD>(K)BfH&LGnZk?IltVO(ZgDzx-2z_Lco zZg%-4EiVp z+bpB`2^m&V)Ou2NZTufYwTt^xnDr35VDRP>FZz=1ERP^JQx+4y^uuuH=$n5wRz_bm zI{P`IuWkl7n^jkh+>cpbpi;^%6sT1fakb2h%EXS-2;v{gK?wZQV~yOTpkw4x+PQGR z`MwHHk|&gnk{Y^IX402w#nVnKS|rWZ?MmU)xH#gcKZ6SpusSYNAXVTdu)pDLE1T8K zAumJZ5{lI0_^_0k;fX>`Wt3o2D-kj8M)~6jUUuhj=T#>tl?P=!dispfW^es{b-_ac z$7DFY9aFCVnE=~(0}v|8=RotNeA1b&b(s*_g)YuhXD>IDI*%xbElMg|zx)wnU!yTT zviV&vdvZ_c15ix9$o>fm4#p$pfe&NUq2FFHPcSKgR_8Tee)9Mz!MUnEo842ID0#fi z0y~s6n~&2-ie&8aqxceOuF@z&KS}`9-la>1Zl}i8;+%9AxJm|BAoRlMj(L|8EFa;_ z)!+k|qmX8M1<%9w>pLR5Ps&J&)=#_GJ5OGHQo(J74u=QC-91b_k3ZI!_uT&S2Q|0 zper}wLWRp{uE8;ua*2g;gZ6$Og}}3KQEuSAagNE#78h8Yg)#)N=?lQ)8y$HgWb9Ya z7(S(tV*J*4LJcBr-Vh?&$Xf6&JfEtd^6mVbKfaQG&j#AMiLXE})&j)>^EjmL%tDj( z6_{0h6VF#7WHNA}u>`yw8mPVXT6KULZs4aj><2@vW5rzoB1@BK=z`B@F<-h8AfAPoOk5C?xBut(Bzo)3G(&m;Yb*-u1vo1mSArQ)q75H{ZZQVK=;&q;f zHeRnbCd5CEfHmpokAZ>Ea-u`^Q7dXmzYHz2e$d2Dh#wJ6hFeeHtkyYONz@>{)e1MZ zg^Aa*v=q)lFR4*Q?l60%EWdNRhw3Suk8N#1j!T-_1@aWFWHKWxG7_($Ml1b0bQK8# zUB++=ri3D42I?DT4?YKywDG&1A{>rv%TbUSlex0kAvNvHw+JTCKaFRU(w|O4ge@uN z#1}S7s!KloQUb(!?V;s@0BDq<(W2Yge&lejZv?HGKU$0D@7~4;rH4LSEaue~+PN~f zmbRgiz}3C+M&Cr(W6ulgMm*Oaq* zT)H$*JUnbSUdefvRPs*`cySLcKB-&VYsk`YqkDgL)4mvgTjJrf_8W6UC@qy=(-OD0KcWBB^Qh}KRW|q zX4C^83FLsS{Zamh04BR>86TM)grGUM2e$K5@RgWseHrSFi4UK@i63z~+j7_W!EMvh3)%7mND`thVIUw=-wNqkZD;^R+Q{ zRu}vIR`=V>=TV1;Iwy|G=UGZ0I$n04IhY$cq^}k(e~M{h=cqMorgnXZ;ey@TQ+(!k zLFM<&u+Ud|r$!&ON|j?%$FHHSs$=zi_qSNiQ_AE0Y-90lm#|9Hh(fI`F3CaVoOXym znFT8nbWG&@Pu-SNl>Wg9cYfd7{hY5rGLofrR?(vUZhp>k|LmiYd&)e%=kz9t+in8K z&@LuM4HLr*e!|X7kUgvWTpfycy;*vXd3g9s`4C*k*}Ua#yj*xch|_bbcUYk+Xj!b0<8MO&#X$U?WhH#Yabq!RS2q=?}og;Tu^N6u)BI4 z(s%rj^MzKJ#mbd+rVUwf-{Oa2p-b7D6{~~aYJLYVd@bS0&EXBL{Hn+IY{^Z;A5x`q za%ldhKSH3dk%B~mjEvUXIF`!Eob&V=f43~x&U~+1IQRxPEnR&D9hs7Nk$+jW^w`Z@ zTMUzHOpzJiANIHLh734>a^NzrcK+u}VA3?MWF6goENYqY?cnbJV^jea7y-IX2Hdb9xsa_>DWLj=O@-Ir#s13-8Pp8@b?ir@B%aB{-E59=k2DUBWPktCz4#s6iONqRP}y4Kkv=Y5B{v89=fwjoV5u%YdO2sNu~OzHD6y><`)wH_orfO zYYXb8XiEgGH2JfRR8VAV>+IfVlE{=90c+o-8J2X%w0F^M_%Ag=$=jIRjfBm6wpi2E zcSI+>CwQ@1z9%|yaC3^}?ud>?Jmmafzug?t*jxO%PMpZo{US)5Rq5nc2m7C~J+y<4 zRu|Kiz{uK)%N~}qWL$UunX_UQX0C;)>W6L2Pk)g-|&{iUH0O>mvD(z|kStSl~?*VAcZ>R{UVa_r#dq~w|J z(QslG*@TE*Ogi}{kY-wqH zIhe{@+|h9jcWKnWkB=9G>}|wUM31WWerD=d%J&)hI&`QPW2odFoM~(eyY8PB2E^UC zrs?>(N24!CkvP6PZ!>CYXHcd3Bdwh6PwIi{@Q(@&wByXre*@QltGEnL?=1dWuXPFuIt{d|yC8D}wqLcQwA1Ex1?F|n^!j%b+-9AH zC=HZ4e3aqkb_L30H1*!gIPuLw7xSjt{3g2y;Ec7g9mF1%+x6Ku$?Q0s)idXZe{1b? zp_+03&e-##Ki&d|i*(<`uktHp2FKp)YU6ORF<$vlOy5Pscf&B0V4ek+ll|kf0spC^ zb=-Nn=Bq2izuq4ZS3mTLHoL90OEL4_CMqWs*$rj^vG*AG)h}h^=b9e&rR{QP2z_m{>KF+C^4V_$L!{r{{drIvXC~vt z?886dsLn-;pKB_!$5L;SwELZ`-)Wihb{^3gi`m{gapYp|WAvX{Ee>m)VZkLNCdJ*J zc>H1Jg*3SY2^QdQU%;@D=R5Bsd?Vy#5vyKi^;PTWnZL z-Y4`1>H+ts(+vH~I=K_#1a(oM5^O3H@9A?c8z6MlsvbKO_uEe|583#i{?K3FZ3^~F z7ci?Zt++o$qCU?#s2w=ri4HWBn^5VKsR`d9v?0GhKe#L&+#`vIRT6u7Dx+DSL-&&S zd&h3oFNF&Sm6udXtTV{I*_T`UGB~=5v8Jt&#;z=k+^=X?SO~SMR3(PQTz~pVh55%I z*`hWK+tz8G##7$BAThA=3B z1{O?hZ6C{_z83YRcYGruArSvT{KHG!wr=f+vGIU;+&%Ic$)?v2Px%^~WEs_C` zC|YC5R9UV{!zDsPRYut(Y;?2AINEg$^@T`=gubPY%WFeQ^|?9^1=}2gzhU7o|E@^o zWG9Bi#_~@ukR?hr{=!82(8rY1dt%=uu^(QKvW2;?q*~q2I9^x30SsMW@h6zPEi6vK(5}|dq+h5bM z4m5iPqquoj7mmb)O|+w;mgMkO&y>k`{0n6yg-xls$UEAP){i~KLJQ}mFEXXSY4!P# z|E>$2rKDgxBUwmD8e3?t$XlRFPdr31U`{&nJS(x(Xti{)TNonAocuJ+tao6Fw|cr| z@NsJOQk_vmLd@c~>38PX*yB~%69Lb%=QT!mMXf6F?8!_D5@-Duz{NXJa8o1dimA!qh5*D1{dF$R3ORTuh~6BhC3$B~8_K zmLM1u9JGrKzh-~gZ0Az}%K$zF1qBtAFUWNO5vT(J#(xM}3((rUg24q5+|ceL%sTYU z|HZjv3_yhj1_l6_?=~*S1O)K;wgFrgkzoFReG?AJ*P^=6XFM3f|1VzYf6_TovQ$Km zhK2^SI+&fMTwH465mKVdN(&eiuQw-)5i!gV5{~b%vIj5;m<N|TL^%|EZjYFZ2q7q){0gh8~2M7#Nwe zvoobn@I_1Fcz_~lSPf1+VS6HUCSkRO*^0zo9Jg}NEGqUglon-fKN5~3c#iC;kXIE>7$00AzA#6mpy%M_PDO>u}w z13_E?Yj_Tjhbc*~qL?y^7s9egkg4d?&b1a46F3==k-?^6xa&{R-glh$Iv$LwA z;#APnb9^9|qyktmfN#J9j{`iKjg!;;C6tm|XI!l`$|`48~0W z*o#(xD!M*hj-5OQei%>jaKB875g|al(^+o@Bt0q{H{DrpW`+!v|HY0VYxqeDRi+=?IM^Zn?RNb>y-MCD5Y!Aoe?T6Dw3$$A$WD+a^Gj_iZfxbH_g`|mlyW=Br zQSyGBh1^h^Z}$~NL$;29KZ+yGsCGH}DYz|+@KElDV>^7Pz#2KQOCcg>FwoI0TfeM;fPZHX)R(ESq6dg!*!WLQb;SG^9dD2&`Vgv{0ESDVSvkehmbZ3@~8|yI~MM zDTy(R*Szpn;;+h90H69ySw=>t`x%ILr!8aghLk=Z z`34_Y`cyY)yQ30lGZ2arS-l|3piQ_UCXKMsGH1AZdwb(-j9Y6Sn;8TDEb|47Hu_Wi z)S9$NjQEP=98d1h#Jd5oSAFyOXWVa~zAkM!y<76Ioc!VjWDJFJ#=8zsy^QNw3$FNa zT5;dy0x*8mB;6-~kn^}v(oB8!Z&6FKvAqL)2XRVgg@Fc#m;=(OM(ILS%Bf1zh0mk#mW49p zh`S`;$K&_?8F*(Uj!CY+Q&;&u?`QmTDXFL>aDaIO#th#sSqFLaft(zOqQy1Dk9DCK z#OW>fzA${yM$B#y@MU#0ouryC`!D)7rl!KuGF+;KUX%J}BtiAL?Z(fnn(j&uKly0e zT|39LEwC{HGh?L|=P=hXcY+=q7p% zO5&ZP)8Xvn>Cp8o&#R{Kl_IPfHamd%hZ}w-VnrJ~1Nxa!ZL~DVo<%d~Mi2=VRVIg# zKpMUIRdh6(7rnFzpruf8J6`@a86p9g5>kD%L>2&M!q#FniC3aCbG<7Srj+BOGf$UD zthEYV1eqZ*#(8wVir#@2eaNScdswtvloChdvQe4sc=uG0fQB=B+KeRs?Jl(Di&A2vcppzVfCM8w;y~gbw(9LG^KoaG~|$zs~DLkX`S>zY0BA{h%m&P{0R! zTXdc2`T+AT)X0{APWH_j!$Qd0H#f9;6UuKqNBjf@r5{I_r8-}n%E29c#Y$Icrl zX7E}peM3_PZH6pU==+D|bfG!uM0l$-ag4_Fi9JA)dHdPg!hL0XbLk1C5j!~kLSDiR z%;+G`p-KJ@9UWbU4GuTUU05JOh%_5~kUI*R*q>$2Z7u3~MimxS2MX_*RJ=y=G1NjIq0Ng_ec8r? zu)5JoI}S+?UT=$U0@-B|3SfLff0VtB;#-Y3o3xovglq+lb;}GsPeuvCUGNqWN6F5< z4NRfJfkG51t-IxdCV~+ASKuWGSu{J-Bi>uN5ObM`f%BlA^*}eH^A8xq;{JpqkO;R2 zM1TD8keA@z!2PCj^bcvf@n2?Hgkc)~5aENSTmSW+3YK-O-@O7HK1e%@2OO>Mr>CdTz9L>Md3lR5=xyP0z&QL*?uRNOKLj)_P-t}!jPx5ecqpTTdJ}ekK1TW-&XyJyuxlZ-Kbj)tp8h9L+Of}3OgZ$4+I=sf@$-gaR5|$&ms`^faVv!$nO{?H_8n}N@jJqF!nJv z*x?!#_aGGDS&GaekFOOOivKCH=e~dCUVf;+{RWy~2rP?s{ulOS1(X|fRV4WMbRAFD ziL|#rF}I5ld|x#?mm6Ewz+L=~~~1pU`Z@&cPt^=pmM{c%Dc4n1;fK z2uy#Wn$_ZBK`a*SW)GUcO5PuTA$jGT+66**5>I~!!Olc z3d|iQ+nFW1_DO$#o-quU`&pe-I?ra#)Lfj{QSZ+dVCbYM7#*A%9-fbxc)ZxHpEi$O zuQ68NoDz7leus|O$H3$3Pddk!gVxT?e!|m@r}bzbq8}4kR^NgXg%JJypP&nGC`NmG zP7pr9K22m)SK==>c=!C_d%4cC(Q4oH^%7&D98jSQ=!Dg0kX4$Ak5Chn*=AU9Vx-(Fp}tlJy2 zNNwYH|NHvca*?SC8QD6z4?*kRRYeCE{~Q&zf|OLizX|f6g83FYAtWpbVo#_BIxW1p zSi;x2+ABNu`5-Pf{naS6$L{65B-APrG@KJw+{NW{zwi&zw>*2EUxmFdEx=Y8YW35% z*hw~MsT_6TX6nPYtwou!z^4+fJ!@?LLKi*FVSRXEiC;Xq3AXzGqkeaQI|&S-b|6&t zR=MLKnMFzP=Q@6&eR3#Xfgsy)qwda>V4;-zg6Qu(h59J?duO z(6qNNbIuUhdV}G&QZfF0>~2EOd@=s;i7?Lx*DNVXeMg;b;ucZN7rsAOqPHNwN*Tov z*?zFV`Esm!w(P`XpoCFtek&AbD{a7qwa9}t168&+;AjButQ&%ojvNtGw@y8g=6#H zTt&YwXL%OOgN7{FGMrm=T-*fcMt! zxPVaXLT7!Gmq56X=k}n+a(@G;6F_$-kAz^35*Jq&28fayK}4Vi;(g!83%}#);IKG+ zy*eG9+Wv8>@|f$V*(}{ka;m4N^Lx94+^S+`I3Ac7RZmM4uUG_!ERg>4NM zS~#{a#&8+dFrZ0FPEB!<71v_73%nma9>q_6x6V4`Tus8IuoELjO4by+*#Zbf?Gr(X zhlr8FN*w?&T29VgKor0V9TpwU_`G56xj<#xlS|3S$xV27_W%6B!NeSaOb1|)kCbYl z#wXKI5$Q|OYJLYgKJ;b#hP1P<-RsKA%CL(6oN2F#$N!cLK0qSW&ptx%&HuBpAOC#- z?fO<50wbws!gB#T5X zt3r;YSQU(x%QRRFOiUI}l}y{bj$s~}{%&ORhYm6)Z9&rv^J;#6KCI6R>RD{`IjeDw z%Nmcc>w!?9At=pd;;I~wtVomnl`(WJt;1tKZw0`Cvuc=Au8%e+`?ZLzfVo1%E7;nW zjM{*XW&s?O+9jH_%io_nLmDWcaFFQg+SSzsZhg?-tif(Hi;N4`dixn|2vdN2X985! z-2@t9&Vcd{mv#(+_S1FsW1k!8z>j=z9D-1W?Q!!5=WQfE9|(j5?a;}eKY}$^kl?Y# z{eV2y{-uyFf)J%g%LOzYVouH*@=hmzfMi*Pxxm;S61tNAG;O(FVgbQ z*qjtVZ~5qpje^;#YUAHcQ;NZ$I!!t359Z}wqXnNsto_s^LY6Z?p`Q4lY%ecE_e;I} z^Dao2N4^zEzB_$<+ z^0x%Wx|+2a%A6K?VVt*-P$povWd=nE8fXwV00is1Jt$NTU8i)izOh@(XiEXwvptJJ z22L9=q(X1&3+iQ4uT4f_3`G?HRR_WG?Qd+HVU-2YH>CW?6}B$T3fNBvC`87_7LUNM zib!g3jts%jM!dvHz57Gvy1HK=S;7_K^U3?rCQv>i6znp@-4bq!5nV8-qhSppVjH8_ z1;J?A_<-{a62<|W`wC?-G5p5M?df=v@L$D5UOe6>_Q#%9q+V*6ypS zGT6}-!`qYQFs?L&H{0NdNRzRbc_JjIi+dwV<8Q~+`TL}Olv*%ms!afxOPiH=1VF6n z-?!M0*WpW8jM)n*r z*`ij$6BLTH#~5BB5fJ@|xFpQUjstyd1aeS-cJo^Qw7TEg%Lc7qVCo(;h-BY~Lz73Hk zi679&Rd3MRQF3;N$0QWF%+duC!*x07`$GxYk;RUnH@1lJFIXLx7?m{9eES{gY!G`F zx&%|VZ-VY7L?T{ZizVQ8octV|I@?;du3a@;bY^nTOkf_cHc=` z=>Rz?DiPXBvQI|K3I>$FoJ6_6f|-FbqXzW@q+D1ux&YvJl%=35N(-?&enC93TZ;2g z>6D3gbezfrliS;!R|TxBw`}9F(9xKJ24j`Xmp~n@gv}dMS{?8!=$9F{eN08%4^S`z zoKScZ1bDtM)%9U33dzepdrWc}58DtP1^Jz5EcpJ(v`QPlCp`QO2}5NKYR&Xxb6LU$ zfX_aV zjE1LQpF)U^IU^;B?m}CNb>hS)#=Y}1 z1@Ez^MiNR;h-nWN9u@%+o~IMbT_%|`YOjr4kp9LM`9OQRr-08#!y%{AngHN#LWoYI zm~In1+XA)wjQWdCt8t{S)T9gyNH@U>qCh9vJqa4zJOH+&0wI~HdH7253yl_bTOrz` zUTXr$)sa+!1?9|)Zo30=e0*)#1$3L!?rEY^;txb(Gyr7MoImUS;AaLvMhG2LFNEkQE!yI0#WOTkiXj zTQzAP<=ld)@umEs;z1dXK6{Ni#WMkS+LsjBdQG{`m*1U3*>OAo?Tqs|!QDp1a~V2X z0mW&Vlb7Pa+g^a!#`(mp2ET;+M!7&Q#BONfj3gL3C!-#Q5&m%h^C@9GOI!oB^KOV7 zN+bYEG$VzWTdyMJ^!Kc_4~V~mME#WO1MbV%C#uJ1Ok3RA4lGKM3Gy~_F193fOeWH| zJ_n@xk*jQV>ARq5kw0Ht`US@i@^4+7QkL$OiUGF2wBHoM)Ju{`pBjKUt})r?I=BZd zoFM%q7 zH#V{tojP{B$@!3&1tsPyk)rdEq-jl)>fCk1WEB1QpWAAy$t9VrHUt6|y;5pfySLM@P{iRPB)3)=1xasX{?g93 zf=IhXTVq3%h1`Y)9G9MxA$7V6A91ft>eazG?15)aQVP(<2Hz?plTcB z9vz$>*fLOE|MaW!Bj)EBjo2pI63!7C#fP!tC#2@YubK+L-9$IHB=1R7oPo}pgYq$s z2{~Ez>5nE?=Jt!smp{60LHy|?;cZ-^+-rt{$2s#5q~287E}WGXEif*})>nu_lYS!! zCosu?(w30oqlX%5-RPB$w%1@1Ua=os2ffb$!Lp9nWN1OkNklmhIdvI|9=}`9-XGW( zq&HKlm=>edod^V|N*zi(K&Mao;oH#{qsl&m-VU-rgsr>-bClDN(i{i8x}$21c%HPv zTVMJR)z_>?Vd<;BDI^ovz3ced3|;w*NtI5QgWP)Q4@Y7HQqq%tobT26Rsqv9_FwqP z{Ogp79w_P8)Gy(CLiWVX-%%IP?cJ4l50G3VMaBVGrJS@Iy8-6^1F2sH_p#levy@|N z6b|u(pTug(B>WQ9dhZ!jMFa&SWATv!jhCsji3>_MJikWCA@0QlPzExn5%wLjbqk?M z!8jlUuw({(`SJ{$x_h@&!@eL?(OBTi0#aiW8U)#OJT#xSL7cBkQmje?B@ZWB)9g^} zp~s5~dM^PzX^{7sYU)vFiTaP}epEo8iA?WOQ)fZf23*p(8~}+xVn#C5-s&Ppba}Z9 z)~Y4FQOc!>wY?udJg5R(`5mOagt?^C2)m`P*<$S51RO=M%HD!Y{+Zk$Cg`|dY>lMx z|AJr}uz^^)(nnl@chOl`N9mV6&BpVq%d=Eb0qx#=z+uaai;!;?RFM{dRv%1khBa1b z`3S!WvV8uEw|d+VT$XR8M@$M7@!bB#i0+!%RVzpzGC_N(*y6S+lMmtV#rFw5xbHmr zMiGjLdf8^P>QbCENaq<58cukI@X0MNo7QF{b{XMqTd1bm4#{1m{slxav8ZQdQWL_A zAt{X868b90dA$D{T5|eTwJL%7H{20q))z8Z_T&W(P=UlGP(1Ccqw~vd`=M|t`2;+X zt2l>Es>X|hK)6l9VF6FtZH-V#ucdHimZ)ajqMskp20_^!DB2$k%qtR{(C@0@zCM6u6$vHS zxeqeN*_xS2AnASa2=)<#4KNEdL#Q8}v_6`}2JMf;T|ARX^9dp6gTD7mp5ZSPVG%?P zVCo+}IhB+{ON}pwPn8Etj#}-xfF@S{>lQnYw)-}#cG2v;^v^lq?(q?&-Tl2u+c_Lf zR$l^53AzHv!*e3qdX;>iSUFE)gAUm-sU=3P4G?FW>@IdQ?X;o;Q1IvY2yUTd%1J<6 z;vb;F5gm9Kacy|H-`OgOR~X(jwN@0>7_0(e?T?xq()H($lzz)^6WAp$CpT`So8dRX z=Z(sZ>hd64r;R@#!Q6ca$h!Z)QhXejD9>ty z{NbBS6jy0i%tqjfy#&t_<a7+XQ2Zi47bhmWqNP|3b{3Kkq((vObaxY&&~oRpOPn5)KrAG0E_Y06Y3V@@Z;5*LQUS#D zPI~>yv9pmC1?50-G!pl6v7V>=J9552_Bq@2GHz1CvndDYpCR4M{GI^BqCh9524SdI zkFU}r(gA<=^xGh+fK46{x{OIFq$$CfZU+(%Zpqwo7EKUy0MtMT;YqNcV)2|PHsZkX z@UG801Pj5E8hyR3WBpH@VsEuW`tlRS``AiBKS}V_JkV+l`K7V-PU7La6W)H)#bPRp z?`7qUrh-`}?_FOZ>$%J(Mt3|zWcnw4Fsn20L4N+LW8vA0M~^VurUun`Vcvc&-s;dE z(NBVgAbcbAr+Lg5hDO(ou-`wUEKa@dzGx($M<5C&%;LQdB!v+wl>aA7)bPUljbL;n z`(&e2{bfJb%J(GDn@|h86hPFWmX;O_R`ZR{`LNL?+qcdh=wM)QKuX|xu%g7t-EsIA zhI4rDetfXgfr06=c>(54Kk!K+I8in|<#w*A&8yNq7=Zyz9@aobb#L*7kqd6qH;##+ zkiP&n#cVHa-_H(g|9DS05FC;z&sLgq)%)Lo&}6K#m8KXz&W6*h^MZl`P((n+rg8gx zmN^72Za{$`V$+R72679mv6284!jcZ)hFammf>%sOVnP4U2hKIho+#`*gGea$l<6+o7uIwq{Dq}0U&O!fj? z9j+0hRM-Q+JO=2clGyA40(2BXASb`Ov_jDb?=0Os z7;gZHSR@{jRxFTW`&MbnRpALuGo&rXTz%{oT)92 z|MmKug8wNY85wIRNJ(}HtbE7wTCb*39zKF?ty84 zf-W765Cg3Xds~Y%=W<;0k<|7bOw!Jn5WY&lZ)75HAE&12`oPX)#6{q|C%6IeS1@t( zbps4TK+x3)BU~Fmb@7zs7TJO2Zw>nswy&PMr^!21Q#h5|OFJO_jfb^~a%sPW#=x445^L)PA&JJ;` zM+K*I!yb2Iig57z<@k6QO_Y#iefE{$N0CpUDY6^SLF(eREBJ$$@qGTJs^KdUwBo$3|`_+ru)&upx6$JK#|WKhR5n2%`^|Zuss}^hz{i zz)Q)he_x;M1$2oUR`uXRB_e}BW2+xYh}{f3g4kE+_MhBPP*CEE4pl>sDAl0Qv!m5x zB=l_42STUG@LWb}WVOF5TQ((54xI?1D3{1)MxyBVm}cV zv4#TNimyr52x(;G#HwKRo_cC5%Kj%99uyQ6QPndB8=(UX!yTM~Ow(4_W|6>D)4NF! zp3vV1TU%|^*i}NHhtl%-1y1bZ#;1fk`3i2WIF|8&SYZqv+2MrjK zdQT1TtIul3$y}=?&E7NAku?zygZ_+B7%V|=CKNdTM<*MFU;uNjzP}fSPU9 znL(D5CoF)_z4#f7GePFAZ_HU7@I1T4>({-?RyxN!njDeiwJ;G}6G!5lm{wiSsWD@P z#!+7m5a|a!!Y_$Gb0;T{(iphN=Ps%AK3wGUe`pQ(T!;lo!mI&9!=;cz<%g_SNpiz7 zgKEgPCBkC*Na%<$xCM23T)$g$2=9s4&Md!hK~;$;=LM8MNE}JNEGx_4PZe~`3i-mv z4QISnAQi-3+4s$5fU<^+M4FaBNM4B#9syZTW95YrZk{;E)ocZB$5RRrgsden^&^hF zJLVuhQrk)oh^AsT-y!ngOz%9fTA(SqfTT>&C#y1{GYdoTDPwQ1=C&?mH**L_J@%`i z9yNlJOhL2sIbA{%5}BVw4YHA71De;EF@n&2$u|hTRl}Vo=Ma8 zBc-ID4@l?i@y2nmSrLII%3{&ACzo;RY}1@#e~%_noDf+$qAxk=7~)yb`Vl$+pX_!guzBI#EqD z;Q`K21&*aM95nhowK}jHv zE`H#}B0SO}Cex|B@e2f@GlEqNgVHZcYvHbeG~Y`QbiO4_ZPBe#p^;CaxP@HH_g~%!oPS_*0i)e zz;WaWGbB^KhT&qNHm*wGuuu2LQU1KH?QUGy@hDGOH6+#)l2?KN@#ASZ*JbnaeosnD zT#QDOh~saS;=Hjs_G`nKp9$JDfC$~=MB-RRPBiGOZm^fl_~kKGr|GzgBhMSa1gDUO8C@wDVO4UgOSJ{ zHI2`10+d(YzhC$|GW$__=C1(?G=cTKt=c%UuauZ`qYg}i`w)!2qItp@Fqqr5HqZo= zmHOZ_Wh#1W&4k;Y+8nXOW)SyX^NI&{>`eG92dv8FzYQWKxlpuWnNVO)|0SzEQaZufqZck^$tmU^YstUB}-YWJdhaC&ZC=AXLB z;l(OZDt&*wOrONy3Xm3*V8P}C5Z8X}S%)ox*rfMw;Q1n!PA`N6TjA^DHQ?#v_2PcZ z5lkY3>~32`C1xdfQ$%#sp`MRSC(i5w`PW)~t;-bcp~VM;0|@ z4B~jkZ6s69%51_iLncPXlRWBLbtF6P2j^q=7iJ-PA9fgCNAZW%lJN^0Kl|2XKf}Xk z2BSVASO=54`j-U`DZA)fm@FoZKGl%Wt~{u&LX-bVXgQKCDLJ8z8BLm~#2x=003|J6 zBjSR(`22!1*HZ56%UDGr zH0y5R7-+j>LO0DPW(+)b1Mf#RwV9pA?Esl%$*0PuVZ0$m@O&2y%nPK-EB2QLU#p3W zt*0aCerc$_d$f1u)wdwY!T|hDjRYigY464u|%E@S2xQtWKJe;$BoPv{%Yv4HhA)E>)NRHdHIUoTxg7d8ubhjQ&8) zrSoA(6l#S0*p0hHJgVn*PdS{>)Zz?2*y4TWAie;3Hlx&lTu2sQ=qVPp*jwzlaQB)9 z5S!m7*lGUp7;`v3?BFusilBzTVDgT;?l#3+x#Ur}tYAp|h;ClY$juio(q=)$Z6?{(vwZBk372auC-|jO2Ib_f`x*pZPrV@A%rv|LddrIoJ{&SncXWi)al|1}L zQqmy&omi&0Uvuerr;gG`qwAgEH8Lxb>XvtFjIKSJ7KwEot~nf!NQZ#S>Ik*?4`uN%jwKXtna}t2--M`3C{?M>KjEnbe#- zdDHQfue>v}$(0z#wcv7*O9vs1T&=G@n~5nCqtase(vq$BX*Qz8ceZOdH0rkl0)HUn z(k^)TW9d)fmFWB&)9}6jY$HLtV!oo*|Mz`w{+F=wzb_y7|Njb`6^$Tr6!AJ@35Q6s zzZZX0Y`k2dg#w-z{42|+$&e?$3b|$d(!_yC)Dk|^n{MQ=*9*V|P;T^h`6mG?02T?d zJB9?rFcj%W2mhi3R1O$N92j9=n4+Jmp1LDs8g%c9;(#7NQ)Y)eoi0M__ zKJd}306_}j6!4`@VMVXnfn#(>hrg3kmGe(MSh-;-q66XwXlv9{dHM#AZ<7+dpSAZF z@kQD7FgJ-_?g%Q~KR)KiZpE65p?E>JjD~^H?s%U-+%omW8FkP zFa_i6PgxvsxuCXXu8vE()J4mwOMEG5uyW#PL_-l2%5{=UEKy06=xF4wuPbG*;%^?W|2a#HvZ5F`wdp+M7VC=hx{ zfUM|mhXVluPt1xnC?jg%E$`tcTtMQjQ3)sk=+*iFi-Ul57nCr}ymOP_$$<~Ju8ou# zt_V$6nD{QUT?~R31Qo$HI4Iyt!X`n-$@#aq;AY8@X&t~w1Xr2sc*J`*n48K#C$;h# zgdB9?%MpCMyu_zZ8+|79{=RY=KoCon=GX*7uAA-MB~sa)?%`cr+B@B^1OfLrV)E^K za6{nex5E#TT_!>T9SjU6}a`5eF9R};KpD< z&%JDmM}*2sNu}jMpvspGh&+>Ix@gbz(A-0(4X}vE>@srqc0a>aA!TdMwk`~PFHB0% z@FS^srt{IXv~FQEAQN_;5emnDU{W`Ee(k*IfL$v31A%wo3_Y-qCq(X%SYokQ>Tlq* zDn%Tr>$didDMNzPP{O&IZ_R#q#E;i(cUM!j*~-N*`#XzK=ab8zMxjmg zocTL=vMTaSroRAB^T?5!!Q^&5__7k-KsAS&x+%1@yn$Uhg$=$leKuV$PU#c*4hv%D zU!3i68iXPjcC9EO&Y+E2u-*LvhmzBt)D#O*ZoP9eO*VZDf!g1E2_b8C5Y44AEsF4f zu#w6{IS|t;D(3WLKjpELPfVI|ny;(KY;yd}*t_bVA{Adehn#C8Rq4N2=)V;r-wC-~ z=~~htav~on1eH3#A-cDJB!uyxdOVj7=72LM&XbZ;XpNZSCyz}ySzhnEV=T~FoPnfc z!3Yfhqa4g~VsQ40__t*~g1CYBo3^O#BS8=aeI`twIXKb+im+I@&V}J@=~#W$dw56< z3kDYlkmcyZ=6)FJQ&r=~?jpeDl;d$$hmWkk7uYekeDz}`gX}1QgEBC3)Zrenr>U=* zs@cDdV^YFG2Iw4@Y%1}A*DjXCrdaHl4-bAvLR^rtaP$^j0@U}NMB#Zx$Et5&bNM~h z7S6T#VHGQAsM34)R^oK^AD$yJ3ShjWNN@Tq3X@u<=cm6zufxWBUr9?_C?;*(-lrgB z-zsCsW)ORZcZ;OXG-3@s!Qij<)=ZVX+d)+wvpnNlMuyAM(&f94nno4Sn_Km_&hUX??Z zdQPB|XAPDI=ZRNwsTB^otbd8Wp0M3paTYW{39#oG%3{N3JlTG#IpKw&N7#RaDfg2^ z*%8#~*5Tr*&gZ4@9wfRGtdeZ=DSL~QO{f443-6%1ofZb&nuTJE^)Uz;kiKeNebH>4 zliv<4%8g@N${&|i$UL)b;NJ(Ect#hHg(WT<-B=Wz^k$g<*NsQID>YkEJKaMlKnyqD zdrRI`73Yb?ozCetQ?