From e4e46f2a2d92129a15392a4a4056f78ad2c9ca3d Mon Sep 17 00:00:00 2001 From: illfated Date: Sun, 8 Mar 2020 22:32:47 +0100 Subject: [PATCH 01/64] Update wufb-compliancedeadlines.md: pencil edits **Description:** Based on the newly merged PR #6165, it seems useful to make a couple of minor edits to improve readability slightly and to avoid unintended capitalization other than brand names and start of a sentence. **Changes proposed:** - Remove "For" where the lines already contain sentence starting caps and apply consistency to copying section headings to the link text. - Whitespace adjustments: - "Trim Trailing Space" (remove blanks at end-of-line) - Remove 10 redundant blank lines - Add MD indent marker compatibility spacing in the Note blob - Add MD indent marker compatibility spacing to "Applies to:" Use either the Rich diff view or the Hide whitespace changes feature. **Ticket closure or reference:** Ref. PR #6165 --- .../update/wufb-compliancedeadlines.md | 62 ++++++++----------- 1 file changed, 26 insertions(+), 36 deletions(-) diff --git a/windows/deployment/update/wufb-compliancedeadlines.md b/windows/deployment/update/wufb-compliancedeadlines.md index 41edd21e70..67b6e07ec0 100644 --- a/windows/deployment/update/wufb-compliancedeadlines.md +++ b/windows/deployment/update/wufb-compliancedeadlines.md @@ -6,30 +6,29 @@ ms.mktglfcycl: manage author: jaimeo ms.localizationpriority: medium ms.author: jaimeo -ms.reviewer: +ms.reviewer: manager: laurawi ms.topic: article --- -# Enforcing compliance deadlines for updates +# Enforcing compliance deadlines for updates ->Applies to: Windows 10 +> Applies to: Windows 10 -Deploying feature or quality updates for many organizations is only part of the equation for managing their device ecosystem. The ability to enforce update compliance is the next important part. Windows Update for Business provides controls to manage deadlines for when devices should migrate to newer versions. +Deploying feature or quality updates for many organizations is only part of the equation for managing their device ecosystem. The ability to enforce update compliance is the next important part. Windows Update for Business provides controls to manage deadlines for when devices should migrate to newer versions. The compliance options have changed for devices on Windows 10, version 1709 and above: - [For Windows 10, version 1709 and above](#for-windows-10-version-1709-and-above) -- [For prior to Windows 10, version 1709](#prior-to-windows-10-version-1709) - +- [Prior to Windows 10, version 1709](#prior-to-windows-10-version-1709) ## For Windows 10, version 1709 and above With a current version of Windows 10, it's best to use the new policy introduced in June 2019 to Windows 10, version 1709 and above: **Specify deadlines for automatic updates and restarts**. In