From 099b7a26318581c5b3fbbe6abea5091f4630d770 Mon Sep 17 00:00:00 2001 From: Chris Jackson Date: Tue, 4 Aug 2020 15:49:42 -0500 Subject: [PATCH 01/31] First Draft of EP Reference Contains overview and docs for 10 / 21 mitigations --- .../exploit-protection-reference.md | 382 ++++++++++++++++++ 1 file changed, 382 insertions(+) create mode 100644 windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md new file mode 100644 index 0000000000..91350b5d36 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md @@ -0,0 +1,382 @@ +--- +title: Exploit Protection Reference +keywords: mitigations, vulnerabilities, vulnerability, mitigation, exploit, exploits, emet +description: Details on how the Exploit Protection feature works in Windows 10 +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +audience: ITPro +author: appcompatguy +ms.author: cjacks +ms.date: 07/20/2020 +ms.reviewer: +manager: saudm +ms.custom: asr +--- + +# Exploit Protection Reference + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +Exploit Protection provides advanced protections for applications which the IT Pro can apply after the developer has compiled and distributed the software. + +This article helps you understand how Exploit Protection works, both at the policy level and at the individual mitigation level, to help you successfully build and apply Exploit Protection policies. + +## How mitigations are applied + +Exploit Protection mitigations are applied per application. + +Mitigations are configured via a registry entry for each program that you configure protections for. These settings are stored in the **MitigationOptions** registry entry for each program (**HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Image File Execution Options \ *ImageFileName* \ MitigationOptions**). They take effect when you restart the program and remain effective until you change them and restart the program again. + +> [!IMPORTANT] +> Image File Execution Options only allows you to specify a file name, and not a version number, path, architecture, or any other differentiator. Be careful to target mitigations to apps which have unique names, applying them only on devices where you have tested that version and that architecture of the application. + +If you configure Exploit Protection mitigations using an XML configuration file, either via PowerShell, Group Policy, or MDM, when processing this XML configuration file, individual registry settings will be configured for you. + +When the policy distributing the XML file is no longer enforced, settings deployed by this XML configuration file will not be automatically removed. To remove Exploit Protection settings, export the XML configuration from a clean Windows 10 device, and deploy this new XML file. Alternately, Microsoft provides an XML file as part of the Windows Security Baselines for resetting Exploit Protection settings. + +To reset Exploit Protection settings using PowerShell, you could use the following command: + +```powershell +Set-ProcessMitigation -PolicyFilePath EP-reset.xml +``` +Following is the EP-reset.xml distributed with the Windows Security Baselines: +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +## Mitigation Reference + +The below sections details the protections provided by each Exploit Protection mitigation, the compatibility considerations for the mitigation, and the configuration options available. + +## Arbitrary code guard + +### Description + +Arbitrary Code Guard helps protect against a malicious attacker loading the code of their choice into memory through a memory safety vulnerability, and being able to execute that code. + +Arbitrary Code Guard protects an application from executing dynamically generated code (code that is not loaded, for example, from the exe itself or a dll). Arbitrary Code Guard works by preventing memory from being marked as executable. When an application attempts to [allocate memory](https://docs.microsoft.com/windows/win32/api/memoryapi/nf-memoryapi-virtualalloc), we check the protection flags. (Memory can be allocated with read, write, and/or execute protection flags.) If the allocation attempts to include the [*execute*](https://docs.microsoft.com/windows/win32/memory/memory-protection-constants) protection flag, then the memory allocation fails and returns an error code (STATUS_DYNAMIC_CODE_BLOCKED). Similarly, if an application attempts to [change the protection flags of memory](https://docs.microsoft.com/windows/win32/api/memoryapi/nf-memoryapi-virtualprotect) that has already been allocated and includes the [*execute*](https://docs.microsoft.com/windows/win32/memory/memory-protection-constants) protection flag, then the permission change fails and returns an error code (STATUS_DYNAMIC_CODE_BLOCKED). + +By preventing the *execute* flag from being set, the [Data Execution Prevention](#Data-Execution-Prevention-(DEP)) feature of Windows 10 can then protect against the instruction pointer being set to that memory and running that code. + +### Compatibility considerations + +Arbitrary Code Guard prevents allocating any memory as executable, which presents a compatibility issue with approaches such as Just-in-Time (JIT) compilers. Most modern browsers, for example, will compile JavaScript into native code in order to optimize performance. In order to support this mitigation, they will need to be rearchitected to move the JIT compilation outside of the protected process. Other applications whose design dynamically generates code from scripts or other intermediate languages will be similarly incompatible with this mitigation. + +### Configuration options + +**Allow thread opt-out** - You can configure the mitigation to allow an individual thread to opt-out of this protection. The developer must have written the application with awareness of this mitigation, and have called the [**SetThreadInformation**](https://docs.microsoft.com/windows/win32/api/processthreadsapi/nf-processthreadsapi-setthreadinformation) API with the *ThreadInformation* parameter set to **ThreadDynamicCodePolicy** in order to be allowed to execute dynamic code on this thread. + +**Audit only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). + +## Block low integrity images + +### Description + +Block low integrity images prevents the application from loading files which are untrusted, typically because they have been downloaded from the internet from a sandboxed browser. + +This mitigation will block image loads if the image has an Access Control Entry (ACE) which grants access to Low IL processes and which does not have a trust label ACE. It is implemented by the memory manager, which blocks the file from being mapped into memory. If an application attempts to map a low integrity image, it will trigger a STATUS_ACCESS_DENIED error. For details on how integrity levels work, see [Mandatory Integrity Control](https://docs.microsoft.com/windows/win32/secauthz/mandatory-integrity-control). + +### Compatibility considerations + +Block low integrity images will prevent the application from loading files which were downloaded from the internet. If your application workflow requires loading images which are downloaded, you will want to ensure that they are downloaded from a higher-trust process, or are explicitly relabeled in order to apply this mitigation. + +### Configuration options + +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). + +## Block remote images + +### Description + +Block remote images will prevent the application from loading files which are hosted on a remote device, such as a UNC share. This helps protect against loading binaries into memory which are on an external device controlled by the attacker. + +This mitigation will block image loads if the image is determined to be on a remote device. It is implemented by the memory manager, which blocks the file from being mapped into memory. If an application attempts to map a remote file, it will trigger a STATUS_ACCESS_DENIED error. + +### Compatibility considerations + +Block remote images will prevent the application from loading images from remote devices. If your application loads files or plug-ins from remote devices, then it will not be compatible with this mitigation. + +### Configuration options + +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). + +## Block untrusted fonts + +### Description + +Block untrusted fonts mitigates the risk of a flaw in font parsing leading to the attacker being able to run code on the device. Only fonts which are installed into the windows\fonts directory will be loaded for processing by GDI. + +This mitigation is implemented within GDI, which validates the location of the file. If the file is not in the system fonts directory, the font will not be loaded for parsing and that call will fail. + +Note that this mitigation is in addition to the built-in mitigation provided in Windows 10 1607 and later, which moves font parsing out of the kernel and into a user-mode app container. Any exploit based on font parsing, as a result, happens in a sandboxed and isolated context, which reduces the risk significantly. For details on this mitigation, see the blog [Hardening Windows 10 with zero-day exploit mitigations](https://www.microsoft.com/security/blog/2017/01/13/hardening-windows-10-with-zero-day-exploit-mitigations/). + +### Compatibility considerations + +The most common use of fonts outside of the system fonts directory is with [web fonts](https://docs.microsoft.com/typography/fonts/font-faq#web). Modern browsers, such as Microsoft Edge, use DirectWrite instead of GDI, and are not impacted. However, legacy browsers, such as Internet Explorer 11 (and IE mode in the new Microsoft Edge) can be impacted, particularly with applications such as Office 365 which use font glyphs to display UI. + +### Configuration options + +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). + +## Code integrity guard + +### Description + +Code integrity guard ensures that all binaries loaded into a process are digitally signed by Microsoft. This includes [WHQL](https://docs.microsoft.com/windows-hardware/drivers/install/whql-release-signature) (Windows Hardware Quality Labs) signatures, which will allow WHQL-approved drivers to run within the process. + +This mitigation is implemented within the memory manager, which blocks the binary from being mapped into memory. If you attempt to load a binary which is not signed by Microsoft, the memory manger will return the error STATUS_INVALID_IMAGE_HASH. By blocking at the memory manager level, this prevents both binaries loaded by the process and binaries injected into the process. + +### Compatibility considerations + +This mitigation specifically blocks any binary which is not signed by Microsoft. As such, it will be incompatible with most third party software, unless that software is distributed by (and digitally signed by) the Microsoft Store, and the option to allow loading of images signed by the Microsoft Store is selected. + +### Configuration options + +**Also allow loading of images signed by Microsoft Store** - Applications which are distributed by the Microsoft Store will be digitally signed by the Microsoft Store, and adding this configuration will allow binaries which have gone through the store certification process to be loaded by the application. + +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). + +## Control flow guard (CFG) + +### Description + +Control flow guard (CFG) mitigates the risk of attackers leveraging memory corruption vulnerabilities by protecting indirect function calls. For example, an attacker may user a buffer overflow vulnerability to overwrite memory containing a function pointer, and replace that function pointer with a pointer to executable code of their choice (which may also have been injected into the program). + +This mitigation is provided by injecting an additional check at compile time. Before each indirect function call, additional instructions are added which verify that the target is a valid call target before it is called. If the target is not a valid call target, then the application is terminated. As such, only applications which are compiled with CFG support can benefit from this mitigation. + +The check for a valid target is provided by the Windows kernel. When executable files are loaded, the metadata for indirect call targets is extracted at load time and marked as valid call targets. Additionally, when memory is allocated and marked as executable (such as for generated code), these memory locations are also marked as valid call targets, to support mechanisms such as JIT compilation. + +### Compatibility considerations + +Since applications must be compiled to support CFG, they implicitly declare their compatibility with it. Most applications, therefore, should work with this mitigation enabled. Because these checks are compiled into the binary, the configuration you can apply is merely to disable checks within the Windows kernel. In other words, the mitigation is on by default, but you can configure the Windows kernel to always return "yes" if you later determine that there is a compatibility issue that the application developer did not discover in their testing, which should be rare. + +### Configuration options + +**Use strict CFG** - In strict mode, all binaries loaded into the process have to be compiled for Control Flow Guard (or have no executable code in them - such as resource dlls) in order to be loaded. + +> [!Note] +> **Control flow guard** has no audit mode. Binaries are compiled with this mitigation enabled. + +## Data Execution Prevention (DEP) + +### Description + +Data Execution Prevention (DEP) prevents memory which was not explicitly allocated as executable from being executed. This helps protect against an attacker injecting malicious code into the process, such as through a buffer overflow, and then executing that code. + +If you attempt to set the instruction pointer to a memory address not marked as executable, the processor will throw an exception (general-protection violation), causing the application to crash. + +### Compatibility considerations + +All x64, ARM, and ARM-64 executables have DEP enabled by default, and it can not be disabled. Since an application will have never been executed without DEP, compatibility is generally assumed. + +All x86 (32-bit) binaries will have DEP enabled by default, but it can be disabled per process. Some very old legacy applications, typically applications developed prior to Windows XP SP2, may not be compatible with DEP. These are typically applications that dynamically generate code (e.g. JIT compiling) or link to older libraries (such as older versions of ATL) which dynamically generate code. + +### Configuration options + +**Enable ATL Thunk emulation** - This configuration option disables ATL Thunk emulation. ATL, the ActiveX Template Library, is designed to be as small and fast as possible. In order to reduce binary size, it would use a technique called thunking. Thunking is typically thought of for interacting between 32-bit and 16-bit applications, but there are no 16-bit components to ATL here. Rather, in order to optimize for binary size, ATL will store machine code in memory which is not word-aligned (creating a smaller binary), and then invoke that code directly. ATL components compiled with Visual Studio 7.1 or earlier (Visual Studio 2003) do not allocate this memory as executable - thunk emulation resolves that compatibility issue. Applications which have a binary extension model (such as Internet Explorer 11) will often need to have ATL Thunk emulation enabled. + +## Disable extension points + +### Description + +This mitigation disables various extension points for an application, which might be used to establish persistence or elevate privileges of malicious content. + +This includes: + +- **AppInit DLLs** - Whenever a process starts, the system will load the specified DLL into to context of the newly started process before calling its entry point function. [Details on AppInit DLLs can be found here](https://docs.microsoft.com/windows/win32/winmsg/about-window-classes#application-global-classes). With this mitigation applied, AppInit DLLs are not loaded. Note that, beginning with Windows 7, AppInit DLLs need to be digitally signed, [as described here](https://docs.microsoft.com/windows/win32/win7appqual/appinit-dlls-in-windows-7-and-windows-server-2008-r2). Additionally, beginning with Windows 8, AppInit DLLs will not be loaded if SecureBoot is enabled, [as described here](https://docs.microsoft.com/en-us/windows/win32/dlls/secure-boot-and-appinit-dlls). +- **Legacy IMEs** - An Input Method Editor (IME) allows a user to type text in a language that has more characters than can be represented on a keyboard. Third parties are able to create IMEs. A malicious IME might obtain credentials or other sensitive information from this input capture. Some IMEs, referred to as Legacy IMEs, will only work on Windows Desktop apps, and not UWP apps. This mitigation will also prevent this legacy IME from loading into the specified Windows Desktop app. +- **Windows Event Hooks** - An application can call the [SetWinEventHook API](https://docs.microsoft.com/windows/win32/api/winuser/nf-winuser-setwineventhook) to register interest in an event taking place. A DLL is specified and can be injected into the process. This mitigation forces the hook to be posted to the registering process rather than running in-process through an injected DLL. + +### Compatibility considerations + +Most of these extension points are relatively infrequently used, so compatibility impact is typically small, particularly at an individual application level. The one consideration is if users are using 3rd party Legacy IMEs which won't work with the protected application. + +### Configuration options + +There are no configuration options for this mitigation. + +> [!Note] +> **Disable extension points** has no audit mode. + +## Disable Win32k system calls + +### Description + +Win32k.sys provides a broad attack surface for an attacker. As a kernel-mode component, it is frequently targeted as an escape vector for applications that are sandboxed. This mitigation prevents calls into win32k.sys by blocking a thread from converting itself into a GUI thread, which is then given access to invoke Win32k functions. A thread is non-GUI when created, but converted on first call to win32k.sys, or through an API call to [IsGuiThread](https://docs.microsoft.com/windows/win32/api/winuser/nf-winuser-isguithread). + +### Compatibility considerations + +This mitigation is designed for processes which are dedicated non-UI processes. For example, many modern browsers will leverage process isolation and incorporate non-UI processes. Any application which displays a GUI using a single process will be impacted by this mitigation. + +### Configuration options + +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). + +## Do not allow child processes + +### Description + +This mitigation prevents an application from creating new child applications. A common technique used by adversaries is to initiate a trusted process on the device with malicious input (a "living off the land" attack), which often requires launching another application on the device. If there are no legitimate reasons why an application would launch a child process, this