=ypAtBSn2-Xra*Cq5tFUc?<5Uy&2W2}L<620C%vocZhZ3aSl zfX4_J&6cPS6eg|-wo844n(OIH&57=OjoepLsICx1JQ_ySVSOW!92uGYiC4(jw1UHP z)hWQ=r<)O8&*$HL$SaUhDyC)_xIiy(_fviVlZbhu%#tR+a^BnB{)8HCLO5k{Fs`^b&J6vTNY7 zl3|*>@;Qi$1WMGIAqh=W5ww=BobwL$z% zg?hhBUyr)C!2;~)D8CjbZ4EJN9CiAi6g#)nUWd9UioKz=&b&c0evLxvsQFX%9RhXsG9~p;S3ng) zBPEG1&eLkCv?7I3F!{F?=aAG_+#a`FmcS5cwRt7uY~2bETN&qBA$Xf(}T83@2xNtT=X*T%ytlVwDD0F<;R~#^@2V9qsl)=!9 z5_#5Jkd_lJ$xm?TT_!TrXgDR-r?lvITeA7wwbbBJ;=W7EaKE^=I1y*>kV`kawI9RP zV+%e}f>x-xKl83QM&NY0bFuyz06tIq6;Pb&$(M0M2y0FN$KO%j1=AZv1fHyO1~jE= zf{{%2#z5ozH<^>SYOFsipfj4Fy@3=wZc`5~NlxeQx_ zmoDOT!81B)-0yzvY6hO;8w;wE$ecrm61&EM3BY69LoJPhU2cQppRHPG6Fz5x3Rkut0%jK(o8m@!7yQ)uKcnkz9?gI(B*B6= z7{c@3!f51exl!Hnf--|r_3=Xi;8(eac*inQ*!qwNgqknVGvUZ)QhAD1reRfiG2{RtTbd|;Ii0=wNV;1AaT!sjb2gJf z$(ZK>Ds2`-ja?+I0@1NF?7e3rQ+`9b^CI2+4cGo6WV%uLmt=um+*0}@BaIt?3#A$I z@AWt8stR|P4)I@ve}f*ZBM<)>TApEIe*^=0!f~$DBIPBqy&5+@oN!!TxQl=ZmL!Pp zslyr9=!(PoH z{_+A&is>3T-WLq@0F8fc?fu>9Toyx9%<+-pdB0~g{^4c+4jrYgrOd-jse=6WaWVF1uxO<* zy;|SaEi(7EFl2uQ;FlSR^kj;)k$m>wd>I;fw^=^}LO1{E>1Oica}=f{cWcm0P<)SW zqjj_m)6$?>QhYP~IyXaBRK#0yVj%|@c6(tf(U_wd7uX~-;z?lxtN+ddxC(Z#pPC;$ zb){etT0uziSN#KUbXS&qa`WJ18oSJC^dFF3%4>G-Lufcd<+yl3{<&qKE@4DC08xjK zt{EKX&^q-6euon&=aG_Ra|^gq^$@GfV0@Kqn-D!2AgC=@~d zPU!wG7`vm#l2{}oI3XLEMn!y-6DH2bFfC8e%|p_Lo&_8(>Vb`sHj*t(-Uc;D?xqAQt_h*_8>ZebtT&Iajr4KluwQYG8hA!=9{34xOSlxBEZb}R5@UuNhM?lHvrk|`aRQKiCKvFA(4-lLex#E3CD{C(+gTuS-Z)_e+$cE9*N1oDcgzXzKK zg1+j2Ul!k6JNuiyb!qQ*ole%q!nmvn();J!7geNt=wNEWRsD~;Xu>8~A1u6zQ{+=UxC|3c)j&)7mj&-+L$q3=iKU{z0t9d0mCo4d|#${#FXJf zP4c+%3UY}d%Vv(+&H`kabVgCoJHrIO(=;92Pok%_KVqC@TY|y0Qmpk(OQn{U1|(c> zCXcy_-~%$ZClLpw%j^BPU@}22H(C2|7Mx|e9!n}ogk57#l@2n8F5Suw14e{*`nq47 z-XT-amuRHu_@j-^jl*8UeW@g`r=9wNO@8J6SGzNVV`rpaFWV~?7Z*QaQYb zr6+KtKQ)vWiQjn@`QHvG!Kwh|%D-Bj!RNXQEOIG2aERdeK%+#$P0w7lVNP<8O8UahX1Y z)?jhV8gAGyKY*O1Q0|s3ifFYORZq7&6?@|G_S?`zU|UbB-=5FzI77LdhhIqG9Y9D| zX`}zTjuU<|%1KIYgKx%Po&$L8kxY@S)Z9$gCSm8Pic&}B^mLQFlcR#prG_Z-L#Dx{ z+2yLS98H^r##;BjeY~^__;1FJV`u=xLo-0T6D}cvT_yCwB~OrH;GT)R06mf7UA z3x7a-uQ|v`_2TcqGkpXr@cr;n#Wnmj2~h zUZ}5+0Hg!uei`tE;15IZ_$~7l=6er#hEIM;=Wn_5hn{ar&l20-72^CX34h^>sp{R4 z@`4R{h(Ye#TZsJI#LaGNG6y>W;VdjrDM)9;Uh!++>N*s$Fvj@glGQ?j)QD3oy3=0Q zuk}x=jsf}j<5;4`mP$u03GB;~+qE?{HL%&U{WZer$3UDNJSU(I%)DN?cSgwHrM!A1 z%1?o1dxOXQSIB6xLRN}X|Kyj`-tX6g-n{Vl`#Rojt8%@jarS42fI!L03x-*oHDkS> zVSA6nbDys(j>EYVqlfM@l`5I5T-YyGw&qd^#dKi^ zE;VcbG63u!YZpVGO5ji^g%6?L>kf&0{`v!z3lDA^h=&{m4|a9o5s?*+R43=WD# zidl4guV1K=FVCwT+MTyo>zlnK6gm7_y^oO$Z8yX3}h z8Bz2bBrR&|PH)>u&$P|S@`f92@N;Ezy}W#!+QW0*zLdXZgou{crfG>fE)ooSv-wSQ|r#`LhA1C?L1C!Q=s* zRnt#3fAgvR8Ed+RCU(A+^lkQn_S$QrZ|<=nQ)0KO`RSR$zK)K53fl0Rx|LX--;C{wyxy z!u`Gu**8VL*kjt=3WB+By;~_hH!W>hQ#(v-+^Y7f>QjL>qR{uqSP>@b{igLZKPYJ$ z7~{77l^2WlIdZ1m9s!LARj%BhO{P>_d;kQoot$WznNK}B4#q4v^o(yjuVt6T{0i({ zV@&m~>X7TCD)Tkl?EP9eN(lI9kAMOw0Qf+g2en;7benBH*D(%*Tp26i{^bStuhZ0~ zxgfor1cGzJH$oxSPS=CD$9;wkSUj}|t}&%#vNVo6m&p~<5!@(L zcRzt&kYa$|FX-w8`_%%JTS4c$iZP$e&mXa?x2FcW>q3&Kzvc;yjZV%wDM?o8A#Dr| zC!Qq9U9HqeL3hOHv-O>Dz?UjHAn_W<2Twb4V1nHvV^(yJ7vr^!`8aR)^QjYuokGtM8h`CAvT#6l-fn4!GE&q{kzgF)r zij#le2-U~(gopT_!pV-Kt#HYOObgQH)+ z*#Dn9cj~3ZA((za=m=MMka^hCmY=2&osfSaNSSm=rp}A1e17jmUvE%@t7qJmKSNWj zpN=Z*+-uw?7PDW{U}hsUTylTaUD-%ISxt?ca2X24Kh8Qn#=H`OfIEVd9c;z0!3tW{ ztwR1&;)9<<7R;UEn17!%c7i{f0%F9TjHv%8cAA|rSCW%aiuRe zXv`?R8{NM%bvzO^jb$ir0H-9VW+Cu(d3fP$d~)&$*r(%>LOU>)L#Nb(A4dDM&bDj{ zU*o?%cew7(e{|`d>eKYR&X(U~jl+}mx*G2?6Ba^G)Cq|BRP`++v=|#nv3@+!yr)(T zYK6X@9^grUR|wYfGI!p8-#kgaEYUOlVmqtVw!^J9WI&&_`pd{=u2-Ax&Zs*L|(*$DFx;muHB!dx6s1l~?lm+PwaRFe>+I7VJU m!Kx1a9I3f2-cMkcPiV6i`89rM*9)G4A6-oYjVd*}i2nhHRjYac literal 43333 zcmc$`RaDhq_$RD@bST}O(jnd5ErN7|bVzsS0S?_=(xTGc-2#%*2uMoDyZQZR)_Uh| z?&iXE1jKW8JMvfv*uQx3(g6_$e8V!TsC@bJUmE}KU-wA{ z(m5?HM$?Rm8^;_v9xng399Qc$jPqW;mXnhcdAOJvN~DY3?ATtYGfkvZfkZ~KL+W`W zBO}juCq#U2zd0RJ^Yh3n zbb`_7_`Ca?^^E=aSu`GN33JPeJ+WcjT*ZeP?YfQQkwz#K+I_argLN@1M4Zll!|mNaExe9-F1>46$;qkzG#f43@^%4(U?9iz;r3rRItd55Ju>bQ+Wur;G@e>SSsDH2 zHCZtK#-5XwKWk!(+tIH&({M0ASp@}&G6<>AC*mhgXksEB^T%Gp&1lqYD|v7 zXEzy6V(9N8ffrkV#SnDFT2eGLH1zlP-(2@{-Jjkj^P4yI@bF0IFhAR!$mO(DrW%pZ zuF~S)KRU7_eqtWWc&GcrRwsc{DrS=jl8eP!^VHsIMS%YoVuopHuvQ{6*7}rL5S0RoH3gJ{po;280rvPGC||iqbjp><5aRJ*685c zmD&DuaaUK@{X2*Q@p;bCT8BvcM-B&)r%BhrBhxq`3t}^!Rta%&cywYb;-)Srjlx^a zGSzQZYST=J+~%=_?@T^)3)@WO2ptBUZ;!}4)^t32Z4D;Ol&aKUP*G92AFpQ9sgUZp zT|aCN#NpAa28`h?HNzsHzrK(S-5t*^6pw^g&f@L*UirbT#x`)s%&E3JC@6^d;X2rE z>4zHM2Q^O!G2h@~yRQJ>0EDElRTgDVeJPpogH^T9&DllD!~SZU_tnwT04ZxQ%yLmPMf`cqz%!YlFSy&dFmI zcSj9t=w!l*>FUMuYA=>Bzp+!rM1N)+2@tN-Z%L_Gpk`+^A4xGE+(J=&9sEVNfu%6- zaduWStP{rK&cVy`&#vFt%|A99^B4vPt`BjQ1)EhfcvsWa&-qJ}lzpT_SW^>-8rTC?AziG=~-NiGjyB?=I5Jh#*7G3X9L*ziii|nzB6Ts zQ4!HmR^(^IwJ}0=`N{Sw5%Sa(vmE2BQU5LN-EAjZx~sGHsHQA|a{A+9$goZUllWha z(}{1<9orw_N4}U+Zv8C$%&$>rA{Ar0`ePyL2R)Mwj*V=k;>%GQ5;lFTXg%6fbW3oS zNTcQTyS#^kt{?A?Mea`|cA!hBJ#`3M_Qp;1(Y=hn7dx&uP`Co1%ie1~=drDi7ysrB zT{u;3$FulQ@K~tB89aBh-L(-EQRj#KkXtyfW=GFx#2`otDe|(ljXGG=e%HSdJ{3}n z_tl6s3lPgbtdJ?q33AM@EA?b@~Sa0XL>lofhoG-4J3HgI4@q z@di4T97WwqYmV{|T|~0*DZkr&I?rid<8HXDjCu}OdwqUs0v5|Rrh!+h-f`oJLkzb= z4?Shp8G(a^zh0r>s)k98CQXsuD*DTsvj0^q{~5wi@*yVUmO%JlqFhayj3lB9yN0GL zt$}t)uMqgN}1eBC7HK!n~HTv zYOH)QR?Ce})c8q)Nj0H*BLe%W;fAtQq^d*vYC)$40X;i0=mGAka z>|Dc2>NpjYz4|yzO~r)1rfxHhq!Ei|4G;DvI@%;!1Sr1TZrZ$Ne5GgHb%K{@ z!gAQtb~zwnb=T4(ep&Y($;an?yGCBrs{OWf&nZ?V59onRAbY3w< zChL+a(*X#zqYo1k<}w@HfHoFm9O1iRoneU0-b^V*bin7ITMA;>Z(f0xq=S(T|7g_=XWUHB&_8d0hSuW4nM9~Gibb` z5kXym>?9Y93P)g$0t`X?<7NT@l~SSw0U9CKpy#R>fF(t0fi{MIH|By7#9!;Z|2FN) z)(-Znygb10r`rdx$OKMqMnZ1=ROvjU*4yLZ-#pD&NnmVHk@d!+Wo|N;BgXoG+@y<( zD)nA+Q92=RL(wZAN~&%|=ZM+Q2R~!y;_TT=p>lNPA#z(KI7DB?e>FHvjM2X0cijs} z?6YxU=7}-eAYApkvy;m-Qj}Z&WQ~W@71=n>@T&1N$N$ljyAK*nwT^x~SCL8#qt#cj zA>?!brK<1Ys`IC$Si)Wo=fxv`Do!;hc&o>3Ffm$0;TdM!ElTRON8z;AX(s1MD}{?g zQW9{!m78|1FvCTi?J!mF3XA$ik?{sUg$UUtz0i9*`9oRC%T@O^UnrFTogB)9;5jNw zGF<;akt~PX!EzHPUlEw4;r>vrbN~b_aQ9%(%`-BRd$yUBo5#i&(<_BeH>(>zZdNs{ za-fBVxOBv)@j6jbGN&_YRT?qKf9ynDu2qaB{;JSfnz-)lgx>iOK_ZKa&n6lZ1GnKK z`&z;!YJ7&hBn@Yyv9tVdrL;>myM7$05H)ii!9@sB7T0fbH*yMvZk(U>%U-s+V=da% zI4d;j_uHw4)VX&FguGI8i_wE8fp>Uw30%M7aH#^>>VMHBlFU)X37U9S+59%Z9SF)# zQ*|OAB@BkTOTF}_YVv;uooLEsGKA;OPtF+79Y~6>DXv=zbs7_{AW~=Q*Rv*L_OEFP zQm>qGwZkisFB$vmR+Mw=h*mlizJ5txWI{CWx-L<}22a zv2OS(6?~D)_ApHxwp9=`%Nf_{-U>Z@cA}EU=BFY@pgjI7q|2PMUPaN4Q#}tjN}@%_ z$c6LNZ-UNAV#bsoi(tnOh}U21)a+=iiH9N&&2VRkzI8Ovj22h;o|d$fb~gSMVi~r~ ziM=k&L*|`fL_DnU>oW_R^TE$58Z`6ar2KGddQ;(*g2aD+<`TK;J69;JvEFuoZbG9E zp!A~&%O5dU^P*+7r2L8<1ESz~mJiig#2l1cDHM|_d>z`tJ+L&@XIEDPJ;Jwpg|_aF z@AV=ohErK{`AW4>LoK+sBe7J&(oJT@vgIt<-soCfIx_K5ZRX5DExsKhQO+;H;S_a@$f zZ@y@ji)TC#4|13m)Fm%up={Hd#K=}w@@O$M;G1G^rZVYFs}-IXt0ML3IqAn={L~wQ z+s4m=E3xoZr+bIxVuZ^;zJ3LOf^7z*Gg@Ajtq<`9Rv`Q7;B1(|54$BTQd08je+Tn) z6w;<+wO=ZIp zcM12li(ie={^D(DezZiOx(R8ujWc69w9*ktBh2mOmO^IxgF3Q`Gdd{RNH)c%MRndc z9^lgt(HWhij7u6S!ceRhl(p31wwerJi07a^i-=|>|45_JQyr9zH4@{+n}i^>;Rg3D zJ%`-8zphUmAbakYntd?w^F=SH(#D1kUklbYn_){uVVA2FhGpS2{%p-$uxq(pio#)( zhx6Y(Pfc_$G&<#3^(gfE_ox4qEUlWj_MNy5F|YAgouoZv+@$S6iV?zj+E;LH10_}I zM8kvUSkq9)(9cXP(;-C3H{9r1AK0%p+{=DerdKzY+$e0*^L%7U@03rT*D3F1ib?Gi zdtKl}RDWmDmB3&*_P36I+j#uDYS_|hYl61+hWvtg{qSPGOT)UxLahADPMCXhef5A? zqC3nVD7^A~cOTM7EUHG7#n;D^Qq?<|B*dF3^lU6|J7ejr6L=VAN|cCZ70zDGdu{#X z_>Boaelm93)HWuJc>T947(s&>5?OzEA%&zEjns%*V!%YD8qoGez-03pV?m3`;kfOJ z^jDY-740Ug7^(W$MV&_mx1D^iX_8y_o??DM#o>iM5hi{HpSmD+eSf2)OOwm4bk1oe zhTus+7LH@IBp;Laqci=)3)#k>RN~{4vMsCfWeJB3h=bP(3u5cnpq*xj!+CTIwxzm-h7tp(w{2=J|X%R}*ffUs()^sOi*90f%}@+OjdJ_~X2fHrlWu`*5H3 zSgw+6YdGV(aM)zD6;~B^zwmT2n8g`IPwHG2qP}i2AtQeku$U@5LQ%M*Iz8WgD;AFU zF9i@ZUG124%)s8mg`chQzw5Vpy+(uh-soli9z*DSkG(U#{e#230mh)&_wF*0R*AC9 z&ct5Dd}zwWCEbatcDxw&LK63_*}`1iT@kEy-1}c&-ZN5NVKgph`6~YTWR^woj|jn? zo8UMq6W+ya!PX+c+Xyi8uN`50E<3V8zE=Qbr_Ta?#9214=Wkq7YJHjk=6qM=T04)p^vH6rhLp*c!P&7ob zl~v3N)X*;x2#S)Hk_FDITmDjxK?0Rt_|j5RY(eq51FP_VQ1&O!M`=gdE~PWjLVVMb zbbisN&2CeB2}LZ=io%*l(AMVMVm z8YL z9^QA-H6S$D(PaqmI=ezBGR`O+ zfhfCX;&>)&mD8pM{M{fH`OY|T2BYSnWbJ*L?7U@cOa7`t?;Te{It>_By;qm21ItNSbEuw^q$Vw77e7?;iU#<>*?j^W_P-Lfhg zQ5F;jXKa!DUs00Tho}`w4^i~ts{#FCyZxGIVbj^$#DC{Q4ozdXYi6diS&#rEAcw1p zlM+r`dF8hU(_3>p^94+p^wDocr#2WO_l~J7`i(Es0!nkdx%8s5BKE7$%l8 z^Ip#2v!CYsP^CLck7x@GXLs}!}6dIUrt#@-B5SxTBeQ@ zdE`~1n$uMHP=^`))nTo@lI`*k79O?nhdvfTUXfgyOW=9;qixTk#-z-v(pD(b(VEn~$ckd%UNGp_(mIEA)SQ=qpNNvqK07k5pzhy2`ZV zH|U=Ua*#4^fS&Sqt^tza4ddH1!b>~tJdIN2i;yo{$fn`Z*ihDTCd`=O!KATH*~dD+;A$w5X8Y8Jpcx*vB6UxKkd(qEui1jZc`Ay>RS?~{%Xrr^F(A`_vp<%AyIUtaTfiMN&fu!2*FQ9*lz?2G zO+D%i!GHU^HuJo`R6}%?Zi7~tYS)uPhYzhnq57xJVbcLu8RqsU#P;@f;1rOuoAd(D z00DzkuTUE8yoy~X`{d-rX|sPUlV{?eQrr{k)YOzMLrk!Uk$H1FiG&)tkPu1D=c7+@ z%E~F>75%42J1g#M`t=rQSKnKsu4;Pa&EAqR-Ng0m{Jp<9&)3-+dG}~8DJeNPVmkN< zY4?MUoS#;Bz};v%=VHC3yKnI5(?}#19WpLcn(-6FGA1VGe%|M%VB^i}sp#<zmOl))1}*;{|$R16Ld+N_}?pvr{B zzvOt@Ip=iSZSXd{6QElt1-tIdlvcmlRp(DX#_PA>tr|!sWcMq^b3-}MvkXlyhZ$?q zKK|Q`6KMwogc>la3k(tc-R*np4c&|JeK67E*#h(b?${C&6T{JnxP7iq0De2?dGzlH zhz)E#9~U@UYM40bY6r_He1Fmtjmyjdsp_9oIatw^5Wj8^p;;N6|IXZl?w*2 z@3Tyx+vVRC-S+*HurN8F30k9zy(vVI7A$^2^I_~D>&@?J z_dMT8uAx@`{J83Xv^((vjetY4-PapvZa_1>IqAUwt@`cDidrE5m*)CqjDmmO1n*LB zIq`P~?sPp~^$<+tYJ)>=k;v1%OHl%sGp|W+ghDC{MfjlG)!&shuLI_JR^L}i4xovE z2GDrZBy?d7q<=uXP74ku1`%iPCnYeNgul>;7i&K^afEKTXduLK#9r>t>;eG|iezkT z49p5k)nIru=o)*;M9l54T%im>PmVtPk{h%`f;`x?4X}fmb$=YrmSgqkwRycuJ_x@8 zUYp_E z*BAnWr~0UnCRMUxkAZ=aiqMKhr>qCS(l!M!286sXFV4@Yi1q4BURh#cVZFh>xd{UA zowp1aI>inVn^9+xTq0sBryxx6IHgq7Ym^KX8&;sRl91>Z%j58k=88OhC;L_m1@@2# za3Xe85+-+>KOd+k`xGNe900?|w{R*D7NOv0K?yz2pVa~>6!_0qEAAL%!dc`{w$!to z`5*-&`ARuPY}4>AX|eXtzmmV(%vb9*K}q0yShXs(>n+Bpf%sy7Bc=FkXZ~1cXQ(pl zXcwH95;$(!C56!_f@#{Q)vEeP>^wX$fPh00crSR;3A;U#N~a{Qx!bVj$LSyNnmwiF z4>`KhV%SMuSak0Eeqw3O7%GzNk`*KD6Dx#=m>_so5K1Ytbq_1)Ft^bU~K z?TWJGX-zJ9RD~%h0v`fzyrofp=(o7Vs8tuA#}e_dXq2E@i#s-d^Efq`4ygynG$Hq$ z{dAGs58Fi+!*<0hRWbHgMz~>e@%o_1U6M&Q9Kw&16?0JhN->nomy&(}qNXvzblK-H zx(RT!ccMwGn1q6j{oQs^z1j4 zL*!ci)93O4dGpg`-b?mv;B-c!N1`Al&``gE`wAE}6h2AauRbw>G8f9wb@Bc9wKR#E z?-zc*dtQDouP1AVEN}E61qD=v_KQY~o86yMsUS|tXo;x&jiPOm z?sqmn4_Djn0QTdw`N`BP2R=J+!;(e({myqIrZx{A1;4uDCoI((!?IfeEJ1B(bhyLn z4O=LED3|B<;pzIlS#O#=zC~D_O9X#^Z?Eg0*>a${-qT!HYnDTuZZYU-@zm+w+Dk7T z(kXt|0yUk340y#()Z^LowE#*%fpgLar2F(5F_@2(#>5F_1X&4GUlva>UY}y%xZfJ<}ZnB=r_Z;bnmr)%q>%_h$;j zg$ZI}Vtb6~1fqU>F-}Hxf)|q#XU3#IU?j6x+b*D6D2VuN(43jq{|e3E1~g63ivT$S zy2yqze-kj)z!&)uTU6c)TcDQMBGM{lNLntuRK=-s;d>>U*FqzoBwBR$??A?G_5}Dj z3NF=ymKKsq`uSm>=DrXhJa4g*O(j7d$92)oL9|KK4Yp;kOm4gTED?>)wTK8r>;mAx ztB2(!2C%B+2;#Bm(HpdSfSDMiCZyVvd;@BzPOVWFaA64<3NW{j38YaNHOm72_&hya zMG#Xs06bF6?WO!ck4r(K2Yyj18dp#178GcvpFr%!Q3u4I2hh6 z(6@a7$K)Yh#9vr9_VM8kD_Na_C=~P)4GM1Ki7rT>30yBI%etVd+38n6v=0H22ljU< zJpZVl3Glq}1wjV_wQn>>s6|Z~Bq@d@r6I)S9jJ-Ph!_}8rvqd>whNurQf?T7Cm=WA zwL&-jJbAQvB41Pf$;!(^ZzyShe5`76-llw;tnvJ#okRlljFgm=oE*qnYAQSq&*^6q z;^)vsL#8f$@!&2P=0p~s%k9Pf-ky~!w$l4|pAk${ZSjeT508(JcXvOu``mDt4-ejj zfJ&dV)K>+a2AaUpYMa2^O`k-ueDW~JVTg(bwBj+?{5GdS{zhrie`*(IUsOy-BV!ON zkxBNyzF7k&-tO18a@Bko-W)7B(l zv!!{sb_TrEVTb=r!y)Xuw>&shL1HMe6#;)tKh1n|b_ekiJl=HYYfm=@s{rIbAE2~f zoU?)HNRJCIb_GNcG~z$MzT2#?J^o$Do`59EVZ`y{`LXnE9GExJh@}7F-p5sN{kR#n zXxXk!&eZD-#8+?({wy^(gsJrYhl2=pt}0 z>ILKTz=8*gTmd)+Fs#OD9qAW@-{#0?@Yi2?X^MoOI%;lQXA%S{`{VR(P^v1 zbvT&3Nf1z`xw*Z0XS?9|oS)%)UY2?Qg8r_w@GvorYB*3T)h`mE2`P08w`D!Fd_@pp zcDnMm^jpAZw!HImx1P7`Yv?evb@v$V&PKXS-|lxGVJuyyX6Sp|EaCMo7<+TNQVGR` zd^}9K${pnV4mM_6oUZOs1NTbHzSUXsDNTZqcSiQ@5d*ikPxGeXmoc?fv`S$uUDscK zU?Ek~`9ZHXH#bd9O}CQ(JcIIiNXugo^Qz{HzuN4y>t|_;${0U7zUKF!|Iq1hniu3- zst1WuArm}zHfgn6xGyt4rxMY}Oom!`JALYvPEDI588=W8@MP%Q@bH}-Y$BLu!im29 zXO;DkueM7`sm^RH{8Rk#L4^Nc)9%PS*RkK<~(bikOWK4KM9f z`?j`o^stzL-%oEwxK%^uGU>Vi+m{A$vqM^3qnw6Cc$sN_G~-8c?F&az&bQR1OIO)S zb=Qw?R>M44m$25#d;dHFP&QU!I@j~IxN^k*xWj5VPFv< zeGYD!!2s?6s<6t#t!wkxU%T(P<44!XFduw;E8Q|*z4>=u$6bN1UGE|Kui$YJrZSch z4re&M?qn>mpoxHtzgE|$t;({xXn>}AX!*Bolyz_9@+(_-s{ zbg^Nil7l)!e7*V~+PX!BozFfLVZDVq4 zw9;Cf=84~&-+To7&ic}Djlr3p<6)#&P3+NNRSV|B=1@)QeC~c`&zm#^ZxJol5La8< ztTBt38VpTPhs^+00v%k)_tw?StjOt*)R+I_pD?iB($CzjAD=JT2~9` z_8}o51Ek)gyyIUhMY1McuNRXfGv`jF(0C#xwxHKnGP5yT2%ezyK*%{*RuV4%aZCpq z@XW_+$Q-?wM;JXYtThu}D=I1iX$9B6%S~2O1=2{*K=9}0(DAw*=tCYJ*Z(C1nMPL3 zgZ+Fc{C~W582CU>{(&cSQ-aOPOqp!cklSH^2P@&&?t9p6UZH=9gR%_L#HMYs{Ehz% z6&b($IB-;=@K~$)zkqsjDZ$9!9MBr}Dcb`y%W2UN=2Q#{)eywD#1ZDJ>2(&Bl z+(2$*EKR1F+(xjjLRm;O8|@he3ReJdKU!&N01$cF|9^Vf$#F7(={}&h)U;h@`1G?^ zxcpK7qoTXPO(NHdnfmuO`Aq{#=2#BZ;9dJCF_Htz2^?E(kEI`W0152_9YI?=ZR@$m zr-$wO-x6`#FE;}GyfcNPR+N(iIm*bWD1MIKF>sAP zSG3ANrv}s@=SMa)3hYHs=X8-*xZZuvUOpMeGUU1SMi4V_zbwWx0?_2-R zUZVv*%FD!&w)sE#ZIVZ`0sUg7#hnO&XMCzqrUQhDp2MWq9m9a`b$~!9fEw`@1jGVv zif3S#{}mOaEe5Ds9b^H?Ku8gtg#THVkgoOy%k(Ps6S3JFusF;xjxLf?Qb)hOGroH_ z$NN|VO-pNZ*&V;W_Lyc02I*7zc2FcqA_j`MXlTqQ^Ta?*s;5$?9&rSbAqLBS{ovqW z`*W#C5F|F%Zte?CwIMo?vwwXxSCCtSTU}j^`Ss~L;lR`T+5o;g|9VuAn>v41YwpiR zR6u<87FimgNHG2X(vV;!Gp|la<5TXfpJFz)6)41q32bE#sM1DFJ2=_U8leHz}AyfttXhEVtI( z-Tkv#UqQ9eeuZEBH%MxMX`h&wh%*U^q*KmXf2$lC76!I*d_d$l-doK*FoGD!4-j-! zn*q>wT7@Nv7JuqzmF~7DYx;dLr=9|x|IKzPfVs&`I_ep0eEyGu+nHR}8^^~g=|H)f zMqV*hCE~H~6~<2=c@8^36pdu0QC^UJ*S8TIanyIswj-ydLx};8URG0 zdQHy0xBI1U-n?m?0!ow|YB;A9wjDQ7Uw;fia3Zrt$tZY>(>ROx@Xh{zAojM@OLOfc z84cZoQ+{eWZkO09N*nrM=o|X8fH53{EM*Y?9nk--GLT|SNH2nqZpx+zLqu`f+@O}39A70UR{hWmw(-2|>Z6AC_q`5~yPGD~}xz&hN{ zzX00*b6zBZ{t0AGHnxX~o^t&kZ@^-{)vA=u_Wwtnr36bNnxe|U#Af%4i>n;OX0?yO z+{=h1u+M5DyF`&7JrsE(3NllQI}gKEb$9kA|2q5!3_9Ix)jSf_6!Z{PN(Fn1@ zR@Z$@nsfo_0f;fMK4%pN*vJbl)alQk`nS_En({=LGC@7QI$q0FtA&|51fPD9z6i7t z2GB;3l0n9B6;x=j6E^%a-`PmhuHN+F8GHnL5(}{?C8bJ*R4^WFV>mRx#w8!5G3o9O(g}W)Py_mfQw;4N7g#^*{tf;n%V< zOa1|!>$57^w>oxk_@er5y%K>8w;h8BNFTmqP#Zx3&Alox(a} zdE<@(JugnjA z3roY%4pgRGj}4^T{=COOk=01=*;y~(tfI$W3cyx(U+*Hl_dx47Q4{X}$5P6`; z*a5}#^cOKSvV|HIiX3Tik~toYis*WIy!Os=xoD$)MNhC@+t^Jyx21K`cj`sH{$hG=vaEBH$KN zQ5(7Ch~ppFvp>h;XJEH`W zbsuUBTrmsTr_9uuy9(;_Ol#FKU7WNe3DfCvn;dcLUZ-)4xT>H(!Ee~I6e(P!$4Y^+ z#71(18uebrvMB8t4+9ysPh|Lx`OPfYU}XHRh^b2GU!Lu5Uy$>YECWZNSQG^Cm2(6= zZ_doA!^@(xfcQVq+spgOsagEK(2DvMB0?m&+B@{q z1zq2!khDN3vh`K-Sj1qF-~4z0VgS=%w3^higHDRx^_lV<8lJ{%s9lRVW2x-KFKCwufMJ5o`%W^ zjUIynw@V?nY3OXDWbhkr<4cr*g)I1;Q$nH3(Sd1?&Ly6%{jwB<8%XA65wNG}>-s zyP%V>)WZmbSvUfvOtRj*2%Jo+w53+hdhAYBC^@!ns|UL-?mm1=A~@TWJ-wlWf>Sxz zu$Nd{K=RW;uVeEa&*Wj1xVszItTA{19Bo#SP{XLfMhc=J*|66SIsy%+pkUTf61H2_ zjH19t=aPN+yBFs;ivSCZjPzK%WW%a{eK<`fSJ=Ct7d1t&wdmuK2P!TSsJN%*7PeEM z+JdgVaRIEq7?oq-0hTIfM^u1@LjNkFY?Asy8XeTh^!WIAVDA=za{`oBsuCm=6e_aF zf?wd`L_tZ}$a0el2<1n<6$A-c%?Mcqb}V8mz;D*PkA=q7--9N88{YFyLXI4bejCV- zD!uo;SSr9D?pj;Rg>Ge1U=P~VxxPm~o$VEJ-3J=Hc>p~D-Y^6FbfFB!MGmgDvfh0N z5*Gg1vl~>cF95e0if2HccuSCQPAQXtD;2IdXqFp@|60AC&ZzZ6wVv1y(5-xLMytyc zo)y@T=Q}5Up%Mk7^M?Lyz&&!U0XJ24Oy9q(SH&m|U`C`F!hQusKS}*|a1z*tk|;jW z6y=sqm2T2(H~w8y97ch%?XY0avcvCT;Ua#Bp$=YFZj@d+-ffWwO#bfPRN*LtT{cj{ zLE*A6-j7Rn3?