MDM, this policy is available as four separate settings: -- Update/ConfigureDeadlineForFeatureUpdates -- Update/ConfigureDeadlineForQualityUpdates -- Update/ConfigureDeadlineGracePeriod -- Update/ConfigureDeadlineNoAutoReboot +- Update/ConfigureDeadlineForFeatureUpdates +- Update/ConfigureDeadlineForQualityUpdates +- Update/ConfigureDeadlineGracePeriod +- Update/ConfigureDeadlineNoAutoReboot This policy starts the countdown for the update installation deadline from when the update is published, instead of starting with the "restart pending" state as the older policies did. @@ -37,23 +36,19 @@ The policy also includes a configurable grace period to allow, for example, user Further, the policy includes the option to opt out of automatic restarts until the deadline is reached by presenting the "engaged restart experience" until the deadline has actually expired. At this point the device will automatically schedule a restart regardless of active hours. - - ### Policy setting overview |Policy|Description | |-|-| -| (For Windows 10, version 1709 and above) Specify deadlines for automatic updates and restarts | Similar to the older "Specify deadline before auto-restart for update installation," but starts the deadline countdown from when the update was published. Also introduces a configurable grace period and the option to opt out of automatic restarts until the deadline is reached. | +| (Windows 10, version 1709 and above) Specify deadlines for automatic updates and restarts | Similar to the older "Specify deadline before auto-restart for update installation," but starts the deadline countdown from when the update was published. Also introduces a configurable grace period and the option to opt out of automatic restarts until the deadline is reached. | - - -### Suggested configurations +### Suggested configurations |Policy|Location|Quality update deadline in days|Feature update deadline in days|Grace period in days| |-|-|-|-|-| -|(For Windows 10, version 1709 and above) Specify deadlines for automatic updates and restarts | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadlines for automatic updates and restarts | 7 | 7 | 2 | +|(Windows 10, version 1709 and above) Specify deadlines for automatic updates and restarts | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadlines for automatic updates and restarts | 7 | 7 | 2 | -When **Specify deadlines for automatic updates and restarts** is set (For Windows 10, version 1709 and above): +When **Specify deadlines for automatic updates and restarts** is set (Windows 10, version 1709 and above): - **While restart is pending, before the deadline occurs:** @@ -68,7 +63,7 @@ When **Specify deadlines for automatic updates and restarts** is set (For Window ![The notification users get for an impending restart 15 minutes prior to