mitigation mitigates that potential attack vector. The mitigation is applied by setting a property on the process token, which blocks creating a token for the child process with the error message STATUS_CHILD_PROCESS_BLOCKED. + +### Compatibility considerations + +If your application launches child applications for any reason, such as supporting hyperlinks which launch a browser or an external browser, or which launch other utilities on the computer, this functionality will be broken with this mitigation applied. + +### Configuration options + +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). + +## Export address filtering + +## Force randomization for images (Mandatory ASLR) + +## Import address filtering + +## Randomize memory allocations (Bottom-up ASLR) + +## Simulate execution (SimExec) + +## Validate API invocation (CallerCheck) + +## Validate exception chains (SEHOP) + +## Validate handle usage + +## Validate heap integrity + +## Validate image dependency integrity + +## Validate stack integrity (StackPivot) From 0336c89b3034fcb7aa4bbd940b441a041ff0e5e1 Mon Sep 17 00:00:00 2001 From: Chris Jackson Date: Wed, 5 Aug 2020 23:22:21 -0500 Subject: [PATCH 02/31] Add EAF docs Added docs on EAF --- .../exploit-protection-reference.md | 39 +++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md index 91350b5d36..11c8139cff 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md @@ -361,8 +361,47 @@ If your application launches child applications for any reason, such as supporti ## Export address filtering +### Description + +Export address filtering (EAF) mitigates the risk of malicious code looking at the export address table of all loaded modules to find modules that contain useful APIs for their attack. This is a common tactic used by shellcode. In order to mitigate the risk of such an attack, this mitigation protects 3 commonly attacked modules: + +- ntdll.dll +- kernelbase.dll +- kernel32.dll + +The mitigation protects the memory page in the [export directory](https://docs.microsoft.com/windows/win32/debug/pe-format#export-directory-table) which points to the [export address table](https://docs.microsoft.com/en-us/windows/win32/debug/pe-format#export-address-table). This memory page will have the PAGE_GUARD protection applied to it. When someone tries to access this memory, it will generate a STATUS_GUARD_PAGE_VIOLATION. The mitigation handles this exception, and if the accessing instruction doesn't pass validation, the process will be terminated. + +### Compatibility considerations + +This mitigation is primarily an issue for applications such as debuggers, sandboxed applications, applications using DRM, or applications that implement anti-debugging technolgy. + +### Configuration options + +**Validate access for modules that are commonly abused by exploits** - This option, also known as EAF+, adds protections for additional commonly attacked modules: + +- mshtml.dll +- flash*.ocx +- jscript*.ocx +- vbscript.dll +- vgx.dll +- mozjs.dll +- xul.dll +- acrord32.dll +- acrofx32.dll +- acroform.api + +Additionally, by enabling EAF+, this mitigation adds the PAGE_GUARD protection to the page containing the "MZ" header, the first two bytes of the [DOS header in a PE file](https://docs.microsoft.com/windows/win32/debug/pe-format#ms-dos-stub-image-only), which is another aspect of known memory content which shellcode can look for to identify modules potentially of interest in memory. + +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). + ## Force randomization for images (Mandatory ASLR) +### Description + +### Compatibility considerations + +### Configuration options + ## Import address filtering ## Randomize memory allocations (Bottom-up ASLR) From 0101885b9bd252aa343e6fcb05276630b7e36892 Mon Sep 17 00:00:00 2001 From: Chris Jackson Date: Mon, 17 Aug 2020 17:59:32 -0500 Subject: [PATCH 03/31] Added remaining mitigation docs Completed initial draft of docs for all mitigations --- .../exploit-protection-reference.md | 266 +++++++++++++++++- 1 file changed, 263 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md index 11c8139cff..aa43a35300 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md @@ -369,11 +369,11 @@ Export address filtering (EAF) mitigates the risk of malicious code looking at t - kernelbase.dll - kernel32.dll -The mitigation protects the memory page in the [export directory](https://docs.microsoft.com/windows/win32/debug/pe-format#export-directory-table) which points to the [export address table](https://docs.microsoft.com/en-us/windows/win32/debug/pe-format#export-address-table). This memory page will have the PAGE_GUARD protection applied to it. When someone tries to access this memory, it will generate a STATUS_GUARD_PAGE_VIOLATION. The mitigation handles this exception, and if the accessing instruction doesn't pass validation, the process will be terminated. +The mitigation protects the memory page in the [export directory](https://docs.microsoft.com/windows/win32/debug/pe-format#export-directory-table) which points to the [export address table](https://docs.microsoft.com/en-us/windows/win32/debug/pe-format#export-address-table). This memory page will have the [PAGE_GUARD](https://docs.microsoft.com/windows/win32/memory/creating-guard-pages) protection applied to it. When someone tries to access this memory, it will generate a STATUS_GUARD_PAGE_VIOLATION. The mitigation handles this exception, and if the accessing instruction doesn't pass validation, the process will be terminated. ### Compatibility considerations -This mitigation is primarily an issue for applications such as debuggers, sandboxed applications, applications using DRM, or applications that implement anti-debugging technolgy. +This mitigation is primarily an issue for applications such as debuggers, sandboxed applications, applications using DRM, or applications that implement anti-debugging technology. ### Configuration options @@ -398,24 +398,284 @@ Additionally, by enabling EAF+, this mitigation adds the PAGE_GUARD protection t ### Description +Address Space Layout Randomization (ASLR) mitigates the risk of an attacker using their knowledge of the memory layout of the system in order to execute code that is already present in process memory and already marked as executable. This can mitigate the risk of an attacker leveraging techniques such as return-to-libc attacks, where the adversary sets the context and then modifies the return address to execute existing code with context that suits the adversary's purpose. + +Mandatory ASLR forces a rebase of all DLLs within the process. A developer can enable ASLR using the [/DYNAMICBASE](https://docs.microsoft.com/cpp/build/reference/dynamicbase-use-address-space-layout-randomization?view=vs-2019) linker option, and this mitigation has the same effect. + +When the memory manager is mapping in the image into the process, Mandatory ASLR will forcibly rebase DLLs and EXEs that have not opted in to ASLR. Note, however, that this rebasing has no entropy, and can therefore be placed at a predictable location in memory. For rebased and randomized location of binaries, this mitigation should be paired with [Randomize memory allocations (Bottom-up ASLR)](#randomize-memory-allocations-(bottom-up-aslr)). + ### Compatibility considerations +This compatibility impact of ASLR is typically constrained to older applications which were built using compilers which made assumptions about the base address of a binary file, or have stripped out base relocation information. This can lead to unpredictable errors as the execution flow attempts to jump to the expected, rather than the actual, location in memory. + ### Configuration options -## Import address filtering +**Do not allow stripped images** - This option blocks the loading of images that have had relocation information stripped. The Windows PE file format contains absolute addresses, and the compiler also generates a [base relocation table](https://docs.microsoft.com/windows/win32/debug/pe-format#the-reloc-section-image-only) which the loader can use to find all relative memory references and their offset, so they can be updated if the binary does not load at its preferred base address. Some older applications strip out this information in production builds, and therefore these binaries cannot be rebased. This mitigation blocks such binaries from being loaded (instead of allowing them to load at their preferred base address). + +> [!Note] +> **Force randomization for images (Mandatory ASLR)** has no audit mode. + +## Import address filtering (IAF) + +### Description + +The Import address filtering (IAF) mitigation helps mitigate the risk of an adversary changing the control flow of an application by modifying the import address table (IAT) to redirect to arbitrary code of the attacker's choice when that function is called. An attacker could use this approach to hijack control, or to intercept, inspect, and potentially block calls to sensitive APIs. + +The memory pages for all protected APIs will have the [PAGE_GUARD](https://docs.microsoft.com/windows/win32/memory/creating-guard-pages) protection applied to them. When someone tries to access this memory, it will generate a STATUS_GUARD_PAGE_VIOLATION. The mitigation handles this exception, and if the accessing instruction doesn't pass validation, the process will be terminated. + +This mitigation protects the following Windows APIs: + +- GetProcAddress +- GetProcAddressForCaller +- LoadLibraryA +- LoadLibraryExA +- LoadLibraryW +- LoadLibraryExW +- LdrGetProcedureAddress +- LdrGetProcedureAddressEx +- LdrGetProcedureAddressForCaller +- LdrLoadDll +- VirtualProtect +- VirtualProtectEx +- VirtualAlloc +- VirtualAllocEx +- NtAllocateVirtualMemory +- NtProtectVirtualMemory +- CreateProcessA +- CreateProcessW +- WinExec +- CreateProcessAsUserA +- CreateProcessAsUserW +- GetModuleHandleA +- GetModuleHandleW +- RtlDecodePointer +- DecodePointer + +### Compatibility considerations + +Legitimate applications which perform API interception may be detected by this mitigation and cause some applications to crash. Examples include security software and application compatibility shims. + +### Configuration options + +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). ## Randomize memory allocations (Bottom-up ASLR) +### Description + +Randomize memory allocations (Bottom-up ASLR) adds entropy to relocations, so their location is randomized and therefore less predictable. This mitigation requires Mandatory ASLR to take effect. + +Note that the size of the 32-bit address space places practical constraints on the entropy that can be added, and therefore 64-bit applications make it significantly more difficult for an attacker to guess a location in memory. + +### Compatibility considerations + +Most applications which are compatibile with Mandatory ASLR (rebasing) will also be compatibile with the additional entropy of Bottom-up ASLR. Some applications may have pointer-truncation issues if they are saving local pointers in 32-bit variables (expecting a base address below 4GB), and thus will be incompatible with the high entropy option (which can be disabled). + +### Configuration options + +**Don't user high entropy** - this option disables the use of high-entropy ASLR, which adds 24 bits of entropy (1TB of variance) into the bottom-up allocation for 64-bit applications. + +> [!Note] +> **Randomize memory alocations (Bottom-up ASLR)** has no audit mode. + ## Simulate execution (SimExec) +### Description + +Simulate execution (SimExec) is a mitigation for 32-bit applications only which helps validate that calls to sensitive APIs will return to legitimate caller functions. It does this by intercepting calls into sensitive APIs, and then simulating the execution of those APIs by walking through the encoded assembly language instructions looking for the RET instruction, which should return to the caller. It then inspects that function and walks backwards in memory to find the preceding CALL instruction to compare if the two match and that the RET hasn't been intercepted. + +The APIs intercepted by this mitigation are: + +- LoadLibraryA +- LoadLibraryW +- LoadLibraryExA +- LoadLibraryExW +- LdrLoadDll +- VirtualAlloc +- VirtualAllocEx +- NtAllocateVirtualMemory +- VirtualProtect +- VirtualProtectEx +- NtProtectVirtualMemory +- HeapCreate +- RtlCreateHeap +- CreateProcessA +- CreateProcessW +- CreateProcessInternalA +- CreateProcessInternalW +- NtCreateUserProcess +- NtCreateProcess +- NtCreateProcessEx +- CreateRemoteThread +- CreateRemoteThreadEx +- NtCreateThreadEx +- WriteProcessMemory +- NtWriteVirtualMemory +- WinExec +- CreateFileMappingA +- CreateFileMappingW +- CreateFileMappingNumaW +- NtCreateSection +- MapViewOfFile +- MapViewOfFileEx +- MapViewOfFileFromApp +- LdrGetProcedureAddressForCaller + +If a ROP gadget is detected, the process is terminated. + +### Compatibility considerations + +Applications which perform API interception, particularly security software, can cause compatibility problems with this mitigation. + +This mitigation is incompatible with the Arbitrary Code Guard mitigation. + +### Configuration options + +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). + ## Validate API invocation (CallerCheck) +### Description + +Validate API invocation (CallerCheck) is a mitigation for return oriented programming (ROP) techniques which validates that sensitive APIs were called from a valid caller. This mitigation inspects the passed return address, and then heuristically disassembles backwards to find a call above the return address to determine if the call target matches the parameter passed into the function. + +The APIs intercepted by this mitigation are: + +- LoadLibraryA +- LoadLibraryW +- LoadLibraryExA +- LoadLibraryExW +- LdrLoadDll +- VirtualAlloc +- VirtualAllocEx +- NtAllocateVirtualMemory +- VirtualProtect +- VirtualProtectEx +- NtProtectVirtualMemory +- HeapCreate +- RtlCreateHeap +- CreateProcessA +- CreateProcessW +- CreateProcessInternalA +- CreateProcessInternalW +- NtCreateUserProcess +- NtCreateProcess +- NtCreateProcessEx +- CreateRemoteThread +- CreateRemoteThreadEx +- NtCreateThreadEx +- WriteProcessMemory +- NtWriteVirtualMemory +- WinExec +- CreateFileMappingA +- CreateFileMappingW +- CreateFileMappingNumaW +- NtCreateSection +- MapViewOfFile +- MapViewOfFileEx +- MapViewOfFileFromApp +- LdrGetProcedureAddressForCaller + +If a ROP gadget is detected, the process is terminated. + +### Compatibility considerations + +Applications which perform API interception, particularly security software, can cause compatibility problems with this mitigation. + +This mitigation is incompatible with the Arbitrary Code Guard mitigation. + +### Configuration options + +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). + ## Validate exception chains (SEHOP) +### Description + +Validate exception chains (SEHOP) is a mitigation against the *Structured Exception Handler (SEH) overwrite* exploitation technique. [Structured Exception Handling](https://docs.microsoft.com/windows/win32/debug/structured-exception-handling) is the process by which an application can ask to handle a particular exception. Exception handlers are chained together, so that if one exception handler chooses not to handle a particular exception, it can be passed on to the next exception handler in the chain until one decides to handle it. Because the list of handler is dynamic, it is stored on the stack. An attacker can leverage a stack overflow vulnerability to then overwrite the exception handler with a pointer to the code of the attacker's choice. + +This mitigation relies on the design of SEH, where each SEH entry contains both a pointer to the exception handler, as well as a pointer to the next handler in the exception chain. This mitigation is called by the exception dispatcher, which validates the SEH chain when an exception is invoked. It verifies that: + +- All exception chain records are within the stack boundaries +- All exception records are aligned +- No exception handler pointers are pointing to the stack +- There are no backward pointers +- The exception chain ends at a known final exception handler + +If these validations fail, then exception handling is aborted, and the exception will not be handled. + +### Compatibility considerations + +Compatibility issues with SEHOP are relatively rare. It's uncommon for an application to take a dependency on corrupting the exception chain. However, some applications are impacted by the subtle changes in timing, which may manifest as a race condition that reveals a latent multi-threading bug in the application. + +### Configuration options + +> [!Note] +> **Validate exception chains (SEHOP)** has no audit mode. + ## Validate handle usage +### Description + +*Validate handle usage* is a mitigation which helps protect against an attacker leveraging an existing handle to access a protected object. A [handle](https://docs.microsoft.com/en-us/windows/win32/sysinfo/handles-and-objects) is a reference to a protected object. If application code is referencing an invalid handle, that could indicate that an adversary is attempting to use a handle it has previously recorded (but which application reference counting wouldn't be aware of). If the application attempts to use an invalid object, instead of simply returning null, the application will raise an exception (STATUS_INVALID_HANDLE). + +This mitigation is automatically applied to Windows Store applications. + +### Compatibility considerations + +Applications which were not accurately tracking handle references, and which were not wrapping these operations in exception handlers, will potentially be impacted by this mitigation. + +### Configuration options + +> [!Note] +> **Validate handle usage** has no audit mode. + ## Validate heap integrity +### Description + +The *validate heap integrity* mitigation increases the protection level of heap mitigations in Windows, by causing the application to terminate if a heap corruption is detected. The mitigations include: + +- Preventing a HEAP handle from being freed +- Performing additional validation on extended block headers for heap allocations +- Verifying that heap allocations are not already flagged as in-use +- Adding guard pages to large allocations, heap segments, and subsegments above a minimum size + +### Compatibility considerations + +This mitigation is already applied by default for 64-bit applications and for 32-bit applications targeting Windows Vista or later. Legacy applications from Windows XP or earlier are most at-risk, though compatibility issues are rare. + +### Configuration options + +> [!Note] +> **Validate heap integrity** has no audit mode. + ## Validate image dependency integrity +### Description + +The *validate image dependency* mitigation helps protect against attacks which attempt to substitute code for dlls which are statically linked by Windows binaries. The technique of DLL planting abuses the loader's search mechanism to inject malicious code, which can be used to get malicious code running in an elevated context. When the loader is loading a Windows signed binary, and then loads up any dlls that the binary depends on, these binaries will be verified to ensure that they are also digitally signed as a Windows binary. If they fail the signature check, the dll will not be loaded, and will throw