+frf(}Pc(KHu3BiBE0kmUnG$_(Zw%q!$90rzoUbv+}VlbuY5jIQP1 zJ>lV~1VPiA-)VM#0Qc`W@8Yjd%sU0JBBXBmU^{{8H=aN>0Oab0(D;|zbUsh$9u@j98XdKOxl_{J)2rzg? zxp4e|ge27v20YwdbzDpACWWESU2ylOWCPhmj z|LcBRA9JcY<+FDxB_&l{Qc`k%H1L${5A)kO9xKT7ruySEL%noHDdrLu_5-d$sY)*H zJWyeeH#dVZ@k^64gGeIBEEMGBo1M3#8XB%ZBLwZ|{btsGeq-Z%b$NPso#Mr>x9w5EF|>q-O4)Dbxpnq^_>c}NRQj~j(j@(_hV;p=jd)=+zbE%6kMjp&pK7vK=%9fM`k|*Eko9dxVb;R2=|3VuC$XV`fJ{T`w1!&u{s;q zb$V^Gy)q;`Iqe>Fa;bTJsnfdcJ`i(H)R$x5K=&)g ze~7?ecTB0$K&zqy@AtmKnqfx$J4hD5!DbUV`hGLI|MP!Q6*Dj}0OP6Lpsm^I5J`(f z*28@~Isd%c=h}r@+-&P3Q)x{RdN$F`zhNtmc@lYij)UQXY{;72Kg5>qL>ZR$Pe{%x zQd3jZy5p~p=gCGMEJ|zLNin=@4Y(D8!soCn+qHC|N1KKP1sfzHS?VCu2Hd87ItW-f z4g%oU0}Kjg>~B}D;*GJd;x6kr-tfK#dHBR-;?U>tEQm6fpGC!8NQC}xxloszL!rd8 z>&ECLB=i$)TcOW(qkSXg;~qf#M4Fr$E{6Hhs#~OOpBp`8O~+E~H$%0S8Mj;4%j-vW z@iAt^9^L<-WaTsy!tb{S{HbMYYil(%HD~GPX&@G)5(f~DQNQ_{(>ix%98LS<%(mwP z@}(8#uR^E27(5hB#y?N9sd&8R^$YW)^29fi3lDR_6H+Bh%$EjZ;>XNSyFA;?J;e(b zV={?MZZeXe%vN|WUA-ZC!il*f4L%MgH8m{C+Qje7_vh|?l~Ir4TeRkk6uz!tT2hIB z?_FZ5<5qxf@(8S`X~=x2O38JnjYmft8#h)|jLA}eo+<<|Rp16C3P>UmH%321Z%<+T z9M!5B&4szqnHNO)(f`!UlYctNIaIfwY=BmCV{u)d$dbjEn{nP$xKYak~7o(4K80ROzX5oY9>dX(Qu{n<<0iM zzqdy0e)vmhK5e)HWKMTCw`cSB<#x|9kqgk)X{o6fY#}d3e4*-0y9LvKQjysp*>HEB zuMj+Ex-%%Gg2dY}{Pb+^Y6}v*wpeu*SpOVMt1Oe4B)P^mG(Z`fEOGAKVl`^8@0yD z-g5-sx31>mSu^Z4T)84U>*hz~_Ico3ThuMNz~7y8+#3bdaB@EfS~$=qWUT>21d(zx z;>K`{0;BKt!YO9N0+CAcadC1L2Ft8tN^>{5&Y>P)<3a=UYvyPBC zaDJs;{DOTc;y!m8DraB-VWs-!p@XGyBv*cU&*xL!;dH%Qq#G5=SIqS;`G?^34(oFT z&IN<2(r>v0k-Zq$tCP#G5D%uSN{{+00#x#~UT`b^&k*n5)va-W8d)N_<1J&|1(EZ*i% z^&)yBr`a;V$@=!O3dAp*<^R`dC@?$yX#A5j?lJ**SYJ_{+2R>+XBcIUFIHq}2qS{RMJHxXL$r?e403CV{*5JSL zEXqH%*J6vYjQ%?B*F6+vcm*>^E1$5>pYHctp~su%%!Ug!_T`IDCL|#`lck_MymYqJyV!vB{F61 zTD9iBdvsv{r+=VyVdfBWfjd3q#<VEaa`nL8hk1`qe5oz@hhWOW^ z2WjTUq)5<*`EP26WSc(KHg&zFS3bN~*Y*(Ket@s!Q(0Du*1lPv z1JE0V%`gq(FTRnQ&oLH9g(7T#5I|7mtKWlH<`}s6&6$CSj(!P^3ov77t%UIKPn`;g z$#i}CZnEUE%bLUM=`}E(efZ(|`cx8O>3<^ru9jT+5Rlh-?0&fdi5ZMJ)9(plV$!e_ z929i6GZyXh6C}m~Qttmxl;?IDDF$yYrS`buaYpiAe(h{c@_)XyEdKxawL4LrkbuB* zO3v1nDIA2%p3Um4W+_x+UdOYop?)zfa3{STK)PrA2ysYx)^mZ-#Do5o>G=j52xr9x z6VcJqmH?;?lJp!9FhTZMq>0l&+589C80qmAkg#Y61_tPOd9}yA;sInQ8B1|BGRo`d z=qPe{1#XRk98fK=Zhd@xff%IK>}tJvZE<>jewP_o$ga&GBm^$#zgw{V0TOeDZC*er zwj>6;xkA1fNcYdKZ;=B`%p~w7Kv0EX;8|-&0##L06Z=g+$lj`IJlp8hYoET$cLz^S z0`Zbs>A}FD;e_BHh(+MC=vfhaz_dOAo~T=@Oak86IP;9>M;lPLw9YOsxgic{+Kbn1Rj6TnWO!FdT$S08)n|mBqt|d2Z@Ca0F`1*wThLRXG7BcYZz-m`_ z{qNc`HRcRT47hOPzCSI6j)L>HcMS-uAU~7Q`114`%#Y&(U~#E1&(C!Ltd$J_IZ&il zfa(Mu_5h@=QNRv>AOIBI=Uc(uivY9HP*eL{Ov%tFq<}1iz=!g@+Jf5R=aHBlZQ7J7<~lr%!(d$oxlXz@51=aH|~L{r)`t z@*_o#0l0Ake0czac>(GLZVM2ka{@9Uz${54KLlDs21tKM0F@5ccoAgO_U_{;B)}sb zWW)FE0B|Jry_f>(+0dkw{o+@1*R)T8UJ<_t-mH`)0!+>F=mj>+`wA_Z?h;2pKm8tW zEQhgL`33Iifa7AT)eejWz(Hhtbvpcf1s_4J623d+^pbiR7OZMq+}OyQv1$99MtZtG z2b$D)Iwu|2n}7+ZXF7so2sjqd^!08P5m|;q*vl<}{xphRp8}q}KpQH*GoBqSw}@Qp zc?;5rk*wh4eglucxXlHkp*3Qmu?sxCk`K^?L6E>y6%Y#pKq0=ouYiz=w1aI0$Wr}V zd=%f31yE0b8zjk2=nHc2L;2^Z)b#XLK!9`&jvTCgMR8riN7(&^m}3>N-(1oR8lcY0 zqHWb)J*Q^)z<|3SU6Z%PbYm(!PB$RUkEy_Q?r*UeBcx5R=J&eT1MH8DLB9>BMFLp0 zT!Z1oz#w;1VFORt_%Gt%Avz>xh(rjFL8|BlECTQzBBZfgFEzkM%91+d6%g0PjCdI@ zTC9q=Ol)2Bx9w`xCCMcp987>nlem;G>jp@B789hmR5>sso);o}_bAur3<=6${gOnA zb)U|f<#4KS0PMAs1EEqWX=&&q5I&1O1mtDRwcq}!0O~e*AoZHdgb-AY zMum?ecDVhd8>P{7+6uopLNmT!#uQ5)1ei|2U16D_K}r2dI%Rg;FctKKNnM9Fsc!IO z62jti{?Bi%hbQgAqzQGzC9|atfma{~BbOKP4YCZi;8#QewkCmR{I||+RAiE53ERO4 zS@Mbt0tI2a8R=fqKj!e)<9p^~c7;+1obcn0~%N^`iE6|5*1!N0< zmQlq*Q%vZEyd`D$TC&soc&TegK~!ppO|JgVm}McCFZvz{c}$zP&r7;{D4(?Y&q5v5 zFIIDK>J{VF;)F<~IKU-|u+-k|Y+>Jz97w^F;+QyZHOap`XV)?UwSIpo5(SSh0ndPl zI^nYWh5fnf4y)(8^$dIh71jrXa&;O8YjI&`dTZAp*>9jz6(J#)ts!Qc`5XAc|a)-L#Y|#NAXvmLe z)bXk^ClDZ+;AOEIjWvHyR}y>(EQee^ddr65RmcS(0hcSs9@NQWTOoq}{p zNp}bqDUu@HC7>YEje;U2An~5-`RzNivw!W*?Ck7c&y2$Z_kG3rp7W{Gd?zO&DGA@d zp9M-OFTpO1*3r9|&vYbZWIo}{+mVIkB1*YZtl#jODJ`mIuV5rDhW4##7ayP~q!~<7i*fMDd53_JJ3=-}aH}06^DsfFk_NeMa z8rtx%cdhBk-1>}u%zUkkJb4ZZum*}IryE0t>R71N{b$|#>qE)6V}^{e6epr@D;K(p z+`7EHL_t9T7j=^N-K{$r8n=L&p~A+)PI6vsllpl>N8er!dt$UQ0-bwe7f}m(Liox} z5>Dn-uZU}D%j4{ip{CMQaFi61oXK_%r-%#!`FbA8X8x!fi_n9fyPxw9%EFC?^)nMz z=jeVk7QRGoQffmT9sF83R=v;({Er~;B;1S`>v;w!@I1S}6uV2?zw0;dt}|mk#pJ@A z$9z7+h5thh#S-Lro>;R5Vtt@=;^3pvC1zw>M_ILC_ox=) z+$FTD;gu61$6l`r3i5GP5520PS{Z8+3qvTS$gzq#?A<$P2tnhj?UH4 z@Ym*!1!wtt3@Nb?%hGQP+NJRimJYRyJha5_j3}O*a*%$tVe$ccLt0jsxTm}8_qPrd zg61Lx^pI))C-lzkepzR+S3N(!ynB!#h8KOlw**{*d=lp4y{B+&rKPYo8W=x<5mA{K+U-^f#dxZJ50N z2uenL2CXJDB}-zHiN=SmO{EWqo`UI{T);*Z?g8iywOf^{AhtfqVSsG&G4fBz0=m`~ZIz*>*_c`rULz{8M$Fj89q4M`UU&so9UodtiX)j#&|D$zd{e5xgAvgUNj|p+@GtU)YEbe5KxOO8 zFTSo0+~(IRbKX#lA6Cj(%%$R?o}W#OBz)BVU&<-jLcXw znbe3?O_Ig&-kD+eB7M4++CBG(mJA5Xe;MY%9oQ}2*P`2zLzrg~ph`H9b$A6hEMC)p zaZks^|8fCm>HTX(#Sh(e3W3h33oQ&@DMwssEC^ZqIUY<=v2su5n~xw>iPQ(LpHpF` z)^-SFCCo$`#arEfOJjQRy($sVzMsEJplEEEMha+?CTI|B)C+p(p<-I#eSTxadn}b1 z1h^+V%PA&~9MzYUfe(dHjv#QT6ek4yP>bix$S zp|KKZ6+HEIrF;jMt|JTsD7rXKrA%IvEwXlk=`aE&#(t17GVN?hZ!w?VN% z);VBG6sE86(f{Z^;bCa5ah=^~I&Zt3@J94qn@1pQxAD{q0kCE5)+XzF_q`=K$Mki@ zzL~{p`7Q1iSxvWHZ$;g-D}j^1+Y3n*J^ea!OTdu;<2?)BrG(YD?J)1b_w`z_esRMH z+9F}+Ik96|C(QAEP?sgM?%REja-xcW1|YY3{_o!7vMbwY_u=wnV~lN&$Q$K133j2e z*8#CH$Y`{)1Tb!U!6ks!>~%?Ou_@ULz30p8>t4I7Tawgg)RdHt)a*QK!&wIqaFHz? zbOvk?qPc7n=mFY^z^9T*zG z9JF@eH+c6M3N-W-l$6;pbG7_xj{7tn-1QU@i)ImX-QP?94+DhQEg!fxE-t@0@4a3d zE0BShGKw}?9u13nlk?Vh3udIew{IwK>~=cVyexg$+ta6F8hgioXYCU02A>lIGr%;l zb#@^KpGn=$U858c+5nfNBnN#i16oYxF;c zhcNWDIPbRj{5EcIeh3Xco!?sW+eUquoKMM?{5a;}3l%HHK_1JW$Dbrchxng79GsB* zx?;&O|0(1Ovd`cFPWkfeGq3`0@W$RQ{yxbz@2i`aT-yFsP*`!UFhlfY?8C^#ksz)< z%pGGuT7crWff$+R1#W2vle6;hIQPVoApW@@64}{yRf5cc7o+HLc>IMgRL2Kpsw6k) z@{$uHe6>%+_m_1ycf5xb@T7=|iG?6==>H^#uCZ3RfB!y+DH2w>G=94<;nHf?q6dh3 z4uvL%l+5TqIo=XlH4kjQcy7-02Qx94fagZQ$Reev_x3$^i97rK;HqO}WGwyfemVf> zH~sE`{iSKP3Ie##eN0>rS@x|7W?MFuA!mfXO&OW0FilaK{L&yI`pSF|#PK(}jk;*?D&F#;`DwFv^%vwIzZC4lgQGoTABc)-}sYTkB z;J1Z~%iJ5%oX0aW*rx%sLr2}oCM>8v&u=@#G!(r&CeD!>an}AIekmTTHY*i$RFg0B z;{ApN>VQC*2B-~VkSK;4gyh=Y?mU%1{+e*A_Vd3xVT>*%8~^~0mT zXAT~Bwn2*IPEJ9=Q4UuvZMXvj!BkWa#!vqZ|4MbP(y527?*g>h{)EWNUen7?TT}f{ zS04!)ZFr)9z4;%FcB6(BVYcuQEShUr0_*!DKWfMC`cfA!&O7TCO`YzK zo_@UP+!pRwUs@{pdhhtphD-Xt5d*j&ZxiiHr^d#3IXMT#T=7<3cN;wL3{>`$+r%VG zop7p94yJeq|iE#N3?CQpi^~C=4Sz=0~2+}a8$o$PU&J$Iu(QRll`F$)@*w;q4f8;WiAJaBi@W*y z(p{C5w+o59fqT6_&VSpTJWjEzy5G-G#_{Su-)aL2ydZF(LXoqEfY0`?;<$O*eyeP& zOg!a0<!wb4qyp@{s^R;mf9FE zdk#)2gWmMN_o`7klaMwrIZDu{^BHAwlyk~<7v}zUswl+JLrbu_JdM#JJeV(8{#;Vq z^qrYuKz7+?Y4k`RA@6fuFDvz|HOkdd-r_BHogJSd@) z&Y2&q4$6&iiko>zx$T!06qo}lwe}YIJmS7PlD?pfN&(ac+9|5Oe0t$|t+kEylLSF+ zDV&R|tX9_MfA(ZtZKJ<8Ta0(2YvzCL+I!yN{_@Kgs~BUg_nTYj{4p;@VCW{Y81DS}v(@ zZ=jVm2<>W1Q(l5hq=HiHsw`|bZ|oz)i`K*V3~hzl)qkvYcdAUSUEMcC-U8?{Sk=D* z?`#^QVcsNa*^zic!+#p4*fRYe}ul~TDmI7TgX-f z7m=z1NDW|&CdS8K0)I*FkX}D__UN==US9*1e=<0)GSkvBGd*F@0P8s@1usHx&|+dA z43nK9RYY{~U5Z|GV&cMPHwaek>XKL2*K4M2N%sE!V@+CeSz}Z~gQ#w>g@wgvZsKAnzdLeazITJf0R9K1Q=k9;Xr-}VOg!j^$Wl;O zLX0je%NkB3ld>5pI^CdYu6#0X8{`RhoH<7pM$;wR7Q}Tu(Y|!CN4S%qgEF5 zypDVTH~*ZjLPVcVA`kri{Q-vs90^f2rnx|^KulpjUX|C{k2w>2?f;Kkt{Q}}r6tA1 zy@@nbR8$(xFhf9kM^at1oT6g)C2jeh6+$e_wVr_Ep!-TZ7(!he3mNGN_{OWps;T2qXZr8rYz(t(V1P-Q4{B`*|Cf zJk2AZlwN5Idd_Y?_;n`Dp0CylC(-SJ-(lc_n~2XT&+Z3BRUBKj>Jg4tiWv9??3K9L zwI6_*#DnylZj0>)2_d2U;Wq%S;bi%SpQI)v4t^94R(ct)A5+OfHC&Pe5;0~evUgd` z;bpOF-C+im2g64z7dhN{iwt^OXyTJ)h1}uy<-X9Y031SLiOb=-QV4KcFi?|&PM}nJ1Q6s)i0R1JME3&Nl$tR$SHf?uUp=3?p60l;$;IM72Wn8&(nyD1O-BIO z4OIdMp?Vn5JYNJo%~gs4%oYwNO{YFfa8ZJg-Sy#TRAzhvmi97@eokdyNIKm@o44zS z*`g4~@+UmhA`TO!Afs!Rwyye*y4Zpbt(9Haq!>d8F7^emn@3Fz@RR~xIvRF`MuiR0 zc@(tjXv+C~mZ9rHR40DUC5$(H9AGVIZ)i%Yyp( zc&?G({RHA3=&8be^k!fx6Er2q$Ct&7{+scLP>Er`B&E8VkNG%Rg;ox09IXj`?K68! zd%NtV-U%QRWv_uuK&m(-+nhjb0Osw7t1_}GpEn?%4DD4(Csg+Im%HAQXL-El(n9eX zrOYu%zMML30imRxFFe!;EKU!vz^dayt9Y^%C|m$Oi5xb1XL2OY#st`gs55n}s+fim zpa%aySF5woIPoe1z!;TjHKMQ*gw9Jo$w^Av7mzi=)Lc()2lMCWV4jRXqT;|07&z(t z6A!v`G>0RE8x;o;OO0q$U#S6lZ?|K8%Cl8vVZhceCp36_y1QXS#8=Tqk4(P<(1!M% zKj;!ZyKmwZi=!X8y7Esj7 zNy!)Rd;xI6)%87*ydMD0bxX;8wR=uvYsBusz}S4MMZ($lwf8d9R(`Dyls{F)e^|tV zo*Zos$p=Z)#KgSM?XM0ewL>8H44$rFD8GtMy~0}2sentg0s{w_RvQfPaGJ{DuCFVv zaF#v>l20#X@S*Tig@bu1J84Hn9Wk#T2H8Lm{;nXkP0>eXNhU&%+`uPqcFa8~NdfsD zaPFD&vT*N4G>J?UkH{bpCejw)fe6bZ0ga9PCJl?ALYo>SeX#SvOLe(1_#!SBMqsT1 z>Aaak_^s&ztT@z9Hg@7E1i`yt-4-(&e(NrrpRpPqGgknUIs@HtN}WPMLc-F6Oc*&` z)_PFC91ghUWt-s*u9yPlZnO%W?@}m8i9Mjig)63=1HV#Ao@@vMTxkSgame}q`2sT7 zPvf>22ljmt*Dg%@Z=h*N8%|}zlPkSb5TBUHdX^TITZumfg?zzjWtOeR;>S1OsI+m^ z@4aMJ01p_n9v=H^YJOeG#+eqs0MkgZi{I~M5g)!bYgnq94Eb6846$)14C$4U&v6P1 z(Z9m`&JM)@u+RYz&Z7|c0f-6YDYGpgt9-bXp_E%_Vd~kJY%DBUHNrvcI)zVv`Xa{@ z738*`0qnN?7D}|Z@7@xqt4TgO%{L350-E9Xr-uyW>AM6>%B>(HSi`>}FmGE1X|uFj zkj+g1RbT5Ag}E&SqQ+F<>l5k__5e_W05OzM(*_mU)n?A%;ANUHjo?(hhlPc;p`rpP z-!vR%8D{_^a#z${BHGu4)*ujCwu3S?y582Ck(g`|NKH#io0++U)Y z^%PwXi0*d3dbGj*2vhkuWK%;kfO>Ml+>BVuux_Ra#z>q#;D)m>*l14Nic&cJO@3t0o06T9os>yVMC5U@ zw+ue9sK`iZpw&W-cJYyK`ECQiH#o?XCcuSK3x}9;y8B~QEiJQJ8?2Ue`+UER=EX4N z^UXPeaI{+!p!hcEc;a~59@*I1R`!%JUz7g%>)qzCGhU$1C#U=CpfGTxwl_}SP5dp% z!N}d?EGPZZ`I4s3J7+%MQSh?to76u!dI@C<|7E=&9;rOPB-T%6F95CwAz{Dv7V;Ei z#Xw#FG*U2n2;ko7_*U`$D2hmwT5T?H_|HE!R;&RL0UwE@)y^;P>!S#tD~Sb54>RR9 zrp;Pgg|8Y{iZc2iJoil2c5!)pu^;Ml57Y5JM}=ardEBbxvDE9Ao?~PFznliCWFBg1 zd7bZXLDT;a<}j-NWJAN9f_kxuq+rmyx^PPg8T~+{b~mcv(o=0Jv&^U^*sJF6TJ)6X zYG41EX4BzX2AQ36q7-HF?0#1r6PeOQv#6X_)7X12{&E7ls6=M`)j;amql*Lb76&?rWT7vm1KmP#eL|0C$m#63)rHgqob$i``rJOhlu18 z+EFN7_5eWCL=ywy`nAdKm^+$&m(tAhcUGF*B=68SI?=vLO4E~zzRpoowHD$WX&2d! z{JRNso*t=hus+=TN5sAD-M2cK)8kxs1Kls-cfP1fwb6WomW;@`X1S&P>~nD$7;$@I zPfBW!Glc@=o258M{_qaWyF7LG6rR8Q*`_!l?jFuq`QO``6%UY;fPes~yn92x2i7yb z43zt1e}%6qL-#YB)=&BY<;PV6_xXlSqNK$I%`)4HCxyoefD&IX6Eu_&#pSrv07D?vpx)?!n$*0Crr^caBx^>H zCB~)KljJTix2MIq?T#!zez+BQko@W3mO03mM@?bgWJv`zs#%kJkG>3DUYgZnAXm+k zcUPxj-`p|I(E>m6nB866H~YMlE8V9;^8K%6&2Rq=UgK_FH}|aaUw?*uE|_0_vm$!( zD|oBNZh&fqh9DILYZqf=rf467C6jdOE9m5N*t-9HiE=mj`OEogyJ=u--DCJ^4sVga zF>lXH@k^ge)y9#H<-UHTTr7gA9#p9bF@H24Men1Z`3+>?o#PoQcBbUoY20l9n1GE* z;&XcL#(?PliN7%bV83qW=u@nw?rw{;yx|NGKl@!VyEr}T^Mggh@)N)#`V%`CU4c60 z4b>0iQK{*kC;LtIygVWWI zDh=VL9Say9j84BCUVTYPcjnC-6MayaVX*ESoa4w#yWzt!O0e%AV9aDijq+GCjGJe` zu&A)0g?qMQF5^mHPtRd!dOG=k#Owfzfxrj6;&z~it!g-GVl9GT0=GMlFP@3on{hmt zsS1>n=@eu7Nvgx1pNudKHb21Jusk>{W{&Nl@)w5)Y2N z$W5)Bd3jZ)vN!S*C7QFH-kA6P@swg^ja0bkWP%E=*(<1LQmhyQ2W)}3N3WRo^TZiTf&=G2Ww@=n!zvW$$Tkg{=TlN_QfJbZcp1KR4bFZrtagcRK%g<{uX}$OcA)&zkgay4d{0W5=2tG&H2ZQ#d&i3Fh?I!{Mo;Gwk zm!BUjmDVpL+3h`3-r0UB9GCr_CZzGSpx)0`oAXBKZxFfPc+O@Vcw zD{nZW_x1H44Inh4R`Lmx$TRrvzan-M06}ZDZ~#I?H-Bv{tI_J@&sLJ)Lz`Nb zae`Wqrp|(b^miUvAkCsCI_@8hTI2IpOtXiR$~7VJe=sFFj$KQ3CjCk1XJF|;I&4(} zn}6OW(#C0arkdN+5fe|r;|DZ6Gn-`F1TRF<&jfURR~k&msa7nPG!wns0LcS?d#}W$ z3nQh7jKgs?|v7B`UUOrbd|XbKwQes>9z+oY0ozGtWunu+obxL zW_Hsd%A{W7x*^Zn3H>%C6hZ%!nUXRANDWwg)hUpABiO{EcXN4p8JK@*@Mm9s)XI}k ztN{JX{=+-Q*lUwxeLqfi21nYgeptRuPb*!E)=0J=GoP#TF%Jw31Zy;i*It?rfyCFn z1&lK{z56manL$ak4*6B!dj?sd=*1;X4~aqQEp_Osq0_!!Yct^V?Q)Zf^uKGrLHa+Q zo^!IjHA$qaCSLy(^MBZU{_n4``hU9i>i_MZcTgrIA}T2cuCoMgw_e?^Hqg#PpWkl=3QWjl zwOm`^0+rwcpqXLnQbiU+dBWTz>AjQ5q=L(__qV&J2S6PM5ORPijjz`EHaO8PU{*tv zbBMd@r=2)pMlXmt^uiATOo{CH#=j>DU>V@BX#x#-@87?Nq)5=qHaLFy0a$9a$-CZ| zkYR-0V`4H^1?j45Nz4T3)bbWmdLyBWfk=C{krCA!z}Kc(euTb`>@lDN_i(ceU0ht; zL5&O_)oZ{2w9h&aBF07cA{YcDATz(Mmz|r7>@=Wkavq0(H8L~bQ1nYr814WYaR3m2)nDhvc$PN0N{(d zKeV_&lG^nj=GK4)cv>?wSD*=+clZ-J!mDEXVy;W=&?F-wPQ;X{bp4Wl7k3K0)5 zwopQ1!0`ZELFvnvRt<1Xz$^(E~wSMNwdpbX z>wClVKoLtQm~yA4^?@+WyjAe4tOlgrZ6GqB%e-yC+H$%DF6862_uaO2n&O-yEC`uzr|G{8|JckY-DfF0{ zC`fmZ9fe+hi{ypR&Wvt;f&H~7eCChI0YuJWCIneQ8%U5Pe0~k9)-Z^J*2h+YTovw$ zz@sj}^!UY&5xrt#5;a%kt?e$@|3Cg;>H?du#b-Tx!%uShyccqYXnGMsO@YByPm`fQZOiqKk$fK(GFO)sm!Q zcG^-<1ka@#lO50dN_a*DeOyDN@S71%{S1zO{(})zz||={(5=gu#SD_?e}LUBe^ULu z_=%3ceZHULoFIFR{YgVzM~2ajKUM~+Y4oS8Vm|Ma(1jt}Y#2Rb zN-E|PuP=48a6?Jc)tm6uTuZ75^HfwsFHw+p-D1Z_m1RXk(ykM84##A!?mQZ&=V60K zRU3~&0R5Eh0!;18eV?ZRi$vb_DOuK>>zAm#9nQ?4s!rroW%Uk#?K!2)&8l>zoJ8K_ z6DYFZA>xkRp)deyt2|!3H5>39g?KnoLLZdEbqpsA;Dk1xq-4cO(qK+#g5*)9u=bzu zW-$Xa*CoWT=OkIGWfv;MxZJpeXIN>fHpX%RVT_X~YJx#;ZxUj1tH+$E1z*n(_$6MN zjc&(gmZ2H?%|^5fpPcpa)A{(dx{z#0gT>NJ_#vn_kx6hDCeC+t(RqI+Le#L?rB>$~ z-B!UdfJyP~fvPmAGRCXiPqkdeoPZZG64Hpd7N#)_+St}IbnT?1qId^zv87X#SQG=E z*FK{*xdPc53G%VUzL+*bL!S&|wL5kht&xH^nnC?xS4{GtgRF>QA)y;cq0>0MU;wDr zmWKFH^2x3kwZ$On5ojWnmvN($h+F>u)` zghD9F5BXuhJ`!Rzgy>+bE+w4X&w-m^UWd0Ef zm4Kw4JoF9b$&9!q^~;=gY^4khbY<>&yGPLbDX6m)RN(%@{{e+qKoeDez$d~`>;X*w z6ZiExt%$fl?JgB5dr@g9JZUi0Y0;~uqNGH?Pn110x-%P$N|gsOk3zIPO7jV(<@_=6 z-()Rhag7^>y+TBLMz)2tWezqnm^2dgGlHt;6d|ivA9H{^S{t@>|1h zM+|h-r7BRyq-d(uar5O#JD}!)IFrEqITO4Mjm8t`7l_dzfzX7Zx%))i%7YvpK z*95{@Vbb7y*Wv;oW!T#y8;fF4dYq zZ-KX=`yDK>Y&S6f!N4umSC`7MyPqK~$$5rNj{7l1sEu|A-_z`0o9&Mb&3Nedz4axr zn$*+SlZ)=u#rUz@$%=;>An%ojTkSv52Hz>WS=%}VU>1>Z%MeSUIEJdJ)1YVY32D^W`acoP%8M6hhL zHT&+iDZadhuS8i!BAzy2+o!O(-3xCk6SnLqW90^Z_3Klej&NPT60;99T(W{*rKWJP z*&`3J+Sl|6uyM433j)AY^9E;{Wes>KW19EK8uMYXB#^$k(jrfdiunRO)ZH85Oov3E zFm4&zq-vMT^HU%|Oxgm)<*=H=Tv9g6rWDrJociRzmB`-p3fd?t;}BVoZ~_DO!!2E0 ztlK>;%b)g|Ov9{MMyUktaQu~xu%bs?Rp?6sxY-pBAi+++lr2xt-odgxn?hBZJ+)oJ_&B_s2~Ccp>uDMJAn{Tb_hJSZp&b@tE0 z>oyu;8$kP+<;mMyufd(`4bRGesAXSoehm6`6-8q-&D&vv3_+=2$t?CIbvZ{h`z|)< zSp8?y#nV$LKf@E&m$_2-`kl`M-`e!#yGS=728(PFIRhnUgq=>NYv_IGO=0bY>MAf{ zZdJ^#_0fzq*hN(Kr?;n3J7uF?fl(u{S53rvSE%Os>@mQs>I&VOVzv@p_t06+ds;pt zDo$VlVebXnw3F#hc#4qvOn6;a4G4G0$~B{vw-jWyx%1?l#Ut#~gn~)Quza6XvZRj4 zLFw4b2a+F_3|)JtBRFrNa~QjC8W#=%)dJZlUDqNUXgG8AnfL1A!@S*Ez_(!$>EZ>3 zOx85wzLAKuj+DbDn6txoaO7Y~L*$2w1oWUn_m|hV2va)?UcOuinB_7-_4p35#5Z80;OQ69K)7Q)l*G<5f=jeOAbcOF_Bo-oM8$EetCI=iM%@ zI#aB*zIC{g zrbJ2n@ORLW!-JuO7tggWgOl@2EtM4kW!QzHcCcn10(Bo5POL-RqhI}aY!=VA3Oh9K z4&wpwzN{Az+)!MFYJc5H(wjC)d~qcfo{t>+&^vw8?}SwvDtBH($YVovNKsm3czFLb ziQml?-Ic%9)zy#97g{`E1nn-NFcbMt+8G+Mj5wzeA?0Nr-hapdi{QYl?zYjpO>+s) zFMW$Y{pso;c@ucJ-aiiLZ&-fmO_Z1mzdBa!eePt6t?K~Ai8p)L;YjOa*cbQma=Y`) zLSSr)=gp_icRgziAskj*Ih!Z#$IxFMQ5RBaxr;ja7Okx>1$V zV#l`n2IDd^r0a3nv1iZ+1g-QXZ`r-xt+e<*gpYHP9z<6bvpfIc&CqL^zx?s0YS2ZZ z(ztE|Qo?>f%sG&sYdiHji=U9SmcOT7O+scIge84~_!I~f>s<%Y@{3$(ZF6&{%>uXw zPO+WA7=y^^rGW#dXsg?UU>Kl3_;9(>K~cliW*a6h(p`> zRGc$dEHc2b6b((&1gt^(dG&WF8TE(Vk4A!H9tRhc7;J`nN0B5-rt^DTd`-ke?W^7He9 zpP8)8xY5-TW>J23aM4u#dt5?