restart](images/wufb-restart-imminent-warning.png) - **If the restart is still pending after the deadline passes:** - + - Within 12 hours before the deadline passes, the user receives this notification that the deadline is approaching: ![The notification users get for an approaching restart deadline](images/wufb-pastdeadline-restart-warning.png) @@ -80,22 +75,21 @@ When **Specify deadlines for automatic updates and restarts** is set (For Window ## Prior to Windows 10, version 1709 - -Two compliance flows are available: +Two compliance flows are available: - [Deadline only](#deadline-only) - [Deadline with user engagement](#deadline-with-user-engagement) -### Deadline only +### Deadline only -This flow only enforces the deadline where the device will attempt to silently restart outside of active hours before the deadline is reached. Once the deadline is reached the user is prompted with either a confirmation button or a restart now option. +This flow only enforces the deadline where the device will attempt to silently restart outside of active hours before the deadline is reached. Once the deadline is reached the user is prompted with either a confirmation button or a restart now option. #### End-user experience -Once the device is in the pending restart state, it will attempt to restart the device during non-active hours. This is known as the auto-restart period, and by default it does not require user interaction to restart the device. +Once the device is in the pending restart state, it will attempt to restart the device during non-active hours. This is known as the auto-restart period, and by default it does not require user interaction to restart the device. ->[!NOTE] ->Deadlines are enforced from pending restart state (for example, when the device has completed the installation and download from Windows Update). +> [!NOTE] +> Deadlines are enforced from pending restart state (for example, when the device has completed the installation and download from Windows Update). #### Policy overview @@ -104,9 +98,6 @@ Once the device is in the pending restart state, it will attempt to restart the |Specify deadline before auto-restart for update installation|Governs the update experience once the device has entered pending restart state. It specifies a deadline, in days, to enforce compliance (such as imminent installation).| |Configure Auto-restart warning notification schedule for updates|Configures the reminder notification and the warning notification for a scheduled installation. The user can dismiss a reminder, but not the warning.