an exception, returning a status of STATUS_INVALID_IMAGE_HASH. + +### Compatibility considerations + +Compatibility issues are uncommon. Applications which depend on replacing Windows binaries with local private versions will be impacted, and there is also a small risk of revealing subtle timing bugs in multi-threaded applications. + +### Configuration options + +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). + ## Validate stack integrity (StackPivot) + +### Description + +The *validate stack integrity (StackPivot) mitigation helps protect against the Stack Pivot attack, a ROP attack where an attacker creates a fake stack in heap memory, and then tricks the application into returning into the fake stack which controls the flow of execution. + +This mitigation intercepts a number of Windows APIs, and inspects the value of the stack pointer. If the address of the stack pointer does not fall between the bottom and the top of the stack, then an event is recorded and, if not in audit mode, the process will be terminated. + +### Compatibility considerations + +Compatibility issues are uncommon. Applications which are leveraging fake stacks will be impacted, and there is also a small risk of revealing subtle timing bugs in multi-threaded applications. + +### Configuration options + +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). \ No newline at end of file From 625463f2b5085b9210196b2b6858c8c31008e50b Mon Sep 17 00:00:00 2001 From: Chris Jackson Date: Mon, 17 Aug 2020 18:00:38 -0500 Subject: [PATCH 04/31] Updated StackPivot Added APIs intercepted --- .../exploit-protection-reference.md | 37 +++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md index aa43a35300..5cb4b38dd1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md @@ -672,6 +672,43 @@ The *validate stack integrity (StackPivot) mitigation helps protect against the This mitigation intercepts a number of Windows APIs, and inspects the value of the stack pointer. If the address of the stack pointer does not fall between the bottom and the top of the stack, then an event is recorded and, if not in audit mode, the process will be terminated. +The APIs intercepted by this mitigation are: + +- LoadLibraryA +- LoadLibraryW +- LoadLibraryExA +- LoadLibraryExW +- LdrLoadDll +- VirtualAlloc +- VirtualAllocEx +- NtAllocateVirtualMemory +- VirtualProtect +- VirtualProtectEx +- NtProtectVirtualMemory +- HeapCreate +- RtlCreateHeap +- CreateProcessA +- CreateProcessW +- CreateProcessInternalA +- CreateProcessInternalW +- NtCreateUserProcess +- NtCreateProcess +- NtCreateProcessEx +- CreateRemoteThread +- CreateRemoteThreadEx +- NtCreateThreadEx +- WriteProcessMemory +- NtWriteVirtualMemory +- WinExec +- CreateFileMappingA +- CreateFileMappingW +- CreateFileMappingNumaW +- NtCreateSection +- MapViewOfFile +- MapViewOfFileEx +- MapViewOfFileFromApp +- LdrGetProcedureAddressForCaller + ### Compatibility considerations Compatibility issues are uncommon. Applications which are leveraging fake stacks will be impacted, and there is also a small risk of revealing subtle timing bugs in multi-threaded applications. From 81b212680d1c7dea7291420a542fc8dcd1d2d10f Mon Sep 17 00:00:00 2001 From: Chris Jackson Date: Tue, 18 Aug 2020 11:19:44 -0500 Subject: [PATCH 05/31] Cleaned up spelling and grammar --- .../exploit-protection-reference.md | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md index 5cb4b38dd1..90098c5590 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md @@ -35,7 +35,7 @@ Exploit Protection mitigations are applied per application. Mitigations are configured via a registry entry for each program that you configure protections for. These settings are stored in the **MitigationOptions** registry entry for each program (**HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Image File Execution Options \ *ImageFileName* \ MitigationOptions**). They take effect when you restart the program and remain effective until you change them and restart the program again. > [!IMPORTANT] -> Image File Execution Options only allows you to specify a file name, and not a version number, path, architecture, or any other differentiator. Be careful to target mitigations to apps which have unique names, applying them only on devices where you have tested that version and that architecture of the application. +> Image File Execution Options only allows you to specify a file name or path, and not a version number, architecture, or any other differentiator. Be careful to target mitigations to apps which have unique names or paths, applying them only on devices where you have tested that version and that architecture of the application. If you configure Exploit Protection mitigations using an XML configuration file, either via PowerShell, Group Policy, or MDM, when processing this XML configuration file, individual registry settings will be configured for you. @@ -179,13 +179,13 @@ Following is the EP-reset.xml distributed with the Windows Security Baselines: ## Mitigation Reference -The below sections details the protections provided by each Exploit Protection mitigation, the compatibility considerations for the mitigation, and the configuration options available. +The below sections detail the protections provided by each Exploit Protection mitigation, the compatibility considerations for the mitigation, and the configuration options available. ## Arbitrary code guard ### Description -Arbitrary Code Guard helps protect against a malicious attacker loading the code of their choice into memory through a memory safety vulnerability, and being able to execute that code. +Arbitrary Code Guard helps protect against a malicious attacker loading the code of their choice into memory through a memory safety vulnerability and being able to execute that code. Arbitrary Code Guard protects an application from executing dynamically generated code (code that is not loaded, for example, from the exe itself or a dll). Arbitrary Code Guard works by preventing memory from being marked as executable. When an application attempts to [allocate memory](https://docs.microsoft.com/windows/win32/api/memoryapi/nf-memoryapi-virtualalloc), we check the protection flags. (Memory can be allocated with read, write, and/or execute protection flags.) If the allocation attempts to include the [*execute*](https://docs.microsoft.com/windows/win32/memory/memory-protection-constants) protection flag, then the memory allocation fails and returns an error code (STATUS_DYNAMIC_CODE_BLOCKED). Similarly, if an application attempts to [change the protection flags of memory](https://docs.microsoft.com/windows/win32/api/memoryapi/nf-memoryapi-virtualprotect) that has already been allocated and includes the [*execute*](https://docs.microsoft.com/windows/win32/memory/memory-protection-constants) protection flag, then the permission change fails and returns an error code (STATUS_DYNAMIC_CODE_BLOCKED). @@ -285,7 +285,7 @@ Since applications must be compiled to support CFG, they implicitly declare thei ### Configuration options -**Use strict CFG** - In strict mode, all binaries loaded into the process have to be compiled for Control Flow Guard (or have no executable code in them - such as resource dlls) in order to be loaded. +**Use strict CFG** - In strict mode, all binaries loaded into the process must be compiled for Control Flow Guard (or have no executable code in them - such as resource dlls) in order to be loaded. > [!Note] > **Control flow guard** has no audit mode. Binaries are compiled with this mitigation enabled. @@ -300,7 +300,7 @@ If you attempt to set the instruction pointer to a memory address not marked as ### Compatibility considerations -All x64, ARM, and ARM-64 executables have DEP enabled by default, and it can not be disabled. Since an application will have never been executed without DEP, compatibility is generally assumed. +All x64, ARM, and ARM-64 executables have DEP enabled by default, and it cannot be disabled. Since an application will have never been executed without DEP, compatibility is generally assumed. All x86 (32-bit) binaries will have DEP enabled by default, but it can be disabled per process. Some very old legacy applications, typically applications developed prior to Windows XP SP2, may not be compatible with DEP. These are typically applications that dynamically generate code (e.g. JIT compiling) or link to older libraries (such as older versions of ATL) which dynamically generate code. @@ -322,7 +322,7 @@ This includes: ### Compatibility considerations -Most of these extension points are relatively infrequently used, so compatibility impact is typically small, particularly at an individual application level. The one consideration is if users are using 3rd party Legacy IMEs which won't work with the protected application. +Most of these extension points are relatively infrequently used, so compatibility impact is typically small, particularly at an individual application level. The one consideration is if users are using 3rd party Legacy IMEs which will not work with the protected application. ### Configuration options @@ -406,7 +406,7 @@ When the memory manager is mapping in the image into the process, Mandatory ASLR ### Compatibility considerations -This compatibility impact of ASLR is typically constrained to older applications which were built using compilers which made assumptions about the base address of a binary file, or have stripped out base relocation information. This can lead to unpredictable errors as the execution flow attempts to jump to the expected, rather than the actual, location in memory. +This compatibility impact of ASLR is typically constrained to older applications which were built using compilers which made assumptions about the base address of a binary file or have stripped out base relocation information. This can lead to unpredictable errors as the execution flow attempts to jump to the expected, rather than the actual, location in memory. ### Configuration options @@ -469,14 +469,14 @@ Note that the size of the 32-bit address space places practical constraints on t ### Compatibility considerations -Most applications which are compatibile with Mandatory ASLR (rebasing) will also be compatibile with the additional entropy of Bottom-up ASLR. Some applications may have pointer-truncation issues if they are saving local pointers in 32-bit variables (expecting a base address below 4GB), and thus will be incompatible with the high entropy option (which can be disabled). +Most applications which are compatible with Mandatory ASLR (rebasing) will also be compatible with the additional entropy of Bottom-up ASLR. Some applications may have pointer-truncation issues if they are saving local pointers in 32-bit variables (expecting a base address below 4GB), and thus will be incompatible with the high entropy option (which can be disabled). ### Configuration options -**Don't user high entropy** - this option disables the use of high-entropy ASLR, which adds 24 bits of entropy (1TB of variance) into the bottom-up allocation for 64-bit applications. +**Don't use high entropy** - this option disables the use of high-entropy ASLR, which adds 24 bits of entropy (1TB of variance) into the bottom-up allocation for 64-bit applications. > [!Note] -> **Randomize memory alocations (Bottom-up ASLR)** has no audit mode. +> **Randomize memory allocations (Bottom-up ASLR)** has no audit mode. ## Simulate execution (SimExec) From 477dca457be50a9d72bd69c5af09afaed5f1da60 Mon Sep 17 00:00:00 2001 From: Caroline Gitonga Date: Thu, 20 Aug 2020 00:13:01 +0300 Subject: [PATCH 06/31] Add activity.windows.com & adl.windows.com --- .../windows-endpoints-1909-non-enterprise-editions.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md index 9e2a244111..d0d7ff467f 100644 --- a/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md @@ -93,6 +93,8 @@ The following methodology was used to derive the network endpoints: |www.bing.com|HTTPS/TLS v1.2|Cortana and Live Tiles |www.msftconnecttest.com|HTTP|Network Connection Status Indicator (NCSI) |wdcp.microsoft.com|HTTPS|Used for Windows Defender when Cloud-based Protection is enabled +|activity.windows.com|TLSV1.2|Used by Activity Feed Service which enables multiple cross-device data roaming scenarios on Windows +|adl.windows.com|HTTP|Used for compatibility database updates for Windows ## Windows 10 Pro @@ -155,6 +157,8 @@ The following methodology was used to derive the network endpoints: |storage.live.com|HTTP/TLS v1.2|OneDrive |skydrivesync.policies.live.net|TLS v1.2|OneDrive |windows.policies.live.net|HTTP|OneDrive +|activity.windows.com|TLSV1.2|Used by Activity Feed Service which enables multiple cross-device data roaming scenarios on Windows +|adl.windows.com|HTTP|Used for compatibility database updates for Windows ## Windows 10 Education @@ -203,3 +207,4 @@ The following methodology was used to derive the network endpoints: |outlook.office365.com|HTTP|Microsoft Office |www.bing.com|TLS v1.2|Used for updates for Cortana, apps, and Live Tiles |www.msftconnecttest.com|HTTP|Network Connection (NCSI) +|adl.windows.com|HTTP|Used for compatibility database updates for Windows From c3b42ff5227d07de0abc677472578348631141d1 Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Sat, 22 Aug 2020 11:20:49 +0300 Subject: [PATCH 07/31] add info about creating the tester account https://github.com/MicrosoftDocs/windows-itpro-docs/issues/1630 --- education/windows/take-a-test-multiple-pcs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md index 69d4efc9c1..164f1ec626 100644 --- a/education/windows/take-a-test-multiple-pcs.md +++ b/education/windows/take-a-test-multiple-pcs.md @@ -166,7 +166,7 @@ This sample PowerShell script configures the tester account and the assessment U - Use your tester account for **-UserName** >[!NOTE] ->The account that you specify for the tester account must already exist on the device. +>The account that you specify for the tester account must already exist on the device. For steps to create the tester account click [here](https://docs.microsoft.com/en-us/education/windows/take-a-test-single-pc#set-up-a-dedicated-test-account). ``` $obj = get-wmiobject -namespace root/cimv2/mdm/dmmap -class MDM_SecureAssessment -filter "InstanceID='SecureAssessment' AND ParentID='./Vendor/MSFT'"; From ec565628248827c9ac8d11a92520d4c16428a4a8 Mon Sep 17 00:00:00 2001 From: Marty Hernandez Avedon Date: Thu, 27 Aug 2020 11:52:33 -0400 Subject: [PATCH 08/31] updated configure-endpoints-script.md --- .../microsoft-defender-atp/configure-endpoints-script.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md index ebc09038ff..3e5de86b0b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md @@ -31,8 +31,10 @@ ms.topic: article You can also manually onboard individual devices to Microsoft Defender ATP. You might want to do this first when testing the service before you commit to onboarding all devices in your network. -> [!NOTE] -> The script has been optimized to be used on a limited number of devices (1-10 devices). To deploy to scale, use other deployment options. For more information on using other deployment options, see [Onboard Window 10 devices](configure-endpoints.md). +> [!IMPORTANT] +> This script has been optimized for use on up to 10 devices. +> +> To deploy at scale, use [other deployment options](configure-endpoints.md) For example, you can deploy an onboarding script to more than 10 devices in production by using [Group Policy](configure-endpoints-gp.md). ## Onboard devices 1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/): From b21919413057cc08ea7250b0f40456bcacca0820 Mon Sep 17 00:00:00 2001 From: Marty Hernandez Avedon Date: Thu, 27 Aug 2020 12:11:18 -0400 Subject: [PATCH 09/31] remove ambiguity --- .../microsoft-defender-atp/configure-endpoints-script.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md index 3e5de86b0b..b33be00174 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md @@ -34,7 +34,7 @@ You can also manually onboard individual devices to Microsoft Defender ATP. You > [!IMPORTANT] > This script has been optimized for use on up to 10 devices. > -> To deploy at scale, use [other deployment options](configure-endpoints.md) For example, you can deploy an onboarding script to more than 10 devices in production by using [Group Policy](configure-endpoints-gp.md). +> To deploy at scale, use [other deployment options](configure-endpoints.md) For example, you can deploy an onboarding script to more than 10 devices in production with the script available in [Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md). ## Onboard devices 1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/): From d7a584f2ef38032f99c5e6cf2fac07327a75cce8 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Fri, 28 Aug 2020 10:51:15 -0700 Subject: [PATCH 10/31] Update microsoft-defender-antivirus-in-windows-10.md --- .../microsoft-defender-antivirus-in-windows-10.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md index 3952f63c4c..a8686a586b 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md @@ -20,7 +20,7 @@ ms.custom: nextgen **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ## Microsoft Defender Antivirus: Your next-generation protection From f85bf5ae106567fca9194da912cca6593bf28378 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Fri, 28 Aug 2020 12:20:04 -0700 Subject: [PATCH 11/31] Update windows-10-and-privacy-compliance.md --- windows/privacy/windows-10-and-privacy-compliance.