(H<;$QASpfl7_=ICP1LYTCG>O`Op!mUKDGHDIl5;e zy(@zWRIg25ap)|Huhl_89fS56vZS_}KlyDALio_gXe2skv`ua7_!5lXsa^XP2Y-eI z#|+-yCm_i%Cn`456r%aw;#0MHc4Z5i9L;o)MM9ecZC~h1O0W(O6ce-STvN$XqWJ#k z>*>dggl9kH<^&z5*a^2fB!9OuWi@_=NJ)(|KpEk|V75z9NQF4Pl^Y1v;q8rnR`46?&i3{>I~LIoRdbj zT2b&#`luA9p=ao1gtZzk+k+p$<_G2(A};ebQ-Oe^A3e&U-C!q_1lw%nIlvM99EHJa zxx!r$niS#){|^9Ak`1IE3_h{>m!(G3Afl-%5;)sA{naHWSal)G6!?p^kwHTpkuJCZ;<0~ z_-L6y2P-Q@Sqo6A*ngwH&dZ$LlkTB1nItEhWq?o%{60DDCbTMo=kTEhI20+b5IGA} z@rHgmju`9eB9XY#T@6Zz98ki(GIPn8*iUKj703~aU*vVc2xP}B8R*XJHL7PeI zuS$a&6-!Te`GbR}?idssCHzypm$G3ZH?5aJc?d}caqK$kwa=EF;0UxeO|#@&Hvq2t z;SE$LY<0-vJzI4Kpn|DxxH3#=5WenXlefAh*Ev;3;je%5v%p`YxPWbH7EeaqN$w)r z1A&W+i*>Tr7%S-dxmp;-mDH3KpO7awYe>h1I|@#{1rC`g&(nY7*RN&WpQC-dLbcA} zA*WLDd-Q0H+~;}cjT~zrY-`Zk0Qx)n=C7HWXTBJ8eH`cWVAG#1(;#~fJJoKCMei-O zVBNwJhT;){=XLSb_n4_$%_jS3=(%EcRZ;fMC?b{T$?b5Q9_@V77r2Yh9VT)%S^wC` z?};$jlM52**scJGNwLBt9}JhyI>HVqDN!^5V061s?iqD~r1xuH$8OTlq&T6^R4?g! z^T27UY*DgwW__(+Bs&eXT(I4#!Vxrdo;V8Nh*wcXRhAVaaB>>@@H7`X^Wtde%k5ji z3nb&d7X9eDE(dq9$JSRbx;3kts6HYRo{>QVL%g3f?Ev1?F@KF3sc_rrE_BmhT6|nQ z>cVbjYgd1J%a_BYg^%^pPh;+ z{7;}{yGB3z^||Cmu`nzmHDQYy1-l&TMenx* zT}gDWln3w)z+;`~t&zqqXUP?hSv0cd;fIV$=If$M_)5*;{E}Wjm{lY5nt3=!Jg&{O^*8k{{hBt5R+-2Mc$2GLbmV>7!k7&MQb#jbR|YHuKcCyBOQt@ zaiNW#@z?%ib`*CkT5a_Fn*BA@9}&3}W2`s~PL^opPL|B7V|bONnp*AfGzc6JWFVvtf)>hbiY3zNy`z5;G6!b<| z2Du5a1^tQV(}fg;Mf?qjpcY|&^xDb1KjS7t*CiS)Kn&Yg0F-ZGd3Wu&$1bR&>Il5H z)rs%Pbnx^(}sZ$m@dm8_iI`cVZiJQQ4_iqO?3-wB}K5j1`P2s|#gf zXBnzt57SRLQ;XduxMgSW3V@mQ7zlA-uOA}7tM#Jq&e+@=E;)$33hmhdUA%M9@Ca!a zvi%8O9gZj<&QaA~LD)L)xt;#}40F_^SwP@PY)JtbF885@lFEsv$9YZ}akSSO0i$E6 zkUDGP^F1&uaDoz$$rS&Sa-qVEWpET@e%`0XX*kds(pQw>q}MD|ej3Kv-=YAr%)~YN zVZ^fU7H|9(o}Nl8*N2ZX{1q(#YYLzFbUgdG6j<~~{1n*@n)Tc~1{>zEW#YR_8AZS& z_LJPz$if+Kj(-Cfi)k32D;BC63rKZ5NMgWZH>i;_;dl0oIQbOLPJ9fBIC9mz2}`Ga z*bbpGr}iva5WS7Wu(J% zWdJbiC$Y9)VJ5<`qMwS#ASWY?yC7hWX(}T`HJ{SDDOu?z&1Wx4uPZP+@S#1>FUNxH z=*8yyrx#c&cOy!eiAKo3o%KI67V|%3M@xI(j@m^$eT)B_(dP!bOW!!C-gQ|zgwQ79 zVPjikGoB(B-m+so|Fy6*tN7*Q5euH;@WpO-KoeS>jM3kag(CNo6Y{GojgGO{e<1Su z3lPCP@UBZs7GdP_u-*xOB?U%Wpx;*S0q_cgF8yl+4&M+mPh$xdmtKj-ePG~Q z!{7Gap1`1JFHomfim2c^f~Gf*^r87prFTk{p_lj;Mfdt6*Dx_@XAeMJxUvN#1(F^q z06k51TAHFgzJp0}R6-}52GP%1(o?7vmCXK~QzfBK8B9PXv0c2FXKU+usknRGOrb*e zTzuS~53poTyjz@7mYeyzkm+9I7w`hMft}Gy`%*AN9V|m7LyVaH_=HGyk4p^Qve};`O26Sqy=7;$V)eK205Y}Tu zS&#iU{;qVx&R)Rc<%0Cg*yi$Jsyu2XUHZ8~?fLXKAM$CjkTRJ?^t4bAu`j=qh6QmG zjiX3XrIfFb;2A@T><`yJNE8Yo%olRGG^f#7C#LOD!1Sa1H3F$C`aOYx4lhO*pdm7H zf%ffWowEXdf%%YNZ=XFum7tCGVe8MzmbJ9o!<|4qLcXS4xFY|#aAM9iTwXeSeEQ$9 z0!8ich#=fAE;>zF>nYFr&rVfn0*w$<8r(BQM&wbqLLU+CE8Oayy#H*Fg2s&YQ88Rf z_U1ZVG^bkcT@#)rsN0C5(72kmSUwM~p5pL{M*U2nFZL1cma&gzt769paS6EbeJE=fy-odc ziIBBtF76r?Ch4^od}cAk5b{ozZQV9wQPko@S$g0UITJ9D8bX|nJ4vcw_cd3T!s3a| zOyDGGY+{75Nj&c3H0}rK1W2<2@<6X3twLzT_)FcRzY{xLNJ$jUvRlfS7A3AA zJ;wVqdI=+8qdWCi7)TV_ZEQFO^H2h~iWguofhT>wUk?)ej00A>0@Pa_sn2;unai&B zr`2P$VDKxIcs&=2pHFD>CXsXS$y$}?q4H^l#(&)ZoTGs{A~xvZu5C-BbZG&cL6>;U zjcFyNe$o3-DOG$|`eV68{he)xkl>Gq*R^;~C=pM2hCA-M3zvbQc0%G+sLx*F69|yV z2>H+&>YcM1a1Hq#Jx{1nwg(b6AK<+DS8&2N91&zhSe)`r8o>u*`&^~xM~oPZTz~xx zJeEQ;Hv8{0tRL_HzB2v4e60Wd@&3R5FE|sBZBme6!VGY2JvqhBKt41;S^nE)8K5w+T=PdgX2E>s<|+km z8lo3kTeDd`acP1N2}nxa`{DCXFpD_C_XOQtuNx^dZe%*cfv`G7M1j%qJQq0xsE0OG{vTr-Vd%7*g@&<%Pr*Kg6i)dIvyL z*!J(2P!j!HS*;TQFr6{`S_AP_5R800HYGVJR&E#;`Yo}`@4Tu5by!!4lp(G z7}qjyBO%?-#yBr;ioCsnOPvY()FiE^B_HZu4*5ofheOcXxS0F%MabRf;CKZ?biXoO zNEQ!hLL0ZitN}^QXd$x|x=aFpXrg&K@GWftp&wwNAtF++SM>-{R#H+sgF|o&MJq`t zJTkI44*+jiA14;IWefMe;#O4WGAz6>faC%An0nk&az3wa=&EUI-f>^U{1O=v5o4jl zrss2Z=rD1Dk!t{VUDbo6Gw|1(cx5p+2uLK_*AbA(30Pl+Bu`&ovFwp?1m4Ql$$bB& zbp*1G^9YxtZ5iuvLmk?Iwuo_W7M-;?Ot;=>3@ zR<10@`9ce@{xUKtgCL8UPyRYyoD|1oqnmZ4GG0^eUW8js5r4wKxLD8i=tyu}04DWV zmy)tfaH@T3TrJz86xR8j+m;@ZcIn}?=rRCvfU7p%0Q&YpB!KpHrzg%ate~`RYs?KD zA48T}Q2fX!(j6w@DcS_^hK*r;Aniki3_$dHni2!?7T$%NcB!n@%t8IYwK@E-jQ7O( zXDwl90e8W+A4kR8x00SP{NL07xvk?CGijk94ks+8)b!{IHST9tCJu1#-U7=Y~jiTinN+J21j5qh+Ll6}3BCM0#Rg?EL-Oy@4wKn`J$`*H3YE!cbU(GmuI2M zj%5pDKd!TjPT6*a&hgPSdlCDU6l~Mm=I2)i=VFCL+2r1fSYVFIT0PRRM+>?8RGm7!5mv>1LX*Ga7 zK->(570C7ukT#Knk|o;WJnV}D){_X;nW z&X6wI0$TMK#5t>CCLf$)9#~FmFGFYhnF#gn6dCU^=#YvNPsEs0UzQa-T^Lsf77t9P zHt=%$R)8}kI`T6LHIKc68${i_Pqb!vT?t_Q*&mn}mp(sT*2fZA=DI*^ljLN=)#e>W z6Zd)}_Ke;bjy&qZqUrh>lLir#cXOo^R{k|o3%VZzIz;q0R@EA4Q4<~VxR|19P9^}i z=8)WQNMln@&<_SSJrny(5EkB^b%oakF)$Bi@X|$g`cFNpuPHwGDiKx5&vgtH>)i*TV0M#smEV4W|6VAG-cECx^M)qSiSYa3-n1)KxW zo!BdS#-LbL}1t zD52K$=GHoc)~E-vR>vPi_O8$QC^IOX{tjI;ZlrTX|MjfAD`&}A70Nh~3(KjPSa&44 zvlReY%zIO?Wyd?;v;E%OkGUjx0atkwEnsg(shdP&CWzEf$}Nb!I`bC6UO=e&8Nvru zt4Z4B3iTi!vM(>WtC!-2Vwf{xQfs_6Ax5bffliBlgG~;HCv(W{YpHG<++!LQO_NA) zy3^q^2)z0Mh!-3A3aFY|Ql8n%<*JVJ(9kd6{2qZU1gTkSWU&X`mFla~Z&JwCX68p> z$?B}>MFGs@*ui%Nl5b0}Dx}sd^&yhEVWsS)r_24usqjfY0rl#uH*xX}gsZBT8oVFF z>(%Z6KHfc&atd)r6FlkmriX?Cq1fN*lMuZBUE!+$Beu~!M`airfFElQ0wc9^%gzrTd; zx`=MHHZi!C*8#Fx#Ccv`|HIVL8!d!I%6(hTEa<6`nV(Yp^JAu(lmV_BK`lQ+N-Sqx zZ{3t85aof8t6u??$iO(A(RJ0esFWk7hO6PQ%|!MjQ~xw zXjbO0*;h7k?Zh5`-RNpQtZ(>3M(6!Eb}g~{bm$aEGmp!B3jh!$yp?1ZH@HCB$5yVn z=0`vqm3hzoscY=_lyPRjaVs#*V%Vc*2&!TgO11nQh`lDNEft&tuUn6*hNM21Dht3ZenFQTiy9l=kOcaB{iD*-W5Y;$KE< zo@dM?w5KJCJJ#ICB#7p;c_ctOi2qadj*3yTrfF-*)=}ZL<-$^aRN4ceh-Z={SW<%- zMZ!zBZdu-(i0)hCO;L#Akj>^MxXcK|&EgeOi(RfAU|6t{vix6-on=(iYrDn)K}v}s z1nCB)K|ys1^m$DIUY+@;lF9a&G-AIJ^u*^J08ZiIa$|YHTU55#BzU~stC3U zz5CHO#7JEbZi(7PD!A>b@VEh5@9Gtr`{vpN{48>Py^-8gMpU6h?Q>O{6ziebm93Pa zo1_YPGS|Z5^v8rld$fH<8e zr1HlxkpFp{tfu;Hx{H@yQ9-q%dRpvPo;+GN7dw6L2`<|H_zN(4$J&GqA(FT zZlQnxCVQnIu`&p_ZIs*x?(%qzzfbb3@T8h9lT^?AkF( ziy%_PNkCKzF3k*Y(BEush=%kbK6GQa&)0=X;`NBjX=VBz>SHl75}?U~sUcYHLV+x) zZruloR#Xa$2HmO`6oucBL3>nRhWt*;^e{}irCyjm$9Ua{omP0(&$RE%u<%$D z6(uD^fE}+|%z9-YcZ|}<+~G+z=JB!|hFbPGtjO5O(ZToSd6!qp6X+V_u^L7t@Q7N} zGfC1`7_3%1*OR?akfru8ZF-|7VOdUbv^ z;Wp?Cdbi$@bO@(kO-jN`e1Mk{{iOmymG|zthe3RdrZTmC;umk~Y!TP%dB5!!nytH8 zKIBp7Bb8k%lmjR+s*kOt;1`CXZVAdo5q2ZS?)Xh1PewD`(okWEGjQ2wqnas|xONH5?HhbMC~`SV zWgf|y#ty($*=1Au*_Rj7fA~sx?XlVzFj0~^8AH=K`GkJ+t}*ev#Z6{4f082@Fi65k z^4e(%mH4rnGqJYo_K9v~nyojn2`b#m*rSZ?htOBO^` z8h?g6%|2&4OoOAVB)0`Tft$)iL^rAm4MGyEqxzMl%y9j~ogk4b47m&5RB!@{k5Qi_ zY;!Lir6jOg`Uy2P*^o-B*TQk!O|*Hi=W~Wj`&aYVsMHc#$w-m&BU)}ZnIo77En$om8-y*P zR@4?6-fAfY4KqiBXhmrYY$uXnE2YA%iv761=+=;+%}i_{EKAZYX7)7%;10}zMt3|m z^rk*gkx?brrEr8|rIIraF=kcLBBfH91JPm{ZopI5hI zQ2TvE3SF)Muh|G5Sw9$W)r_L=p>ph!1vSCB0;i`ycTuKyMBIQdGWep!H^GVAB}hPD zWGrC>KC-GldK@P|OSwqutUM7jGs{%GQmgcvcUOZs73oqfvp+uV#&n&~Moo48}!tB%0?A2z6 z6m@$0@4T(7Bl#j}3W{t~Z2@mAU<(NB-VPZ1LqkK+{Vwk?qdLwJl@^v*Zr&}ZqH?{~ z@gU65D3yUJeR73hecdTWw516ya5iaJP{$@Nii5v#PdTbjPwpn0nt-EDskvW=8KIq& zp2!?I%?)fCJAU3zEtXy;zt-Y%Pd&@${}_KrqbN%F3n9pEEIWJkn_XDzpY8g)o)yZt zv;>cLA!k2HAd!v$IoVv4xYU%omnU>VsD6SPM(!I&p>N$4Z(;H29+*EUxdZ z(fCtK74dUTi{M&&L`i8z5iM-z%k$a{cXLr@LX7?V9)Qkf92s8gRp_E55 zD`N6QhdGEfp*w@OqXJ&5MPgEZ6EpvC?O`s(yA=Z}P8Mwz5vD+2>j$mtwkQ&=+CwlNUicP-{N{W`yRCIyqB?)f9W|HH_f_X1Y8PBuCK`06w zic(k0MeJn-y{veW4^(;GFf3RUsbzD8Dsc%2lYV;RGV+|~E08(?50Ug z?BqvF9Tsq{$u0zMlk5@;_7?3QfXhA0khfwNh_KMI!-vI6L!fh5PY&3@YOXvYQ zFF|t!L+2cUey<6laLwl^?kD^lPC8vXO8Q!_{4xKXvR-rlp^q*U;OvxM8Br*J{I8VH zp*<3b4B98dQ7Cn(G?g_mnSl-+5Yq*nmp?0`Q$~|5JkOeZzykv=suqyk4}yb(&oZ*) zg?b-zZIv4v(wPV)r%{5`K|!Gd3kG=o=?o#7Am<5YL657Px{2>k9aYutN1oF5=lTn2_9)Bqnq5JC?)kT6Hhw0Bk*sg-X^ zr%QUNZNw4&S9#tXx(B!?>1Lczat0C8 z^LACWyUcvHPc*8iFKA8d{_YUv9~8hEBuqwSrMo$=6fXt@1V94B0~|BfZ?$C59xrZa z0)%iFBYn@#=Hk|$B7zRnInC(6G{YUgE@dU9Y6r25n*CR@LcJzxhOYd(WAY16G^SRX z3x?>)SZMoP>ZcPJUu=)lK#oFW08d=5qe|VlYMD;EqQ4pCf!2!Ixv?c3w*FYf(5*5f#67qYTB zh=#_a83K*Ew1>8{#mKVEzYkiD2}z3sr=wLL*_|GINY98tN;r>`#@}ocRjjSI)w+1G zgoUf#_@CgkW4Huq+(d~NQDoU@Zy)l|CcUen9P6UCy4_6K{TX7k=5TqZig${%@8Ysg z`FwZxKiD~KZS6+cQmEKgR7PTgPHP(5qMg$!ojp(YL|)I=~D0%Z$mm zOe$s2z|-?YqYp}8vd~RF_`_Y^;v>77qr3E6;MG#82Av;}a|+1a*-YlU+AS*YWf$5F5_Q)h;+^Qx5$K zOVOh0MfrDsbZmSP)k1$VFR&pn9f*Yk0a9pg`cGgw+}W#fJze?{mu@rhFjJIJg(K#3 zm*WS#8&1yqLfOV6S5{E-@f*K%uX{YhU~jQfuE1H@|NK#AcB99+p@Aq^rF(N}Da?TG zO9_qGWnP*+z)e*ZPV)%A&-HMUqFdb^M&7|GvjSwQmlnTP^`!H4s_b!$C98j_?)@0- zI4hKoIuieTRp0k@k5rTn%PXpjDK=>4H+#u+OJeSvsv={;Z?w60O_up? zb+TRADoZ~5dZR`9obCUJO!HFi*juz2{sr!U@Muu5J1zsWt~*5d_|y=@0oWR>gJYti z4u(#iGQ6SB;AuK3N$iJsGot8R>Rni!KkibLdd0Nv9ZslfL)Nl=2lf{#)@Yuz^TxrX zpWyNAE^B1W0*|D^)^+oLQq$*>u<(AUGSm0euJ_$rG?V z{#@;6f%vDw!;wW>8SmFjbBY@5hFEk=Cu)Rm{}^6A`r-9ubhk%tmZXt2y`?X5cKD71 z`AHj9Og5Q4u_(doiQ6Vh0i(d09_w-2oEY{pMjzX(lE-v)U{8E&T>l$3D-P9$$0ON> z8qti~FSp6LbOoCbueY8~3r}wyiA>X6tQxO33NH; zD&NC*DGer2nRwZ3_)pCb;s3wp=c|hU4-|UK>3Gv}Xm|Ju%x-G#=eB5ICw#qW-Gn72 bPcJY6zKdT+GBb=}z>l)Lx?HJ@Y0$p_z-}$b From f9e9e3afb69786c726c4f7d4526ff37829293810 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 10 May 2019 07:51:30 -0700 Subject: [PATCH 135/149] spelling --- .../enable-network-protection.md | 6 +++--- .../evaluate-network-protection.md | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md index 25cb0873bd..fbd863f1ef 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/09/2019 +ms.date: 05/10/2019 --- # Enable network protection @@ -87,7 +87,7 @@ You can confirm network protection is enabled on a local computer by using Regis ## PowerShell -1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** +1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator** 2. Enter the following cmdlet: ``` @@ -100,7 +100,7 @@ You can enable the feature in audit mode using the following cmdlet: Set-MpPreference -EnableNetworkProtection AuditMode ``` -Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off. +Use `Disabled` instead of `AuditMode` or `Enabled` to turn the feature off. ## Related topics diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md index c0ed880905..bcc8af6812 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/02/2019 +ms.date: 05/10/2019 --- # Evaluate network protection @@ -22,7 +22,7 @@ ms.date: 04/02/2019 [Network protection](network-protection-exploit-guard.md) helps prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. -This topic helps you evaluate Network protection by enabling the feature and guiding you to a testing site. The site in this evaluation topic are not malicious, they are specially created websites that pretend to be malicious. The site will replicate the behavior that would happen if a user visted a malicious site or domain. +This topic helps you evaluate Network protection by enabling the feature and guiding you to a testing site. The site in this evaluation topic are not malicious, they are specially created websites that pretend to be malicious. The site will replicate the behavior that would happen if a user visited a malicious site or domain. >[!TIP] From 08579d2e06844a862a5255c0ae7cda48815ccbfc Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 10 May 2019 08:55:04 -0700 Subject: [PATCH 136/149] edits --- .../create-wip-policy-using-intune-azure.md | 70 +++++++++---------- 1 file changed, 35 insertions(+), 35 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index 3b01319d95..c77253574c 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -566,50 +566,50 @@ After you've decided where your protected apps can access enterprise data on you **To set your optional settings** -1. Choose to set any or all optional settings: +Choose these optional settings: + +- **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile.** Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are: + + - **On.** Turns on the feature and provides the additional protection. + + - **Off, or not configured.** Doesn't enable this feature. + +- **Revoke encryption keys on unenroll.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: + + - **On, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment. + + - **Off.** Stop local encryption keys from being revoked from a device during unenrollment. For example if you’re migrating between Mobile Device Management (MDM) solutions. + +- **Show the enterprise data protection icon.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are: + + - **On.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but protected apps, the icon overlay also appears on the app tile and with Managed text on the app name in the **Start** menu. + + - **Off, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but protected apps. Not configured is the default option. + +- **Use Azure RMS for WIP.** Determines whether WIP uses [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management) to apply EFS encryption to files that are copied from Windows 10 to USB or other removable drives so they can be securely shared amongst employees. In other words, WIP uses Azure Rights Management "machinery" to apply EFS encryption to files when they are copied to removable drives. You must already have Azure Rights Management set up. The EFS file encryption key is protected by the RMS template’s license. Only users with permission to that template will be able to read it from the removable drive. WIP can also integrate with Azure RMS by using the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings in the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp). + + - **On.** Protects files that are copied to a removable drive. You can enter a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. The RMS template is only applied to the files on removable media, and is only used for access control—it doesn’t actually apply Azure Information Protection to the files. Curly braces {} are required around the RMS Template ID, but they are removed after you save the policy. + + If you don’t specify an [RMS template](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates), it’s a regular EFS file using a default RMS template that everyone in the tenant will have access to. + + - **Off, or not configured.** Stops WIP from encrypting Azure Rights Management files that are copied to a removable drive. - ![Microsoft Intune, Choose if you want to include any of the optional settings](images/wip-azure-advanced-settings-optional.png) - - - **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile.** Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are: - - - **On.** Turns on the feature and provides the additional protection. - - - **Off, or not configured.** Doesn't enable this feature. - - - **Revoke encryption keys on unenroll.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: - - - **On, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment. - - - **Off.