| - - - #### Suggested configuration |Policy|Location|3-day compliance|5-day compliance|7-day compliance| @@ -129,13 +120,13 @@ Notification users get for a feature update deadline: ![The notification users get for an impending feature update deadline](images/wufb-feature-notification.png) -### Deadline with user engagement +### Deadline with user engagement -This flow provides the end user with prompts to select a time to restart the device before the deadline is reached. If the device is unable to restart at the time specified by the user or the time selected is outside the deadline, the device will restart the next time it is active. +This flow provides the end user with prompts to select a time to restart the device before the deadline is reached. If the device is unable to restart at the time specified by the user or the time selected is outside the deadline, the device will restart the next time it is active. #### End-user experience -Before the deadline the device will be in two states: auto-restart period and engaged-restart period. During the auto-restart period the device will silently try to restart outside of active hours. If the device can't find an idle moment to restart, then the device will go into engaged-restart. The end user, at this point, can select a time that they would like the device to try to restart. Both phases happen before the deadline; once that deadline has passed then the device will restart at the next available time. +Before the deadline the device will be in two states: auto-restart period and engaged-restart period. During the auto-restart period the device will silently try to restart outside of active hours. If the device can't find an idle moment to restart, then the device will go into engaged-restart. The end user, at this point, can select a time that they would like the device to try to restart. Both phases happen before the deadline; once that deadline has passed then the device will restart at the next available time. #### Policy overview @@ -144,15 +135,15 @@ Before the deadline the device will be in two states: auto-restart period and en |Specify engaged restart transition and notification schedule for updates|Governs how the user will be impacted by the pending restart. Transition days, first starts out in Auto-Restart where the device will find an idle moment to restart the device. After 2 days engaged restart will commence and the user will be able to choose a time| |Configure Auto-restart required notification for updates|Governs the notifications during the Auto-Restart period. During Active hours, the user will be notified that the device is trying to restart. They will have the option to confirm or dismiss the notification| -#### Suggested configuration +#### Suggested configuration |Policy| Location| 3-day compliance| 5-day compliance| 7-day compliance | |-|-|-|-|-| |Specify engaged restart transition and notification schedule for updates|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify Engaged restart transition and notification schedule for updates|State: Enabled