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/windows-10-and-privacy-compliance.md b/windows/privacy/windows-10-and-privacy-compliance.md index 2ac7d9dc79..cd308c7143 100644 --- a/windows/privacy/windows-10-and-privacy-compliance.md +++ b/windows/privacy/windows-10-and-privacy-compliance.md @@ -168,7 +168,7 @@ If a user signs in to a Windows experience or app on their device with their Mic ## 4. Cross-border data transfers -Microsoft complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, the United Kingdom, and Switzerland to the United States. +Microsoft complies with applicable law regarding the collection, use, and retention of personal information, including its transfer across borders Microsoft’s [Privacy Statement](https://privacy.microsoft.com/privacystatement#mainwherewestoreandprocessdatamodule) provides details on how we store and process personal data. From 617d5de8721a1770dc4f680f9a89a914c7086b51 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 28 Aug 2020 12:47:35 -0700 Subject: [PATCH 12/31] Update evaluate-exploit-protection.md --- .../evaluate-exploit-protection.md | 30 ++++++++----------- 1 file changed, 13 insertions(+), 17 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md index dabee673ee..1946579864 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md @@ -11,7 +11,7 @@ ms.localizationpriority: medium audience: ITPro author: denisebmsft ms.author: deniseb -ms.date: 10/21/2019 +ms.date: 08/28/2020 ms.reviewer: manager: dansimp --- @@ -22,7 +22,7 @@ manager: dansimp * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[Exploit protection](exploit-protection.md) helps protect devices from malware that uses exploits to spread and infect other devices. Mitigation can be applied to either the operating system or to an individual app. Many of the features that were part of the [Enhanced Mitigation Experience Toolkit (EMET)](emet-exploit-protection.md) are included in exploit protection. +[Exploit protection](exploit-protection.md) helps protect devices from malware that uses exploits to spread and infect other devices. Mitigation can be applied to either the operating system or to an individual app. Many of the features that were part of the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection. (The EMET has reached its end of support.) This article helps you enable exploit protection in audit mode and review related events in Event Viewer. You can enable audit mode to see how mitigation works for certain apps in a test environment. By auditing exploit protection, you can see what *would* have happened if you had enabled exploit protection in your production environment. This way, you can help ensure exploit protection doesn't adversely affect your line-of-business apps, and you can see which suspicious or malicious events occur. @@ -72,12 +72,12 @@ Where: |Mitigation | Audit mode cmdlet | |---|---| - |Arbitrary code guard (ACG) | AuditDynamicCode | - |Block low integrity images | AuditImageLoad - |Block untrusted fonts | AuditFont, FontAuditOnly | - |Code integrity guard | AuditMicrosoftSigned, AuditStoreSigned | - |Disable Win32k system calls | AuditSystemCall | - |Do not allow child processes | AuditChildProcess | + |Arbitrary code guard (ACG) | `AuditDynamicCode` | + |Block low integrity images | `AuditImageLoad` + |Block untrusted fonts | `AuditFont`, `FontAuditOnly` | + |Code integrity guard | `AuditMicrosoftSigned`, `AuditStoreSigned` | + |Disable Win32k system calls | `AuditSystemCall` | + |Do not allow child processes | `AuditChildProcess` | For example, to enable Arbitrary Code Guard (ACG) in audit mode for an app named *testing.exe*, run the following command: @@ -100,13 +100,9 @@ To review which apps would have been blocked, open Event Viewer and filter for t |Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 9 | Disable win32k system calls audit | |Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 11 | Code integrity guard audit | -## Related topics +## See also -* [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md) -* [Enable exploit protection](enable-exploit-protection.md) -* [Configure and audit exploit protection mitigations](customize-exploit-protection.md) -* [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) -* [Troubleshoot exploit protection](troubleshoot-exploit-protection-mitigations.md) -* [Enable network protection](enable-network-protection.md) -* [Enable controlled folder access](enable-controlled-folders.md) -* [Enable attack surface reduction](enable-attack-surface-reduction.md) +- [Enable exploit protection](enable-exploit-protection.md) +- [Configure and audit exploit protection mitigations](customize-exploit-protection.md) +- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) +- [Troubleshoot exploit protection](troubleshoot-exploit-protection-mitigations.md) From d3f280fd0b6f71a26843e12faf97aae7ee744d8b Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 28 Aug 2020 13:01:43 -0700 Subject: [PATCH 13/31] Update exploit-protection.md --- .../exploit-protection.md | 116 +++++++++--------- 1 file changed, 57 insertions(+), 59 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md index 49d1fcd691..b330f4798b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md @@ -36,10 +36,10 @@ When a mitigation is encountered on the device, a notification will be displayed You can also use [audit mode](evaluate-exploit-protection.md) to evaluate how exploit protection would impact your organization if it were enabled. -Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) have been included in Exploit protection, and you can convert and import existing EMET configuration profiles into Exploit protection. See [Comparison between Enhanced Mitigation Experience Toolkit and Exploit protection](emet-exploit-protection.md) for more information on how Exploit protection supersedes EMET and what the benefits are when considering moving to exploit protection on Windows 10. +Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are included in exploit protection. In fact, you can convert and import existing your EMET configuration profiles into exploit protection. To learn more, see [Import, export, and deploy exploit protection configurations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml). > [!IMPORTANT] -> If you are currently using EMET you should be aware that [EMET reached end of support on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Windows 10. +> If you are currently using EMET you should be aware that [EMET reached end of support on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). Consider replacing EMET with exploit protection in Windows 10. > [!WARNING] > Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using [audit mode](audit-windows-defender.md) before deploying the configuration across a production environment or the rest of your network. @@ -61,34 +61,34 @@ DeviceEvents You can review the Windows event log to see events that are created when exploit protection blocks (or audits) an app: -Provider/source | Event ID | Description --|-|- -Security-Mitigations | 1 | ACG audit -Security-Mitigations | 2 | ACG enforce -Security-Mitigations | 3 | Do not allow child processes audit -Security-Mitigations | 4 | Do not allow child processes block -Security-Mitigations | 5 | Block low integrity images audit -Security-Mitigations | 6 | Block low integrity images block -Security-Mitigations | 7 | Block remote images audit -Security-Mitigations | 8 | Block remote images block -Security-Mitigations | 9 | Disable win32k system calls audit -Security-Mitigations | 10 | Disable win32k system calls block -Security-Mitigations | 11 | Code integrity guard audit -Security-Mitigations | 12 | Code integrity guard block -Security-Mitigations | 13 | EAF audit -Security-Mitigations | 14 | EAF enforce -Security-Mitigations | 15 | EAF+ audit -Security-Mitigations | 16 | EAF+ enforce -Security-Mitigations | 17 | IAF audit -Security-Mitigations | 18 | IAF enforce -Security-Mitigations | 19 | ROP StackPivot audit -Security-Mitigations | 20 | ROP StackPivot enforce -Security-Mitigations | 21 | ROP CallerCheck audit -Security-Mitigations | 22 | ROP CallerCheck enforce -Security-Mitigations | 23 | ROP SimExec audit -Security-Mitigations | 24 | ROP SimExec enforce -WER-Diagnostics | 5 | CFG Block -Win32K | 260 | Untrusted Font +|Provider/source | Event ID | Description| +|---|---|---| +|Security-Mitigations | 1 | ACG audit | +|Security-Mitigations | 2 | ACG enforce | +|Security-Mitigations | 3 | Do not allow child processes audit | +|Security-Mitigations | 4 | Do not allow child processes block | +|Security-Mitigations | 5 | Block low integrity images audit | +|Security-Mitigations | 6 | Block low integrity images block | +|Security-Mitigations | 7 | Block remote images audit | +|Security-Mitigations | 8 | Block remote images block | +|Security-Mitigations | 9 | Disable win32k system calls audit | +|Security-Mitigations | 10 | Disable win32k system calls block | +|Security-Mitigations | 11 | Code integrity guard audit | +|Security-Mitigations | 12 | Code integrity guard block | +|Security-Mitigations | 13 | EAF audit | +|Security-Mitigations | 14 | EAF enforce | +|Security-Mitigations | 15 | EAF+ audit | +|Security-Mitigations | 16 | EAF+ enforce | +|Security-Mitigations | 17 | IAF audit | +|Security-Mitigations | 18 | IAF enforce | +|Security-Mitigations | 19 | ROP StackPivot audit | +|Security-Mitigations | 20 | ROP StackPivot enforce | +|Security-Mitigations | 21 | ROP CallerCheck audit | +|Security-Mitigations | 22 | ROP CallerCheck enforce | +|Security-Mitigations | 23 | ROP SimExec audit | +|Security-Mitigations | 24 | ROP SimExec enforce | +|WER-Diagnostics | 5 | CFG Block | +|Win32K | 260 | Untrusted Font | ## Mitigation comparison @@ -96,38 +96,36 @@ The mitigations available in EMET are included natively in Windows 10 (starting The table in this section indicates the availability and support of native mitigations between EMET and exploit protection. -Mitigation | Available under Exploit protection | Available in EMET --|-|- -Arbitrary code guard (ACG) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
As "Memory Protection Check" -Block remote images | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
As "Load Library Check" -Block untrusted fonts | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] -Data Execution Prevention (DEP) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] -Export address filtering (EAF) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] -Force randomization for images (Mandatory ASLR) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] -NullPage Security Mitigation | [!include[Check mark yes](../images/svg/check-yes.svg)]
Included natively in Windows 10
See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](../images/svg/check-yes.svg)] -Randomize memory allocations (Bottom-Up ASLR) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] -Simulate execution (SimExec) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] -Validate API invocation (CallerCheck) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] -Validate exception chains (SEHOP) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] -Validate stack integrity (StackPivot) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] -Certificate trust (configurable certificate pinning) | Windows 10 provides enterprise certificate pinning | [!include[Check mark yes](../images/svg/check-yes.svg)] -Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection
See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](../images/svg/check-yes.svg)] -Block low integrity images | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] -Code integrity guard | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] -Disable extension points | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] -Disable Win32k system calls | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] -Do not allow child processes | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] -Import address filtering (IAF) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] -Validate handle usage | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] -Validate heap integrity | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] -Validate image dependency integrity | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] +|Mitigation | Available under exploit protection | Available in EMET | +|---|---|---| +|Arbitrary code guard (ACG) | yes | yes
As "Memory Protection Check" | +|Block remote images | yes | yes
As "Load Library Check" | +|Block untrusted fonts | yes | yes | +|Data Execution Prevention (DEP) | yes | yes | +|Export address filtering (EAF) | yes | yes | +|Force randomization for images (Mandatory ASLR) | yes | yes | +|NullPage Security Mitigation | yes
Included natively in Windows 10
See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | yes | +|Randomize memory allocations (Bottom-Up ASLR) | yes | yes | +|Simulate execution (SimExec) | yes | yes | +|Validate API invocation (CallerCheck) | yes | yes | +|Validate exception chains (SEHOP) | yes | yes | +|Validate stack integrity (StackPivot) | yes | yes | +|Certificate trust (configurable certificate pinning) | Windows 10 provides enterprise certificate pinning | yes | +|Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection
See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | yes | +|Block low integrity images | yes | no | +|Code integrity guard | yes | no | +|Disable extension points | yes | no | +|Disable Win32k system calls | yes | no | +|Do not allow child processes | yes | no | +|Import address filtering (IAF) | yes | no | +|Validate handle usage | yes | no | +|Validate heap integrity | yes | no | +|Validate image dependency integrity | yes | no | > [!NOTE] -> The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default, as part of enabling the anti-ROP mitigations for a process. -> -> See the [Mitigation threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information on how Windows 10 employs existing EMET technology. +> The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default, as part of enabling the anti-ROP mitigations for a process. See the [Mitigation threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information on how Windows 10 employs existing EMET technology. -## Related articles +## See also - [Protect devices from exploits](exploit-protection.md) - [Evaluate exploit protection](evaluate-exploit-protection.md) From 14cacc4c14fd7328a18bdc75db93ef3b6d61b1ab Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 28 Aug 2020 13:03:55 -0700 Subject: [PATCH 14/31] Update .openpublishing.redirection.json --- .openpublishing.redirection.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index aaf6321d69..72163a76f0 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -857,12 +857,12 @@ }, { "source_path": "windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md", - "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/emet-exploit-protection", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exploit-protection", "redirect_document_id": true }, { "source_path": "windows/security/threat-protection/microsoft-defender-atp/emet-exploit-protection.md", - "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-exploit-guard", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exploit-protection", "redirect_document_id": true }, { From 287a6d7ddacab17a7ec8f4e0109a95246bf64328 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 28 Aug 2020 13:05:16 -0700 Subject: [PATCH 15/31] EMET link fixes --- .../customize-exploit-protection.md | 1 - .../enable-exploit-protection.md | 1 - .../import-export-exploit-protection-emet-xml.md | 10 +++++----- .../troubleshoot-exploit-protection-mitigations.md | 1 - 4 files changed, 5 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md index 55552af86b..644ad754c1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md @@ -252,7 +252,6 @@ For more information about customizing the notification when a rule is triggered ## See also * [Protect devices from exploits](exploit-protection.md) -* [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md) * [Evaluate exploit protection](evaluate-exploit-protection.md) * [Enable exploit protection](enable-exploit-protection.md) * [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md index c611445181..74c12b3f99 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md @@ -242,7 +242,6 @@ See the [Windows Security](../windows-defender-security-center/windows-defender- ## Related topics -* [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md) * [Evaluate exploit protection](evaluate-exploit-protection.md) * [Configure and audit exploit protection mitigations](customize-exploit-protection.md) * [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md index 322278414a..0901c27e53 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md +++ b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md @@ -122,9 +122,9 @@ You can use Group Policy to deploy the configuration you've created to multiple 6. Select **OK** and [Deploy the updated GPO as you normally do](https://docs.microsoft.com/windows/win32/srvnodes/group-policy). -## Related topics +## See also -* [Protect devices from exploits](exploit-protection.md) -* [Evaluate exploit protection](evaluate-exploit-protection.md) -* [Enable exploit protection](enable-exploit-protection.md) -* [Configure and audit exploit protection mitigations](customize-exploit-protection.md) +- [Protect devices from exploits](exploit-protection.md) +- [Evaluate exploit protection](evaluate-exploit-protection.md) +- [Enable exploit protection](enable-exploit-protection.md) +- [Configure and audit exploit protection mitigations](customize-exploit-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md index 24dcaab4dd..05cd741da3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md @@ -196,7 +196,6 @@ If you haven’t already, it's a good idea to download and use the [Windows Secu ## Related topics * [Protect devices from exploits](exploit-protection.md) -* [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md) * [Evaluate exploit protection](evaluate-exploit-protection.md) * [Enable exploit protection](enable-exploit-protection.md) * [Configure and audit exploit protection mitigations](customize-exploit-protection.md) From b1d90941cf0b8ca760ea220adf1ab7b17dfa40a7 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 28 Aug 2020 13:08:16 -0700 Subject: [PATCH 16/31] Update import-export-exploit-protection-emet-xml.md --- .../import-export-exploit-protection-emet-xml.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md index 0901c27e53..3e4e0b9f14 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md +++ b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md @@ -64,7 +64,7 @@ When you've configured exploit protection to your desired state (including both Example command: - **Get-ProcessMitigation -RegistryConfigFilePath C:\ExploitConfigfile.xml** + `Get-ProcessMitigation -RegistryConfigFilePath C:\ExploitConfigfile.xml` > [!IMPORTANT] > When you deploy the configuration using Group Policy, all devices that will use the configuration must be able to access the configuration file. Ensure you place the file in a shared location. @@ -88,7 +88,7 @@ After importing, the settings will be instantly applied and can be reviewed in t Example command: - **Set-ProcessMitigation -PolicyFilePath C:\ExploitConfigfile.xml** + `Set-ProcessMitigation -PolicyFilePath C:\ExploitConfigfile.xml` > [!IMPORTANT] > @@ -115,10 +115,10 @@ You can use Group Policy to deploy the configuration you've created to multiple 5. In the **Options:** section, enter the location and file name of the Exploit protection configuration file that you want to use, such as in the following examples: - * C:\MitigationSettings\Config.XML - * \\\Server\Share\Config.xml - * https://localhost:8080/Config.xml - * C:\ExploitConfigfile.xml + * `C:\MitigationSettings\Config.XML` + * `\\Server\Share\Config.xml` + * `https://localhost:8080/Config.xml` + * `C:\ExploitConfigfile.xml` 6. Select **OK** and [Deploy the updated GPO as you normally do](https://docs.microsoft.com/windows/win32/srvnodes/group-policy). From 2b25e40433b665edd0401a5e326df87f65c755af Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 28 Aug 2020 13:44:54 -0700 Subject: [PATCH 17/31] Added a period, corrected indentation & numbering... Second-level list items seem to only be formatted with the correct hanging indentation when we rely on automatic numbering. So, I've changed the letters in source (a,b,c) to 1, which will be rendered as letters with correct formatting. --- .../configure-endpoints-script.md | 32 +++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md index b33be00174..de35e7ec30 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md @@ -34,29 +34,29 @@ You can also manually onboard individual devices to Microsoft Defender ATP. You > [!IMPORTANT] > This script has been optimized for use on up to 10 devices. > -> To deploy at scale, use [other deployment options](configure-endpoints.md) For example, you can deploy an onboarding script to more than 10 devices in production with the script available in [Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md). +> To deploy at scale, use [other deployment options](configure-endpoints.md). For example, you can deploy an onboarding script to more than 10 devices in production with the script available in [Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md). ## Onboard devices 1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/): - a. In the navigation pane, select **Settings** > **Onboarding**. + 1. In the navigation pane, select **Settings** > **Onboarding**. - b. Select Windows 10 as the operating system. + 1. Select Windows 10 as the operating system. - c. In the **Deployment method** field, select **Local Script**. + 1. In the **Deployment method** field, select **Local Script**. - d. Click **Download package** and save the .zip file. + 1. Click **Download package** and save the .zip file. 2. Extract the contents of the configuration package to a location on the device you want to onboard (for example, the Desktop). You should have a file named *WindowsDefenderATPOnboardingScript.cmd*. 