** Stop local encryption keys from being revoked from a device during unenrollment. For example if you’re migrating between Mobile Device Management (MDM) solutions. - - - **Show the enterprise data protection icon.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are: - - - **On.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but protected apps, the icon overlay also appears on the app tile and with Managed text on the app name in the **Start** menu. - - - **Off, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but protected apps. Not configured is the default option. - - - **Use Azure RMS for WIP.** Determines whether WIP uses [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management) to apply EFS encryption to files that are copied from Windows 10 to USB or other removable drives so they can be securely shared amongst employees. You must already have Azure Rights Management set up. The RMS template is only applied to the files on removable media, and is only used for access control—it doesn’t actually apply Azure Information Protection to the files. In other words, WIP uses AIP "machinery" to apply EFS encryption to files when they are copied to removable media. - - - **On.** Protects files that are copied to a removable drive. You can enter a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. Curly braces {} are required around the RMS Template ID, but they are removed after you save the policy. - - The EFS file uses the key from the RMS template’s license to protect the EFS file encryption key. Only users with permission to that template will be able to read it from the USB. If you don’t specify a template, it’s a regular EFS file using a default RMS template that everyone in the tenant will have access to. - - - **Off, or not configured.** Stops WIP from encrypting Azure Rights Management files that are copied to a removable drive. + >[!NOTE] + >Regardless of this setting, all files in OneDrive for Business will be encrypted, including moved Known Folders. - >[!NOTE] - >Regardless of this setting, all files in OneDrive for Business will be encrypted, including moved Known Folders. + For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service]. - - **Allow Windows Search Indexer to search encrypted files.** Determines whether to allow the Windows Search Indexer to index items that are encrypted, such as WIP protected files. +- **Allow Windows Search Indexer to search encrypted files.** Determines whether to allow the Windows Search Indexer to index items that are encrypted, such as WIP protected files. - - **On.** Starts Windows Search Indexer to index encrypted files. + - **On.** Starts Windows Search Indexer to index encrypted files. - - **Off, or not configured.** Stops Windows Search Indexer from indexing encrypted files. + - **Off, or not configured.** Stops Windows Search Indexer from indexing encrypted files. -For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates). WIP can also integrate with Azure RMS by using the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings in the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp). +![Advanced optional settings ](images/wip-azure-advanced-settings-optional.png) ## Encrypted file extensions -You can restrict which files are protected by WIP when they are downloaded from an SMB share within your enterprise network locations. If this setting is configured, only files with the extensions in the list will be encrypted. If this setting is not specified, the existing auto-encryption behavior is applied. +You can restrict which files are protected by WIP when they are downloaded from an SMB share within your enterprise network locations. If this setting is configured, only files with te extensions in the list will be encrypted. If this setting is not specified, the existing auto-encryption behavior is applied. ![WIP encrypted file extensions](images/wip-encrypted-file-extensions.png) From a89de968768a50169ab962dc4da7c724006011bb Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 10 May 2019 10:29:09 -0700 Subject: [PATCH 137/149] edit --- .../create-wip-policy-using-intune-azure.md | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index c77253574c..2ca3e9daf4 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -562,11 +562,7 @@ After you create and deploy your WIP policy to your employees, Windows begins to ![Microsoft Intune, Upload your Data Recovery Agent (DRA) certificate](images/wip-azure-advanced-settings-efsdra.png) ## Choose your optional WIP-related settings -After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional WIP settings. - -**To set your optional settings** - -Choose these optional settings: +After you've decided where your protected apps can access enterprise data on your network, choose these optional settings: - **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile.** Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are: From ea8367658d1826c9c2ea3bbe836dc2c1b8279159 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 10 May 2019 11:01:34 -0700 Subject: [PATCH 138/149] fixed image and list --- .../create-wip-policy-using-intune-azure.md | 74 +++++++++---------- 1 file changed, 36 insertions(+), 38 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index 2ca3e9daf4..ac8ada75d1 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -562,46 +562,44 @@ After you create and deploy your WIP policy to your employees, Windows begins to ![Microsoft Intune, Upload your Data Recovery Agent (DRA) certificate](images/wip-azure-advanced-settings-efsdra.png) ## Choose your optional WIP-related settings -After you've decided where your protected apps can access enterprise data on your network, choose these optional settings: - -- **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile.** Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are: - - - **On.** Turns on the feature and provides the additional protection. - - - **Off, or not configured.** Doesn't enable this feature. - -- **Revoke encryption keys on unenroll.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: - - - **On, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment. - - - **Off.** Stop local encryption keys from being revoked from a device during unenrollment. For example if you’re migrating between Mobile Device Management (MDM) solutions. - -- **Show the enterprise data protection icon.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are: - - - **On.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but protected apps, the icon overlay also appears on the app tile and with Managed text on the app name in the **Start** menu. - - - **Off, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but protected apps. Not configured is the default option. - -- **Use Azure RMS for WIP.** Determines whether WIP uses [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management) to apply EFS encryption to files that are copied from Windows 10 to USB or other removable drives so they can be securely shared amongst employees. In other words, WIP uses Azure Rights Management "machinery" to apply EFS encryption to files when they are copied to removable drives. You must already have Azure Rights Management set up. The EFS file encryption key is protected by the RMS template’s license. Only users with permission to that template will be able to read it from the removable drive. WIP can also integrate with Azure RMS by using the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings in the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp). - - - **On.** Protects files that are copied to a removable drive. You can enter a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. The RMS template is only applied to the files on removable media, and is only used for access control—it doesn’t actually apply Azure Information Protection to the files. Curly braces {} are required around the RMS Template ID, but they are removed after you save the policy. - - If you don’t specify an [RMS template](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates), it’s a regular EFS file using a default RMS template that everyone in the tenant will have access to. - - - **Off, or not configured.** Stops WIP from encrypting Azure Rights Management files that are copied to a removable drive. - - >[!NOTE] - >Regardless of this setting, all files in OneDrive for Business will be encrypted, including moved Known Folders. - - For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service]. - -- **Allow Windows Search Indexer to search encrypted files.** Determines whether to allow the Windows Search Indexer to index items that are encrypted, such as WIP protected files. - - - **On.** Starts Windows Search Indexer to index encrypted files. - - - **Off, or not configured.** Stops Windows Search Indexer from indexing encrypted files. +After you've decided where your protected apps can access enterprise data on your network, you can choose optional settings. ![Advanced optional settings ](images/wip-azure-advanced-settings-optional.png) + +**Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile.** Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are: + +- **On.** Turns on the feature and provides the additional protection. + +- **Off, or not configured.** Doesn't enable this feature. + +**Revoke encryption keys on unenroll.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: + +- **On, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment. + +- **Off.** Stop local encryption keys from being revoked from a device during unenrollment. For example if you’re migrating between Mobile Device Management (MDM) solutions. + +**Show the enterprise data protection icon.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are: + +- **On.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but protected apps, the icon overlay also appears on the app tile and with Managed text on the app name in the **Start** menu. + +- **Off, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but protected apps. Not configured is the default option. + +**Use Azure RMS for WIP.** Determines whether WIP uses [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management) to apply EFS encryption to files that are copied from Windows 10 to USB or other removable drives so they can be securely shared amongst employees. In other words, WIP uses Azure Rights Management "machinery" to apply EFS encryption to files when they are copied to removable drives. You must already have Azure Rights Management set up. The EFS file encryption key is protected by the RMS template’s license. Only users with permission to that template will be able to read it from the removable drive. WIP can also integrate with Azure RMS by using the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings in the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp). + +- **On.** Protects files that are copied to a removable drive. You can enter a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. The RMS template is only applied to the files on removable media, and is only used for access control—it doesn’t actually apply Azure Information Protection to the files. Curly braces {} are required around the RMS Template ID, but they are removed after you save the policy. + + If you don’t specify an [RMS template](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates), it’s a regular EFS file using a default RMS template that everyone in the tenant will have access to. + +- **Off, or not configured.** Stops WIP from encrypting Azure Rights Management files that are copied to a removable drive. + +>[!NOTE] +>Regardless of this setting, all files in OneDrive for Business will be encrypted, including moved Known Folders. + +**Allow Windows Search Indexer to search encrypted files.** Determines whether to allow the Windows Search Indexer to index items that are encrypted, such as WIP protected files. + +- **On.** Starts Windows Search Indexer to index encrypted files. + +- **Off, or not configured.** Stops Windows Search Indexer from indexing encrypted files. ## Encrypted file extensions From 7c773be415354c7ad36ee5f628d9aa7875c5b326 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 10 May 2019 11:02:03 -0700 Subject: [PATCH 139/149] date --- .../create-wip-policy-using-intune-azure.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index ac8ada75d1..1d57580668 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -11,7 +11,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 05/08/2019 +ms.date: 05/10/2019 --- # Create a Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune From 951f8092f962a0932629e8b141b25fdf3f91e2e6 Mon Sep 17 00:00:00 2001 From: DocsPreview <49669258+DocsPreview@users.noreply.github.com> Date: Fri, 10 May 2019 15:12:41 -0700 Subject: [PATCH 140/149] Release info preview (#162) * Latest changes for 1809 issues * New Announcement Added * Latest Change for announcement * Updated link for japanese era content --- .../status-windows-10-1507.yml | 22 ------------ ...indows-10-1607-and-windows-server-2016.yml | 26 ++++++-------- .../status-windows-10-1703.yml | 24 ++++++------- .../status-windows-10-1709.yml | 26 ++++++-------- .../status-windows-10-1803.yml | 28 ++++++--------- ...indows-10-1809-and-windows-server-2019.yml | 18 ++-------- ...ndows-7-and-windows-server-2008-r2-sp1.yml | 34 ++++++------------- ...windows-8.1-and-windows-server-2012-r2.yml | 26 ++++++-------- .../status-windows-server-2008-sp2.yml | 12 ------- .../status-windows-server-2012.yml | 24 ++++++------- .../windows-message-center.yml | 7 ++++ 11 files changed, 79 insertions(+), 168 deletions(-) diff --git a/windows/release-information/status-windows-10-1507.yml b/windows/release-information/status-windows-10-1507.yml index 3cab3fb9e9..16bf511276 100644 --- a/windows/release-information/status-windows-10-1507.yml +++ b/windows/release-information/status-windows-10-1507.yml @@ -61,9 +61,6 @@ sections: text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