**Transition** (Days): 2
**Snooze** (Days): 2
**Deadline** (Days): 3|State: Enabled
**Transition** (Days): 2
**Snooze** (Days): 2
**Deadline** (Days): 4|State: Enabled
**Transition** (Days): 2
**Snooze** (Days): 2
**Deadline** (Days): 5| -#### Controlling notification experience for engaged deadline +#### Controlling notification experience for engaged deadline -|Policy| Location |Suggested Configuration +|Policy| Location |Suggested Configuration |-|-|-| |Configure Auto-restart required notification for updates |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Auto-restart required notification for updates|State: Enabled
**Method**: 2- User| @@ -174,4 +165,3 @@ Notification users get for a feature update deadline: ![The notification users get for an impending feature update deadline](images/wufb-feature-update-deadline-notification.png) - From be13b6ac1ace4d4878f3d70c5bb08422a12af3c2 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Tue, 24 Mar 2020 14:26:12 +0500 Subject: [PATCH 02/64] Update wip-azure-add-user-groups.png --- .../images/wip-azure-add-user-groups.png | Bin 21512 -> 33671 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-user-groups.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-add-user-groups.png index f45343107002197066b9041bc5c7019424f0e16d..34c89b37a9da52d2b5df37e95fa53ae28a60e4de 100644 GIT binary patch literal 33671 zcmcHhXHb)G_%4d7fFKA2ks>V=Y0^RI5J6B71hLSIfHdhunm|yBfHaZb6%|Bk=)FrX zqDV_1)F37Fo&fuazx7}1oS8j)e>iiTahNv=FUiyHtKErssB@2+l7;fzxpUN-8fuTu zox6ZOckX;J#YON4b86Qp_;DWo=$`7i;z71$a6xLP@<8R>Ibhn6qS4WP(_dKs$N9S*8PW<=R#TZ z;%Ckus^LLT@BoKx5$%*A15N@E`$>Z?Cz-&@$cB+qlQ5TO-m+^-}dx zeZu%a#MR$sPt6Pt)(ES(>H@8&MaG`lbgC3wArRFsp^yH2e;Pl-`0tYYLBen-8YEv|jC|vw`k!Z18C{6KPQmpn{C~e%Ey(2GJ;QHW1=MII-e6ec zNXzh^_O+dE@U>n3^;Jdtl`NsbPdl*_*Z(0-CJkEUN@+z)vqFB>4DilF`=W zx$>jB`_x)iPhTlB?cm{yp599}vvTcw~=^ z_VHe{W3lN?Kyr!k>1Jghaj`*OzszMEZV2q+EzXV&N|U7o;Q;fV*VEfuhJ&5# z{th1R@62p(I8LNEihjWNkZn=`j6Vd8-)DGcbGzcsKJ?h>D6t&M;~kN$MV$}eqnV4Q zJ9HSC4fnphRXKT3`pFkV`=A^(ee-GTsoo&so0HaG(>g@W_LLzUtykS>d1KVkVa1!n zD(!UT*5h1{q=BX5^G@{STfH8K)=#c3?T$5{RyzFoo>+S@?KjX)3uEhGfgenHqh9;C zTjA_r_|#M>yBMX5<7eA_Vgny|wF;l2f9z;B&9;Z3ZeGA$P%ddYe(|^&5wP=1ODy%% zov=wCXiT1>cVQp>)Aa0Fr;h0$qV9)!z24*lwOwoE|ARF`6B z_{|uutkM-2?fCYNylqc7YyUBAR=MTr&&LC8U4t?vOik(KXAc$19Z#%GIuWW%l798Q z!|VfCG4pDh`khkmF58`fd8U-if~8ajdVH$u86sk$-ubiAVD9XqPP|xX01Y(LU+nv{J8<| z6R95G$~D7HR+g{xF61>9i$qadt3ku4S#9~RemTLMon#v|_#lo5YLSq-L zdksH?>2CkD^~TjoJl7^{dF)Ygg$T$FH&5oQ<#wyak9R6E z$ou{pOspwSdfA@2O}wXuS-I4E{NA_4e-|q!!wS?l@1;9T<78xWc_x+t4tIskXPX;qbk}vC2yr$gRNIQkOxOU#w(p`ucko2qqg*IIL#in@qB&eN$3qS8~7AJrt4 ze%SerL1^vEg;^t{mHOjq7qfIm+J8%cuB{@X)NUxt6oF=waU3l)L|tQ@)X5@Da@ZcM zPuY%q)02iaoF1=YH`{5ebABe?vh8P1zsoj<8Pc6fn4Mf2WUV12Tw)7O={(COupLx4 zpA6*cbrn@lzo?d*PCW0Dy`Sy3UW@%>U=dvzAz=uPr$WT`k#&1W=q1%Bn0DV2_lCK5 zLThrKOXJb=`FU9{4$RWqP;9HvdlLtkz~%?uW85~sZ4JbhQf?Nf+Vmy;a4vzUhA#-> zPBr*h&#kV{1)AA45zOWd4_}Q>=x5lT9aURmvT(KsoxI3-#CX#%hk6J@C`*k_kj*iWcehJh0erL-6r( zcYNVy(L{0B#6Avhd+_Rbv2qN7CHyo{oRckg98j&tg{_^Hoh>T!l}Jn`h&;)UJe?bi z<7wDY?o3==>Ar+ty-Z%Zj0{kQAFF)iSm9CTcb&Guci~YXXd8wTIrWE}A)kMlx>*fi zu=Fxyq>Q8YmFZ9&p|Pzw$0rAvCHYZZTJjLuwp0%~gdyC__)s?F=7r&}p})rpjjZP( zdag}JxgxP;`RzkXs!y(oa-!