3. Open an elevated command-line prompt on the device and run the script: - a. Go to **Start** and type **cmd**. + 1. Go to **Start** and type **cmd**. - b. Right-click **Command prompt** and select **Run as administrator**. + 1. Right-click **Command prompt** and select **Run as administrator**. - ![Window Start menu pointing to Run as administrator](images/run-as-admin.png) + ![Window Start menu pointing to Run as administrator](images/run-as-admin.png) 4. Type the location of the script file. If you copied the file to the desktop, type: *%userprofile%\Desktop\WindowsDefenderATPOnboardingScript.cmd* @@ -75,7 +75,7 @@ You can manually configure the sample sharing setting on the device by using *re The configuration is set through the following registry key entry: -``` +```console Path: “HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection” Name: "AllowSampleCollection" Value: 0 or 1 @@ -97,23 +97,23 @@ For security reasons, the package used to Offboard devices will expire 30 days a 1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/): - a. In the navigation pane, select **Settings** > **Offboarding**. + 1. In the navigation pane, select **Settings** > **Offboarding**. - b. Select Windows 10 as the operating system. + 1. Select Windows 10 as the operating system. - c. In the **Deployment method** field, select **Local Script**. + 1. In the **Deployment method** field, select **Local Script**. - d. Click **Download package** and save the .zip file. + 1. Click **Download package** and save the .zip file. 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the devices. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*. 3. Open an elevated command-line prompt on the device and run the script: - a. Go to **Start** and type **cmd**. + 1. Go to **Start** and type **cmd**. - b. Right-click **Command prompt** and select **Run as administrator**. + 1. Right-click **Command prompt** and select **Run as administrator**. - ![Window Start menu pointing to Run as administrator](images/run-as-admin.png) + ![Window Start menu pointing to Run as administrator](images/run-as-admin.png) 4. Type the location of the script file. If you copied the file to the desktop, type: *%userprofile%\Desktop\WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd* From bc2544feefb20aed05b3882c4da2a148709c98b4 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 28 Aug 2020 15:02:43 -0700 Subject: [PATCH 18/31] Removed "en-us" from a link and other fixes --- education/windows/take-a-test-multiple-pcs.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md index 164f1ec626..1bfa750d6f 100644 --- a/education/windows/take-a-test-multiple-pcs.md +++ b/education/windows/take-a-test-multiple-pcs.md @@ -145,8 +145,8 @@ To set up a test account through Windows Configuration Designer, follow these st - username@tenant.com 4. Under **Runtime settings**, go to **TakeATest** and configure the following settings: - 1. In **LaunchURI**, enter the assessment URL. - 2. In **TesterAccount**, enter the test account you entered in step 3. + - In **LaunchURI**, enter the assessment URL. + - In **TesterAccount**, enter the test account you entered in step 3. 3. Follow the steps to [build a package](https://technet.microsoft.com/itpro/windows/configure/provisioning-create-package#build-package). @@ -166,9 +166,9 @@ This sample PowerShell script configures the tester account and the assessment U - Use your tester account for **-UserName** >[!NOTE] ->The account that you specify for the tester account must already exist on the device. For steps to create the tester account click [here](https://docs.microsoft.com/en-us/education/windows/take-a-test-single-pc#set-up-a-dedicated-test-account). +>The account that you specify for the tester account must already exist on the device. For steps to create the tester account, see [Set up a dedicated test account](https://docs.microsoft.com/education/windows/take-a-test-single-pc#set-up-a-dedicated-test-account). -``` +```powershell $obj = get-wmiobject -namespace root/cimv2/mdm/dmmap -class MDM_SecureAssessment -filter "InstanceID='SecureAssessment' AND ParentID='./Vendor/MSFT'"; $obj.LaunchURI='https://www.foo.com'; $obj.TesterAccount='TestAccount'; @@ -232,7 +232,7 @@ One of the ways you can present content in a locked down manner is by embedding 1. Embed a link or create a desktop shortcut with: - ``` + ```http ms-edu-secureassessment:#enforceLockdown ``` From 4f4c97e98dfe35efb8cb0a876b14f993d9acf877 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 28 Aug 2020 15:10:47 -0700 Subject: [PATCH 19/31] Corrected blind link by naming the target --- windows/privacy/windows-10-and-privacy-compliance.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/windows-10-and-privacy-compliance.md b/windows/privacy/windows-10-and-privacy-compliance.md index cd308c7143..e1011307d6 100644 --- a/windows/privacy/windows-10-and-privacy-compliance.md +++ b/windows/privacy/windows-10-and-privacy-compliance.md @@ -40,7 +40,7 @@ Transparency is an important part of the data collection process in Windows 10. ### 1.1 Device set up experience and support for layered transparency -When setting up a device, a user can configure their privacy settings. Those privacy settings are key in determining the amount of personal data collected. For each privacy setting, the user is provided information about the setting along with the links to supporting information. This information explains what data is collected, how the data is used, and how to manage the setting after the device setup is complete. When connected to the network during this portion of setup, the user can also review the privacy statement. A brief overview of the set up experience for privacy settings is described in [this blog](https://blogs.windows.com/windowsexperience/2018/03/06/windows-insiders-get-first-look-new-privacy-screen-settings-layout-coming-windows-10/#uCC2bKYP8M5BqrDP.97). +When setting up a device, a user can configure their privacy settings. Those privacy settings are key in determining the amount of personal data collected. For each privacy setting, the user is provided information about the setting along with the links to supporting information. This information explains what data is collected, how the data is used, and how to manage the setting after the device setup is complete. When connected to the network during this portion of setup, the user can also review the privacy statement. A brief overview of the set up experience for privacy settings is described in [Windows Insiders get first look at new privacy screen settings layout coming to Windows 10](https://blogs.windows.com/windowsexperience/2018/03/06/windows-insiders-get-first-look-new-privacy-screen-settings-layout-coming-windows-10/#uCC2bKYP8M5BqrDP.97), a blog entry on Windows Blogs. The following table provides an overview of the Windows 10 privacy settings presented during the device setup experience that involve processing personal data and where to find additional information. From d8bfc171d70534b2e7a720c3f6e08a1d09cca412 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Fri, 28 Aug 2020 18:15:27 -0700 Subject: [PATCH 20/31] Update ea06643280075f16265a596fb9a96042.png --- .../ea06643280075f16265a596fb9a96042.png | Bin 31624 -> 29614 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ea06643280075f16265a596fb9a96042.png b/windows/security/threat-protection/microsoft-defender-atp/images/ea06643280075f16265a596fb9a96042.png index af5e16e9b6eb78f08516c16d525290bc94baf51f..89da77d8664d6e7d19c9255d7ae25e9323ee79e0 100644 GIT binary patch literal 29614 zcmeFZWmHvB8!oD%sB}mp9nx&1QiDw~&o?wk=w*L21q^^*Wy<;DwCwq`oaD3?4lu`sTbcoyfz0@ zzkGRQakrmcG=6KlDQ4O-=6=Uw!I_Loz&hXTu1f4Hpam1EbAUQ9<{Z}r>~PG>8$IwE z68oY)9x1e~tvt&NIIqlqKQ<(NK#&pLO~Sy!;_T`g86F3OuVHU zyXsI?)^EDDytwSat<&qbB>lZ;;NYXKnX>j#JPF+R&j_^{!M?JI5^;m1Pec1ZCpOJQGlaaj%I{F&I~AWgTF-OHI?IVX6lVfg#qYSM4I#T!d`mfZ1!5L6L&wm6^mxR{D~dM&B15L$TF*9XM^Cu#cCD>+PR+ApX(7%&FnduHcYr%tX--Y z7#ysxJKx{AXFo6KC2XR9_E16ZavN@K(d=KK#%N}?Iag;VyK2{QVc*eq7_s0>FG=ic zrM@#eLdLMN_Yfb#WVQBeB0RLZ@cr9q@ez}mVObfO%IfN{(9oD}LpDg+&ci(Z#Elr# zsEdh!W!Tx)IR5Hk0snQns{hD5hrEvR`C$TqL93n%tMP?}sfD_{v;00R_QYnYs-O6L z!`=klUb&htt)7>{_<+b%q?jnQ^P zSa9BGt6=mOx#7RDz7xg9PF zS^NxI91x%l2(dhm^;>McG>}^5_f%Y*U2{?=9udWxYTlssBldgyW4W9%e4}KLT3uZ| zPa*ZarU9{UR%PLA*W+!;!*%&fWo~y$ozokR;VYt7-|7mUb#-+qC@9#?Y%`RUCLN~x ztoST)rdRLfPAL(azbjt6Qe{xElS7m6JaQwBQOmaqXkfToN+f*8nn2A-C=|7F$|#^q z@9R#}D*ChmtLSD!>q%OO=fE?(J%cR7DP3KD?`4H3^~D#vopG&=rFVAZ_ ziV4%*7$>&15eDK*H$_=5H!x4K?O(%Y*xk5gxZ1TB|9W`FSUr>H4(&c$*%8J-$A#_2 zkI_85nb-+U+GR6)-S*IjVi?Lsv{&3t0t$gwL%Rr~Jyj2K_s-y^#bPBZ)&atp&uA4; z&&UdwnhLQd+jK3L^MO6*Z?hCSKYNRaPudL{#(MRNCLDJ}z&rr{m*5p;`0k#7vu-+J zUr`~;;Iqh?bv~1rQ4qvk+xC0e-g!56PR(S| z6uDpLjHFdDZ_pOjs=E(VT$WQ<2~Z~{CSITuuo-ZAD8lx$RZRSwInWzb^Ez`Pmq)b4 z5{^yGu`M4BW_XjX-*g6?-p5;MCqP5<-15#VW6Bz087$wqJC{tr?kHIqgltToKXD98 zBb1eu#U?&jY+(v-TP%S`6Sel;aSS-6bGE&(K)2Ufa>BFHa$|mD_r=dEKa?u-pp#c) z@y5ug6R`@KYk$9|67pP-2IuEqhc(&EIO818ZDks)QN^oT>D3ctOzT1A6vElC>WCQXsu3QxV^2?;vZBoq9iidjF>_34U))#^Yd zjKqr#Y2P_qfp&upGMym&W<#y7lo2N{=~WF)EP3!J2!zhZunYBhs&40c>C@!o2d8Xf z-7I&{_k=G_UgoJNZ&Xl5s^-8y)0Uc4OZHKC&SX|?XR7sVsIdy9f90u5NVT3S37E<$ zFRKV_frUmnbi3!`Yfc)jb_^12WxwGt?;xqJvwfL7J8M+Rkk%MCg&QoIPL1b3v0!al z!KZGtjkn8cW)Q@3@bQPqxl~h@3QAE$HKoFdkuAdtEL5F<15I_RG=wtVP@66Xjf*pTF>SyT1c!S-4C4W+M&fp-qR#H_4dLMfS(1_2$5UFqe5zh#Uz3G~ zMD+Dw`D#sMMMPIR5gb&LvK2@^W{woVz9EZ z%Dc@S;4ks|sT1+VS(1R7T~s%8?KMvo|%(!t3iXwT=mSn-iEcEEPn<|UKU1~y^YNo!s%>S0aXm6rE;CojLp9|dY?EaKsS^m(I zI?hVT*mUyoBZkW}DEf)E?rAoe3&&cgKyS|UTdAD3O3~| zS@Y$?li-dcN2>9w4`0EY6Bl(R*j+<*WekFUF*XQWS?IVi#{8Iv_$>HX`IG58s%&esueV8^?y#xDH>lQm957q)Bh!Dj(vesdn2vG zmpQsoq)i*g^}Eb=sHT9Hp>4;{?>HzRu`Rb2e`bo^w;3b4F)nVR%4{gxp6W&(U=lSe z%kD#=>xDCz_oTp?!RGMu$a9Qzx!JY_dEN4Kc<#A@ReChbdF1h?kXK5|+&LB+Ta_Ts z0$j7&&Za>}I!W~bgD|~adAMG^a_RygTo3bBGUJla@Yr-dK{Z!26hfmes zp7k01`wt&-j&px02B@k;mwJX6aH)LTnq46kYL~8{`E{>8Yzm*jMJlCy#+$V*`(n`a zHFHdC;m-b4m1KQhkOX@gfs?nruI?Pqq2teY6#LD!ICD%A!MGz&MIgZhBth@|#J6wFzWD4DMyjFxjAW3& z>SY@H)i&M1aqXk;-!A=N7Mk6SmoFV8%F4>>?_YK%iB1VQbBQw2#R^c`5nIiCv>(Ve zR5KS%g9A&`ouOW+_B@x%E{w4)al(~}Pwj6ngpxq?lnng%v)g2z7O{RB6v`@AnOgD3 zSc>Z-`-MDos=0z5*KOD;7Dysc^6rug>nSzD*)7k^-}|*mW;T%}2jti7T#qRJ4{dBL z{rNeC3(gWj=ByR*PhCo8U5pD>l=c`dKSI?4f8K;@?u3S+G}~jU_Ram25+u?HQV^_F zHq20FnA4@Bv=mg;`1tmCBgBQdHe7qf(UeaE)!At*jycwd6IrYv%8I&*F}fy)b8wl9 zT%3}+w2jK9sdr)iJR#@93u5{JakDXkba~%+4IieAS0gr!tUsiNwm)vJzT9 zNquy%&{jvkM;;(wGfJSs1eja$=^vJfMfRqZ=8G@K?#i5lZ=H+HP$J}*Q7lyECahjGI`Jtx z_Eb=qcXXJ!2AONV9_$8QufnOmo@^KH z_Py953_l;oS35IS>O3dsH;K=8CTC1o{T`v<%ce`D5Mk%I6kqQYd78j^PrUWn*Agdk z5pNPpe^C(=9&FW&H^IfL=`n%#dutEHsmvaVE?@SJUXk3KlWR6}C4bj5BQi9m@;8Up z+(9h|tn50&b$UQUBcoK*7yG;*|Ggu1MRu8=o}oy&a*&u^>#1_R?}KpVY)YF&FnoB- zAYcN^>Kj!;l;%voL4fK*RW-^unm3d%r{8GK&V-tL>r+YHomY2qsLJsNu1<$DQ@m!w zR~d*ErSI0322~U*=+=JCGp}|Y^SADO~o6;K(s~Sjt>S$^Tu1(u7I!xjEo#)JfE+21ZcSGKtd3<&oU#>k=%SHH9#I*;Se1CBQngt0B z_q#_sn{OUI8Zv7*e-C|PFZPt#THJN+hJ-k3u~j5lsjh{=SPySyICZ(`6*)U)GHFv; zxC}4O(ZNzo0@YW_WK8>LYJ79oEYH5?x7*X6yh`?@E9USUPk+3Url0jdnV# z)>H4^zkhPSwdT;ksUX%iAwY|KTmbi%gaC$YwA8es`jRG~qDct-A-Rsq=)z8S9Hv#26qIil@p7 zCo(BJC408iBpdPH?s*JMt0fETuNZ#Cgj5M4M-g_X%T1I$SNN>exvFL(BCW2yil5oS zE<8YA0{;v9+l}>#nVA^}7dPj4sy*~q!hDS_dfqi-lXm~-?w%yPMN=i{JE#CGOKV-3~AVGH3nYzC0?3cp}KXW##HSG_W`ao$Jn5u;5i3Diq z|C!dlL?=)iR+#KvK?(Uwr19OGR+uarPwlYv2V(ul)BeC~P&g2;*Xdz9Na!1#3ZX+2 zx#%$Xm!m-V@Kpk4vK-p<_mPAAUA8)d{^Xq^1TV6{Sb2a^&kin9;l|f@`$a)@DwoX{ zOlaPF>o-H*2ff+wFRNGrqU0)g{^~;e)xn~kk9!%f_2eKC5(^I5FOSsNJoy%(7W3^@ z)hFEa(R8VDh%P4d$bvNIRtS#@LzY{(6|RFFZdR1r(B#h1?5UYBY~lx?#% z>B}e$sZ#D@Vl`QdwJavzIBbclx^x+=prGb~z`MGZBQd1)iRm+4htYzUotNT*qD)Y4a1!Z?DohdMlO(B zSfH0e6WU)3NYFj2H5f|szKKhbEf1ypDTm86y5@~`Gi07jb6`B|i;|mnJL|9aFlGc; z;+!_!=A?e+J8PUJ?XJmXgua8qttaNn?^nT;>hzj*oXr;fLuP2s z%GQmA-i{RsQNca#xvkf`xk0E`S;l%4maK=dfVodl6F-poovI@aA&J)_TjhT&mkQ?M zH_0%THX3335;Z!WH(Dk>E=_ajkO5Gz{A%l8#aSx)7mkK}O-V)imIb+^kU2huhVu0& z2uBo#xx3J!3L%<>5Phol)MFo@x2ZMsIJWYsR>&IBYjRd+`2YGs^)-TcQs$wiw><1bQEo+ivSa2tl=>wgh-3{30x-?s9V(y5 zjy2ms_PSSy32gfj&w%vN4I^PXlD%T7(Q_GZgIC_(oT3Gz_{}g^$2R`tFAAp_?Rrkq z75O}R#!3Zhj~_p_!zFkWTo~@2S?`T$N7s0Tlv?A;+qs`Tswlsb<(xpytv?`k{6Szb z7toC@r-OzhKcUFNU^C^Rvviq9mNrGW!9l`Xu9=xY8R%tHPAIZUNF5q(jqJE~dwJ~r z9;jk=o-;2lUlj#jzY$rmF})$VQSuaHcoMs)K_4Ce)I=|Y3DVr`-$BV5a)B>B-77m} z`msJ$Ji0Y6VhsYS4;Pt$O@EDbHm7nkB1 zz8+qnB*`473+pD|$pdKG6s_#%V=%|d>!s*y@v$!*Urb{m7R_;REH&rWRFMg+pPB@* zPD(niHZ_3~@ck~bwZT{vtw8JbEgn3l&8aNOG%$G*^wiqiCVHJq1mXKa1}n-;lR zC0_lpfEJ2f@O!&OOdg5&JDF4%Y9r6aY)NMRc_UxM(!G4H9sO!pXVKX@8`%tZ3`*> z)=Mv89W%XIQJk{JyzA(o!+-3&&uT)6<9Ttt!m+-h%y{(Sh)XbeQjIe z?C(+a#}L<9B=MP9*(BbPtWfG%dt^xwi|v`SRm>BV{-tURyN59qw~{Jl^eL=o6I8rq z)rH9Frxpu6C`4ToTj3d4Ab;7295VB@ozz;Oabe~3MaSD}DZ`dWadsm_rmMF?`tMQj(={>^DSIgVgTCYhoC>(<_bxR6r z++*9W09VM*LQDT z;7x-R>%#)C*Bh-^zPVm8d1h6hIF}5pdcjDb-xK#_b|tR^)Jfg9%#{{#9?rrwtIm2@ zzQ18|S@Cev)j3wirP1D7}2b6jYg) z6LyMdzS42XhMsS~cX#s)0i&r!B#|&EDCjpY9WoUa6-PwyS8x<&41S%8YW4r-rFvg` zXntvFL_~zo%~^p;5*^oeen?1mhDgfj=;+bWXKQ5%iGcC!Q??nZxWeEE2Oezf5xalr zR5)+W#&{?j!sT~>b$b& zo}7$}!^=EYd}^Oz9C$(QdzMiX7iTWY=-~9Z9bY>!B`zT$v^zd`#9UBNkS>fo(lxWb zUdxh}it45$nG&)$TXX8?d%rrSD15&ua(~-STp!f;jN|b(R6}&sXKWmrLGr1;&AVRc0*um2Sr? z;%>}(^^YEeJ3fZ#?em3(Ogqn8crorq0#cSosZB$k8=9IQu@7waKS(RuosOS>AjA+C_Cft!#qV zRfmX~TzWtd1s5dF#9Y%J(cDy=0O^B$nQ&LgMjOstudHM4A*|TRVR;epc zbv->jIk~WV)Mo_@42is4TMV=@{;i>UhhGK84GGK;=dp$7N3noCnN+0kgq^q-=!{^JIz+8$X z=b7y2==dC8q*-=%rb^O$wm(-_K}^C^dN`dSguhs17HOkfM|coZS$R^Rn(K8ml-BPX1@R!F+ zKH+%RnVOMgS~kba&nz!u=oK#x7T#K}y|5OjeWEMkIawS^z!sFRrmimJI!L;QQeozE zQ-N-9mi};cI8*g0Xo^fq}PwMg3Z@Z)BSvhvKuocFWHvG;$3uRyZ>~yftHg4DCx>Xo47D+UjFx zD_vD+2BMKwTWwZoE&j+@yBLJN*EBxCr&xE{&*I|N$8N- zz)yxxl3n6;p0I%Ptz5-qUP@|eB$nCC>8&TNU(6y&`5f-1E7sO%?7f8{5Nsj4vlY*a zEo{|GTp95 zOF;pn_P95O9yFtCclX3crew5Bumyd?Lvq3T$jtCzcJJA7s<;aQ0^%Ct49f;v*9-^` z4*{(q{MmG^Gn34Hy}j|dtlKdaX~)6okcjyEMjr&RMs9QS-AGnoC;`i>1i8U<5&B#) zs8+K%_Q_*n?CmFq^BsfIva)jxj?bawwS$x05^~aDP6vOIMYHj}FL2C@(C2sUY;*hQ zG`Kf&124ClQc&Ykn>->|&J?frx^}p|*eBLAHjg6wK9IuWeR3>0YwM9EfJ2;LP+)OK z+uh`fR3Y=`>kE|3XGl_y@?-lGSjIH9+mE8VLa}Wn(8%e0>MDx$QV5k6D)e0s7w}?U zYL@ER&Rv)>1I0nRx>+9jhJhi8&$0X8N^$wKwYFvgNg~VbY0IDat)3}9)ZI>62m%;VtN2-=#%Lozf3N6W>)X6Pb0~*S_R?Myu7@E zf^urmI2o?>gx>tit-et0v*9|4vX%~SG*H*yx97@}RDAD^q1#yB2vS-F zJX4iNI6)V%J$AgKTW5`pyOohVm?}hK)#N?LJ#xYwygZsCt3}jYZFJdE5%fC(Gh{HT9O zBt^u|){o7+*sx6@fe@bqq@7wclUX3m%X4wPy}cihG2cVWtE;1uch=U|xjdmk;o(F= zmNbPrWobf_rTSHNhh!vHyFyK_b#_y=&PC+JG|2F8QBhbUnXZ#d5k-u-6)C@Gs zK58C&L}EnNQ+85l!NI|P$Y}4N!)1w-n3$M*6+Yg#@ExBXopi#DfmGuwqvwl3&byQU zxrIQVNO)9C%v;-e!g0n|B=&3>WCo3jhl@)-h`14Wx&12g_?{u1BBR@?9hvd(c zx4yy{y>54=%Ix)Qog@ak92(V!`DXhM)mug{r!yZTZhO}q{>=k;mG$;0GWlYbBMLeljcj19kE8O1L8np9lK8akqZ0Fv7Z97*!jA$JX{*nDU><5*P7&$C z69$_E!>wkQrH5^|wG)?1Eqst)oi=l|c)>>V(-3e43YphCD>u%&*>tI^xw$K{L;=D7 zAo`njrg%02kvj@_R}VUI{(fkgPD5s)jP9%51FyR$srT*e0#J_Sza4&B?*lLP$pqaf zbQb9#Ya1I1KiM&yUC;7=*xQ%g)fFh6V?T*%DaX(Xs;Y`P`+m?<7SE#pO#)_xmigUy z8J9k6>X0>KIW@AT2GqK)*v668*>+;bL4XzVhXMUzzXywj}dKb{;*W zhl$BrYl|mbk)s%tIz!
  • ?uYq_^NK=jREAXyn}EGrbUgentj{5f}`~v{lLsu%krN zyL$V}gT;ZqKVJ8D*SY8TY0K{QAG|)4 z=1=xEx1()iDi+A!lt}#j*0^dG3_rG|2Ib-w76u-s;Y1`{>DU#+-z9w>nFK=bOTgVyisj=`5*m0Y5ro7t1+b?Y=mez|}U|jUR|46B;)wMkN>=N_yL5m%eD+6J}rT+TQHb+6tOw z&&fFf(j)adP>D}B2X?3OFfYQg{E&2pZ5_6hrUp|t22xUPcQ$!ta&U@-%r5qP0B|;g zN@T|%Kj2jq78Zt+@HlOc+wUh&1T4k1M*}$O|GUy27SR2`g#vg#s#O5|3$funad@bV zjSb5zdQ)Cp-0Z_UZhWfn-M+X)39nq+7kEV-dv;$Kx(>0wCSt?$Xee-CU`l$P_u-9v z3qBts8Kn;ZgR#}mhi_Ux=;21m{B(#IIhn^Adn-Mz8~vlrajXwdh<^BbsNBbViLuW^ z&DY`+miy77Z6Ao;7IcDL5R8Bkdu9^hz|z%L;Ya+SHug$^4t|!<18@JA=lvJ%{a2uV z*dN;clVmdM{@0lAVHzP+;c&L5|0bqIU80Hx*($#*Y?j}`2Ju`9ZI;-e&EQa{bqN?H3Ekh%KODvrF1kMk z8q+|wHV$mt6FClD{lF=#)yuNTxLP~@3e+R4M0Q+u-`tx8-iJ+^HoBc5|&Oe*^_djS2=+=C&!t59ZK~snTgHL!EpQi~rt?b+G82FYF|X#n?F~ueF(IGK)t++wj>giZSB- z4k7EG&+yM*b(|erIa+Lsd*Q=dIXTxPWnb1N)_2Agi}ZCCs+>z2iIVkxx>)LW@wn9< zTZYDs4=t=kziTQ-W<&H_aaeNSd7%?!qvsv_Q&iIQDf%CeVH->qId6Sq{ms4Gsf6x%k^kpO*-226OJC{b)%B@*5F!;?|BA4|?zJA~GH zE&qMlcMEKX)D6aRK=-K0aQC z`k($>Y>MkAk=5XNd5|jLT3A?=om;1>q2Y4W?!&`V2PC+HZSPDuSpnbsI}4Gvu{=bY zpgVKTJ+T=A;d(Hytgp`!{!f2SiI+zMLf!uC{rFDc;fJ(9DS5lR`g*s;dA{cthYufU z1AhJbMZ#k%Ma|MX)sttqBn-NxUWL~TfW{c)+y(jhQE8q6ze$yqe;k@Ef)W`&Tp8Rk z+qaVdm|PgS>)sZ2!S;~#?3qQA>wdI^PIP+NVTRxHu5vlL6allr7SBug8&DM6#8Bx1 zqE}V`fp6dySp6E|;N#PJ2JcS*U23+{^t3WZR!B&wu&|n3>&@B;b)bAatG>hZnv$)p zt+R7Y(#%V8J2r^7g+)P23nJ4WRY*wi2@(=$IxGqOBL{y!9&T-65fIebEiIn!P6~Nm z$jSL0%=4*^8UOh4Lo$*~yUxYN%}vY3rljp5DMvPbdS(`%pa^aPLZ%3Lpurim?CeZ1 zWv+u}2p+e5P^7DqlU}X0Mf*&ZIq1eSZN7$^gRh^Xlh%Jaw`3*?4-S3_aG7DPQ?LD) zae(gSK@_1J#_MPagI2+E-!_152_qsy1zh&FfEI#4AS#pr3j-qyIQGiS$q5RkE06zs zY#f{w=bc!c5((;i@E8B7wb8|V&7T+>`#nB|#|~<@wc!SK7VPg?R}4Y)z_{;>OaEa_ zv!q~Uz1SGw(T9TN$`0Yn)~$P+OpLBm{wBK{hzv<7Nx}Nx(O)(@O7b*Jf*#Fk*ckM< zI2(Z2xjGvzJ|}iQ24z86Kw?Q*5(&Q@EPU{mmy&w-V|Om^vSxQm>~>u?0T~U*<`aGL zDclE3b!E-XqzhYMs0V*SkkoA!X1OXVD$GgQe?6R-%0j%|wP*U`m^_>g0|dWX3jOkJ zn=H}Epjs&aLc8kwlqxXcl@4Y zvJBj^?XHGMBAGylPH3+}`US~bkMRo|w;2|{=jdXjqFE*319eMYEuYRA#~T33skyz* zW6~^D(@^`#YdZ_1d2Co9keirW&s5;SiJZmYX zs0-o`YHF`sk|XOb!%3#5O11Ylc67A0gH!!+dC(0Y!F z>S&SuBg$+DpG9YDbJO*Ho^P+WFGQxf@%2S+&G|ypR{=0vD~tu8Uz<`$I7rhvnepP{ ziZn{$DCV4&0-jA^;mkKU&dv0`)Q$c5lNtZtm|=l2bJ?G7Fgb=on$4HLfvFp`e7-w{ zPRjl+mTCCne(0yg)WIfTJ0bA^qOGi~R2WOxjSqZV^aW}|nPD4inz$rU7EntFB_7DM z#fl%Q@)VV?#r8RcT#CJ$YQKJ+ZMD`i-@;t-<*_@^Q_fMs{%4G64)yjDaXEbVYw>n= z=3<<=_x23LBq>xWP}=vgUf3yivdH)c=7U}n0&b9((Zm+8u%IX4Y)+2*nngmnq3c~$ zyT(WVp`U#FySsk;mUec5>&7hD8d%R{oWJ>z|49@^Uv6JoA}6{!JU8yOtj@iYkg&D^3v9y{shi#?$B60(1%C0N@u zcGYk7>IKf0tu1Q+iQQp=YF?CeHumeiqr%4CP8iH=C@m>9oHIJuRsJb6CslV`Ttc9~ zuwk8TiAn)nW`$+C!n-LowImThqk9S+M#wJ?G;(30r%ZKRl)WlTkN1f*5+-9ga-kBkQ8Wx(UOO3BNEjG=U6w~o7O z$4^5z1Zcpb^ElrLW@QP$OiBDTnpJ6}MHl0|JKNRU`x5qr^>9m>y5jC{V8=gsvFO)< zLJGI@-ZZ4@)8OyHL5ZFgvrAiG)FcwhN+ft+6eqd)7Z&a?sQQd7^?)MC15|DR)@SGD z%uGyzx;GqHDIV=cJ`uE7dAj%1evVp(Yx46&vG%M0l_s-cr5kpk@Woq$*R&#Bw0P21 zu$yx!sl;i5V51n9!)rIsNJ5Ag*SFD-^+a^pqqA`X8PTIgk9CyHc6-$^PuD|eBqblP z|58PKF@}iyhK9g|z8$5N%~ebZ(GN^8Xf_{#1!Csp?fzbOXznNBE^hOEXmyjMpyTcy z9eq;fAItvf><#uStiijxJNCaTd(4Y$c6MycM7m$&;3vmv9$TfCz@s6Tl%);mPhbU0 zely+o28d`HZqAET@eAG3e7bbOM>~WECr|E%D=4T<_3Zyp`f`ESmll7L9bGH zY&uo9w6cEw(kw|iUk6KXp~-oS9y#`O$8taK9Jp>tu-RD@SiUbT5MA6A9|lCHfZ&df zMT{I&?->DC+smy*bcCB67BIvT6QfGi3MVWjpFgjrHv0$-8%*aRP}fK&yf~Pljz@aI z4`?}Xj)?dio<8|LK1&LsCqP4EF>D;4nl7S7{V*S2NwB<9L8?uFMrjw3tH^gird<9{GXwS^l=koz7`D9_t^UT zSi8~%hHk-0+)QO~&==R=6PW^i)NgUpM53k3!!rele-_+)YO-6j< zb?|d$=4trlRB9x78GoAS*O7vV+$G z)lnfEO8|xQ>{TYZ4)?M1p*9!yhOUCaB+eS!m@M5)* zU%__8-@nfZot>O`0n(^1U|?*qEu@=oBR8?IpbT#|@bKu)mc}(UHU_ivV*FWgP!NIJ zhpenj_MdTaH8#8Ps(A`Vsa@V>zp+pW{;;vJP01JKh)4m`88cHH2eg>AArZv%UsgT= z-4vimo$k%NrTL=Y2O}O98BE5A?y7R zYQ|yUXaTRd3hYm8@pKvb32E`Hvo*??g|piLEPzWN1gD7UovlG!!-H1|7n{r!