- - -
SummaryOriginating updateStatusLast updated
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

See details >		OS Build 10240.18094

January 08, 2019
KB4480962		Mitigated
April 25, 2019
02:00 PM PT
MSXML6 may cause applications to stop responding
MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

See details >		OS Build 10240.18094

January 08, 2019
KB4480962		Resolved
KB4493475		April 09, 2019
10:00 AM PT
Custom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.

See details >		OS Build 10240.18158

March 12, 2019
KB4489872		Resolved
KB4493475		April 09, 2019
10:00 AM PT
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.

See details >		OS Build 10240.18132

February 12, 2019
KB4487018		Resolved
KB4493475		April 09, 2019
10:00 AM PT
" @@ -74,30 +71,11 @@ sections:
" -- title: March 2019 -- items: - - type: markdown - text: " - - -
DetailsOriginating updateStatusHistory
Custom URI schemes may not start corresponding application
After installing KB4489872, Custom URI Schemes for Application Protocol handlers may not start the corresponding application for local intranet and trusted sites on Internet Explorer.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue was resolved in KB4493475.

Back to top		OS Build 10240.18158

March 12, 2019
KB4489872		Resolved
KB4493475		Resolved:
April 09, 2019
10:00 AM PT

Opened:
March 12, 2019
10:00 AM PT
- " - -- title: February 2019 -- items: - - type: markdown - text: " - - -
DetailsOriginating updateStatusHistory
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. 
 
For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color. 
 
Affected platforms:  
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Resolution: This issue is resolved in KB4493475

Back to top		OS Build 10240.18132

February 12, 2019
KB4487018		Resolved
KB4493475		Resolved:
April 09, 2019
10:00 AM PT

Opened:
February 12, 2019
10:00 AM PT
- " - - title: January 2019 - items: - type: markdown text: " -
DetailsOriginating updateStatusHistory
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\". This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: Do one of the following: 
  • Perform the operation from a process that has administrator privilege. 
  • Perform the operation from a node that doesn’t have CSV ownership. 
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 10240.18094

January 08, 2019
KB4480962		Mitigated
Last updated:
April 25, 2019
02:00 PM PT

Opened:
January 08, 2019
10:00 AM PT
MSXML6 may cause applications to stop responding
After installing KB4480962, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue was resolved in KB4493475.

Back to top		OS Build 10240.18094

January 08, 2019
KB4480962		Resolved
KB4493475		Resolved:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
" diff --git a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml index b22aced938..d444c69dac 100644 --- a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml +++ b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml @@ -61,16 +61,13 @@ sections: text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+ - - - -
SummaryOriginating updateStatusLast updated
Zone transfers over TCP may fail
Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail.

See details >		OS Build 14393.2941

April 25, 2019
KB4493473		Investigating
April 25, 2019
02:00 PM PT
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.

See details >		OS Build 14393.2931

April 25, 2019
KB4492241		Mitigated
May 10, 2019
10:35 AM PT
Cluster service may fail if the minimum password length is set to greater than 14
The cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the Group Policy “Minimum Password Length” is configured with greater than 14 characters.

See details >		OS Build 14393.2639

November 27, 2018
KB4467684		Mitigated
April 25, 2019
02:00 PM PT
Issue using PXE to start a device from WDS
There may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension.

See details >		OS Build 14393.2848

March 12, 2019
KB4489882		Mitigated
April 25, 2019
02:00 PM PT
SCVMM cannot enumerate and manage logical switches deployed on the host
For hosts managed by System Center Virtual Machine Manager (VMM), VMM cannot enumerate and manage logical switches deployed on the host.

See details >		OS Build 14393.2639

November 27, 2018
KB4467684		Mitigated
April 25, 2019
02:00 PM PT
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

See details >		OS Build 14393.2724

January 08, 2019
KB4480961		Mitigated
April 25, 2019
02:00 PM PT
Windows may not start on certain Lenovo and Fujitsu laptops with less than 8GB of RAM
Windows may fail to start on certain Lenovo and Fujitsu laptops that have less than 8 GB of RAM.

See details >		OS Build 14393.2608

November 13, 2018
KB4467691		Mitigated
February 19, 2019
10:00 AM PT
Custom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.

See details >		OS Build 14393.2848

March 12, 2019
KB4489882		Resolved
KB4493473		April 25, 2019
02:00 PM PT
End-user-defined characters (EUDC) may cause blue screen at startup
If you enable per font end-user-defined characters (EUDC), the system will stop working and a blue screen may appear at startup.

See details >		OS Build 14393.2879

March 19, 2019
KB4489889		Resolved
KB4493470		April 09, 2019
10:00 AM PT
Internet Explorer 11 authentication issue with multiple concurrent logons
Internet Explorer 11 users may encounter issues if two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine.

See details >		OS Build 14393.2724

January 08, 2019
KB4480961		Resolved
KB4493470		April 09, 2019
10:00 AM PT
MSXML6 may cause applications to stop responding
MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

See details >		OS Build 14393.2724

January 08, 2019
KB4480961		Resolved
KB4493470		April 09, 2019
10:00 AM PT
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.

See details >		OS Build 14393.2791

February 12, 2019
KB4487026		Resolved
KB4493470		April 09, 2019
10:00 AM PT
" @@ -81,6 +78,15 @@ sections:
" +- title: May 2019 +- items: + - type: markdown + text: " + + +
DetailsOriginating updateStatusHistory
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Workaround: Until a resolution is released, we recommend switching to a different Japanese font, such as Yu Gothic or MS Mincho. Alternatively, you can uninstall the optional update.

Next steps: Microsoft is working on a resolution and estimates a solution will be available in mid-May.

Back to top		OS Build 14393.2931

April 25, 2019
KB4492241		Mitigated
Last updated:
May 10, 2019
10:35 AM PT

Opened:
May 10, 2019
10:35 AM PT
+ " + - title: April 2019 - items: - type: markdown @@ -98,16 +104,6 @@ sections:
Issue using PXE to start a device from WDS
After installing KB4489882, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options:

Option 1:
Open an Administrator Command prompt and type the following:
Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No

Option 2:
Use the Windows Deployment Services UI to make the following adjustment:
  1. Open Windows Deployment Services from Windows Administrative Tools.
  2. Expand Servers and right-click a WDS server.
  3. Open its properties and clear the Enable Variable Window Extension box on the TFTP tab.
Option 3:
Set the following registry value to 0:
HKLM\\System\\CurrentControlSet\\Services\\WDSServer\\Providers\\WDSTFTP\\EnableVariableWindowExtension

Restart the WDSServer service after disabling the Variable Window Extension.

Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Back to topOS Build 14393.2848

March 12, 2019
KB4489882Mitigated
Last updated:
April 25, 2019
02:00 PM PT

Opened:
March 12, 2019
10:00 AM PT
Custom URI schemes may not start corresponding application
After installing KB4489882, Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites security zones on Internet Explorer.

Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue is resolved in KB4493473

Back to topOS Build 14393.2848

March 12, 2019
KB4489882Resolved
KB4493473Resolved:
April 25, 2019
02:00 PM PT

Opened:
March 12, 2019
10:00 AM PT -
End-user-defined characters (EUDC) may cause blue screen at startup
If you enable per font end-user-defined characters (EUDC), the system will stop working and a blue screen may appear at startup. This is not a common setting in non-Asian regions.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016
Resolution: This issue was resolved in KB4493470.

Back to topOS Build 14393.2879

March 19, 2019
KB4489889Resolved
KB4493470Resolved:
April 09, 2019
10:00 AM PT

Opened:
March 19, 2019
10:00 AM PT - - " - -- title: February 2019 -- items: - - type: markdown - text: " - -
DetailsOriginating updateStatusHistory
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. 
 
For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color. 
 
Affected platforms:  
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Resolution: This issue is resolved in KB4493470

Back to top		OS Build 14393.2791

February 12, 2019
KB4487026		Resolved
KB4493470		Resolved:
April 09, 2019
10:00 AM PT

Opened:
February 12, 2019
10:00 AM PT
" @@ -117,8 +113,6 @@ sections: text: " - -
DetailsOriginating updateStatusHistory
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\". This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege. 

Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507;  Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: Do one of the following:
  • Perform the operation from a process that has administrator privilege. 
  • Perform the operation from a node that doesn’t have CSV ownership.
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 14393.2724

January 08, 2019
KB4480961		Mitigated
Last updated:
April 25, 2019
02:00 PM PT

Opened:
January 08, 2019
10:00 AM PT
Internet Explorer 11 authentication issue with multiple concurrent logons
After installing KB4480961, Internet Explorer 11 and other applications that use WININET.DLL may have authentication issues. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons. Symptoms reported by customers include, but may not be limited to:
  • Cache size and location show zero or empty.
  • Keyboard shortcuts may not work properly.
  • Webpages may intermittently fail to load or render correctly.
  • Issues with credential prompts.
  • Issues when downloading files.
Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Resolution: This issue was resolved in KB4493470.

Back to top		OS Build 14393.2724

January 08, 2019
KB4480961		Resolved
KB4493470		Resolved:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
MSXML6 may cause applications to stop responding
After installing KB4480961, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue was resolved in KB4493470.

Back to top		OS Build 14393.2724

January 08, 2019
KB4480961		Resolved
KB4493470		Resolved:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
" diff --git a/windows/release-information/status-windows-10-1703.yml b/windows/release-information/status-windows-10-1703.yml index 10d69d6cc5..c0cfa4ac36 100644 --- a/windows/release-information/status-windows-10-1703.yml +++ b/windows/release-information/status-windows-10-1703.yml @@ -60,11 +60,9 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+ - - -
SummaryOriginating updateStatusLast updated
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.

See details >		OS Build 15063.1771

April 25, 2019
KB4492242		Mitigated
May 10, 2019
10:35 AM PT
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

See details >		OS Build 15063.1563

January 08, 2019
KB4480973		Mitigated
April 25, 2019
02:00 PM PT
Custom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.

See details >		OS Build 15063.1689

March 12, 2019
KB4489871		Resolved
KB4493436		April 25, 2019
02:00 PM PT
End-user-defined characters (EUDC) may cause blue screen at startup
If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup.

See details >		OS Build 15063.1716

March 19, 2019
KB4489888		Resolved
KB4493474		April 09, 2019
10:00 AM PT
MSXML6 may cause applications to stop responding
MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

See details >		OS Build 15063.1563

January 08, 2019
KB4480973		Resolved
KB4493474		April 09, 2019
10:00 AM PT
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.

See details >		OS Build 15063.1631

February 12, 2019
KB4487020		Resolved
KB4493474		April 09, 2019
10:00 AM PT
" @@ -75,22 +73,21 @@ sections:
" +- title: May 2019 +- items: + - type: markdown + text: " + + +
DetailsOriginating updateStatusHistory
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Workaround: Until a resolution is released, we recommend switching to a different Japanese font, such as Yu Gothic or MS Mincho. Alternatively, you can uninstall the optional update.

Next steps: Microsoft is working on a resolution and estimates a solution will be available in mid-May.

Back to top		OS Build 15063.1771

April 25, 2019
KB4492242		Mitigated
Last updated:
May 10, 2019
10:35 AM PT

Opened:
May 10, 2019
10:35 AM PT
+ " + - title: March 2019 - items: - type: markdown text: " - -
DetailsOriginating updateStatusHistory
Custom URI schemes may not start corresponding application
After installing KB4489871, custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites security zones on Internet Explorer.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue is resolved in KB4493436

Back to top		OS Build 15063.1689

March 12, 2019
KB4489871		Resolved
KB4493436		Resolved:
April 25, 2019
02:00 PM PT

Opened:
March 12, 2019
10:00 AM PT
End-user-defined characters (EUDC) may cause blue screen at startup
If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup. This is not a common setting in non-Asian regions.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016
Resolution: This issue was resolved in KB4493474.

Back to top		OS Build 15063.1716

March 19, 2019
KB4489888		Resolved
KB4493474		Resolved:
April 09, 2019
10:00 AM PT

Opened:
March 19, 2019
10:00 AM PT
- " - -- title: February 2019 -- items: - - type: markdown - text: " - -
DetailsOriginating updateStatusHistory
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. 
 
For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color. 
 
Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Resolution: This issue is resolved in KB4493474

Back to top		OS Build 15063.1631

February 12, 2019
KB4487020		Resolved
KB4493474		Resolved:
April 09, 2019
10:00 AM PT

Opened:
February 12, 2019
10:00 AM PT
" @@ -100,6 +97,5 @@ sections: text: " -
DetailsOriginating updateStatusHistory
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege. 

Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: Do one of the following: 
  • Perform the operation from a process that has administrator privilege. 
  • Perform the operation from a node that doesn’t have CSV ownership. 
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 15063.1563

January 08, 2019
KB4480973		Mitigated
Last updated:
April 25, 2019
02:00 PM PT

Opened:
January 08, 2019
10:00 AM PT
MSXML6 may cause applications to stop responding
After installing KB4480973, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue was resolved in KB4493474.

Back to top		OS Build 15063.1563

January 08, 2019
KB4480973		Resolved
KB4493474		Resolved:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
" diff --git a/windows/release-information/status-windows-10-1709.yml b/windows/release-information/status-windows-10-1709.yml index abdaf311b0..2618d42ebf 100644 --- a/windows/release-information/status-windows-10-1709.yml +++ b/windows/release-information/status-windows-10-1709.yml @@ -61,12 +61,9 @@ sections: text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+ - - - -
SummaryOriginating updateStatusLast updated
Zone transfers over TCP may fail
Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail.

See details >		OS Build 16299.1127

April 25, 2019
KB4493440		Investigating
April 25, 2019
02:00 PM PT
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.

See details >		OS Build 16299.1111

April 25, 2019
KB4492243		Mitigated
May 10, 2019
10:35 AM PT
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

See details >		OS Build 16299.904

January 08, 2019
KB4480978		Mitigated
April 25, 2019
02:00 PM PT
Custom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.

See details >		OS Build 16299.1029

March 12, 2019
KB4489886		Resolved
KB4493440		April 25, 2019
02:00 PM PT
End-user-defined characters (EUDC) may cause blue screen at startup
If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup.