*Scf(%)S@U{HP@$NP_R>+W4?J`NEQHjJK~DMe^(h{PKyr18FCRqnoT4S922{%+U3R z#o5_qDHQGoU9eG1F8l1f>E_P7^n7QC<5w@-WUf)Ut^POodhMXQ%BNyCIZEQc2=atS zZ%Tg&)xQ>(+nNac8I1e2Sg=@Tn3SJjBQjqvBQg|0vE3P7oo&XXKPN_hv!6ja;N^_S zijQgF$=>L%o6eIJoP4exD+Bp~CSFspwQ1WIS%~<2k0<2imbQZ)FT5_JWkafjM&$VH z6r#rNDetg;ej2|~9Wa$9(y(=+vyfuy{ARN$EP8;)Rp*sX`jnUX5gZrxYi(3TF%OD3 z{8X92efx9x@rRn%Zt7o-&L>}h#kNPVP~;u`jCn&sK1nVs7;A$nb*Zy%>ym#H{x#lb zW$V-B!uZ>$@vbYV=D@R>(WlM+^%=V2#(iUAlgqk(JfGdh8GOl3)XW_`6-B z{JjcKdlQO`yVj+6%g>gvP)i=h~>$jm4hSRE!5ocoiRYj@a)#u8%(RoZ8vw znf5q3>d(aBpi%JSJlILk^j)ara}Ckq0g?n#el<21sKxX}YL$RULDpA>Vv2m5Pr< zXsKq(dwP&9VJ@?ULCab1B^iIox+Z12fZ7+QFeD6}cf2u|6}Ff0Z5MS2;1de2!LfaT z7JuX!wqq@^K2`4xDTj8x^ZMoWF;iFh=*tvM^8CI7J$J%sO%t4^l%^gT>s<(4;uM{h zl{C+=_MRHHKpPPpTN0PSJbey0>CH4In^PfhaXNAq4LmPHYe#?BU*_fI~4F;jkJC=Foj>hPn{Jrx-54?0X zOeaNLVR_=)%qFMD2Vv4;;okOK?_Q#PCwkO&g{sVH;r_j8@U=N-0)}Zd- zx3RF(nns*X%hMp<&6bEO78#tA5G%tIv_v-I*g-qw(3joiEYZLmiSkzlTSR*B&8D4_ z+ZZEsyUpA*dd?>$JXdZ{6oV zsjcue>tz;T`R-!|!fiDOKaSc`Y84qOPi`N;uxjG%G4q);(u0G&gp4tR%bY zXbj@=py7HCbbhl2tKQ(gaD2FGamG@={#Ptur{sKCGrMw(VDHf|n!=RH)q`$ikam%;|o$7g?luI5&qIylNLf`xVAl3o{f%nPbEOG2yo43lu!1v`}p7m-`I6$6Md4K?NZBkup$b2rl^7cNO= zZ#?W>!>=n}#cdY6opNmW(>5M{{c>OdPJ;^`g8vb6?&$6|u=K$1tFgrW4=az>aHIOi zw&U(zuL=E+kMn#jZp3~MP`r`4s_9z=uiEAO`tJ!y=9vT?(V|>dISG&_qu{6 za(ti$(1G{)@2~%V(E96(t8T8f%c0L!Z+}+`D4Ha40u0)7_Rf%cLK@5+rF+9QQ?;TY9$|=YL_K}@!yFys&>gVYDP2~HNL7m z0;h&Gtiw`A`RMshax>uvfe2}jh-;+d-Af|n`Y|{JW)cFfq@J~$g9D74#&zc{5yoFc zhA}3azsmOoAa)?&U@CdD@@q2*7&J=N2zs>At6g!ihRvW8q!QQ_{nL$p1EWPIMV`$% zney1bpJQn}u(mtc0o(b`Xd)yVT}c*oshPbfq_En_{dP(N=2EsoKraYC=~!~>1b-kC21V3>5+7aZa?5eF|EAOU&kC2R$%gG- zp?&gOl!ddf5OKDmW_`3 ze8In(sq1KN(It6bVZ+T*8E?WKlDgom*LQ@Z12|pDKu7vK)bW zOA3R|YeY?8m3#dHd}%P69V{FrDHpVC`SYF+rq#y*-FU###@^}m=4qRfxHRsKa)wC& z{w5`4P+Vbi07Q=dv|D}H_O>CfYL}^?j9QfDHH(0~!~w1BTnY#Xy!{^j?5JpRXKT!&w{^b{ zVcok~>I{5loV4>&24R*qu=HpyuHW$3H?Ba#-4>Jlx(HhLvO#%3{?ZrNn#4AAeoYEcYF$hdzsN=J? zkW012wPaL`DX`P6*xJEJ1^z%h3bS?)>^K#@1F9YS!aKfH_qS@OtDVgp-+s3qo}6q1 z#s=sL#+Q*(vpoN8h9NYQh`Y_SjC=Ear(QlC1k0=2^nTQg^6BCH1F%jC{o2T({*Vqv znhxm;ON5=F>Ld?D!;z)(%D2z`8-Ztj@T0|A1LN5+f{dQ@GQfVPz9M7prZ8aY`b-R zqFI@fpEc#8Xg=9D*#Sz>c!U66dtATBn1L;m_4qBslU_`JbC&S4+Qg;y2j#waxF(+_ zp!;P*_r(XbrQ62ru0}+`RVEXdTrLFsU@#beB^W7TP1w1zL9E)DY;FVYqO#r#&C9vz zPJWSd3Ot~A!8L1VY?qsT&i57`a!W?He0beb7O1xz(k6PT#%_p1Nb%A6w!by=G3BDP z&Zw$ecA1_@)Y$?1sV8)e3m>$CGUT2BfGY~SYkuLVH$l+48hM*LY1(&*J)KD}^sjnp z!&WD&wCLr%IllQ7EICx->F2xDLVN+?Jg~M@g5fU2&rk<>ihs}4=hv4cLR2!X-U8(y z;9IO5mRTqvyuhToIN%!%l}8v2yHo1moUtK<|4`I=xbs5zSGwWoLzSN)cr0hM#7B`` zdZ=0N-*Ke1sE`P^4}Kq4g~`kGN~@g-qFM_H-D$rQ;(JL*!