(-&Jf zII79NecS~C7|4F5(6o|rbX z&V6idFJH0CwHYC9YHfTa5?;Hn%+?eE$Nh<}d)%JK`b-XvG$@L%>0G(=f z9$X$qgEkkNy+jBQ--gnJYU-+Rd34_y87==wdJEj1(uYwvz@meXU}$K5E2V53}9a%lLm9o&C_Sk zz?0tp{eyZ1i5aL7tL8u8pD%6yW{RUyQ&VT#r-FEbnm>3L3k{B*Bc0FQ<|@wBxt3i; zn^?=Cg+M$;^NHRF0wX?NQ*Cdy;e+qvcXYB6Mrr(}C?3-QUwdBeP?kb|-Dj8;YgpZ8 zZ8el?x9oKKpAudiUo18{%eEfudgTi-X)?EYU2_C1k9MI7xbD3R?qYXnPkNgNTsA(d z$v;TXFZ$PKQBM-s^xt>j*3o@@GG;7!&X%F{2AHBLBceV0W!fzsH`N8ZQzhbv?y7+o zw3BnPH=h{RHrMxOT9^d&ntI(V5gzaqF0gU<#_N%7Y3T*>lq`FapI^&Xfw2fhONm|s z^!CDr$98_$FzM*@T)e4%^O2{;Zahnn$4bEx1qTOCe~)kn2Ck-glqPV$0;kPvKV7i% zPVd2A9=pImWvI2A3#pR}`{qJBP{Y(FYO+`;O#r@sBZt%Pk1!}O#l%?l z6{84;A)U`2Tfo=l>xHR1c^cad>XuJ9+u=GcnYl;E2UG zyQPUD&Bb-~Sef+>r02!O%wXSeHXV2#mfP^Z2OE;YKQ_}Q+1VBo_Mq7HF;J}@{KpKRbygH1}hx4Y|kvL@~8`v77| z_~Aes`-d`92>%TH5x(DoO#-mK-NOy^Z^Sw9Z!Y(FN?BP)#|BWifQRD;F7V*TKEY6Ap_Ikwow@MT;!<9iU+76AQh(#>N|0E>pB_Z`W6=l=jY|rc7q7mF!q*w0bEDR%YG9< z%6)u(uAIxH|1*_b#HUz)t3Lt2_SqIsf_N;m$A=Dk5QC~kj zKF$d;Nn!D^u{5-_phZJGb|+Z?Qh~_*6CcM{f|ti4MRXcX?7>Fq5?!92FfznUUOKOU zK!#M7tIzzIR>EMaL^x32ugXhP1^D>*Lp+}-osWz>%z?DS^M|{hv+c1)=l#*b3Cyke zg!p(268<$16R3ANXQY!=R6HDM(M_2w0f8v?oz;DWq3^9?GkyTMFxovZ`H?XQ|5@b^ zh_?HM$!=t}I$%-`rt(Jsiw{WN02-b1JEN#hnsZK0YG}QnyIot2{Iq3Y3ydptoDUyA z{;I31L|(er-9&<+)9&oV z;9zaBoTu5!xz!Yii0lH6PDKme?m!{+1T{^3WT3B)n8R)OAH6d@rE_(y1EQ}Nm}?*k z0hfu7i$id@;}qWR>(-Tj|MTY$$VFW2jp#cekOtGb^Z<2)9gXEFVqqLLf_mlP>>Lc3 zw=3)4-LlqsFidIc1!__ZVA6{-zd%Lb2SsNt-Iw1Qy0WpsZ?mJuY_jtG7#+v2sK`o7 zE0Oc$#1w!sDXACVzHvrqV!o(%+>GFS|8LC3z?k*32_G)iVLlNBrvO0{MYno2SAfPS zGTYl9BaT7r%*yH5&(H603G;nU`bodZaa`b^urMHofRQ3%3XTUXnhG-C;7y`PsT&3& zHO|4086Ne10CA^R+%~g8@ZmbeL*O~0Z!JCC9=0NuZx72kfCZlJeG{CB3U=iQxR@_p zslEi8>+0)yE!NiitE;QQty6DFfzX%%$Vhh5&;5_$ux;6u8yg&N6OpZWL>+~1&tjgPZgz=D znwgpg`1?zUiTy%Ur;|JUDbM(DfQ$@H0?-1!1(J8fGy$OCP~b{YhvR$z`+5ES#dUO& z3IC-UcP(b%pI6|=4_Af{twsnPNJ!)DDRB62?wf#qL`f@`%)1PZufcL_yIDDXxWDz? zU(9Lg{Z(D<6n7w-=;no(NC1A!_FSIp5ZQt;H1oLF-~U=O5o8?NK#ZY4)n^;z9>KeH zC~Y6VvJ@HZ?ZfMb+-;4(Kmrk`U$Y>D9VPf>aF#^4n0fpBZ&I+*z5c}W$J?rtQcyHvWnOOWmmIGgV|b7p>j zoOAD)bLaX8Gsf`Z`+lCi*IsMw^-w;w{*>wGM_gD~$j!q;1}OCE^5UH(4ry3?oNUrv zJm3^lueTrN9etq*08*e9ss@-eq?7n_->k{X$xS93%I7N3g;6E5dnBxX*Mo&XDDO!E zW?9m-t?!*I=P1EJKp3ba4Rh!z2-rdK)OV|2+Kewh(7j9O45EK5vuZir6FQ5j8iVPo z?~XryEG+2Qt#xabxhm@Dq&h3HadHl}wJn2GKUgJeV6Xzu>dDUB+rqR(i`IWk z#Qw8?2m?JmF`r?%Ajdy5F$oEEHMJKnUT9X^uE75We%|u3GCLFSMJu0V)9weFFnbs%Pb35EK(P zwNe00Bh3>bgvybY`$0b{%;Jv{~Mt2|JPq>{so0qxmXjl z$}b%Nr)Kp48oaX~D^%suJuSK6mS$?6Ffd5EF7|16hHbsi`j@7ZpK0^xkt-^&gl@;1 zlw796fjF(o1u9pkdwT2l&m)X;+ukWEIvoB4AMzxtX1Ot}`CpuDwKl=$nUQ^sfkp8G z3fb)&q1MT1vai@Ix_2l`7KcEmeShWH(XpbUVsPlts9zqjkdbW!`10cHe4}_n4-VGd zJIH5e&nG5`p`9?Zu@Utd8W_^j(GlU}2g(hv!?ZOxD9@n=RUS;ONO!*+9@_HQBL z2XARmP|yvxU7rbM!hU^v9XtvK4n_{Jt@0WJKrBft39sJTvVOW4zuy5n<4YibiQDz* zk?8O0mKPLYtl1?ba1f!e=M5O+qlwANhQ)kRdma231%LnkQm4gal^m((hz?!^0*^KY zbq-)2%y*9n$)B5pnPCT}U`!JJpPikksd%W(f8^3xHR~Q4a&Yl+IBk<-w6(Qiki8h5 z?lwPImD!rAXtjRVFTfExyDAfJD4p!FysN|PxtrqUw1eX6<^tWOST6tzwy1ea*fFu@ zZc5K+1v({Akxi+zs{&4}x5}V}lXPj-*x#q*eKfGWw#H+*8I$@79Ij!Z2*}mlK92pw!>oEeVlvX-m#k= zR_L}p+8BWcDP8)Zj&#yf8{h%J4*F*zT>{D?SR%}x)}0k(mcQ0*x{X6OGc&^xVjkFg z{u8GaoVLqLTYiM^-wy%hyfss{_G_uLopA)Zt&R0`jSCm;i^x zWgpz1he^^x?ebI7RDG=%Z|udXGY!-HTuh8{5jLzBQuBqfH|EQGP;KZ0|Bsadg9?NskB+uj$4x{UUy*K*01^u zPX7^An;z@?Gx5iTo@ms)43y)9m(2@7q0Y))LiZC!vys`1|@rYyZfB$f3 z{A+7#5pt%EEMIR9>aL^ZY`G+aIaTSj7JcC3(6;^4pMk&=(-Hq6>~viuf}~mN*mG>5 zK7gQlu6vsKhDeMC>)sb)cy|QNb9jH0!w32rovIuIcPii7CcoP#GsfM!2^25%K}&08 z?;ZI`czk?ZBUuji8XV?*bTkaSJ2fu6u{0d`@E|3y->@!e6a#mWS|%nWL*&a~D89wo zD+^B5UsGNAKel^2&kk0DLJ)22I{!|;;%Kijr~ zQu|&>U{Dd_;ca=Y+Rrt(e|}~k(b$&%FcBXgA2`kRZ{NJdMb$(@#n6c!xoG=w6kOlM za>>cdlfuBm`634ZW4k|2@MqS+iN7pSNsUB7=1dN6XBE{9o6iC*-O@qi0!It5#@Cnpp4m6+I> z*X0G6vVGO~VEEDUh@H-~qk97gvBIn~3|?kk2p{^+%Q?aNweF;P$1T#j6EFpfN{T1W z);hiI#M*)$)^Oc)B}XG68@rEA8x|be-Ui;LxeB{Auw~v1W2YC-c}s5KFs@HxBFkWY zRqOG3M7DsNJvOGhrkWZ!+84oDTA*2vhDY-x;kg|t-eWqtB|m>G%5uxCIH35jsRR|K z`MqAbbjJ)#x;+ON$_y&wm?y#qR)$*clU!DU^Cygg3xxnlHC4Hfl6Pp4fr{#;8FaR{ zBN$%2dNp7r`WCxSHvWYH6xlzksUJRGW7T)g)H?Mf^I#*W1q3M0?%-j-6ZJoYxrwq) zkUaAk{}$`NJ21^{d&uvy?>yH~&!k*1UgkCiBi94sftz(1u!nIl^JCv{7Wrhn4sw|W zvwJOy!R+L3Q`jyM0m%EjhLex43k~5ilM<#4*syy6)YqR@RpE8YC>LsY)p#5iH2&!V?euVbfaaV{-dmcM&-(xzT!3{KS)am_ zwSO$=H*}@y>6uVo$jrjd7ed8zd}=cUBz&=Y<>~Moa zOwrPE8z7;Dg?WaJsg7r9+XE->IQ~{ zkn`DLmQW z``_sQ*SP%kFWR*}W;h3ank4kQZ=Tgw1EyjTRgN z1rZd<_{&iv0Y0bGzaeC>ftUC?QSzU=OYE@J%{Nv6c{2=U z{HLc9U*#19x+V9n=Sb|{YBJtzD-BS|gDRvhnR%^eRxW0p^t8y1yFuUIN=-_q;_21? zll|7$Cy{JnZDg8W&O{s&5MCvffulDVG~9rb_mz>Mziwh_c;C#bULStQ#u!3L41$eG z)@P*<*Ei@)F(q;4IYmYmtI81iH-k{|TF-MjD}Q3J%FC^E@F==WDt|674Lz(6jW$s# zLOi58O69yv4A<7@>6N&8v5^dK6k{l~vtoQ492<~_NAi_eRqLDq*-T8xBplBb)YTQ# z)HL)-HkQH5p6DA~+bLtbSb>+#&PGm-Ym+dl|4OXg*|S+3{^aTQ-wR)&qml>$#jBt; zNM7LGk*;~F+YP!q6{<_kMj>wN72k8aUiwTNm`b^2FV1@7dB&QXslklT&dxr+IRT{H zdUa*`fH64*1#CTK+MLe-wW;F7V3tzWG9QMF=salY!|LqX&(GL1})CZT0ZUewzd>bKao> zWdINgD-F#nQqQx}s;a7*nwq*geroE}l!sI-+}t;Y0|2A^o>z4*Q~QTsuh|)>k*>1P z(?3Z6#IVAtYAY}AqUv7E&BcWmv9i4Udg(A8@FMa2U zIVL922?B2`h3~sfbooDL@~_Q&ysDTO_O9n(tf8Fvoms2DBX`z$#)nY04r>kB5##Vk z!Q;|jnkGXZ2VEzA;qdl*aQwK-U=$NkS6M%OA%>$iZ?0g2%{TFmu03IB{Z8U?@a@^- z4P+dg`!L_2Vw3OgzjzW#)^Ge2JTjnntJj;3v>+cOCMLE8V8OyCuo%c3`{pra;tm@8IB7Mt{SzOIJWmHRF%18shxCGV1brM}JXm2Vb1N`)3q@ zcco{wc|A^g8GgrxSiB3>O>ZqpZuB8r-N&ET0UiC{p#LTJn&ZqcLv% zgsD+FqDX#eL_Piqf#Pu6ssfg++}&*BJL_;}ufounF;%mD3`(_p^UCv9#SB;a2qj}E z@!-f!F)=a0;wDpG!&A$7kVLz_u_6#*O8FzeM*Ku2V*4OkJAuICGLnA#If zdKm7VM>mi%SpZ!wpF5CxR7nZc8nEtmzQ?BI7oLADCCzWQdblb>2G3#)FN=)Z+634N z9!M%n)*$D$PoxRK=ADf`gh`V+VY5cQnAy`GvK zhin6m5WZv>vje%La5bOYqUND1}cin7`2^eTRjn*ltd~5-IcB}CzpF| zb_4Cini*YBTAG^@CbIu?-V(vbT&P~@>+dhMt=Yye7)zuS{Z~MUB0FdHju^nAeaT0y} z9#i}?%a4bA&j z+N}*fhoGq3#0?hrf?FOqVoS1F5KEgbAiw=fv-(0LnfPOiBK_{98x-3N%a7S~FX>?CJaPhHLn)VeYxI1kK9lo#)KY`tr zOVigVQ$H+^_V&JX{C$W7+sItJr(QQr!u1+7y5hpZipokM_sO?UY0ZiS3c7#(%qb|~ zFR}6z6}?MJfYv_AZDxznV6m{csB2(?@Cs;d28IyG`}>2hR81z1Ev6QA_1d0VuMf5Z z(2}G%WP$=KjC$F4+|j=J^q*|o-v%ZxO99+hvgukO&!jQl*A20@OCg%q#0FIQA{T$h znFyNHTGiXq1q*U$&w9W{Y{fJ3417hW5~&6@w$Sc^Kl+IYF?2Jo>m+K!&79R4c^z9W zI!im=l<2?7{;FO(NVWN?dfasI#z_EdFtf2lJbAO^AT5nGp`tEH!=?oVm7IsW{ZnCR zDC}JrOG`;>)SD_A8q(sng1P{L=zxm6e5qs4MpKh82j=E@!{v1Kts8#%)2A{hKd?D8 zS!-13A!ogKYC}Y1Wa8_Q37soXss~B}Ay3WQ{%xBp&z*3yT{n!p-*Hr7bh0NFX~b>; zL=I(9QR}!jo%j=dl<~v2E>e{6x=# z3?&)?ZE7=C0}owXPp zFdKfRCS+4HwlE;Tw+D|CnAy2)V=;!}<0ubyt%(jgI@?(igtT%MMn^{>ycGQx?8~6S zb|HiQY+W_*+h}!U&VTxw-Q7;|6!O4I5VP0pa{(+5Y)<5jZ1nf{SKApat!&TK8ky*P zcR9!^D3JcHe_jES~JDf7t&j# zVauvl6OQ}6bq)EY|M43^;N!_)5CFEdAN-4z<`W^fVYkD@t2GQA7f)esHMb~;GLawK zgWODPDwN=bf^KOi9*8O1TIYHG+~uU`0~Qw6;xj++T2YQSdS3jnn4Q(k%$%%U1dkk) z)GCW9rMKAOX^+-fD`R5*05xMZQQ9s>^j?(a5``s-_}$XlMfP9stJanV1v_2)^Y6ozDAU3&NN1#^a?#+*gf*B_D*SA2>lS!EPxmz!DPh4uSC>7^4UR-0 zqM3Ia3Eo3ml%*# zNPJ|Z0wkXci1cIwhGS&hfV2r1>=9vMMFj~<@=6$ynvu6Et}AI7D^6M*p`_r> zms>9No+v>WnJYHZ98@|vwj=ByW1(%ETi0~Tc|@5RiEzrUe)xG} za&qw}fBw?^ytau6B8EvoM)dISWf7v8F3otPy?byYi!V~rMbUyKf|C9>!02om#Sa$x z$Sar;Z9C$PsCoJM6ciLtaLUTc+TR2F?I#F(Zx_0HdYM^skLy(g*2?$2>K0c2_6VeF zxNy88%}vkCS+`{3BhY*ddC7aIE-Hd3tZn$%cJCE(u93f_W@UBE%ut*`YS;%;*E9L_ z0e<=cY*y(ex0wO;-F=qjC--^%yjBaKeGwqM$GgI>3#66ddK3 zQjJ==^!Y`J+xh=ypYEx>L<}D?ia~f1D#;6P7-AHvM0$f-f;`=InwaL(5bt-e*8 ztNnw?CL5URzABrpG=g?o>(mE<7oINs;D9eLSHPgLij9jSB)ke@ocgr2^bh7etJ-fz zHM7@H2xls7GrqjwEkb$T#nwRxk4fc{`0=*-WCrnr!nlR}kFRv;i;GCMvvysBiL(Q4 zjcF(k0E;RuEnQlg@d~-NJm<9<-s2g)&M=_z5ps{xv@$0^26QMqKU#ZN6{}LSEuS^g z%8xIWn=5Phoiu#7W#dYAUjj5;BYguo2c2q^`+6mBh7i>0Dv63|9l~M`g;}dlG%4xK z{>2x`r|-~bi3G3}mb{poZ^e>M7vj@P?8+-20!59QG1pi8RQ3(k$&BFWl?p4_=`9IxftUHfq3!48R{!n?iwQkiWgzYTmht>9Hzw!M)Qf#G5=TZF;`wRkCjS&FnRGP!G&tz8dQZVZtS= z@`gO>6UO1gka|_CLMQaz6z`R}>ez5UQluU~34sFck1656s9u8|5N+ zL;NQru&?l?nsD>D6Q9xL3bWPB*(8$&catOsBz(8io(XGPMip%oG(@hGFdi9DWky02 zavOq|IbC-<)*eRrA@@PoaoV@XQbS`x-%+7zt}ZN4tKC8%UG$W^CC9kZLhQ1@it=%5L+KgsMzkI@y+NwQ9T{)%?Aw z&%#G^Db@Un@PvV@@4YIQz`Z2OzHPimP1=P@Eiv#FQE?Q=Nhju{i#%9pPh!4IuuF`P{z zYO80yODiK|{VaOMDfA&Ef=Hq7@cpq<6|IStR}cD`;>_Kr_v3(VMzJnZRNIrDELW6v}=M033l&ZFUE3aH7NPY4s|Kp!3+ zEvkt@6g-GePsGXm3mJ>-ArZW$WI_3AJS@F+TPzWB=KadGY;3I)(;~`mR+Hp5g3(4v z-0kg)zYq%wkvA?GK2zf4C`Lo*G&IWF@3m1@xg4y5yS`l`MJa!P?pfUe$CD@RVDcn& z8Hp(0&qSIGZ_+~bJKL?-z_=?)pjXRiPxdLVznAk&Is=X4udexC0P2!l)PUs~dt-JY zv#6?GQDf;Oq3>|`aC7T;QZ<)r}YlEJO(P$?+)jTlmcC9 zh{;#Ecl_(%(6-we!uo59<#XlJ&1&b(&sk^AyM@vV0~Z;wyphqk9C`CLhsteR^MYmz zv$M0GrrGT+w#UQ}n}|B~0C7Rirvz7oaQx68Qrt4D$NC!KQu1T*yy2b9u@r&(9vR}v z7V}qYVr|rOiM%VDhq8}R%!xKm4i3={Cvgg|8rZfw@{=QV&eKJzd706fOdrrk-!Qn%1w{013y}M?BOR$%->A;MIy|?cboV8E3II_w%O`j zS4H~D;ScwWOs1=!_OuNqcYoz?4Jwry{-PQc`(#61^2w_Y1iXSak#WdtGDniFbI6XR zGfUoI^WsqVIWt*t(9rx^z{t<;04YbvsHjjn-E7!J#Kj>c4fuN3v9?d%p;({S4qhe< zKhyZdPa+@a{kUe|e>$0n^*LQ)hBZpEH6y{AdV>0ev6aSW!HdpyGC%f5Ww(tK55tde z7G6r*cy=laMhW*}xN8hdcmpMCzi#a+M%R$+^G_;4LD1-oVc;)8>pY1X?{9%jsSiHB z3kqY&SYM;lvKBQ$&b|D!f2Cbkm(~S*C_TmU9>2qT06yAaBP72q*bVm|a|36yh55~L zL?jFTr-(lE0iT__(lB@HeBzZsHsJPGB781E|L|u7QyF28@XF5K$ZY zs$X_KP&q)7m6_{Iq3`$T)c>Y6`Iyau2+w346M=LeBT5=WNQ$AAOhM_x-{ZOmU(jcq z28#0fwJVDoBiE@iUxulAa^P8MiB%k%UZ)D12tkgTx!D)|T~luySpJ`$naRXSg#8`} zI+28yWCSZK&N#Pok#_{K@(74HA*M9}gN2_!bNJK^(>cDw89Xhs%;e90rlgsL3H<1q z*9)x99>Tu6y7;j9d)_ti?V%GV({n+Tx_8>P47dN>b3ztBnf~qaL06cQc6Lcf!`A|FXvNRbFEf99WXq%;PTlsQDVA!U9K z_qmNgS|Lna3SgML=Y4P{TC8AWpi&j3@S;gFthDm*qyGUH1IJw^sm{N+tr6w6hsQyT z8QkGLxto6vcltB|wG;zO zsx}$QJ!-*h(_@n-&y3E_x@R3Z52Xf9SKCVVUuGTAFmUk8u*5raayLr*T&|PL2S$Fv zy`aw|w-UkTBbjaRn>>-L-j%LdzvP!LTb0kc!VBGqQ+xc=BWzzpc0V4%#HY(jOU*4T zW6!GkI5Bi{t1X%Rg<;Y4f?K-|q+s zJ*d3?@#B1v{soDW=LI!9qP5k2E0cUek4iKAv^}xx6raAvU_c&0zcWae(1z7byqqCS zD!fF7`${twrK^qlvG{i@8*<%P=i)}8B;K*Nh(?^{s3%wJfn71$NsWUGCL+3;1hieu zqm&&GQN@GtFdt!ZXn2}=^gW7&KYwQJ;B7Wsk>QsUYFxYV(hxO&*&(`2vsxm%ZhCfh zcDKabIuxmz5RX_K4K~&fix48%6pMfF%h(Ukiy4YJsmJ!D|BFZ!4!F6b1Z99tR5+`PUNp`U!1fe5Sj? zbbj|9=widIS82f?cV-1RM11(D4)*s!>5hxbV_^xMiHKr-F?Hym-NvBcRFL=9`OC$@ z%i`U%`pQz^*3r7S;nt$U29?GuJ%RU5v)xL6Ykr=;40IiW*#GW)EiBP92`{;I+o|TJ z>B{Pk5_(}bq*oZp2!*54=(VvK`G5zXbf32=ekqd2mN2RuIP!r~(bg&8I{vG3XKg{I zZ*(R)Z*6PKeQT22WO;;->dRwk85ymUd<>N*k>V!HigA-_qL0i;9TUgBriu+{wsa1Z zKYUzygsF5TtX)*aXh$nQ85G&F;YcVMy;1b$KA)BT+dWx4>XBm`q`_M#vmZlsV$6cB zwtW-i>lh{t1eKNM?~TnJR@^4L z!cgjMWfsBW?0+&uJbM=CLue!739|SlW6w9@(GS1tMiq30#YCy>Z?^NZ~wm$rz zSifhgq)Zm;8M&ch&w;iU5U|+q!#v`yXI-j1+2f15v->FFlH+@hr*}=3<9fAyLa@zt z#~m&YJ7(%<67j?+yuXer-}6hd{56gZ@pz8*L#*Vu?3zz}0qKGi5U%`ubW zQCF3*un;wDCz8OkZfN-S&bwu(_mQe+nV$!CMs_yUbK7MY)YCq^ZSzARBF4~(B24aa zULibt0T&)Ta9YF^%!511(wKHg>f1dHbfoc&qXz2!cKvmJzjXnvCMpkAl1zXhGc z`B`RgXhBBavD8Nd41f|0E6(v*uGu>6Zq0I&6sGYxI9nDpe|2i-A2$ z-VzK3wU(#>?WM6($cqpZAN-{HGXXQ%IGofnlHp7OI-4>EH!w>!TvykgqDz~$d zHtStWOSn%f)K{K7R>0hVH>W?al%*kmkx1_8m454-UI|98nZdU}cUzVQ{mYet#;srh z3RT}bw%?L*<#y!FIY#mLRC8++2~{&7`5W$=Iv);h#Q8FA%|CA}5pz$PwVjl9Sy9I* z4LP9sjtj{sYJSjDM0D$gGnd@O83iE|;UfhFh4G0ASkG%{rl2N1+TU;S=(sD72jb*S zNZgvNf`*NIg%_j4mOqm!W<$OI``NE{BsqaO>VFI|o#axIgSh7X^HmppZi(p}!R0~e zAKqil{@Qa(opcqbZJY0vpwBIsa9|?iN+SvzGS-sVvcP<{8!9LGkZ;8&?LT6FpMiMc8)q*K zvcM_tOgxa+*yv*{;uo3Nn;kaWlWaCWG4raDUZ%41@Hja-V%@(FdrU!K3{4&%9OQiX zFy)sUC9;8B#ln>7y;$3+qfHdaJNfp~V+S1~+`k1326LZEJDyq=8RZ;LV*Hrl=d}vV z*Y)yzfs1?W=`-ifnAbm_Lb09!)9Bdq4DI4=sau1$D2c0z>0hl1{~nfMYUVROsS>VZ zSkn!%ArEp^d#71;W;%M0sNFXr*O~9InP`U=>%-+m82u^mIzgCVDLlTbk`H-&G1A`*4CrgMgR)0l5u-AjuILI(lM4LP2366~FUm_!Scq7`Zw> z|7l4n)Afl4E|@Y5Yddz?e08TMXseqmcRg8_??=`wD%&CYwXq>86%`qIAtdB|Nq+v{ zYP&Ug`SL_(*Eev}8~9!9ZEU_*R(4_?o}8>%p;h=oa4oD!@bU32b5T(x2L|3-zyBz0 zZn-ax7_QGFX*WGA>c9VrjoiJM)@|2n$LpBMFE{i$pK!NE;M1Rn9@k$y;=z>3qoJH) zD5t9W>w+ASqxw%3&j+p}YX}P(u$-)YuzFz>7#=VuR+46(uvYx$=8DIia3M2Y`rJH3 zcizXZ@|5Wp^p`VH%448KozE#eYrAo092&`BG}8SS#&q@>$1e327SO;axOlBof*CV6 z$ugRpNjG`Fz^B5O|L;?O|Eu$Nh}OTYP4pktjUVFgV_Mp)#wU3dzPC7XQQ(fvTase3 KqD3#Yz5g4^v8^%y literal 31624 zcmeFYRZt#X*e!^=yGtNIaCg@L!QI`0ySqC<6WoIacXxMpcXx-=d}scushXRqQ*${N z@K!@tcfY$IS9}l;gI+k-KDy6DPckLf4r4b#l5COaaBrpLaVVV9~ zkNEEufu9F3xn`SKgG?w8LMRY9;0_3%pF)Qr1mK^aD9xk;f}fv3Hve-9{{P7-?h*td z*4EZqTKFk$FXpzk67Wr;8#D9kztrY5mx?y0D}>5_{LxsSF0ne8&Y)UZcBIkzX)Hy* z7M+}o6)xKS)dRLlIp*HgT8da{Jv)rbyw|tM>B4^omCRg<&U$~kBN9u@(?v{LrrQ&LtjyS=(SKH3(-nxbCdoCO6geT% z9Z;Ye)4x=CtMW^ArBaj7&z{Khz>`qu|Xbw(`ap>adb^G-#xp3w?Le`4ZRD2cRAzlN<{&yatrXgpWLyoN1T z)B2{a-uJKo9}}A5%3)j~ryz3zGm@(=gr4%QvpO25*}qU*s->`&&-;<>uyHmWm}4T* zJ^T=wcm_{f=UEcJ7?=Jm(pB&hAoa_gX6Nf)-G5dRk}7HtNkr{RL}R{rs{Y-_^Q8M? z5Ab+RPPWkp^+PJE%lS+Uu+K?Zi!VLjur}4ruZjR z2G8FsB)z5aJ5<+o@(ad>En)&vhC@QSyMDO2w=gL3cjQ3+X;Eq%EaB2k) zS2r3rKe+!SsVzkqt0Yv5e)-sW6_ywn@0@n#5Q{FizOKLL%sJg%izu|2;{8{46cg~i z0ACN8Xw&#L)qLc_?6>c(EEoHhRBIHD&kRXT_wBUlVsQOJJ7-HzsWqYHSS0qlk9CMn zn*KyV18gIFGzxWNtG6(|1thaC!33Sk9ls{ahLh>u8Vh|@X* zvt0jzobyIQ7&s0?RH~4#F~vTkvH2i10P^U?|08f5{#!+}$#1bK;CnQy$7K^7afCdn zC$04O!8NOydA(1Qc^tW)#)oHWAE`KOfgX(hFtiLw#TM3Uv5L4wi#2@dJ!p$qd@i+o zqF|cS){MS4Rll7`ly%v3#kKXdDD9N4(I{-xnVkcz?LLxqp{^ zbEt@~nty#GHTeNPy(q)Wp(O zX|I_ktnGRqRs^~-mZ*Q3RwG$kRNpTMa3prUk^kttSgi)IEy-xKoDq_f19` z0CD5Zl%0vwnF?Se45%Hg$rtN#R*kGCY*}}1aVkszfs8Y{$v2gg$K?r~-mkwwrk)BJ za`7U-cG%1zcw|zT;10o){~bSvUtC_Zf)hnC1QAso+Lg$(y2w4) zbqK+;OO&VmE&(r{ffbzTHWb^Ty*;(#D*5m@uOv$b?&IMpy?EZMl#+pW-XNyyxzCJm z9=48**4=6_zf9NPRIY9(&q%~kC549mw-7}zP*YfzLJr~;LkWQE={FPlR(W34Fwb=f zd!rU_{7A`c(_JF8%;ib7s~L;$7J|h&8D*I#aK&A_1CA;BFDY8BrnL>VU~R@Q(#78kVy9w zk$TQW$LvCF+e($4%IA(Y{Nz@Ie#p5Ihhq6UHaLZ2NF`72kd=T$bt`d8@G>?gsh7=` z;3WX`7%9EEy!>ouAoeq^J5t*15LR<IN;AbQVu%=pW**(H$Zha9$=jx6~E>Hs@T_ zAw1jPAZ|$D{<09Ok>x^OvvKL))74JCY}M)wO~&Cl}XRn`esj1IX@2>vN_#npWF+VOU>9T+lZpFqjY%FKe%=Q%$EiY_*$< zy;7SuB+0su#<&`u@6HnaV;(`6wvin;PgqxMdF5{M-^>FgN_L%zlt+x2rKLw6AKmEJ zz(a*c7H?q8@5Kd}@O#V^YK6c;e`9xnir%E|H(`jR+e!CP_YBMl;9@@)N)unD+DX4P zIC71`<^=2E?~CL-Kqu|1)pdWl<)9ZejW5Fea+{&>eny*=YS`n$0oQv+ea7WpVHoGG zps&hj)f=LumAFi5E1SQ+hl{*Via&BV4CIHjS``aGsw@C{Ij!U@@S zMJ|38q}1Pjwc52Y4S=}sO#gJC))ZGSN!8iN#Y5-zt^nf)F$*2z@+>apL_r@>1) z{0KfT!DFV;q!&}orO~(CoPhd`5mUe4h0RaEi5q|Q)JY6L-2 z2D*pwHJ3N_G7?n&6;u}91xmYDhAg(1w-K(Zt@z$Tq&GJ;xf>dONuhw*cD)jh5&CDP zm4EQQRzkCbycEM@&O_88QlCXTC$LwBc1p?hbq8q?hNkfm=cCmu!^x#REod*p)V~zL zOWo%%Vbyj)cPFX%eTidObBp@?YiS5ByY2(ei5EkLTCySuQrHkd?F?;`;MeJj!rWZ2 zD^V#axD+4Uupv8XYUR+sVI^B=>gJK2x5l1b_kIVSLW5x~lvwHUKkX%EzQdfG1dhRp zDLxgqVAkja(V`#T!yl`!4i6vCdB@;WX%3buoXOHA^GcKsHPkXeusvo zEwU-MQ2a7Ihk&!W&NrJ2W8GhEB0NS3<$elcU@o6T!4Dp0dC-DowB_Q$7xmpa0qtsA zzb1De1I|C~ouM#z4fC*|6N-zQdw#ABCH5!y0ONRasF6Qzz--lMIcP~J!%&IQH{+Ns zFVQ{%GnI<<;W#9f1}U95BQyPPsS!rK4&`Nt-1)d)!8`*;*jLf&sF$nqXcW>gLptFQr12W^9#wF+FwSGm~^y|llp<(0_yQ_5UNN|NFy__4e!^l58L zm*J#8I6?bV7vY}ulEzk1cmIq0>fq#Avi!V>(Me0aylh}1FKMh`q-2Tzj+ol3oF}~% zO1opJ4_b<+f^O=%p{m2UK0yw@7J=OeYj2WE-6+XUw=;)^odDHr19US zrFW+JHdDU6&5~e0Xdiwh|Co_>KUH8A1-m}VM>4^IiNb0uhQPE(AlJT`%qbJf@hPJ1 zK_nFVP^TfXiK$?*jYM4AdG9Om1Oa{c3*{d6Z&Em@HA{EY#He-bnthdqj|Y;uG#7V^ z&8Fq^B3)lh1{*X}9%4EUa>r$=$V@x-`1i{fw9F&v?4tni#U4ne1V3TY1!)?0q6#i>! zEs{Byv8vX2wch@8KNaCKPJET#(Re)FW1Pu9WVDeeVfdmdJ{EBei)}ax3<0N*=3kEB*mgpElQnb zKGG9zT7xv8fw>i+Jh$^j`&OY!TJ8(hei9EK|sRrME#W@ruu{~s zhaX7<2y~&C@Z-gLdrH%5E6$_>0>mGO0F3_(%ZF?67=OMbn23q}>7V}|MXUaz*&)D> zH(7jG@^9HaR5uJ$5!AxAo%YFqAjpjdO2@GmpF7>j&_&*^ZjtH}77`vn;VZ|h;r>=4t*xuTjC;e*KLDwY%8-l-p+On;If9R9dv17Qt@QEwXS;@WbZfbHJmCi4 zT~kh%>S1jwb<)bD3j(9B9l~0N*QMfspUCe6Fr5odRNeM&i91fHjN)>GL-lAQzn{8M z%4fkDQgUGrwa%ue4|Pq#YpC5 zXnbI9>iMNN*Q*n{0^YkaM~Q7xyFq3DqvU0-hO?r?q%a{agJ+!S63@UJz$b-aCU$L$ zQc4`WdkB>NzNT;I+0(<~1!CIKx}pW^fl@u@gb6qfj*eHcNU|B9^C{GAfYITRPPmiq z(&QRe)gQ2AJxv{fqcFl3* zR!qTB`TFe+}k>g1)OE3b|l8LSBGJc`r$xDcHcrgt2TY++Nmq7$E?EftVj^ z!Av-XOii6yxkR+HutP{C3NaG==wT9Md%?#pjA)`6Cat;;ly0)}GWXZ2s{ci;G{Nt0 zgkvSz|}MR*c175*f@r?x~NKHoqsqrR4H#*MXBH)BBk}h*)(oUK%PNK zLZog0rS75X>+yn&0X8tNoPr76V%hHE7(4Wxo^Kf0!OVEYb}cfPUdrCU6Csa+?U-gb zai4j~{gYqguTOo5s;B5#(fMJ3n@uL!zfy) zu%f_3!Tj+w3*4=l>y+=qg@|sr8+m-~**^5mm*yl?O1(wpvG4hy0*i+Kj0=w)!r^?E`kZFSQ!rm<&xV4 zv{T`ZgB>&Kww%5Em>mQ%9KHbC;D{o!00AOR;3FyVUkgjYZvo>s4>VIZ@-k(? znHHH+Am-K`_>h(SVLUm9H`>8_h;V;$y${Y5=iH;pyXY5Rf?Aj7?b%zG=!I_@@dhV= z4s9w-TpKEh>UVqJqR_~f%}U-NR+@=$xGwFu}B1B6+##~ ztvxd8GXkg;bmiv;vOl9%{;$WX>E7%~(_}IMCb!7%_G7M?+!Xe71EjBK`XPbOCI2jK z0)+;y?pfi$FyO@0)zy98Z(J*20^CH_2bn;!ip;qB7`!099cxUr?H>HP-9dPV9k}eN zckP}dgN~}~<=w3@@o_IV+r9Y%O@ut-X0qB@k=?2~!M7c!5@zJ4C~_kmK#5rK5pMp{ z+k7s!mluH-ZB%0apmD5V_?C|)^opeNTScS1eF}W#Z{0|nlp%x+wD7Q9o% zdTo!M7hhqs?0pG)>-*n=N`{Zoe{@0Fsr{-P_4Pt*SuXslROKmTc!4O@xUfZCi)k;H`f!yiueSt)6!t(mYlAo&a zjKF#^nBkBPnKv+Zic(3(J6Z2HopFqft-%Ds)PkcCZX~fdmMOuwsz{D^2PWTM-XOYm z;K@xfXVda6;CI(RXE0-60q8YyVD*?BK#CBIN8P!LyGOcvMVrP*TeKbXWSVy#d19VA z3#lU}{7x+!ho-s2y(IYIv^VTB@|bGf(7T8Yr}cIAl4rtMT!V#PjG)@UiH%14%P;(a zS##MUsKrEhd=538?py?}epNb*Im5?`jsawh;G;%$iDY=q1UE$I&{?xiJ(=KMp91*E?!piN z+cur~UHonPgS(RT;NJV%-T}RUL^pKf0!MQONRb~U=gGy8BT>7t#|>D%eo ziPJTuuW7HnaQ|sFy)VNTt_T<8bea`y7J;MZ2?wx%?6dvm|NpJV^Z!CAdP*P+)TW;p z9`<;?E&i_DZBqP8ihOli4-ifIYin5v6f7*hr4;PTaeXPi{p#D4_W5;vpxZWahMX@WCVUtE>9R31j}DFR!`%sriS?aoun0U~2GXb@sLM)AMhNSiREZmO53Os%7%gUz5B#G;_5H?fBX zyqMmL0&Iewr5ZE-#{~g_x7{7zx0{al6XK7ji4VoM_jlrtnEZ|`VznY@Y8o1B`rjXO zDSDl{l>}AlybisWzOM%xp@@Wv%F2VxAHw;6|HcxrU7u96*Vb1Xa&h)w?euSlK_L>v zB_#APzu<+7GJ8L>riWxbfBa5O?f$>rKZyov!}sBAk~DCkLaW8-rQUj_e!IbB#PpSe zpFf6X7F>Qt3?5rhuR@Q*kV{4;x{_qFDS=YX2{y)^cResHtbx}s#0ZDQW0phD*Tl$r z%)yxXPy0J0!PKvwP?BBR8f*(&TLvmxw@Z@T;^Od;<3n?6YhYQQpZ>mk-k<&}F5YtZ zFHRn&d16501?;;YUteGM_f28)p@N0SF^~PvV?b+bYhfV3UQ?u9ooegqaB*>wh*<5e za>X$B_O#EnBwYtUvNt%tI3cB+^Ce1sJsqsf5mBZ6sQdRXW<(`Vo~lyG8vj3;u_H~_ z5g~y>7J!o4^OiS?1DA?Ogxrs@AFnUf1=6W__)TRE@hRLP{3b6kXT(026?3Jk-Cyi9 zKC@_Q<+jiW1uj@yb%JD^o|blWXsEcTND$57svGjAj!?wY(^FDXQdJe}r=_K(NQ^r9 z@aX7jmC*}!mM^>S`YI(XEEm^OYF$NkPL5FLfsx+RlY3oVowg0--QD!+>gwsK)fhZv zpD-yLHa2!mKGZ2pmxrpUspJ7QD}F|DR?5PgNf59S669#%cA{XQdd14sKdhysrKiwN z@si<#n^t9i{`?sc5n(s@SaI(MdQub>6@`dDZ{#YC#ULds+r5?js|-y!EhDLK=SugO zd~@#l=B7%CK-1EaCS?Wor=UP(O{YUiX{kbEcDA7BX(*5rZoY?X1B~v|qNZTFLW>zZ zY3$Ynmm?E;K37jcS35byaiw}GbaO5U4ozMw_2pSU*Hb!WUWYDoeRuVT#q7Re!)xth zz-KYIqN1Xn+|?Dq4%XAyf3NRWgtm@O zp-jf}*n-|Rgwh`KnwW!~o4YxiB*U?Ao!%lG~$b*@z7yLaE_^=z?{cq|^Q0s*@d z%q-qdXs*P&*P!>^A@q-{ix1D;ur2ug36V=agICV)WTFqpnBWERmS_avnqYGr%&gk2 z=A^BC=}R>fGUuBPGn-w3*;n%CxHEr+mhJs!3S|w@F;7lTwjAECvV5~R z4S2Dz=rlPE9~n>2{}R7Etu+UORen2|$mj{l6OZxx6>yoS_E#>=<9^iQmJ}|X)8{pE zf@?U4ELL6%QI+a^Ly{Aa246u#hug1ADV3q!$LM22g7UC?8@VB__E#(0kY z(Yu69%x`67mH3?;^c^%#1fxF$Sm}dt!p~4&X0u$}m)8zj3q>Xt{@w00v^_noxLYJz zwF1HqZdsw*=CL+eSyU7kJ%NpZL2@mQAz*rYcsed88Wb8TM7xC(f{5?%x~Q;A#(IE> zd31Cn)HLNcl0siKwuPfwp?i16p@&GsisJM2@ZOrWJtv2smlh%5?M_WkFwoJ_QKRm2 zr60~jf|nD}MJ|GbLpq+X9UJ|#vsaRmk~sT;7*^L*pH)`N12HCwzc}8`oqGBGdjQ4y zcZdp&+V}htSNcRa$RBg`&aR|2B_(k26Q^LD?%NRLzFXapsd$-u(t%YkuQzgAap&uZ z5=O?%8eU$j_2pWNaYJV-{$=C@J;1>havZEQ_R}RP_uu^d-O)cYmEN4(G}6+l@t;LP z?z2d2rep!Vh}mmV{uNt*9B3qe?Gel-GW|=0G-fgjstCl*%@4DMz+0l2oa_;zj0R$W zVj)q&*tQZCL=RMSXWwupYHBo@0Elj?N&?zWP{D7mXRE~u8h(3cEA?HgqnT_8-VIff zg$@Yvt^{hcc~q)V_6M?uexM!MXc7|8$v50FIXO87W2tkW$r12$15`qFCPb>(58;}v zQuP=pX=!*?tLyymOF>%bOw)oZPxJ+JqrAlMyd=4lPw5Ovy2 zpem?Z13}7%ZU7Wrrk}fEL62^#2moQ)P44~FXBLV?q<=>K36s!02ABky2V!u&U+&L> zAP%Joe5$IdEG&wDgcm3tUF)R?U7!xv$gq;si_fl`5QzZI3f=DZ5OucF>L~uWggW_& zdv<eI@}siU+?nWN8IB%gU3}L zN#8^MqsDAvQ8QS$%JYF->B1|PSEBfY1Hi5z)O%Y6j%q~c=OlsQ-o z*Q?y%wsRcOFTZ~M+M50vNh$N2(R|X+b`Blh_r3T-?#=i1;ecNR;BoakCq$r-J+60Q zN2WlmLmF_{oxU4xE0L?j7|cf-3= z5AwMfgOQXh-+GIk5PAl40&XYyGo1Q3qt9SBxajw_m3X z6cKMfPlXcGYF7%rG@_xSLnGrs5NDs^{0?pOy&xKy^24(eO`w$7y?Of1JODCK<2VpQ zk9>jpi^W&ppzCd|7R6D1;y~9qQ8MxM5x46^p?O8_{A6a?=#9{Pv9l&4f zl(ne3y06tn8u@W))!O+V(-ItdV1W?K9b|cPyPl^z+)=U({bvr-`R@(& zDBgpcLMWSSEiP5a0*nqf4u548`nEkEPHn7J!VM2b2N+OpCB*rS`*2d|b%YTEp%J6P z!wtA9c5q5cN|I@HVb(G@TxD&};eFHKN|4b(E`r&!(V(F{ZGxY7)OcL2Bnt0=yV@zY z8()2qab;>A_p-9>uoFW5IwyfTG|UK85&P#&obe2vkx>XPs8917eA^CA`^$Zr0-1!m zhQ{;rvzw=9RaRQs31DDSmnX9Sc=yxu31}Su%|A9a7Co@@_3PIz@gM1oKD&dcFmHNi zIGuB)Y9z{&req>L>FMc@kB=!n^my?ur-!Iv#6R!vu23WU07O{{4`jj{0IlDAPZ#=_ zNDcr9cD~%Sb2LKd9qqq2u)xy~NqoF)-K6*jRg# zXM%so?r;+{+N(Xr2*jts=54lPV?ob{3CM70&z7>X(e7?AH8r)tR?#tF0IC|w4TdKc z6H7`-`btSj%;)8{dud=^dCv=#UEvFA1BJ-W!7?^9xo)#%_I#;WYke zZ$vjb#=^qlE+(d{o9Spe_WC*_S1EOK{Oy0%Y!ioGcQ({e=xz(Y*7p;SJD<#dF%-vr zUFhw_QQ+T&n})v%DU{7(r#l@d{J!%y%L_rI^Jk#ZVztSQ1hG%0;gf^)z$FkW_u5%1 z?ZPKU$U0%+?z{jBDO!Hm@P>~bIQP-1pIseAu-PeP5a@89Nx=*>5=7E;c$zL)sxi&s zql(HCG=h44P1v`V%yvL1RTbjruw8aL-j!4y@q)q&?9r(4!1Q$Ma=SlW0;Uf6@Pc5- z5r3n_Hb=@B^Pz3A)L0b}4?