See details >		OS Build 16299.1059

March 19, 2019
KB4489890		Resolved
KB4493441		April 09, 2019
10:00 AM PT
MSXML6 causes applications to stop responding if an exception was thrown
MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

See details >		OS Build 16299.904

January 08, 2019
KB4480978		Resolved
KB4493441		April 09, 2019
10:00 AM PT
Stop error when attempting to start SSH from WSL
A stop error occurs when attempting to start Secure Shell from Windows Subsystem for Linux with agent forwarding using a command line switch (ssh –A) or a configuration setting.

See details >		OS Build 16299.1029

March 12, 2019
KB4489886		Resolved
KB4493441		April 09, 2019
10:00 AM PT
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.

See details >		OS Build 16299.967

February 12, 2019
KB4486996		Resolved
KB4493441		April 09, 2019
10:00 AM PT
" @@ -77,6 +74,15 @@ sections:
" +- title: May 2019 +- items: + - type: markdown + text: " + + +
DetailsOriginating updateStatusHistory
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Workaround: Until a resolution is released, we recommend switching to a different Japanese font, such as Yu Gothic or MS Mincho. Alternatively, you can uninstall the optional update.

Next steps: Microsoft is working on a resolution and estimates a solution will be available in mid-May.

Back to top		OS Build 16299.1111

April 25, 2019
KB4492243		Mitigated
Last updated:
May 10, 2019
10:35 AM PT

Opened:
May 10, 2019
10:35 AM PT
+ " + - title: April 2019 - items: - type: markdown @@ -92,17 +98,6 @@ sections: text: " - - -
DetailsOriginating updateStatusHistory
Custom URI schemes may not start corresponding application
After installing KB4489886, custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites security zones on Internet Explorer.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue is resolved in KB4493440

Back to top		OS Build 16299.1029

March 12, 2019
KB4489886		Resolved
KB4493440		Resolved:
April 25, 2019
02:00 PM PT

Opened:
March 12, 2019
10:00 AM PT
End-user-defined characters (EUDC) may cause blue screen at startup
If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup. This is not a common setting in non-Asian regions.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016
Resolution: This issue is resolved in KB4493441.

Back to top		OS Build 16299.1059

March 19, 2019
KB4489890		Resolved
KB4493441		Resolved:
April 09, 2019
10:00 AM PT

Opened:
March 19, 2019
10:00 AM PT
Stop error when attempting to start SSH from WSL
After applying KB4489886, a stop error occurs when attempting to start the Secure Shell (SSH) client program from Windows Subsystem for Linux (WSL) with agent forwarding enabled using a command line switch (ssh –A) or a configuration setting.

Affected platforms:
  • Client: Windows 10, version 1803; Windows 10, version 1709
  • Server: Windows Server, version 1803; Windows Server, version 1709
Resolution: This issue is resolved in KB4493441.

Back to top		OS Build 16299.1029

March 12, 2019
KB4489886		Resolved
KB4493441		Resolved:
April 09, 2019
10:00 AM PT

Opened:
March 12, 2019
10:00 AM PT
- " - -- title: February 2019 -- items: - - type: markdown - text: " - -
DetailsOriginating updateStatusHistory
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. 
 
For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color. 
 
Affected platforms:  
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Resolution: This issue is resolved in KB4493441

Back to top		OS Build 16299.967

February 12, 2019
KB4486996		Resolved
KB4493441		Resolved:
April 09, 2019
10:00 AM PT

Opened:
February 12, 2019
10:00 AM PT
" @@ -112,6 +107,5 @@ sections: text: " -
DetailsOriginating updateStatusHistory
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\". This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege. 

Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: Do one of the following:
  • Perform the operation from a process that has administrator privilege. 
  • Perform the operation from a node that doesn’t have CSV ownership. 
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 16299.904

January 08, 2019
KB4480978		Mitigated
Last updated:
April 25, 2019
02:00 PM PT

Opened:
January 08, 2019
10:00 AM PT
MSXML6 causes applications to stop responding if an exception was thrown
After installing KB4480978, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue is resolved in KB4493441.

Back to top		OS Build 16299.904

January 08, 2019
KB4480978		Resolved
KB4493441		Resolved:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
" diff --git a/windows/release-information/status-windows-10-1803.yml b/windows/release-information/status-windows-10-1803.yml index 3e58d9c048..9fea9cbeb3 100644 --- a/windows/release-information/status-windows-10-1803.yml +++ b/windows/release-information/status-windows-10-1803.yml @@ -61,14 +61,10 @@ sections: text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+ - - - - -
SummaryOriginating updateStatusLast updated
Zone transfers over TCP may fail
Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail.

See details >		OS Build 17134.753

April 25, 2019
KB4493437		Investigating
April 25, 2019
02:00 PM PT
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.

See details >		OS Build 17134.730

April 25, 2019
KB4492245		Mitigated
May 10, 2019
10:35 AM PT
Issue using PXE to start a device from WDS
Using PXE to start a device from a WDS server configured to use Variable Window Extension may cause the connection to the WDS server to terminate prematurely.

See details >		OS Build 17134.648

March 12, 2019
KB4489868		Mitigated
April 25, 2019
02:00 PM PT
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

See details >		OS Build 17134.523

January 08, 2019
KB4480966		Mitigated
April 25, 2019
02:00 PM PT
Custom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.

See details >		OS Build 17134.648

March 12, 2019
KB4489868		Resolved
KB4493437		April 25, 2019
02:00 PM PT
End-user-defined characters (EUDC) may cause blue screen at startup
If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup.

See details >		OS Build 17134.677

March 19, 2019
KB4489894		Resolved
KB4493464		April 09, 2019
10:00 AM PT
First character of the Japanese era name not recognized
The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

See details >		OS Build 17134.556

January 15, 2019
KB4480976		Resolved
KB4487029		April 09, 2019
10:00 AM PT
MSXML6 may cause applications to stop responding
MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

See details >		OS Build 17134.523

January 08, 2019
KB4480966		Resolved
KB4493464		April 09, 2019
10:00 AM PT
Stop error when attempting to start SSH from WSL
A stop error occurs when attempting to start Secure Shell from Windows Subsystem for Linux with agent forwarding using a command line switch (ssh –A) or a configuration setting.

See details >		OS Build 17134.648

March 12, 2019
KB4489868		Resolved
KB4493464		April 09, 2019
10:00 AM PT
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.

See details >		OS Build 17134.590

February 12, 2019
KB4487017		Resolved
KB4493464		April 09, 2019
10:00 AM PT
" @@ -79,6 +75,15 @@ sections:
" +- title: May 2019 +- items: + - type: markdown + text: " + + +
DetailsOriginating updateStatusHistory
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Workaround: Until a resolution is released, we recommend switching to a different Japanese font, such as Yu Gothic or MS Mincho. Alternatively, you can uninstall the optional update.

Next steps: Microsoft is working on a resolution and estimates a solution will be available in mid-May.

Back to top		OS Build 17134.730

April 25, 2019
KB4492245		Mitigated
Last updated:
May 10, 2019
10:35 AM PT

Opened:
May 10, 2019
10:35 AM PT
+ " + - title: April 2019 - items: - type: markdown @@ -96,17 +101,6 @@ sections:
Issue using PXE to start a device from WDS
After installing KB4489868, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension. 

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options:

Option 1: 
Open an Administrator Command prompt and type the following:  
Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No

 Option 2: 
Use the Windows Deployment Services UI to make the following adjustment:  
  1. Open Windows Deployment Services from Windows Administrative Tools. 
  2. Expand Servers and right-click a WDS server. 
  3. Open its properties and clear the Enable Variable Window Extension box on the TFTP tab.  
Option 3: 
Set the following registry value to 0:
HKLM\\System\\CurrentControlSet\\Services\\WDSServer\\Providers\\WDSTFTP\\EnableVariableWindowExtension  

Restart the WDSServer service after disabling the Variable Window Extension. 
 
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release. 

Back to topOS Build 17134.648

March 12, 2019
KB4489868Mitigated
Last updated:
April 25, 2019
02:00 PM PT

Opened:
March 12, 2019
10:00 AM PT
Custom URI schemes may not start corresponding application
After installing KB4489868, custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites security zones on Internet Explorer. 

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue is resolved in KB4493437

Back to topOS Build 17134.648

March 12, 2019
KB4489868Resolved
KB4493437Resolved:
April 25, 2019
02:00 PM PT

Opened:
March 12, 2019
10:00 AM PT -
End-user-defined characters (EUDC) may cause blue screen at startup
If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup. This is not a common setting in non-Asian regions. 

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016
Resolution: This issue was resolved in KB4493464

Back to topOS Build 17134.677

March 19, 2019
KB4489894Resolved
KB4493464Resolved:
April 09, 2019
10:00 AM PT

Opened:
March 19, 2019
10:00 AM PT -
Stop error when attempting to start SSH from WSL
After applying KB4489868, a stop error occurs when attempting to start the Secure Shell (SSH) client program from Windows Subsystem for Linux (WSL) with agent forwarding enabled using a command line switch (ssh -A) or a configuration setting.

Affected platforms:
  • Client: Windows 10, version 1803; Windows 10, version 1709
  • Server: Windows Server, version 1803; Windows Server, version 1709
Resolution: This issue was resolved in KB4493464.

Back to topOS Build 17134.648

March 12, 2019
KB4489868Resolved
KB4493464Resolved:
April 09, 2019
10:00 AM PT

Opened:
March 12, 2019
10:00 AM PT - - " - -- title: February 2019 -- items: - - type: markdown - text: " - -
DetailsOriginating updateStatusHistory
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. 
 
For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color. 
 
Affected platforms:  
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Resolution: This issue is resolved in KB4493464

Back to top		OS Build 17134.590

February 12, 2019
KB4487017		Resolved
KB4493464		Resolved:
April 09, 2019
10:00 AM PT

Opened:
February 12, 2019
10:00 AM PT
" @@ -116,7 +110,5 @@ sections: text: " - -
DetailsOriginating updateStatusHistory
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\". This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: Do one of the following:
  • Perform the operation from a process that has administrator privilege. 
  • Perform the operation from a node that doesn’t have CSV ownership. 
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 17134.523

January 08, 2019
KB4480966		Mitigated
Last updated:
April 25, 2019
02:00 PM PT

Opened:
January 08, 2019
10:00 AM PT
First character of the Japanese era name not recognized
After installing KB4480976, the first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue is resolved in KB4487029

Back to top		OS Build 17134.556

January 15, 2019
KB4480976		Resolved
KB4487029		Resolved:
February 19, 2019
02:00 PM PT

Opened:
January 08, 2019
10:00 AM PT
MSXML6 may cause applications to stop responding
After installing KB4480966, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue was resolved in KB4493464

Back to top		OS Build 17134.523

January 08, 2019
KB4480966		Resolved
KB4493464		Resolved:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
" diff --git a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml index 2b50998415..afb53b80c9 100644 --- a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml +++ b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml @@ -65,6 +65,7 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+ @@ -73,10 +74,6 @@ sections: - - - -
SummaryOriginating updateStatusLast updated
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.

See details >		OS Build 17763.475

May 03, 2019
KB4495667		Mitigated
May 10, 2019
10:35 AM PT
Devices with some Asian language packs installed may receive an error
After installing the KB4493509 devices with some Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_F

See details >		OS Build 17763.437

April 09, 2019
KB4493509		Mitigated
May 03, 2019
10:59 AM PT
Printing from Microsoft Edge or other UWP apps, you may receive the error 0x80070007
Attempting to print from Microsoft Edge or other Universal Windows Platform (UWP) applications, you may receive an error.

See details >		OS Build 17763.379

March 12, 2019
KB4489899		Mitigated
May 02, 2019
04:47 PM PT
Issue using PXE to start a device from WDS
Using PXE to start a device from a WDS server configured to use Variable Window Extension may cause the connection to the WDS server to terminate prematurely.

See details >		OS Build 17763.379

March 12, 2019
KB4489899		Mitigated
April 09, 2019
10:00 AM PT
Latest cumulative update (KB 4495667) installs automatically
Reports that the optional cumulative update (KB 4495667) installs automatically.

See details >		OS Build 17763.475

May 03, 2019
KB4495667		Resolved
May 08, 2019
03:37 PM PT
System may be unresponsive after restart if ArcaBit antivirus software installed
After further investigation ArcaBit has confirmed this issue is not applicable to Windows 10, version 1809

See details >		OS Build 17763.437

April 09, 2019
KB4493509		Resolved
May 08, 2019
03:30 PM PT
Custom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.

See details >		OS Build 17763.379

March 12, 2019
KB4489899		Resolved
KB4495667		May 03, 2019
12:40 PM PT
End-user-defined characters (EUDC) may cause blue screen at startup
If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup.

See details >		OS Build 17763.404

April 02, 2019
KB4490481		Resolved
KB4493509		April 09, 2019
10:00 AM PT
Internet Explorer 11 authentication issue with multiple concurrent logons
Internet Explorer 11 users may encounter issues if two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine.

See details >		OS Build 17763.253

January 08, 2019
KB4480116		Resolved
KB4493509		April 09, 2019
10:00 AM PT
MSXML6 may cause applications to stop responding
MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

See details >		OS Build 17763.253

January 08, 2019
KB4480116		Resolved
KB4493509		April 09, 2019
10:00 AM PT
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.

See details >		OS Build 17763.316

February 12, 2019
KB4487044		Resolved
KB4493509		April 09, 2019
10:00 AM PT
" @@ -92,6 +89,7 @@ sections: - type: markdown text: " + @@ -104,7 +102,6 @@ sections: text: "
DetailsOriginating updateStatusHistory
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Workaround: Until a resolution is released, we recommend switching to a different Japanese font, such as Yu Gothic or MS Mincho. Alternatively, you can uninstall the optional update.

Next steps: Microsoft is working on a resolution and estimates a solution will be available in mid-May.

Back to top		OS Build 17763.475

May 03, 2019
KB4495667		Mitigated
Last updated:
May 10, 2019
10:35 AM PT

Opened:
May 10, 2019
10:35 AM PT
Devices with some Asian language packs installed may receive an error
After installing the April 2019 Cumulative Update (KB4493509), devices with some Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND.\"

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server, version 1809; Windows Server 2019
Workaround:
  1. Uninstall and reinstall any recently added language packs. For instructions, see \"Manage the input and display language settings in Windows 10\".
  2. Click Check for Updates and install the April 2019 Cumulative Update. For instructions, see \"Update Windows 10\".
Note: If reinstalling the language pack does not mitigate the issue, reset your PC as follows:
  1. Go to Settings app -> Recovery.
  2. Click on Get Started under \"Reset this PC\" recovery option.
  3. Select \"Keep my Files\".
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 17763.437

April 09, 2019
KB4493509		Mitigated
Last updated:
May 03, 2019
10:59 AM PT

Opened:
May 02, 2019
04:36 PM PT
Printing from Microsoft Edge or other UWP apps, you may receive the error 0x80070007
When attempting to print from Microsoft Edge or other Universal Windows Platform (UWP) applications you may receive the error, \"Your printer has experienced an unexpected configuration problem. 0x80070007e.\"
 
Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server, version 1809; Windows Server 2019
Workaround: You can use another browser, such as Internet Explorer to print your documents.
 
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 17763.379

March 12, 2019
KB4489899		Mitigated
Last updated:
May 02, 2019
04:47 PM PT

Opened:
May 02, 2019
04:47 PM PT
Latest cumulative update (KB 4495667) installs automatically
Due to a servicing side issue some users were offered KB4495667 (optional update) automatically and rebooted devices. This issue has been mitigated.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server, version 1809; Windows Server 2019
Resolution:: This issue has been mitigated on the servicing side to prevent auto installing of this update. Customers do not need to take any action.

Back to top		OS Build 17763.475

May 03, 2019
KB4495667		Resolved
Resolved:
May 08, 2019
03:37 PM PT

Opened:
May 05, 2019
12:01 PM PT
-
DetailsOriginating updateStatusHistory
System may be unresponsive after restart if ArcaBit antivirus software installed
ArcaBit has confirmed this issue is not applicable to Windows 10, version 1809 (client or server).

Microsoft and ArcaBit have identified an issue on devices with ArcaBit antivirus software installed that may cause the system to become unresponsive upon restart.

Affected platforms:
  • Client: Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Workaround: ArcaBit has released an update to address this issue for affected platforms. For more information, see the ArcaBit support article.

Resolution: This issue has been resolved. ArcaBit has confirmed this issue is not applicable to Windows 10, version 1809 (client or server).

Back to top		OS Build 17763.437

April 09, 2019
KB4493509		Resolved
Resolved:
May 08, 2019
03:30 PM PT

Opened:
April 09, 2019
10:00 AM PT
End-user-defined characters (EUDC) may cause blue screen at startup
If you enable per font end-user-defined characters (EUDC), the system will stop working and a blue screen may appear at startup. This is not a common setting in non-Asian regions.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016
Resolution: This issue was resolved in KB4493509.

Back to top		OS Build 17763.404

April 02, 2019
KB4490481		Resolved
KB4493509		Resolved:
April 09, 2019
10:00 AM PT

Opened:
April 02, 2019
10:00 AM PT
" @@ -119,23 +116,12 @@ sections: " -- title: February 2019 -- items: - - type: markdown - text: " - - -
DetailsOriginating updateStatusHistory
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. 
 
For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color. 
 
Affected platforms:  
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1  
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2  
Resolution: This issue is resolved in KB4493509.  

Back to top		OS Build 17763.316

February 12, 2019
KB4487044		Resolved
KB4493509		Resolved:
April 09, 2019
10:00 AM PT

Opened:
February 12, 2019
10:00 AM PT
- " - - title: January 2019 - items: - type: markdown text: " - -
DetailsOriginating updateStatusHistory
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\". This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege. 

Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: Do one of the following:  
  • Perform the operation from a process that has administrator privilege. 
  • Perform the operation from a node that doesn’t have CSV ownership. 
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 17763.253

January 08, 2019
KB4480116		Mitigated
Last updated:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
Internet Explorer 11 authentication issue with multiple concurrent logons
After installing KB4480116, Internet Explorer 11 and other applications that use WININET.DLL may have authentication issues. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons. Symptoms reported by customers include, but may not be limited to: 
  • Cache size and location show zero or empty. 
  • Keyboard shortcuts may not work properly. 
  • Webpages may intermittently fail to load or render correctly. 
  • Issues with credential prompts. 
  • Issues when downloading files. 
Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Resolution: This issue was resolved in KB4493509

Back to top		OS Build 17763.253

January 08, 2019
KB4480116		Resolved
KB4493509		Resolved:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
MSXML6 may cause applications to stop responding
After installing KB4480116, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().
 
The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings. 

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue was resolved in KB4493509

Back to top		OS Build 17763.253

January 08, 2019
KB4480116		Resolved
KB4493509		Resolved:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
" diff --git a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml index ef1b22e4bf..0ce3cb79c0 100644 --- a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml +++ b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml @@ -60,16 +60,13 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+ - - - -
SummaryOriginating updateStatusLast updated
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.

See details >		April 25, 2019
KB4493453		Mitigated
May 10, 2019
10:35 AM PT
System may be unresponsive after restart if ArcaBit antivirus software installed
Devices with ArcaBit antivirus software installed may become unresponsive upon restart.

See details >		April 09, 2019
KB4493472		Mitigated
May 08, 2019
03:29 PM PT
System may be unresponsive after restart if Avira antivirus software installed
Devices with Avira antivirus software installed may become unresponsive upon restart.

See details >		April 09, 2019
KB4493472		Mitigated
May 03, 2019
08:50 AM PT
Authentication may fail for services after the Kerberos ticket expires
Authentication may fail for services that require unconstrained delegation after the Kerberos ticket expires.

See details >		March 12, 2019
KB4489878		Mitigated
April 25, 2019
02:00 PM PT
System unresponsive after restart if Sophos Endpoint Protection installed
Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart.

See details >		April 09, 2019
KB4493472		Mitigated
April 25, 2019
02:00 PM PT
System may be unresponsive after restart with certain McAfee antivirus products
Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.

See details >		April 09, 2019
KB4493472		Mitigated
April 25, 2019
02:00 PM PT
Devices may not respond at login or Welcome screen if running certain Avast software
Devices running Avast for Business, Avast CloudCare, and AVG Business Edition antivirus software may become unresponsive after restart.

See details >		April 09, 2019
KB4493472		Resolved
April 25, 2019
02:00 PM PT
Internet Explorer 11 authentication issue with multiple concurrent logons
Internet Explorer 11 users may encounter issues if two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine.

See details >		January 08, 2019
KB4480970		Resolved
KB4493472		April 09, 2019
10:00 AM PT
Custom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.

See details >		March 12, 2019
KB4489878		Resolved
KB4493472		April 09, 2019
10:00 AM PT
NETDOM.EXE fails to run
NETDOM.EXE fails to run and the error, “The command failed to complete successfully.” appears on screen.

See details >		March 12, 2019
KB4489878		Resolved
KB4493472		April 09, 2019
10:00 AM PT
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.

See details >		February 12, 2019
KB4486563		Resolved
KB4493472		April 09, 2019
10:00 AM PT
" @@ -80,6 +77,15 @@ sections:
" +- title: May 2019 +- items: + - type: markdown + text: " + + +
DetailsOriginating updateStatusHistory
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Workaround: Until a resolution is released, we recommend switching to a different Japanese font, such as Yu Gothic or MS Mincho. Alternatively, you can uninstall the optional update.

Next steps: Microsoft is working on a resolution and estimates a solution will be available in mid-May.

Back to top		April 25, 2019
KB4493453		Mitigated
Last updated:
May 10, 2019
10:35 AM PT

Opened:
May 10, 2019
10:35 AM PT
+ " + - title: April 2019 - items: - type: markdown @@ -99,25 +105,5 @@ sections: text: " - - -
DetailsOriginating updateStatusHistory
Authentication may fail for services after the Kerberos ticket expires
After installing KB4489878, some customers report that authentication fails for services that require unconstrained delegation after the Kerberos ticket expires (the default is 10 hours). For example, the SQL server service fails.

Affected platforms: 
  • Client: Windows 7 SP1
  • Server: Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Workaround: To mitigate this issue, use one of the following options:
  • Option 1: Purge the Kerberos tickets on the application server. After the Kerberos ticket expires, the issue will occur again, and you must purge the tickets again.
  • Option 2: If purging does not mitigate the issue, restart the application; for example, restart the Internet Information Services (IIS) app pool associated with the SQL server.
  • Option 3: Use constrained delegation.
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Back to top		March 12, 2019
KB4489878		Mitigated
Last updated:
April 25, 2019
02:00 PM PT

Opened:
March 12, 2019
10:00 AM PT
Custom URI schemes may not start corresponding application
After installing KB4489878, custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites on Internet Explorer.

Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2008 R2 SP1 
Resolution: This issue is resolved in KB4493472.

Back to top		March 12, 2019
KB4489878		Resolved
KB4493472		Resolved:
April 09, 2019
10:00 AM PT

Opened:
March 12, 2019
10:00 AM PT
NETDOM.EXE fails to run
After installing KB4489878, NETDOM.EXE fails to run, and the on-screen error, “The command failed to complete successfully.” appears.

Affected platforms: 
  • Client: Windows 7 SP1
  • Server: Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue is resolved in KB4493472.

Back to top		March 12, 2019
KB4489878		Resolved
KB4493472		Resolved:
April 09, 2019
10:00 AM PT

Opened:
March 12, 2019
10:00 AM PT
- " - -- title: February 2019 -- items: - - type: markdown - text: " - - -
DetailsOriginating updateStatusHistory
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. 
 
For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color. 
 
Affected platforms:  
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Resolution: This issue is resolved in KB4493472

Back to top		February 12, 2019
KB4486563		Resolved
KB4493472		Resolved:
April 09, 2019
10:00 AM PT

Opened:
February 12, 2019
10:00 AM PT
- " - -- title: January 2019 -- items: - - type: markdown - text: " - -
DetailsOriginating updateStatusHistory
Internet Explorer 11 authentication issue with multiple concurrent logons
After installing KB4480970, Internet Explorer 11 and other applications that use WININET.DLL may have authentication issues. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons. Symptoms reported by customers include, but may not be limited to:
  • Cache size and location show zero or empty.
  • Keyboard shortcuts may not work properly.
  • Webpages may intermittently fail to load or render correctly.
  • Issues with credential prompts.
  • Issues when downloading files.
Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Resolution: This issue is resolved in KB4493472.

Back to top		January 08, 2019
KB4480970		Resolved
KB4493472		Resolved:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
" diff --git a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml index e159932ae6..a16b0e0d20 100644 --- a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml +++ b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml @@ -60,6 +60,7 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+ @@ -67,10 +68,6 @@ sections: - - - -
SummaryOriginating updateStatusLast updated
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.