&bPK26A?oCG%pW+r`3r z%Cm~PB36-kqw7!V6&s!^vRkGoc@9FF1 z(DwOUJS1@C+EP%3pqRZ7#-TWtDAbh+kbJ`A>1J~pxG;A`iq>@-&!kqwWqWP1TV3f$ zIbGm~X|8(T1y$WP-lKIu9_6>n&UEdW#ZhmZLkRT6ttwx{H!q(-#J=6)3WL+;JSE9o z@Ow(1nW!>|7<#44V_+$QKg<4iKmngW&=dFXF=wc=-Ow+zhsBd=u?109Um=|Yy0X1U zR)wG`pK4f`YUYr9AGZ~?8idVvAx?U*6&DzYv+4cu>z#($T4{9UhZCY6zCS9Tq{4SG z!N{=mk&N@?h)z_g6G;y17OoIS@lm{R;SGxH=g^o%;1p%vi$C8dyc8f-6h7M|&bF87 z!on5#uKI!l%Sz5xIGH`$5rSrsl_C0?~EKpSxW% zs3vn8Zj(w~>Wq%4r;cdZ(@>&#vEsQj-^uD)5#UMNkh}A5@t1?ekNql*5?zO0n+Y?1 z!2O#-L8o4nU$@F0^Z3B$@z*vNc>9cwbm;>&2eLO%3sQ#ah@&^!WCU@NHflWvnnC&H z+x}c^>}YN=0fOOUa@tqi%1Eaj)oW_^uNtbi7Yl|D3xs#gt$!S-m}*s4jnxf-B05I~ zNIBPFrVztSQX#2PbC-67^Yi9Oci3m^$zSh{hcVbetSxJ3+N|Hy#P+hPOIr6FZFYTd zyx7Y8^kOj=g$u{k0j>9Sk^LL)Cad>OV~1ppQm-TZw5{gSdlIOF@Vi|x#oDc|3lJp=+2g;uqB&sOPQ+eG z-Q`-VkEE5sEwatY$59x1wU4p8FgCSxwxxa7~dbV@{IrH1+EaUx+Wd#YyRGt{wHskxSGXmU%wyAh?rJ!VTccR=5wa++e9M&vk!&z1P zRo8^jB1cMax@HIUubgUsnW0NS(v=zt1qeyG*UZ&uGIc$BdT(I|!s`Md?z6Y8zaq}5 zU7jk-RTz7$ zxGA&LdT+9&rq2ChXOP6K{BBom>4MDQvOWEnOuQ)H%Vxr&Snznm>>w#nXGN6JG@a?> z(W#KU|2Ec64@E2Wz3fMroAUeNrrZks*v!>_T0BCW;d{a@>X;$P2Pi(f(78{NF0DL| z=w#21$C?ZOq}$X%WNU<<^*p%he_xJcww+eUiW1o=@|?q}!zxYqP*+Ou_DosZ1)=Y1 zO1q&L{-lS=v9IW!>Li4!d@=Q!u)%(gRW8Fd03ErgGTY;B6f@mI@A*|Oo48m);rQ)Z zVUw;eq=EK?&@GjvPtx0#wV!F0lFc8MYR}yd(#TyCcd5K0oLP7{6Wn6?CuR9}o{3(2 z$GfoenUSF+1^jK%iVL1v%dX@8im80m{~7#13- zkU+Si9GRC`LU_kT$d+!0l(CrrI^&EooTd?yL(C{g@zVxL@(CA&k3YX`*c3f>x^z#{ z`Wo5TWk-b6V8WY94z37R3atr=ICuxB%RjUcko0xMhm87<&sz1+Os7Xffs_6eu$8ux zwj%)^L%J{8)8R`QQd|*1NJ~xFWJJyLU%hIt5kH~ke2Mq}8_A8EN%kw2Iqg1f(YG5G zuUxZRnN?_$rqz|4m}jxE+QFu~=HiHTA;;(84SbiAMX9r^5L1$f%nv4E;nl7ie2Rw4 zkB|0XDR0hX1;-U2g_EmQBGuWJrwGq=lMQYeZBd`COR)9Bc=8_8EYov%UC&ZZos}k?c;A zFj=|x+GlRNt@guzv|JCZ0czFat*r|Q=GBMbskt~xgDd~hZW=~GCbWX?Y3hXM{g>y= zP3dD|4kqW?q)8f8I?uOT+)=k;di15v!^yrBVJkn-$b z_0_50F-;Dlht2caC-aV^$YIVZe#OmHqk4f2ChQ@nj#x9n<1ui)0Fv7v9snrW4$+c7 z9LoMR0nt(y{C|E_k&ZSHH7L*@Xi7S&95a_%%Jj|((Be`}Z86#O36Kh67m_Q9Y(6{1 zKL8PgH3_GkcS~-{ZtlQckqCokl?!vb`s|Xy7+uVTqIol_Hs9?5N}eiWQZ-&Jz5jQ( zeN?@+;R3#}e6Z}~a3AG5fUCy1G~w43Oiqau@w-8Z%g**_Q}YSVRsTzU)gz7otn9y8 zi!<(hQfRn!`b>d0sD75cV);ybxT(tl`5p1qLCf3XubQDz(F z8_h}EA+yb`mjG$YG4SlFSWCnY>@^iyUF?Jn!EOa0GnaKXxtQQ-2HIW zXK`u;k_ApHqeYIBRnCqUhGzmZ{)9`HFZj_+6e;zJURd zd;pN!et_!>{}w&Yi^)7EE3s}r@-2?25ICcbma<*Th7xN5Nq1IsMw}ik;r3sjC+P>Q z6t_CwQ|~^1SEygcb=qllc^vuKnPku0qlee)@?ShCpD#of8dTGp+zbCxw?wYh-tSQe zw16y&ZsWpM`%@6`4~!^fq9JzSAWCXb{6X4H2`WZmibwnLiHSBpq!=Bufwg2L?D_FOd8INezi8yGAKHAy8c*j}3`AJ`kSaD~x*vJ7t@AoYGP(6;Pf zrmMKlLX`EJ=DOJ6+Gzjf*JbXJ=Se-ypE*P2Jia&!efs7<_HXCjXSpU+b6!hYHU0Hp z9foZG?TAX|ooi${{)EG=(IFNpaiNGOV8LoAiL+b0K&wDTYFr>;hXM1^GTb}v4Yb8< zX7yeVUWHy=f}a3Z{AcuJ+Hb?i@s_7t^QKS3W*gP0MP@@tkYdGuah+}cMcN0zR3#4P ze*EzNWOd#t{67kP|0lo0-TFToq@XA6mI2OM;&u{gln7O~*I-f-<<)>?K%xJP)@Cy(D!P7vPo+5-;D(FbQ?6ZO_`2%PiY)Rs=wCV~^Z z)$sn@C;IxMP0vsXH=f=YzrhSUS=J2}0UrQp%2uU`9HJ-7ytagnv7pA_;BtzhRLK#< zyAStL-`&!VH|b1c7gClHvN$P{^J=*u)YAUG1Tl86ym~+ND-R-zUQq4r$7UOD?OrnP zI`uaY-ng7Y7frWF?T;!