=>|DL*;>_rtUbl^W)&o@-!|{Q6UE>v%ihyqn(V^Z}eF z!rSxVSZ`8+7Bei*$K$KWsFlr2aJdE(n)!#NL+`^bFRyOP&wsU4PapefU1tGwdNk*A4*~ ztim?`{>WqnVEq}f@yq3w$S4y?up%xIRy~m3lIWD9zxfe=RSA-qo0~7zT9B3bMI&PW z>R}=f@UeQV%mI+~`L+K0R2~&X`y#;$GYiYy>}p2P<0J6=*@yt_YjZlvRi~Ael?oBU zidVcR?jA6MyyibQyc~|xfufJ^eak8sXMnXb71Uj@j z-kYsXe^1e<(Ym@gl$0oX+ew0V-vaO#a3Xb&%_Z%1GNto5LP^vDgDQOj`pmSVK@t|7 zHlxicj$1JLKy2T@fCaCr{N&l)$$|`yfKAuyQ$2hA;{3vZ*=>UNcJ`=Dry?L z4FEEEJ^FzuookSz(aXKJG6$c-rpV)pE9N`7a1DTAIPA9}oG93Xc#f{sdNsAQVhOl- zy$<8RUmh$vX#7(rGI-!e9Ck0a&V8f*YlopnkOLsmDR+Xd3c$=O(eC25Je~UtzEl(> zUAh;MWH2#X=Wpn|^op5H{z8PRj}LaA2mv(tH`k4jwWb~id37aS{Ai=aCZiVdafKw8 zG&X&SA_&Vm#4(x}81s1t3%W_ovS}x>lb^E_y#DOg!~ghhjx(q+N>cp`MVcp-O4Zv7 zCI2_pW#A0ypjsmoku&EBNzsJ+@97Qz;v~i&XmTV@A~F9LCv&*}=8VwQC8X#3wg>(3 zY&LneqOFR|%Fa%wUAejOe(<5*VN?F&WaNL-Nbi^L+#%J~(=Dz&7eOJ_0`gCAfPGci z%S&EfUQtm|?grw&L4NJ?qMsA9P%Hl~4sbu1fJwyvG8(w`jVxEl{k==D@YOUj)*ZKP zHG|dS8~TsW)34ZX3S)$*FyJ7-=%*wBwnRv%OIjd&@vpL~s-}iU+pU~=a#B(sz~KxG zP?D2p1n{0DX{d@Vn* zDv3uVhcg0jffkpu=~qc{sC=i7_ct~+Htpxw+}hgP>%9@3cTuoL02_&Nv$C=RL;lhd z7dd&5))f>6CZE6Ap$rY5YEodkdTm88f+I{4b1&u-fxd)JUl#nTaAj!%iCPeG*cSB z5(7yFK)o{ykG(Xwuzk|k)DE#FbVeE?A|k7$iHV7U0qB^n(NS71u0JOCUy7bM-kP9+ z2Y4i+|GW!I#jXrtU}R)uaq+iWi98h{At8BDBcq+;pL4{{qhn)tx3^A?j-HpBpu>TG z<+4moO>=ST=T5oF$a>b+*5>BeC@4bq{DOiYb|Ijk3|9cAEcs7jV$d>4TdKeiOzif_ zNn~5LEE!o|bv1J`^6|;Z6prY<_OqCSgF~g#EEYcgh>5ck1_nkp^{#}txPyjfi=Z?S zzZWoo122^=26RMMSGNdSfuE*gYrV~Le0<#M2_U~X(*g4}C(b?&ATzUzQbgpKP0!3I zDJrUOg@lB>JX}}`+zIwnV#$cP`}+FcOB5-9d%(sZ1{)-8Z*Nz^YL0Ug>q{)!0<)5x z9V624%1TRXE5QpKGO~cjEfsetAy0ikj*!yM&dyQ@-sWp198a6`36`atq~s7lVzE*N z@a+jT?2P6H+kHQzI;;6Kp|^s!78}_)IYotqRo2u5YLYbz?&wkw&OrF2>Z zVB^%W`>-D{M9T6nu{>sGW_iNwMSk5yxbgiV+f$6JXzP%nvCOU)>tYmML(%vgmwL5J z)6>`W&yI1NC}Z??tpH!vC7Y9KhY)AYiq8(2CU{W=5*j4Knyq=rs?|>#6cSR+1htPa zX~8KNR$5ob<^l4j$iMD>Do?^Z{9dAXic}(oz#y&DD(9AoKnB;Gy* zhJCHe)`1r*ueD2U3CjvO7)&kfuSOhyvQ_z}oR za{-r#k8Xoas!6CZCD=nILsw49+q8RdcxdQQ`Yrxc|NSbH(}m7X5b7A&K>Zz25_FX< zeFcGL7#HZet0%8??0f9etx=L)^N{v-es&2YFQQpO_)3^c)I&!rFq#mlNO@g+ebr4OyJ1#2FL@Aba4m|@!4lM?i%D=X8$AxO_hgc5ke3x- z6CN}~P&k?7ei3pOBOcb@|FnwF&=CfcKtxA}5dQENGAS}Ftp7b3*!&NEK_q2dZdYK+ z|4w3z%+pPzKtuulWgwy}Pw+7(j~15183>6Y5gQwNQ9^$<_Jz@3qM+uaKShG*FyJ&O z?qk>iz7=AAYio-Zy%|2w@7fNbD5tOx3bCJ_RmQNZ4XPHA8%_dD$b=c;EyT$0Fn6XB zlX}2sN^Ft9vZuS-%gbxANZi}Itr-dFcWibxNqtmIU;Cy7psyR@j51~WmZ^;XmoGLuOO|=BoekU)Bniug@}73R!($15!H&9fmKbFfKVH1nLl-H44+k z(J_$Q5IxcVl?1xl*xDMgDm*I6SOfzE2^wE>pR#0WuNuf80L>I*(KG|Il? z!MMf5hlCMHP^u6Nh}O>O>FVq(L@d~z(VwD(=-eH<#T`t)M|=s;C2{lfqoX0_D)=y( zr~ttFIbW_t)j98S0F*gSJNlduE~rx`8k&>gBpTY8jSb?KelWaPNOPA5?k%xNE-T!B zFzYa$5|(V+(cDujRzBeD1O6f-3Z$$=^!|Uq2{5#=mt)5zvTB&19$_DeR4~{4>V)0r z3xeyK?mxYA7f<^p25lc z+sl$5YwQ4!TnXRF!xk8HTXBeqk*m5i0YGmBRy;m9D999s)k{H7k7Nk-%}|a5z_pGy z`!Z#SKxEO9(uPnG@wkkxtl!+`*0F29NX=z4u&(P<)o&Ml}6Su4t zDv{S=7se&%nrd`kokWT3{!nF}oYv?D5HhMHQ$`DNZl-)NfVR!x84YQvqpfX6@;$fI zfO(PB+*cp`9lQ-21qH-6@SNNE7-Jmon9J!9h4+grL@5M2SPbYGJRF?xO(nzWFFr)l z&#XlJ)Ox9i@%uwf1-~y2fNWxt@Sgr+XZH5?Cbd!*L_xR<$Ys>%V@`+YR-!cm^=GRO zIJH;?{{YQH!N)&2I2hO$1W6QCk0lt>2cJciq@q$rWY2wphSjIlw*+#?KfkK!jf9dC z`VS*jYKb7g#*PGeIcWTx@zc@QTEqjUrCQ=EzE{LuVoTDhBHXm>Vos`hSa2WV79zhG zVX~z>boH-R!6?LZQy4u8BKcFM$+I900J(&TiyQtv`vX<*g6RcvlA1NVtu|NQ*T#S1 zphkt0%$&CwMgp$1x1V$p>NG>+s~ZW1;587uR_THw8XC9+;AO~~BNV?j5x6-yvk^H> z4%OKg{l-J31(CDk0XXzt_`nN5zp#cZ0A6`RIHeThfs@vm2J8~Ynz9pz#l|*NR~w4w z#8y^S`JX$$(q)g~t=t}fO>~Jf)cONPped+N_=j|P&mFS4sSiY==)H@J3yiM@$;;o) zovTSG_Dg+$P~$V-Xn_e92J{hES6AzXe9|vpzz{dle5vgaVq#)+#Fc<)WJ=n1+u{rG zqMj2QW|{n!mzMz@08HH?4OC{C`j^0H8nr2ebAcYeWJg%<=yKy8r(v z!20~3uFKY1enCM&Rn;%)PgvWFKhqE+RIDs6CdTLWSgEo;Y|=&~BO{YSf6T+f(@^djjd>;9~ zafOd~@BuKE!$#d#LGPp70by!t3LxTk(7eNA8y&ya8jjSe{ zt+p%xYLa0?g-pSHNW|QY_B$cOFK_zBZit$Zh8(uf<5?UJvy!LxkF~{0`Vw&#CKgYCTy(L~ zfX&@tzSZsD@#=Ljo{_x2kG~MzA4SCGIbQ}~mi@iG{axc8DAH#E_wC-To>05ri}ekD zMvX2>_(}d6UH+mHrTsXcwbEi;R~J|vzDnP$ngk_4BH@PC9DxIvLYwv0;`(~5?pDhM z`U1sow${PL(+e}6kDLB&ZENQ`JO&J#5tSgmelh`p0Z_<9iE-Jfbib04>TEAEudf}P zO>~6tf5^x*igLuGp*Ps90h6OA4==sVYGXlM?` z|5#fZk)@2}7(Zj*nvSKDCQ0SE2)r#$WZ`QTW${^3SV1Rum8j65p4XUQoBajYXcIG& zD)PiMx?4C-IM&Dc@-%+_^+^SMe9PHb)$X!RIM$Nz=xB|$pI=A)fy~f`PpkIpVdCKE z0plH*B9o}Ryd6Sc{MHD;iF|u}wIc!SYCb8L1_*5vU~B}jf-qhgnE@XGvQn)AM_&kk zR$EIc@Ei^ik%^hPtfZvd;bG_Q^3tzn3+?CRR(VF>^z<}DRNa>O*aBu{Va;((%uiVHa5P;pK1I&VhJhtZqv&8t=Jb;pT z3fbJ^uonRdzh9wK(+upU@qhWPKo$%*B=SsyPEY3lbrET50ki8z$)AC^v@{;G`?7F! zN`P%hOir#IUH`&J0&*4#!k|-)lhIkoCtNbs4XF4frlNp%z{{`@i2 zvxB`k7&8$E-5*_8z=n@OLOS(wcX!V5J*l;aG@AObdr{C+0E@jZvR84rI!kO>0=gBX*;jj}&1DC34rfaha{X>nOyq#0#| z-|JETw&+*bjsk!~|7Mfu(V~6BfaB59+U+sRW{d}zQ@`P#1cB>MH)TX1c}9kYyaun2 zT#lwaf_6=9{`|z!pY2z0t zhVvP^x}FE=cGv_#&fZMBa!hKPnf(QPA^4rXwe_ZEW<9n|&5gXC$;t8Ytp;!0>>oQo z;sf%L7#~1-dEKAlI@r0~-j3(tYDS-qG2ws4``8isz~ubAkN!tHU}>Sjf}^1xzM`SW z`lnq*V8E2<$43Za;418U`oJfwIA#Ve`ekad%IHT_^e^y%&VC%g;t_&Cl<#h8zZI|! z_^6hY!p~!bSo%Q*nycuAu_F#GBTWRFAV^SZ*dWa{Or`K zLYJx0#u%bNEyV*imRJIaNr&)E)JT9u(TPt;I0Gtm`;30UUx6OjvEk8P2Y2_UA@l)0 zUfxMl_6tlR!;yU%=087lRD<`w{5KAvJ@+yho0`5}-^l5h4rypk8}&e?LtjLJG#1MMFa zXDzF1)eK=}|NCbH*bPe6DyCamx6aSo%^qxOn*as$Vx13YW8pDALG1XrxLy4@AiPU} zAPTJSXuq32EnwE!I?72Mn?wg74kMy=E#hSbi998lDS7Y>qrT&%f^Hohny0XFWbrv_ zvVe5%U<&9*ez;h{$8f?Q0T2VFEJ1}r$2j!a zQjMpYxj9v`(09AZKQn(xtJFh~8=X(~0msbzKOM)bT>h*Iyf|b;SpUtcVpu8w*T~es z1GQ%_key6WA`Q4?!_U145olz=j;eZW|6UJw2ixR;)Z=47Q!gwiM#3#cA`EC-vbC`( zxq|Lo8X6L}Y=!6p_Ef0n$N2bpuGE-46f03)thM~b{d0MDCB&cR=%>qV|H@fLq;GTkNt=)&0Rov{;%@BGOWrj+Eye5RHTs<=?*E8 z5)c*XZb|8GkrX5ZRHTtoq*GcNq(i!6gLHRD+_}H+oOA!4d+z;r|M}p?$Nj!*%{9lE zV~howFh7;nPvXN*3DoWbL2-jI&4LbzL}Pw4Mx-hD6~HJ=PKOQIvHP!BT>=~6mmT$W zVK7tS2M@1a(icovk$WH;96y1I4J;?hIXZ?vI}fUc@4ElEk#SR@+5lQIy-AbGV6`V55>eitYQC$lg-y^eZaTSvQcxHdGr z?6Cf#@2c4BFbCpOIMyqoVq%V(k7wl*1k=*f{kuHx2!@P}X;M>D1Hm9BRu8;^Xqg1^ z-NBNmh-hpXJ6VVnJujZUEp|0@1*3KEi{aSWH-E#UzTU5>*6?cupam$)esva|pPJii z3`z#@2$gK?bBr*4sjaDjkq{8<)Q{X>nwpv#8a6KPS0RPKXuA;u@Xvz?G%8Z`QIU_2 zg@uKZQh#0TYtgHXK|qdt9SN2Ac4Wwe4(-h&LNYRtnnNugW)ipp;po@EFY(7uX4EXMlb49N@E9C=TpCf5Vh(e*>&n3jx ztz5+XyyJ9xR(g6mWPyy2cQnj7)>StuXAiZuPPDYdWxJgHctvt}Xorbmq{T$2TWd78 zu)vNVMnOq|kB_e!?dtr<9nWEFN^9uDr%&CE;;&x|@7?4uxP`UzjvaKts%~wH1_pK} zCZ9ox{0XKBQ1_l^e4@WkOA80*IL|)|H|n6u_~c+A68fl^garIM4nCJP9w~3mLIMIr zr0({gy4-IDIZf{uUVu39_k(VhRs1k^x}JK5b#MhT>C49Y%PPy^PEgPsuOFlO|Ai4> zJnwg(0|X|*(2$9NI1KvGanOjy$HzbQeC=_uJbQ)ux5-ggcO%xoi{Etb4~XT?x33QE z)MH}CzJRW?Ip|irnBCU<)xjs>6o^%X-zS^r8G(U9EE2^q$2TwYbOU6tGEYi-|319d z%C{5Zse^>r=(6dKApZ3eZ$N4e(RR1`;jK1JohKI7uN^lZBNeh5prdeX!2-4GcZT8a zmY)d3tk=aMz=b({ZEbB3EfZPYt6p4O9L$uvI7%#xq!wPApRaLhJKC%F$1oNp(iXwwkG_h6dk4 z&<##i{m^8MevVKEwdXaR4+)=mphTeni2T*iFg|Xv7)q370+Iziih!sn6-!H&*p(F+ zP0Brg?yodAF!ox!0ajZT@{38-I3eHHURWQa9O-RIQ2!Y)yr)iyXy3rBe#NuJdJf~lN1vl(dgJ(AT0kH|=NQATcfD}8xd3@*W0)Z&nr8iSxA1c`WL=E$ZUU;3J8q$iC(<5L5F!W)Yzem?6=X; zYB0rs|0@$SbCt(F!+TJHuV7(gW8b>9^zY{CMZN~uT%ey21g<=0)7qx~^eh(|3k`L3 zS`Y9D6xN-14Yr0yMBM6?m*29r#oGO4lms%H#3^|q9M zPCJQE>C&c<8pTecuEBwU&aSRO8D+lA@?sT3<$#`RDDf8hCa zE%ktYm5lAFx_V4iJhQqSR5`}BA}D@mp3I*b+S_-2D2R>MSQxvit9y88Sz12#^nAEy zcXrm))}6#H!oq{^LM7~p*6}Nh*wq1-o11$FO*cK!_(O*YOy59F#P;l;Q-umBFx#oh z%k8W6SpZTEpMFmpcwc7E9?wD=5f+Ex>Ze~RK4%@U(Jn!xdo?O{xj&^fOcwxqw013) zYxnP2E+Q-=Fu3N`=L+|f+^_ODEXb+iwq^x4m8m>-w8w4K@tP= z+`7{<*&)v8=O56}Ptk$)@Uv(b*`Y}BI`=Eyz4<3rL-oAcnt5{i_N-3@sI)3Sz&@E)v4=ye)sP(E!6Jlawe*ac{^X7uX z_&?4OSn6qvFDWbO^@c`9IO4<<7Dz93p-OajcW-QLY)w_|pX@FG$qr=-;=?#l|NXVC z-DSa`(aiL8qsy8qsC^#f(5F~ffS7Uj__*F<-^|_pWOB*{x%d0SYBnR%YHGYjy2${L z3f-6FQ~HQ(U4q2|E2g>I7x#d=97FGU_Yddlf3n~)N%?Qan;q)^rzE*29R~*o+lD+c zmJT`D4L**8wgzuH;O}u?GM`i9xd*h=oNR1=)X#|o-<%EYE!M-BlS2+!Xi6}6ziK`}bHV^^W=U!p!)_GZU z#q|91#AlKc>+0?Y-PWlx5>j~!9MZU^4)85bxgqt}-z<_&O-})~`Zd}n!?T0F z(&OKdMJ~g_XD?oK?-)vgq<&z?LjzMen-D4LPAknLbld3c#QsyHR(V_U4%9v^{9iOE zc-LdBEiIcaCji|oOe6(jfD`cX%Z~Y9!E+$e z{&I4_Y~2WyI8rVBa`Fgi6&F7H)%W=+%pqayW8N-ny&D!5;d3W2+j3 z4PF?w0@oQ4HB6a7!_-2sjI8se}eliNkdJoCxLJOXj9zf%~*^5 z<^-Q+dq)QupJU5NPa=LY-J{n>*6T6sa7M1qv%(w!G?qoazP@1Gg4PP$S`Aa(Z0ziZ z;8p>FYNK?}bLc_rp&UV7%2Y^hnA#XCaKy-FX0DvWE!6AkZpXTflgQ&SP;R56gn)F! zrM?sra`Ld;!Ol)c&@>no$8G+DdHL`|Ouz@0DW78WjG8*7%E=7)zBnOY@JC$yz3^?{ zR8pn0U7DHE-@!hyb9E)AyXKb?6-D4|0y<@|_nGp+cIi##BM{gJNv_BKQj^G3EqU_C zRBr^eC5_NEir)M z5%{1-i6KZ~XhMTsp{b<}tUpQYT~-1rDp8kC6VVhqOQRC={_8yfpKv^v5u}9Jzly)g z*ejjo>@?B~o6q^Sx4+B7MfMGrYeQdqGleNp=bM|~-J(^Ll6psHjWXZx`LhWdYjh`g z*^))`m9bk-on8spj`>a=F3FLXwUN@`0n!(6A|No1G0;)reSO46Lh>qx&hv|?1Mcwf zu;7=r2&%;a%LoclBzeY0s#{m%+=0)~y+e$3{IwMAq`~hZQ$AT7PYhPnhYv4fLU8?UmlsH2Hzb-4xn+o#b+;uQ+ zOLcVFy@liSgE@-vM&J}18U{skZ|^ClynKXgESuRNk;*3(v%ZA*FJBhj)|bGEg5V$e zC0s;O83lD0^Yv>No5vwAcuVh$5(gY`h>|KK)9F^G zR=hgi0`^KYIM~-v%FN!rs4AXJ$Bd4V9zp9{<_wDF!sVF)ziyqlM40_?o%P=r1oslA z36KU2Htrst)z#JFHK?f9H4SZmKG)ULjSF`_7rYzI^^*k;tALyg6lQGAg@VGu)MNG3 ze*u{(+kD4Z65l>Q9n6%6%@p+RT^gU>VV`~57W95yxXy|KH^Gl{v$VY2)5Bw~e0zKOU1B*P2YyTd zyOrM4Oe;s5FfS4m98(b-%{<6AUU7lB(o6R3>Dn%2w-~m2|nceY!QBvA{b;Q{nuW0=8?v|*sT_px}|MTAu>~TU2VBy zsY`{6sjr4a5MC@((<+&^7``{E>>Q+Lw5c44&yf}u4B>$`Y8&)zaO<1QvJnut4vt3F9RPZWDIgo}N& z|7J_*tDoXTpd{59?3NjNA8XDE%kfMkFj}16jA&#pvt3~4j{W`1*n7}jr%v-sJ3`{h zaPdrs_MazsPHcO2W<6EeI5GkqFh9VshS~a@oKT%(Pp0VS!oolO{jYP#og<*n5+qd? z{UwpgXYAL^SG5I6OEn4V9MjKi)w%?N&_7D+Ws0AfKFt)uUelRSRDq!3+S;!rN*|Rb z*etvecb;g~&TCmXDao;RR=GV4Y8~OXZo+=)WX-frkqf!2rl0xtEp-;&mOOLqqm(rL zihuZdr2ZvM(LJ8ryU{`YYX5Zn-k1t0kH)J_ofNcD*I_oQqpjTu3AmsmWD%)m5N)Q?&s*u5I*v8KTD-uiKHBShZs2 zMXc?C%4PyPld75I@Oz>edP9#x&E9XCALOpF1x@j-OyLq}` zeWKq-*N$=-fA}@ugLeac-7Yk9Y`+4dW@`lto`{$_Xl)8;DB$5W>qJ>d$+u_{CS45ib|B8 zu-g{M;woE<*XyQb64Q) zaVyv!601i9LKe0mu{5=Q`^Aal%qxw(D?QHT`Y-Kg%fEEl?k}U(Cf%%%vf06*q=f9! z28FB&?}%1zrb%HlL1a`ff-A?gQ`(kZ=Ui=mGf7uqtY+m-VYbo?Lspcm&cvgEwK(G) z`KW>;A`3`Qi<~d2f!#;G(S#6QLWv3SqyD@NO1$|hkw`JC4kmQS$*d+Bzel|MmwM81^K`h2*{erjyf^+#&65kU&NXytD(HgGFcIx_|z z_9Y2X5;`YBO2ym2KuTd(LL7$H){&7BHeNBYtKW?QaIo29#B%5Z=#esm$tvu;mpqze zFO7^gww8#gsq4X!IyaX(qCR|$zq=DuAoC0Jnq+gUs~(4)L>v<5PvA*d?~?Snte&N# z*(+oR@Xn1oe_3Vu!~)?^)JcPf)6(I_=4$1IJM&bm*JhnN9=oM!=0G&DSIcX|qkvX! z_snPac5gAg*V9(y z9C}GD2EOZ~_SAbLwU6}kc=Ot0Fe)VN933qUd}%;Q5_t_)fgt$SG-tCg5`6voXLxu| zPhuV0kEeV`MVWvBGcp$E(J#P$VuFq45B@0)%UT=6%8I$ISx{i**cd?St+6`Ft+edo z)uE24DxvW_T&x>6MBTR7VxiJQCytkTm8owlZ#wEm>*=X+-B5%=(zJr}iIs5BqCWjS zp(NuSZw9S7hCDk9omD+Yj`_fNw!3Y4kmm%jiDYmN8a2o`KL&aQ8vDFiN~~%yxpZKz~f3xm6@VCq{M~hHZvy&%9+Q zy<_a>Y6B6qS>w6U&UadbjUuU^ASpbB^v^V>c>{yu1>|WS6NYRKPQ=UmZx@oN3b3r3 zbV3AM^bGCnE9KZf4|CsYYlf#MAd~tNFMidn4p{Z8&5|uPrxsx#d+EYR!yYVLb^$2=+w&5UF$s zI0mk^iL9lig^38e@&njh+}+)!o=EH0d9C^A5l1zqiMu&bzC#O3-#qSB1_;IKd-xU+8-Cay*;~g{fui-@WNQuZh6f2bIpGztbAy z_|9e9?u$vrzWN$uzYD^oXVecdf?kLI`I&p_BNi(%tY0)%>;5CfJ=tm(?u)qkYck?2 z?0wAn4B7jk?Gg_xN1!}_^MuWOibR)xT%W5yNNiFo>ne2*nw;alr~iJ;61W-D_27V|cI$w^#d;^gGyzWXEf)a|EiA2VY3okHaQbRNA63~zcU6uT8)lQWV@&%+j+5!!bC zU93=8IMs0F!K+ux;A}E5Fp!m%wX#|V&AqKl%11>uSG$C-hiG(byy_lu9u2! zb6+^d$#qAVd_2UpG^Zan3%(C&0@a7EMX(Qm*Alc=)B%DUUV0*$}zV1CcYaL}s9k@!M^8K*d9j9IY5B6L?B z4v1`9<%lA-y}r+mtI0xy+O7}saB)OeKcUMW-c#+z}=yV)mH6#*B!z+D?MTh2C< z+Zf-ECd#akDYn{jW@by#tQyc={sXDK@B1Vfn}4b(+`IF}P8BbCw!ySEIJMj*iT$=8 zP3#sLw!pB2;^_IZFvgS(sKHb1HEr$e3iI+lcT|pi|Mm^k-w*f>nKT|c$bR$!5V`YZ zFZr{%o8oHmPC@#>*aZKy(lr$bZf@mCGaI#uMqqVWX|8Ea?Y$BVl8K~>Pe`x~YRk>Z zxl2wy&T}5~@uQO7w4LHOhbH}ymjmCniMxkF|CO28ZdLGej{X}3x!JeQ=aM|(8D?&) zC50&p{qkj7wWRK6r3iR2!{4PfcY2p!9u-&DEE~FdSnO(5T7>rXOe=G9 z@Mg4sf~rv;0x4ZQ9zWBUUo%x2{C4O1*8Qm9ZhAWeai|wI6jsWMb|h2Ju9Diz5I_6l z!b4Bd`k*aVIB39A+9TjPPS2jJsSc)VWFp@sYYYpXa0w6A$@8^8eA>5#6`we{JxNT| zRx_p=qr8QJGp5KEZIyd#9c9V`apQr2(c3OKzL9f_8#T4H;Kl8x*GGHZC|}jm)i9Bd zk}H0M3~~SKR1u?2oGbzX$l+q)#Bg_qtIC#dMQg#XPh2mFC&i`n8s`sag-*&oDHevXsdbaXKQjcS08+Z2bh2%jw$IqXlrP4J^8loCn6!QbqkAq;fjP)s}$qt?A`&fA;HaC_4v z7A02QE*R%$*BJRm9t`|-btzzQ&cwnpu;rAucX04_c5wiC;>$sB(v*+ASgpayUL$I2 zf01M6w}-(!k2DOuiQE(*3y@lwe;`z#ugqORaoj#EUFu^e_aD`Ajzgw+^PT|zf_nPL zr0g~xh+fV6DqD4W4?7bo8uCf`UKEo6Q_;jO&c*R4>k*;$Rz{t{>+jDPCvnWiaDsG* z_1@=Ms^#|9ec-7e(n5hL$_ zmm2jkWMoY&ucf%p8J`M(sbwQhx2METDm}Cfir#tjcG<6Zy=tO9kluJ*n@H+y^c>^Q`=zNzhpk5YTSOa-xD z8Xa^erz$5hPWfFsCcLrUAkvrt8Pz1zIV_DzNk0uja&2RN;E^ZqHcapYra>wJrBz$Ky#D3{)U^A zPFaj~CH+7!_QZQqN(3K8^RmXC{A{84eViN}1S#M~&EPiAIiSS_>}E`KPy!$O#c957 zf~dgKqM|u`&b@C^kllHRRl`WrtwE(`c#q}>Roif$=(VgS$T!v@Qy$BkOFFyFxhN6+ z(T-Syw>2S_&N3*|ulxMs@zy2@C93D&wXZA`=m)RUUUR<|x4rmwLNIuS$< zAXxUXx>CmrMidr_6uL0eu?9dN(UDK-)M!elH#kLeZTr6Kut=MH733nuGjkSHJ+cUS zp`&(Z8g8<1xWU)h*a%t=-Nzzkwnj$&5sL%bXv+^MZmMkNGR`HvFj5O$-+xiv{Uh$z z{4w@jj0EC&9&t<{oUS~$V}&p%NDhRxrru{!j;v9WIBwUTe8XKVl-59$j{o}2OuG;nZt}my z3VDINt$VvWd;4ph+awPzt#wyoSeWe;O+HtA=3}D8CI{le{>?lKUj#C8-QR~~#bo{M zM9@e%sdv=VO)RqOehm=JH0dHOBh%K}>UiT&mx7Rqee>bHAn=ee+O3h&jA8jseOk9y z5%$XL7RkQl-}2bQM)%WtIi{lk^Hd|rYr+NZu-EJE!!77r<6^e6cufZ-W>ac+sIAx@ zE4p6L{Uk|#PQxSlzRRCoQFSo%!>tMpv|R$5Q#VJUQ{8pe$3tB)emc*mbx90!({J8t zuH#LPSQ2=w;=mc?or*uyy%!~2(mx`-L5VhkTDcFMcyZaaCSpRuZz3~^QBlSg79DW4 zRyobJtqzyqIRKr%Z)lFZFEqz{W|$eepR0EIp}MNzmy$HgHagLx?|dq^d!EGM5b#c( zo*HA7dX-#sEpua8s%^*R9kOe!Wn*(AV)PNDa}B8`)i^zLQ! zJa_(^_JODV1+!Oo+8j?(omrJ->6IhhXdm2(f%*amRo|KG{kLy);F9D>TY?B8Ff-~t z&UXd9%R~U4J-guF$}CsR=pJYM>dYaJZ_ldhM|}q$%;r~WzA3REZwM&)O(Ei{zRuke zlsF&uQLXZ+eZD1?Wa>HH-`GCmh6viQyN2Sgeqw!iM6EO)W$eovx2(N!@m?55P-c+g z)ZC*a>$Hs=-BrQT?z`*-Z^q!piC{owFVx!~ooZ1+>K}6|y zOP@4m)O7C=Gl{emep9(7g+KfVLlEQWL4xUZrl|vxWp0|8UqM7`_Z+TSP}s5h8v9Ps z3Pup*uwiX2%RUMlZ|Az7UgS_BLS0g^;F>K-yG&|?9v(Infp`{z+n@X`-pWJXvFVqvIdz zRzKb5SSr}PljcN&YM|dK?5$x+2w+R(ji@Ii9^-Pqd1E!HOCs?p*hv=8+6J|;J=a># zP33L#xXVxLB);29%sh}0b%YkJ)#4O^uy7c}Kb}uupg$YDmwk%^1)rSrGlKAa`4Zy5 zM(K-8e~gY1Br!An5c~FGUrKUj5gRQHImHl^`Y0O#n?d7xeqtI-t=hK*HRqI~QH8H)txizl*p1*M*s>&2i z@y6P$r%+R4ROvZ?%DK!U;nVAk4*_XS+NUwsc8%PeU#_aYMwzkWywg>TdxHnt`hZ|uG@m`oR=T*vbJ!HO&9~eTML#^czi6Vu zqy~9QR8F73G$Az(=eyycvT1TveqcmjnxEo0Ih*jn_;9nUq>B{Qiyhls2cmF-N0BKh z7-%hS`v&+~esI+cwEi)>d~n&?)Rc${{g0%#ueR0H`B>UC_o>|K6oQ$qUPU!^?=5Ae zf8XVQ^ej`_cPPAk-m1@7JWh0|=IQ>WC){GixX{#%9c>I;+fYqP6}z|>)4}NvUvlnY zh={jOd58a_-{P9IUk&rbB;s*U90`J(tlq)wW}NK2WwWN z1w%^c-HTq4%u1yvs_cw_Z)l4Tq7F4E17U zQ3QAFm==W`nEJo;sc^kf%2T$X~zD4OP(fRa1z2Cac|A`qeB|Do8 zmPk{BgC#W19#QjNYg{A4Fv>oEs(Fefn{4p?0aq?n(Se;MN(6lMR7s4%})q&Dv~%<8n#;N7x-xH}xZ77RM(p5ko82DP4i5Zbe7 z_0l!1>skQ6`2hdb0Lk}uH+)8G|LKlFPu2cBa~Y=X&#JMCY=5^r>m*c(5^PBIF8UWA z9SNamQd?i&c44eQh?|f5=(h)6FSa3L;_s0N&i6`rW>14<^3j4yBj70sPVgJ3&DDY! zZQmYBHQO?~NQ`T;QrLD_LDqlNDBO}s0EOT|{tk;o^G5OrWb!*c%?Sg>J9caiaNHf1 zSBDJ|nhZm&IElS8g}N*1Y?~B63{$`2-n@Bd&ozFA>Elzdbs`w`A8y{sqVhl3sq%j( z9bO+tyl0u>_VSJFBo_`xdKalhyPaQieAbprLP+eD>f^FFd_N=wO;^ZX z$%-)^NVnND=U67)ywdl+U(nsJ{zzA~{jK#6H#M(8`mm{=-jR)L<<%(;C}(t!3K5Ft zr?Z@Y;1<$3e>koEhjBWxWrX`XXb+vW-9PS@pBEM^TIq6LhI6$At)plNcT1Tl-PevY zm=5igy2TMd>P;{a@V!Y6vRopMaa8-Z71?v&_QRaQ#s-<$$-(>h0}LFb#J*lb+6Z=a zRw&ziUo#TMh8Mb~sr7rG$a}l79KWLc_#mJA3Oijz!w3b5Wmm-XqTtO2aF2xWGQ8{Me8Bz!)3!&$E8-SC9 zW>17C6vM0`XH}SN+xD*HaVXqhO8eehnKl5I=7p38+E+a5aCeL2YiDa`hwBiR1Vm`? z41_Ih&DKZ$w14_E_z3lcLzSOJMK;mEjP&6-Z$>cZ9VRCWzMTiw@6T+#n;&T)-~vr^ zp>)?HF7$U6@ru07N|1CBA-ybBe=^M|b@bCVw#S7~_l+ughd{70dI=u8%Hfna#p)?0 zk)HmP?_*BaL`Fh6EI5%-==3?gyINfB;DlZG-I))Y?Wya0x5O!(w|qOoHhg zHwSZWK3aqeO7xO25=^opY8;e$TX@WYXNwe?OSUT_>1W>CCrGsou>VO>jx-XARd%UVnv%Xi!c*YyN0Y9wwq%8``PF zKHy+-^vF-)#_F#ui`90%GmtjY8iKs z*qz{AuC84_~2GF!Ii3)e_b%Jv34(bHMc41=5Q zysmxV@AJk;wUCh5?JAczHIvHM<>jmooi{ab=!K*jG@gMFv6Zm=6i=#fN5cho$$^hx z18qM^?FSzJX>>_jv)$voRExApJEwm{4ZD}f58ceSAzNfucw1t9`1L?QhQW?NmMFoF z1(MDG6(8h8AR^y-BBz5i?c6It|NcpTl>7I8@uBzHcB;h+gpq9Me63W)zd8;7e^N^S zuP=K3pLmJ>>qhA(i= Date: Mon, 31 Aug 2020 10:44:43 +0800 Subject: [PATCH 21/31] update --- .../activate-using-key-management-service-vamt.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md index 124078e760..68924c83f3 100644 --- a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md +++ b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md @@ -49,7 +49,7 @@ To enable KMS functionality, a KMS key is installed on a KMS host; then, the hos To activate , use the slmgr.vbs command. Open an elevated command prompt and run one of the following commands: - To install the KMS key, type `slmgr.vbs /ipk `. -- To activate online, type `slmgr.vbs/ato`. +- To activate online, type `slmgr.vbs /ato`. - To activate by telephone , follow these steps: 1. Run `slmgr.vbs /dti` and confirm the installation ID. 2. Call [Microsoft Licensing Activation Centers worldwide telephone numbers](https://www.microsoft.com/licensing/existing-customer/activation-centers) and follow the voice prompts to enter the installation ID that you obtained in step 1 on your telephone. From ea7d5f4c05c0caa09ba9a1ed7b84df02b6ebb556 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Mon, 31 Aug 2020 10:04:50 -0700 Subject: [PATCH 22/31] remove link --- windows/deployment/planning/windows-10-removed-features.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/planning/windows-10-removed-features.md b/windows/deployment/planning/windows-10-removed-features.md index 65c52cf2dd..7085ba9fb5 100644 --- a/windows/deployment/planning/windows-10-removed-features.md +++ b/windows/deployment/planning/windows-10-removed-features.md @@ -27,7 +27,7 @@ The following features and functionalities have been removed from the installed |Feature | Details and mitigation | Removed in version | | ----------- | --------------------- | ------ | -| Connect app | The [Connect app](https://docs.microsoft.com/windows-hardware/design/device-experiences/wireless-projection-understanding) for wireless projection using Miracast is no longer installed by default, but is available as an optional feature. To install the app, click on **Settings** > **Apps** > **Optional features** > **Add a feature** and then install the **Wireless Display** app. | 2004 | +| Connect app | The **Connect** app for wireless projection using Miracast is no longer installed by default, but is available as an optional feature. To install the app, click on **Settings** > **Apps** > **Optional features** > **Add a feature** and then install the **Wireless Display** app. | 2004 | | Rinna and Japanese Address suggestion | The Rinna and Japanese Address suggestion service for Microsoft Japanese Input Method Editor (IME) ended on August 13th, 2020. For more information, see [Rinna and Japanese Address suggestion will no longer be offered](https://support.microsoft.com/help/4576767/windows-10-rinna-and-japanese-address-suggestion) | 2004 | | Cortana | Cortana has been updated and enhanced in the Windows 10 May 2020 Update. With [these changes](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-2004#cortana), some previously available consumer skills such as music, connected home, and other non-Microsoft skills are no longer available. | 2004 | | Windows To Go | Windows To Go was announced as deprecated in Windows 10, version 1903 and is removed in this release. | 2004 | From 0f2ec8a586fc9a52cbac8dc4dbbffa59e2e087f0 Mon Sep 17 00:00:00 2001 From: Tudor Dobrila Date: Mon, 31 Aug 2020 17:08:29 -0700 Subject: [PATCH 23/31] Release notes for 101.04.76 --- .../microsoft-defender-atp/linux-whatsnew.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md index a35d6e6d1a..1e33d4307c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md @@ -19,6 +19,11 @@ ms.topic: conceptual # What's new in Microsoft Defender Advanced Threat Protection for Linux +## 101.04.76 + +- Added the ability to change the path where antivirus defitions are stored +- Bug fixes + ## 101.03.48 - Bug fixes From 5f757f9a7df244d2d8f908b4d78098580044ba97 Mon Sep 17 00:00:00 2001 From: Tudor Dobrila Date: Mon, 31 Aug 2020 17:09:46 -0700 Subject: [PATCH 24/31] Fix --- .../threat-protection/microsoft-defender-atp/linux-whatsnew.