See details >		April 25, 2019
KB4493443		Mitigated
May 10, 2019
10:35 AM PT
System may be unresponsive after restart if ArcaBit antivirus software installed
Devices with ArcaBit antivirus software installed may become unresponsive upon restart.

See details >		April 09, 2019
KB4493446		Mitigated
May 08, 2019
03:29 PM PT
System may be unresponsive after restart if Avira antivirus software installed
Devices with Avira antivirus software installed may become unresponsive upon restart.

See details >		April 09, 2019
KB4493446		Mitigated
May 03, 2019
08:50 AM PT
Issue using PXE to start a device from WDS
There may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension.

See details >		March 12, 2019
KB4489881		Mitigated
April 25, 2019
02:00 PM PT
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”.

See details >		January 08, 2019
KB4480963		Mitigated
April 25, 2019
02:00 PM PT
System may be unresponsive after restart with certain McAfee antivirus products
Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.

See details >		April 09, 2019
KB4493446		Mitigated
April 18, 2019
05:00 PM PT
Devices may not respond at login or Welcome screen if running certain Avast software
Devices running Avast for Business, Avast CloudCare, and AVG Business Edition antivirus software may become unresponsive after restart.

See details >		April 09, 2019
KB4493446		Resolved
April 25, 2019
02:00 PM PT
Internet Explorer 11 authentication issue with multiple concurrent logons
Internet Explorer 11 users may encounter issues if two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine.

See details >		January 08, 2019
KB4480963		Resolved
KB4493446		April 09, 2019
10:00 AM PT
MSXML6 may cause applications to stop responding.
MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

See details >		January 08, 2019
KB4480963		Resolved
KB4493446		April 09, 2019
10:00 AM PT
Custom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.

See details >		March 12, 2019
KB4489881		Resolved
KB4493446		April 09, 2019
10:00 AM PT
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.

See details >		February 12, 2019
KB4487000		Resolved
KB4493446		April 09, 2019
10:00 AM PT
" @@ -81,6 +78,15 @@ sections:
" +- title: May 2019 +- items: + - type: markdown + text: " + + +
DetailsOriginating updateStatusHistory
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Workaround: Until a resolution is released, we recommend switching to a different Japanese font, such as Yu Gothic or MS Mincho. Alternatively, you can uninstall the optional update.

Next steps: Microsoft is working on a resolution and estimates a solution will be available in mid-May.

Back to top		April 25, 2019
KB4493443		Mitigated
Last updated:
May 10, 2019
10:35 AM PT

Opened:
May 10, 2019
10:35 AM PT
+ " + - title: April 2019 - items: - type: markdown @@ -101,16 +107,6 @@ sections: - -
DetailsOriginating updateStatusHistory
Issue using PXE to start a device from WDS
After installing KB4489881, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.

Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012 
Workaround: To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options:

Option 1:
Open an Administrator Command prompt and type the following:
Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No

Option 2:
Use the Windows Deployment Services UI to make the following adjustment:
  1. Open Windows Deployment Services from Windows Administrative Tools.
  2. Expand Servers and right-click a WDS server.
  3. Open its properties and clear the Enable Variable Window Extension box on the TFTP tab.
Option 3:
Set the following registry value to 0:
HKLM\\System\\CurrentControlSet\\Services\\WDSServer\\Providers\\WDSTFTP\\EnableVariableWindowExtension

Restart the WDSServer service after disabling the Variable Window Extension.

Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Back to top		March 12, 2019
KB4489881		Mitigated
Last updated:
April 25, 2019
02:00 PM PT

Opened:
March 12, 2019
10:00 AM PT
Custom URI schemes may not start corresponding application
After installing KB4489881, custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites security zones on Internet Explorer.

Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2008 R2 SP1 
Resolution: This issue is resolved in KB4493446.

Back to top		March 12, 2019
KB4489881		Resolved
KB4493446		Resolved:
April 09, 2019
10:00 AM PT

Opened:
March 12, 2019
10:00 AM PT
- " - -- title: February 2019 -- items: - - type: markdown - text: " - -
DetailsOriginating updateStatusHistory
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.

For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color.

Affected platforms 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Resolution: This issue is resolved in KB4493446.

Back to top		February 12, 2019
KB4487000		Resolved
KB4493446		Resolved:
April 09, 2019
10:00 AM PT

Opened:
February 12, 2019
10:00 AM PT
" @@ -120,7 +116,5 @@ sections: text: " - -
DetailsOriginating updateStatusHistory
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: Do one of the following:
  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Back to top		January 08, 2019
KB4480963		Mitigated
Last updated:
April 25, 2019
02:00 PM PT

Opened:
January 08, 2019
10:00 AM PT
Internet Explorer 11 authentication issue with multiple concurrent logons
After installing KB4480963, Internet Explorer 11 and other applications that use WININET.DLL may have authentication issues. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons. Symptoms reported by customers include, but may not be limited to:
  • Cache size and location show zero or empty.
  • Keyboard shortcuts may not work properly.
  • Webpages may intermittently fail to load or render correctly.
  • Issues with credential prompts.
  • Issues when downloading files.
Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Resolution: This issue is resolved in KB4493446.

Back to top		January 08, 2019
KB4480963		Resolved
KB4493446		Resolved:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
MSXML6 may cause applications to stop responding.
After installing KB4480963, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue is resolved in KB4493446.

Back to top		January 08, 2019
KB4480963		Resolved
KB4493446		Resolved:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
" diff --git a/windows/release-information/status-windows-server-2008-sp2.yml b/windows/release-information/status-windows-server-2008-sp2.yml index 102f665769..689abfde38 100644 --- a/windows/release-information/status-windows-server-2008-sp2.yml +++ b/windows/release-information/status-windows-server-2008-sp2.yml @@ -63,8 +63,6 @@ sections:
System may be unresponsive after restart if Avira antivirus software installed
Devices with Avira antivirus software installed may become unresponsive upon restart.

See details >April 09, 2019
KB4493471Mitigated
May 03, 2019
08:51 AM PT
System unresponsive after restart if Sophos Endpoint Protection installed
Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart.

See details >April 09, 2019
KB4493471Mitigated
April 25, 2019
02:00 PM PT
Authentication may fail for services after the Kerberos ticket expires
Authentication may fail for services that require unconstrained delegation after the Kerberos ticket expires.

See details >March 12, 2019
KB4489880Mitigated
April 25, 2019
02:00 PM PT -
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.

See details >February 12, 2019
KB4487023Resolved
KB4493471April 09, 2019
10:00 AM PT -
NETDOM.EXE fails to run
NETDOM.EXE fails to run and the error, “The command failed to complete successfully.” appears on screen.

See details >March 12, 2019
KB4489880Resolved
KB4493471April 09, 2019
10:00 AM PT " @@ -91,15 +89,5 @@ sections: text: " - -
DetailsOriginating updateStatusHistory
Authentication may fail for services after the Kerberos ticket expires
After installing KB4489880, some customers report that authentication fails for services that require unconstrained delegation after the Kerberos ticket expires (the default is 10 hours). For example, the SQL server service fails.

Affected platforms: 
  • Client: Windows 7 SP1
  • Server: Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Workaround: To mitigate this issue, use one of the following options:
  • Option 1: Purge the Kerberos tickets on the application server. After the Kerberos ticket expires, the issue will occur again, and you must purge the tickets again.
  • Option 2: If purging does not mitigate the issue, restart the application; for example, restart the Internet Information Services (IIS) app pool associated with the SQL server.
  • Option 3: Use constrained delegation.
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Back to top		March 12, 2019
KB4489880		Mitigated
Last updated:
April 25, 2019
02:00 PM PT

Opened:
March 12, 2019
10:00 AM PT
NETDOM.EXE fails to run
After installing KB4489880, NETDOM.EXE fails to run, and the on-screen error, “The command failed to complete successfully.” appears.

Affected platforms: 
  • Client: Windows 7 SP1
  • Server: Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue is resolved in KB4493471.

Back to top		March 12, 2019
KB4489880		Resolved
KB4493471		Resolved:
April 09, 2019
10:00 AM PT

Opened:
March 12, 2019
10:00 AM PT
- " - -- title: February 2019 -- items: - - type: markdown - text: " - -
DetailsOriginating updateStatusHistory
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.

For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color.

Affected platforms 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue is resolved in KB4493471.

Back to top		February 12, 2019
KB4487023		Resolved
KB4493471		Resolved:
April 09, 2019
10:00 AM PT

Opened:
February 12, 2019
10:00 AM PT
" diff --git a/windows/release-information/status-windows-server-2012.yml b/windows/release-information/status-windows-server-2012.yml index 831a726f86..be5f206c02 100644 --- a/windows/release-information/status-windows-server-2012.yml +++ b/windows/release-information/status-windows-server-2012.yml @@ -60,13 +60,11 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+ - - -
SummaryOriginating updateStatusLast updated
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.

See details >		April 25, 2019
KB4493462		Mitigated
May 10, 2019
10:35 AM PT
System may be unresponsive after restart if Avira antivirus software installed
Devices with Avira antivirus software installed may become unresponsive upon restart.

See details >		April 09, 2019
KB4493451		Mitigated
May 03, 2019
08:51 AM PT
Issue using PXE to start a device from WDS
There may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension.

See details >		March 12, 2019
KB4489891		Mitigated
April 25, 2019
02:00 PM PT
System unresponsive after restart if Sophos Endpoint Protection installed
Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart.

See details >		April 09, 2019
KB4493451		Mitigated
April 25, 2019
02:00 PM PT
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”.

See details >		January 08, 2019
KB4480975		Mitigated
April 25, 2019
02:00 PM PT
Internet Explorer 11 authentication issue with multiple concurrent logons
Internet Explorer 11 users may encounter issues if two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine.

See details >		January 08, 2019
KB4480975		Resolved
KB4493451		April 09, 2019
10:00 AM PT
MSXML6 may cause applications to stop responding
MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

See details >		January 08, 2019
KB4480975		Resolved
KB4493451		April 09, 2019
10:00 AM PT
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.

See details >		February 12, 2019
KB4487025		Resolved
KB4493451		April 09, 2019
10:00 AM PT
" @@ -77,6 +75,15 @@ sections:
" +- title: May 2019 +- items: + - type: markdown + text: " + + +
DetailsOriginating updateStatusHistory
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Workaround: Until a resolution is released, we recommend switching to a different Japanese font, such as Yu Gothic or MS Mincho. Alternatively, you can uninstall the optional update.

Next steps: Microsoft is working on a resolution and estimates a solution will be available in mid-May.

Back to top		April 25, 2019
KB4493462		Mitigated
Last updated:
May 10, 2019
10:35 AM PT

Opened:
May 10, 2019
10:35 AM PT
+ " + - title: April 2019 - items: - type: markdown @@ -97,22 +104,11 @@ sections: " -- title: February 2019 -- items: - - type: markdown - text: " - - -
DetailsOriginating updateStatusHistory
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.

For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color.

Affected platforms 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Resolution: This issue is resolved in KB4493451.

Back to top		February 12, 2019
KB4487025		Resolved
KB4493451		Resolved:
April 09, 2019
10:00 AM PT

Opened:
February 12, 2019
10:00 AM PT
- " - - title: January 2019 - items: - type: markdown text: " - -
DetailsOriginating updateStatusHistory
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\". This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: Do one of the following:
  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Back to top		January 08, 2019
KB4480975		Mitigated
Last updated:
April 25, 2019
02:00 PM PT

Opened:
January 08, 2019
10:00 AM PT
Internet Explorer 11 authentication issue with multiple concurrent logons
After installing KB4480975, Internet Explorer 11 and other applications that use WININET.DLL may have authentication issues. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons. Symptoms reported by customers include, but may not be limited to:
  • Cache size and location show zero or empty.
  • Keyboard shortcuts may not work properly.
  • Webpages may intermittently fail to load or render correctly.
  • Issues with credential prompts.
  • Issues when downloading files.
Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Resolution: This issue is resolved in KB4493451.

Back to top		January 08, 2019
KB4480975		Resolved
KB4493451		Resolved:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
MSXML6 may cause applications to stop responding
After installing KB4480975, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue is resolved in KB4493451.

Back to top		January 08, 2019
KB4480975		Resolved
KB4493451		Resolved:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
" diff --git a/windows/release-information/windows-message-center.yml b/windows/release-information/windows-message-center.yml index 2a4ba41456..64f62b302e 100644 --- a/windows/release-information/windows-message-center.yml +++ b/windows/release-information/windows-message-center.yml @@ -50,6 +50,13 @@ sections: text: " + From b779a2462eab915da80af93e2075aa45b39f115f Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 13 May 2019 10:17:20 -0700 Subject: [PATCH 142/149] spelling --- .../create-wip-policy-using-intune-azure.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index 1d57580668..18eb0da280 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -11,7 +11,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 05/10/2019 +ms.date: 05/13/2019 --- # Create a Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune @@ -588,7 +588,7 @@ After you've decided where your protected apps can access enterprise data on you - **On.** Protects files that are copied to a removable drive. You can enter a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. The RMS template is only applied to the files on removable media, and is only used for access control—it doesn’t actually apply Azure Information Protection to the files. Curly braces {} are required around the RMS Template ID, but they are removed after you save the policy. - If you don’t specify an [RMS template](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates), it’s a regular EFS file using a default RMS template that everyone in the tenant will have access to. + If you don’t specify an [RMS template](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates), it’s a regular EFS file using a default RMS template that all users can access. - **Off, or not configured.** Stops WIP from encrypting Azure Rights Management files that are copied to a removable drive. @@ -603,7 +603,7 @@ After you've decided where your protected apps can access enterprise data on you ## Encrypted file extensions -You can restrict which files are protected by WIP when they are downloaded from an SMB share within your enterprise network locations. If this setting is configured, only files with te extensions in the list will be encrypted. If this setting is not specified, the existing auto-encryption behavior is applied. +You can restrict which files are protected by WIP when they are downloaded from an SMB share within your enterprise network locations. If this setting is configured, only files with the extensions in the list will be encrypted. If this setting is not specified, the existing auto-encryption behavior is applied. ![WIP encrypted file extensions](images/wip-encrypted-file-extensions.png) From 91623a4d58af4d0db2873912b77e3b53daa23c5a Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 13 May 2019 10:29:36 -0700 Subject: [PATCH 143/149] spelling --- .../create-wip-policy-using-intune-azure.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index 18eb0da280..33ced2e6e3 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -98,7 +98,7 @@ Select **Store apps**, type the app product name and publisher, and click **OK** ![Add Store app](images\add-a-protected-store-app.png) -To add multiple Store apps, click the elipsis **…**. +To add multiple Store apps, click the ellipsis **…**. If you don't know the Store app publisher or product name, you can find them by following these steps. @@ -187,7 +187,7 @@ To add **Desktop apps**, complete the following fields, based on what results yo
MessageDate
Reminder: Windows 10 update servicing cadence
This month we received questions about the cadence of updates we released in April and May 2019. Here's a quick recap of our releases and servicing cadence:
+
    +
  • April 9, 2019 was the regular Update Tuesday release for all versions of Windows.
    • +
  • May 1, 2019 was an \"optional\" out of band update (OOB), non-security update for Windows 10, version 1809. It was released to Microsoft Catalog and WSUS, providing a critical fix for our OEM partners.
    • +
  • May 3, 2019 was the \"optional\" Windows 10, version 1809 \"C\" release for April. This update contained important Japanese era packages for commercial customers to preview. It was released later than expected and mistakenly targeted as \"required\" (instead of \"optional\") for consumers, which pushed the update out to customers and required a reboot. Within 24 hours of receiving customer reports, we corrected the targeting logic and mitigated the issue.
    • +
+ For more information about the Windows 10 update servicing cadence, please see the Window IT Pro blog.
May 10, 2019
10:00 AM PT
Take action: Install servicing stack update for Windows Server 2008 SP2 for SHA-2 code sign support
A standalone update, KB4493730, that introduce SHA-2 code sign support for the servicing stack (SSU) was released today as a security update.		April 19, 2019
10:00 AM PT
The benefits of Windows 10 Dynamic Update
Dynamic Update can help organizations and end users alike ensure that their Windows 10 devices have the latest feature update content (as part of an in-place upgrade)—and preserve precious features on demand (FODs) and language packs (LPs) that may have been previously installed.

From 9debc2dabe6990dd5c4e8709997902507c239de9 Mon Sep 17 00:00:00 2001 From: DocsPreview <49669258+DocsPreview@users.noreply.github.com> Date: Sat, 11 May 2019 11:51:23 -0700 Subject: [PATCH 141/149] Release info preview (#164) * Latest changes for 1809 issues * New Announcement Added * Latest Change for announcement * Updated link for japanese era content * Made some change in Announcement. --- windows/release-information/windows-message-center.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/release-information/windows-message-center.yml b/windows/release-information/windows-message-center.yml index 64f62b302e..bcea3b01d7 100644 --- a/windows/release-information/windows-message-center.yml +++ b/windows/release-information/windows-message-center.yml @@ -53,7 +53,7 @@ sections:
Reminder: Windows 10 update servicing cadence
This month we received questions about the cadence of updates we released in April and May 2019. Here's a quick recap of our releases and servicing cadence:
  • April 9, 2019 was the regular Update Tuesday release for all versions of Windows.
    • -
  • May 1, 2019 was an \"optional\" out of band update (OOB), non-security update for Windows 10, version 1809. It was released to Microsoft Catalog and WSUS, providing a critical fix for our OEM partners.
    • +
  • May 1, 2019 was an \"optional,\" out of band non-security update (OOB) for Windows 10, version 1809. It was released to Microsoft Catalog and WSUS, providing a critical fix for our OEM partners.
  • May 3, 2019 was the \"optional\" Windows 10, version 1809 \"C\" release for April. This update contained important Japanese era packages for commercial customers to preview. It was released later than expected and mistakenly targeted as \"required\" (instead of \"optional\") for consumers, which pushed the update out to customers and required a reboot. Within 24 hours of receiving customer reports, we corrected the targeting logic and mitigated the issue.
For more information about the Windows 10 update servicing cadence, please see the Window IT Pro blog.
May 10, 2019
10:00 AM PT
-To add another Desktop app, click the elipsis **…**. After you’ve entered the info into the fields, click **OK**. +To add another Desktop app, click the ellipsis **…**. After you’ve entered the info into the fields, click **OK**. ![Microsoft Intune management console: Adding Desktop app info](images/wip-azure-add-desktop-apps.png) From d30d89b19b2259e021a68bc78345dc8a464bf8cc Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 13 May 2019 10:33:44 -0700 Subject: [PATCH 144/149] edits --- .../create-wip-policy-using-sccm.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md index 84ebcf1861..8cb0bcd6e9 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/30/2019 +ms.date: 05/13/2019 --- # Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager @@ -474,7 +474,7 @@ After you've decided where your protected apps can access enterprise data on you - **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps. - - **Revoke local encryption keys during the unerollment process.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: + - **Revoke local encryption keys during the unenrollment process.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: - **Yes, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment. From dfbffb033924d6cd9a79b6195186941dc06b0187 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 13 May 2019 12:58:17 -0700 Subject: [PATCH 145/149] fix indicators --- ...-blocked-list-windows-defender-advanced-threat-protection.md | 2 +- .../threat-protection/windows-defender-atp/manage-indicators.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md index 78b40b3a95..de4d01bd79 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md @@ -64,5 +64,5 @@ You can define the conditions for when entities are identified as malicious or s ## Related topics - [Manage automation file uploads](manage-automation-file-uploads-windows-defender-advanced-threat-protection.md) -- [Manage allowed/blocked lists](manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md) +- [Manage indicators](manage-indicators.md) - [Manage automation folder exclusions](manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/manage-indicators.md b/windows/security/threat-protection/windows-defender-atp/manage-indicators.md index 46f6939d8e..2a60cfdd55 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-indicators.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-indicators.md @@ -38,7 +38,7 @@ On the top navigation you can: - Apply filters ## Create an indicator -1. In the navigation pane, select **Settings** > **Allowed/blocked list**. +1. In the navigation pane, select **Settings** > **Indicators**. 2. Select the tab of the type of entity you'd like to create an indicator for. You can choose any of the following entities: - File hash From 0e0a602102d712a74a297c084fe633824a554d8d Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 13 May 2019 13:36:11 -0700 Subject: [PATCH 146/149] indicators --- .../threat-protection/windows-defender-atp/manage-indicators.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-atp/manage-indicators.md b/windows/security/threat-protection/windows-defender-atp/manage-indicators.md index 2a60cfdd55..c74b1a805e 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-indicators.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-indicators.md @@ -62,7 +62,7 @@ On the top navigation you can: ## Manage indicators -1. In the navigation pane, select **Settings** > **Allowed/blocked list**. +1. In the navigation pane, select **Settings** > **Indicators**. 2. Select the tab of the entity type you'd like to manage. From 7e1f1cb739ba64bf813b7bcc0f3970c7b6d48b72 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Mon, 13 May 2019 15:08:33 -0700 Subject: [PATCH 147/149] Added feedback from dev --- windows/client-management/mdm/policy-csp-update.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 9d7ac6f259..8e56b33127 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -1254,7 +1254,7 @@ Added in Windows 10, version 1903. Allows the IT admin (when used with [Update/C -Supports a numeric value from 0 - 5, which indicates the minimum number of days a device will wait until performing an aggressive installation of a required update once deadline has been reached. +Supports a numeric value from 0 - 7, which indicates the minimum number of days a device will wait until performing an aggressive installation of a required update once deadline has been reached. Default value is 2. @@ -1323,7 +1323,7 @@ When disabled, if the device has installed the required updates and is outside o Supported values: - 1 - Enabled -- 0 - Disabled +- 0 (default) - Disabled From baeeac3e0909bb2defa029f9d6c8632a6b771fc1 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Tue, 14 May 2019 10:06:17 -0700 Subject: [PATCH 148/149] Moved supported value tag after ADMXmapped tag --- .../mdm/policy-csp-update.md | 32 ++++++++----------- 1 file changed, 13 insertions(+), 19 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 8e56b33127..3650b5f1c6 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -1188,12 +1188,6 @@ ADMX Info: Added in Windows 10, version 1903. Allows IT admins to specify the number of days a user has before quality updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule. - -Supports a numeric value from 2 - 30, which indicates the number of days a device will wait until performing an aggressive installation of a required quality update. - -Default value is 7. - - ADMX Info: - GP English name: *Specify deadlines for automatic updates and restarts* @@ -1203,7 +1197,11 @@ ADMX Info: - GP ADMX file name: *WindowsUpdate.admx* + +Supports a numeric value from 2 - 30, which indicates the number of days a device will wait until performing an aggressive installation of a required quality update. +Default value is 7. + @@ -1253,12 +1251,6 @@ ADMX Info: Added in Windows 10, version 1903. Allows the IT admin (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)) to specify a minimum number of days until restarts occur automatically. Setting the grace period may extend the effective deadline set by the deadline policies. - -Supports a numeric value from 0 - 7, which indicates the minimum number of days a device will wait until performing an aggressive installation of a required update once deadline has been reached. - -Default value is 2. - - ADMX Info: - GP English name: *Specify deadlines for automatic updates and restarts* @@ -1268,7 +1260,11 @@ ADMX Info: - GP ADMX file name: *WindowsUpdate.admx* + +Supports a numeric value from 0 - 7, which indicates the minimum number of days a device will wait until performing an aggressive installation of a required update once deadline has been reached. +Default value is 2. + @@ -1320,12 +1316,6 @@ Added in Windows 10, version 1903. If enabled (when used with [Update/ConfigureD When disabled, if the device has installed the required updates and is outside of active hours, it may attempt an automatic restart before the deadline. - -Supported values: -- 1 - Enabled -- 0 (default) - Disabled - - ADMX Info: - GP English name: *Specify deadlines for automatic updates and restarts* @@ -1335,7 +1325,11 @@ ADMX Info: - GP ADMX file name: *WindowsUpdate.admx* - + +Supported values: +- 1 - Enabled +- 0 (default) - Disabled + From 5297438f59503b0aa8897169d609d4e185f8a9df Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Tue, 14 May 2019 10:08:42 -0700 Subject: [PATCH 149/149] minor update --- windows/client-management/mdm/policy-csp-update.md | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 3650b5f1c6..8e9d7a15c7 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -995,12 +995,6 @@ If you enable this policy setting, Automatic Maintenance attempts to set OS wake If you disable or do not configure this policy setting, the wake setting as specified in Security and Maintenance/Automatic Maintenance Control Panel applies. - -Supported values: -- true - Enable -- false - Disable (Default) - - ADMX Info: - GP English name: *Automatic Maintenance WakeUp Policy* @@ -1010,7 +1004,11 @@ ADMX Info: - GP ADMX file name: *msched.admx* - + +Supported values: +- true - Enable +- false - Disable (Default) +