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md index 1e33d4307c..61ec612679 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md @@ -21,7 +21,6 @@ ms.topic: conceptual ## 101.04.76 -- Added the ability to change the path where antivirus defitions are stored - Bug fixes ## 101.03.48 From ca22c1b6c7d790914aaf585f9372fbc481acebeb Mon Sep 17 00:00:00 2001 From: Chris Jackson Date: Tue, 1 Sep 2020 10:46:07 -0500 Subject: [PATCH 25/31] Addressed validation warnings --- .../exploit-protection-reference.md | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md index 90098c5590..a1ddcfd73f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md @@ -7,7 +7,6 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium audience: ITPro author: appcompatguy @@ -189,7 +188,7 @@ Arbitrary Code Guard helps protect against a malicious attacker loading the code Arbitrary Code Guard protects an application from executing dynamically generated code (code that is not loaded, for example, from the exe itself or a dll). Arbitrary Code Guard works by preventing memory from being marked as executable. When an application attempts to [allocate memory](https://docs.microsoft.com/windows/win32/api/memoryapi/nf-memoryapi-virtualalloc), we check the protection flags. (Memory can be allocated with read, write, and/or execute protection flags.) If the allocation attempts to include the [*execute*](https://docs.microsoft.com/windows/win32/memory/memory-protection-constants) protection flag, then the memory allocation fails and returns an error code (STATUS_DYNAMIC_CODE_BLOCKED). Similarly, if an application attempts to [change the protection flags of memory](https://docs.microsoft.com/windows/win32/api/memoryapi/nf-memoryapi-virtualprotect) that has already been allocated and includes the [*execute*](https://docs.microsoft.com/windows/win32/memory/memory-protection-constants) protection flag, then the permission change fails and returns an error code (STATUS_DYNAMIC_CODE_BLOCKED). -By preventing the *execute* flag from being set, the [Data Execution Prevention](#Data-Execution-Prevention-(DEP)) feature of Windows 10 can then protect against the instruction pointer being set to that memory and running that code. +By preventing the *execute* flag from being set, the [Data Execution Prevention](#Data-Execution-Prevention-DEP) feature of Windows 10 can then protect against the instruction pointer being set to that memory and running that code. ### Compatibility considerations @@ -316,7 +315,7 @@ This mitigation disables various extension points for an application, which migh This includes: -- **AppInit DLLs** - Whenever a process starts, the system will load the specified DLL into to context of the newly started process before calling its entry point function. [Details on AppInit DLLs can be found here](https://docs.microsoft.com/windows/win32/winmsg/about-window-classes#application-global-classes). With this mitigation applied, AppInit DLLs are not loaded. Note that, beginning with Windows 7, AppInit DLLs need to be digitally signed, [as described here](https://docs.microsoft.com/windows/win32/win7appqual/appinit-dlls-in-windows-7-and-windows-server-2008-r2). Additionally, beginning with Windows 8, AppInit DLLs will not be loaded if SecureBoot is enabled, [as described here](https://docs.microsoft.com/en-us/windows/win32/dlls/secure-boot-and-appinit-dlls). +- **AppInit DLLs** - Whenever a process starts, the system will load the specified DLL into to context of the newly started process before calling its entry point function. [Details on AppInit DLLs can be found here](https://docs.microsoft.com/windows/win32/winmsg/about-window-classes#application-global-classes). With this mitigation applied, AppInit DLLs are not loaded. Note that, beginning with Windows 7, AppInit DLLs need to be digitally signed, [as described here](https://docs.microsoft.com/windows/win32/win7appqual/appinit-dlls-in-windows-7-and-windows-server-2008-r2). Additionally, beginning with Windows 8, AppInit DLLs will not be loaded if SecureBoot is enabled, [as described here](https://docs.microsoft.com/windows/win32/dlls/secure-boot-and-appinit-dlls). - **Legacy IMEs** - An Input Method Editor (IME) allows a user to type text in a language that has more characters than can be represented on a keyboard. Third parties are able to create IMEs. A malicious IME might obtain credentials or other sensitive information from this input capture. Some IMEs, referred to as Legacy IMEs, will only work on Windows Desktop apps, and not UWP apps. This mitigation will also prevent this legacy IME from loading into the specified Windows Desktop app. - **Windows Event Hooks** - An application can call the [SetWinEventHook API](https://docs.microsoft.com/windows/win32/api/winuser/nf-winuser-setwineventhook) to register interest in an event taking place. A DLL is specified and can be injected into the process. This mitigation forces the hook to be posted to the registering process rather than running in-process through an injected DLL. @@ -369,7 +368,7 @@ Export address filtering (EAF) mitigates the risk of malicious code looking at t - kernelbase.dll - kernel32.dll -The mitigation protects the memory page in the [export directory](https://docs.microsoft.com/windows/win32/debug/pe-format#export-directory-table) which points to the [export address table](https://docs.microsoft.com/en-us/windows/win32/debug/pe-format#export-address-table). This memory page will have the [PAGE_GUARD](https://docs.microsoft.com/windows/win32/memory/creating-guard-pages) protection applied to it. When someone tries to access this memory, it will generate a STATUS_GUARD_PAGE_VIOLATION. The mitigation handles this exception, and if the accessing instruction doesn't pass validation, the process will be terminated. +The mitigation protects the memory page in the [export directory](https://docs.microsoft.com/windows/win32/debug/pe-format#export-directory-table) which points to the [export address table](https://docs.microsoft.com/windows/win32/debug/pe-format#export-address-table). This memory page will have the [PAGE_GUARD](https://docs.microsoft.com/windows/win32/memory/creating-guard-pages) protection applied to it. When someone tries to access this memory, it will generate a STATUS_GUARD_PAGE_VIOLATION. The mitigation handles this exception, and if the accessing instruction doesn't pass validation, the process will be terminated. ### Compatibility considerations @@ -402,7 +401,7 @@ Address Space Layout Randomization (ASLR) mitigates the risk of an attacker usin Mandatory ASLR forces a rebase of all DLLs within the process. A developer can enable ASLR using the [/DYNAMICBASE](https://docs.microsoft.com/cpp/build/reference/dynamicbase-use-address-space-layout-randomization?view=vs-2019) linker option, and this mitigation has the same effect. -When the memory manager is mapping in the image into the process, Mandatory ASLR will forcibly rebase DLLs and EXEs that have not opted in to ASLR. Note, however, that this rebasing has no entropy, and can therefore be placed at a predictable location in memory. For rebased and randomized location of binaries, this mitigation should be paired with [Randomize memory allocations (Bottom-up ASLR)](#randomize-memory-allocations-(bottom-up-aslr)). +When the memory manager is mapping in the image into the process, Mandatory ASLR will forcibly rebase DLLs and EXEs that have not opted in to ASLR. Note, however, that this rebasing has no entropy, and can therefore be placed at a predictable location in memory. For rebased and randomized location of binaries, this mitigation should be paired with [Randomize memory allocations (Bottom-up ASLR)](#randomize-memory-allocations-bottom-up-aslr). ### Compatibility considerations @@ -617,7 +616,7 @@ Compatibility issues with SEHOP are relatively rare. It's uncommon for an applic ### Description -*Validate handle usage* is a mitigation which helps protect against an attacker leveraging an existing handle to access a protected object. A [handle](https://docs.microsoft.com/en-us/windows/win32/sysinfo/handles-and-objects) is a reference to a protected object. If application code is referencing an invalid handle, that could indicate that an adversary is attempting to use a handle it has previously recorded (but which application reference counting wouldn't be aware of). If the application attempts to use an invalid object, instead of simply returning null, the application will raise an exception (STATUS_INVALID_HANDLE). +*Validate handle usage* is a mitigation which helps protect against an attacker leveraging an existing handle to access a protected object. A [handle](https://docs.microsoft.com/windows/win32/sysinfo/handles-and-objects) is a reference to a protected object. If application code is referencing an invalid handle, that could indicate that an adversary is attempting to use a handle it has previously recorded (but which application reference counting wouldn't be aware of). If the application attempts to use an invalid object, instead of simply returning null, the application will raise an exception (STATUS_INVALID_HANDLE). This mitigation is automatically applied to Windows Store applications. @@ -715,4 +714,4 @@ Compatibility issues are uncommon. Applications which are leveraging fake stacks ### Configuration options -**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). \ No newline at end of file +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). From 55d1d47942c1dc44f7d208f4bf082b2bc996884b Mon Sep 17 00:00:00 2001 From: Chris Jackson Date: Tue, 1 Sep 2020 10:53:35 -0500 Subject: [PATCH 26/31] Updating based on validation script --- .../microsoft-defender-atp/exploit-protection-reference.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md index a1ddcfd73f..643b87e9a5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md @@ -188,7 +188,7 @@ Arbitrary Code Guard helps protect against a malicious attacker loading the code Arbitrary Code Guard protects an application from executing dynamically generated code (code that is not loaded, for example, from the exe itself or a dll). Arbitrary Code Guard works by preventing memory from being marked as executable. When an application attempts to [allocate memory](https://docs.microsoft.com/windows/win32/api/memoryapi/nf-memoryapi-virtualalloc), we check the protection flags. (Memory can be allocated with read, write, and/or execute protection flags.) If the allocation attempts to include the [*execute*](https://docs.microsoft.com/windows/win32/memory/memory-protection-constants) protection flag, then the memory allocation fails and returns an error code (STATUS_DYNAMIC_CODE_BLOCKED). Similarly, if an application attempts to [change the protection flags of memory](https://docs.microsoft.com/windows/win32/api/memoryapi/nf-memoryapi-virtualprotect) that has already been allocated and includes the [*execute*](https://docs.microsoft.com/windows/win32/memory/memory-protection-constants) protection flag, then the permission change fails and returns an error code (STATUS_DYNAMIC_CODE_BLOCKED). -By preventing the *execute* flag from being set, the [Data Execution Prevention](#Data-Execution-Prevention-DEP) feature of Windows 10 can then protect against the instruction pointer being set to that memory and running that code. +By preventing the *execute* flag from being set, the [Data Execution Prevention](#Data-Execution-Prevention-DEP-) feature of Windows 10 can then protect against the instruction pointer being set to that memory and running that code. ### Compatibility considerations From e39cb535ae16b38e5c1fd4908388a68ebf422ba2 Mon Sep 17 00:00:00 2001 From: Chris Jackson Date: Tue, 1 Sep 2020 10:57:43 -0500 Subject: [PATCH 27/31] Removed in-page link to DEP Couldn't get any syntax to work for an in-page link due to the parentheses --- .../microsoft-defender-atp/exploit-protection-reference.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md index 643b87e9a5..d8f35500f4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md @@ -188,7 +188,7 @@ Arbitrary Code Guard helps protect against a malicious attacker loading the code Arbitrary Code Guard protects an application from executing dynamically generated code (code that is not loaded, for example, from the exe itself or a dll). Arbitrary Code Guard works by preventing memory from being marked as executable. When an application attempts to [allocate memory](https://docs.microsoft.com/windows/win32/api/memoryapi/nf-memoryapi-virtualalloc), we check the protection flags. (Memory can be allocated with read, write, and/or execute protection flags.) If the allocation attempts to include the [*execute*](https://docs.microsoft.com/windows/win32/memory/memory-protection-constants) protection flag, then the memory allocation fails and returns an error code (STATUS_DYNAMIC_CODE_BLOCKED). Similarly, if an application attempts to [change the protection flags of memory](https://docs.microsoft.com/windows/win32/api/memoryapi/nf-memoryapi-virtualprotect) that has already been allocated and includes the [*execute*](https://docs.microsoft.com/windows/win32/memory/memory-protection-constants) protection flag, then the permission change fails and returns an error code (STATUS_DYNAMIC_CODE_BLOCKED). -By preventing the *execute* flag from being set, the [Data Execution Prevention](#Data-Execution-Prevention-DEP-) feature of Windows 10 can then protect against the instruction pointer being set to that memory and running that code. +By preventing the *execute* flag from being set, the Data Execution Prevention feature of Windows 10 can then protect against the instruction pointer being set to that memory and running that code. ### Compatibility considerations From 00de4c63e8a81d2b19acea2d7d2341ae1c5d3b71 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Tue, 1 Sep 2020 10:06:46 -0700 Subject: [PATCH 28/31] Update TOC.md adding microsoft-defender-atp/exploit-protection-reference.md --- windows/security/threat-protection/TOC.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 666cf8cb70..ce98f71d7c 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -76,6 +76,7 @@ #### [Exploit protection]() ##### [Protect devices from exploits](microsoft-defender-atp/exploit-protection.md) ##### [Exploit protection evaluation](microsoft-defender-atp/evaluate-exploit-protection.md) +##### [Exploit protection reference](microsoft-defender-atp/exploit-protection-reference.md ) #### [Network protection]() From 2f42813c90bd5345d443aa2cccd4b4b7aae11ce6 Mon Sep 17 00:00:00 2001 From: Linda Diefendorf Date: Tue, 1 Sep 2020 10:46:46 -0700 Subject: [PATCH 29/31] Update device-guard-signing-portal.md Adding in Important information regarding DGSS v2 update/migration. --- .../device-guard-signing-portal.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/store-for-business/device-guard-signing-portal.md b/store-for-business/device-guard-signing-portal.md index 6a2720e035..a3e5be63f9 100644 --- a/store-for-business/device-guard-signing-portal.md +++ b/store-for-business/device-guard-signing-portal.md @@ -17,6 +17,23 @@ ms.date: 10/17/2017 # Device Guard signing +> [!IMPORTANT] +> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) will be available for consumption starting mid-September 2020, and you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service between September and December 2020. +> +> Following are the major changes we are making to the service: +> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets will be available as a NuGet download. +> - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it). +> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired at the end of December 2020, you will no longer be able to download the leaf certificates used to sign your files. +> +> The following functionality will be available via these PowerShell cmdlets: +> - Get a CI policy +> - Sign a CI policy +> - Sign a catalog +> - Download root cert +> - Download history of your signing operations +> +> We will share detailed instructions and NuGet location before mid-September 2020. For any questions, please contact us at DGSSMigration@microsoft.com for more information on migration. + **Applies to** From 145209f5ffa4f7724144c508bf6f8284a950d836 Mon Sep 17 00:00:00 2001 From: Linda Diefendorf Date: Tue, 1 Sep 2020 10:46:51 -0700 Subject: [PATCH 30/31] Update sign-code-integrity-policy-with-device-guard-signing.md Adding in Important information regarding DGSS v2 update/migration. --- ...tegrity-policy-with-device-guard-signing.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md b/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md index e0db1ee7c7..e0acead8f1 100644 --- a/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md +++ b/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md @@ -17,6 +17,24 @@ ms.date: 10/17/2017 # Sign code integrity policy with Device Guard signing +> [!IMPORTANT] +> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) will be available for consumption starting mid-September 2020, and you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service between September and December 2020. +> +> Following are the major changes we are making to the service: +> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets will be available as a NuGet download. +> - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it). +> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired at the end of December 2020, you will no longer be able to download the leaf certificates used to sign your files. +> +> The following functionality will be available via these PowerShell cmdlets: +> - Get a CI policy +> - Sign a CI policy +> - Sign a catalog +> - Download root cert +> - Download history of your signing operations +> +> We will share detailed instructions and NuGet location before mid-September 2020. For any questions, please contact us at DGSSMigration@microsoft.com for more information on migration. + + **Applies to** - Windows 10 From ec09beb4fb79af4b33dcdcaf76d6c749f52f083b Mon Sep 17 00:00:00 2001 From: Linda Diefendorf Date: Tue, 1 Sep 2020 10:46:55 -0700 Subject: [PATCH 31/31] Update add-unsigned-app-to-code-integrity-policy.md Adding in Important information regarding DGSS v2 update/migration. --- ...add-unsigned-app-to-code-integrity-policy.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/store-for-business/add-unsigned-app-to-code-integrity-policy.md b/store-for-business/add-unsigned-app-to-code-integrity-policy.md index b343954c9a..24ec842c6c 100644 --- a/store-for-business/add-unsigned-app-to-code-integrity-policy.md +++ b/store-for-business/add-unsigned-app-to-code-integrity-policy.md @@ -17,6 +17,23 @@ ms.date: 10/17/2017 # Add unsigned app to code integrity policy +> [!IMPORTANT] +> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) will be available for consumption starting mid-September 2020, and you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service between September and December 2020. +> +> Following are the major changes we are making to the service: +> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets will be available as a NuGet download. +> - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it). +> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired at the end of December 2020, you will no longer be able to download the leaf certificates used to sign your files. +> +> The following functionality will be available via these PowerShell cmdlets: +> - Get a CI policy +> - Sign a CI policy +> - Sign a catalog +> - Download root cert +> - Download history of your signing operations +> +> We will share detailed instructions and NuGet location before mid-September 2020. For any questions, please contact us at DGSSMigration@microsoft.com for more information on migration. + **Applies to**