|;i8!$xydm#t?ToTuJG2dFJS5e%8ibU&p7XHD!n^!Y?428 z;r(#$D%*(&z2!gk_D8r-Ny9H;!_t=B)v=-Vp%jVsw|CAH$_m&6kw(h729Wr9^AAjh zt>u%ZHXxqD(D8-5({HgiQMv{xb~&NdcfmiGMA$*EmH$TOdzW8R-dvJIjkkmA5)7-A zBrLHyR#N>2_vEaF=Vez6JL?)d+hnz?Yx}3$MN$X{ksv>BCrYdBu!hxKn8ORtLv;v! zHVFRQ^irz1ZOZ*}9X*k?QRlgu)*4Jsj!eB|%`7IH^UG8tA?GkA@#P_Y&Y~ngZIibb z#IBsNgPG}@2WlPnKuFBJyEV3*URTi)98Y#HMhhKC@IYL3cz@@*YOTj&P!U0s&sFip zsH;ttXa>g`?_iP`A8$k5K!fj&)mX>RPj?2?namPOHB9SXI+XJ6vJ1)Q>SVI8&d-U@ z(hn1*@^@E5hUqeo@4mh9V5pSqM)dpeZ>ox1IgrPVuW;TEX6~(|ITje-HW&=J(f(ZG{JcwkESsF9i+OWKL!q&yP<+@ zijyw`F`E)w_G4Ai4kO}ciwE6zrrX+Tmn?gp&!%`7^@!2S1{}XEx9Ma2U1%g#KP2~( z(L@G&TDuMe@u^dwKDrEH6gC>HcjQ+s8sHlicPxd(FWg#5X?uOzCPH7l% z=7&2rOKBE~Dmbg&YCM>h;<+0o4s_K>GyExrE{=`-ft!rOuMT1o1q(E>>e*2f*IQ4& zKe_ZMk~W&l2 zDRb{evy57eeAQyY&x4pB96n)_JR$1_>*mjJ3%VxlloGwv6{biySLrnI%UBDkyrsl; z>&26-#gKgcqBMueiu{3lrywEIwf#sZUD{cDC`-v%e(&J#Fi)~TM9}=nG3;o8eg_nm zbfUEBe!ll(F<2=*>q|fSjmpb^*vBiX%Q!4>xw?OL94p>8o-tO@xXdihX^Zr_e{hrS2g->fCq10? zbvg-uy@WR2^FRHkG{rlnIOYOKfQ`GyfpiZ&Ld~5yE6ztrtsNE_BDuYAy6MsbSo$9L zLsIX0FI+!^fvIH{Ft$==5J39HG5rNe4O$Og^1u!VuF>zH>P@6DeZC~ zpwPm`(RE}^!Rw60<>7bZEaWT&x=wC?$exEdRbvqKBIL76A=maw%<852(msDY1$z?( zy=wq-hRV8qRAQW^NN7E*Dci9kW=f9zHo6$5be!VD8bWPWt2Y?BDZ3>U^!uszw=b$- z3;lq;7#%?oLiJBtds~FD)PTn)H4G|Qk-4vQV!E0yng-|{ec)ZGpAX`>F%YWOy{dri z{1u@(gYVokdXHfVQ5X}l1Qrnan#^wT1HQY1E6Q-Jw!*}7ZFh22AI2}IYKF&(1uF@X z)b+4*`q|;lx}~x+F@^)lT(~GnBxiJ{3B& zDH~Bk1$M{-h;@ICdSri}ShEx2bZ24gvAV3eTPqnc>QY&L>q50Aq%ifO)E@XWKTaQR z{W$8;MSLj08Gh|HU}lcj60N;H9{INZGJ*Nw0hnh&p<3DJ0^PJi^tuP1JFA3(HS_BO zqGNB2er^ai&_QgPEp*WwKF5SLJ2aJ21b=IhuXLMjc8Lg`&J0@b1oc!2wJ5js!v)vpk{4uG&?NC3QMWtrqlQofJp}n9lu*1{ z%DGgxaIF0!gj?@hd=Cw0+tN_B>yV?oDUXkj_b^PX-23m!nUf)8HL0jyQwwYP42lUu zRZH?D9hsHsWq$_2aX3z$6DB7P+g*%qwC(vNy$0H*~!5Gh#0O( zt8OQmxFAQZg?qyF$OB2+lWdq`pDoHVZ6x2>6d3~gx0A4PmS?7-=s;IJ3#Vbt#8V8aSkM9fPIkAC*)5b9#$*!n0Mv!rm1SGzO`d+?Lv zB&Muez5u6mfVK{Oq-gNkCq&&_zC*guFZRz}L~5Rx6Z3YN>ZL9|5-Tz-!Gc&>0{IQI zZmsUa1sO`MxKWctqA%a^PkhtW?p z{0?#aRg}@5woS%>@@@6(ke%1L;>t~)e~99y98y8L-HX7rz5a>4bVMcAARazJ%e@C& zysE)7!&oFX3qB~P?{>wWYD-r+b*GEPo9P}fo{Ijkt7yv^V$I|Z@6@JB#gmE}GR11_ zt2fSv^Td?m)U-)PQVo$lw`0qua0|~j z|Bdb1bm@pw#>t0#jAwJGILrsN&^hsW4cQaaM-oJaY#V=j@`j#w7#=$wwPgO`MUH>@ zC1v1A5V|)MIt@JnFuqHfD)$G=-bK+_FV2(J&~HS+Twu%Br`CD+jgvHmYNF2lHzYw_Y608C)3jZ2>6m5S7d@09j!R!+sSnmifM9M8v!ieA%`e`HT zywnj;pC(=C2@-bOZiKC_bl_tPg!gP6SxMeb6KIk}4ji;b;QTfk$KGvxARU7hz&B09 z10%El@aAyBs#`J@-qi2KGF-KM6PhlI81bi)X^JU)Gk_sMw9F;alP!ub^V2R`J9~~k z>9xfCiL|K*JUcz2w3(b68)Co7@3v{TxWSxF_9J5bWwpXAqf>z8PT9-&yII>| zx9*Q`$X>P%ezrVXl%8oSG3`_jPmWquX@C!T&YFJExU+fv#Vs*`CYYD(KO`2?&}40z z*RkW4r3GS85|(JW8N=<_?G9Jd@2$+($+nH_F3Of$+4mun`BzX)v@&m2DXEmkSjVos zaki_}UBob+5w7n9K*&8Fn&V==GME06FTDbvOU;+lGkJI@`Lx({f@mV^yUl-~yI6p% z_W|De0_SK7IAF)kpCz>Z_}lb;otr991^L`s0t!R;Ym>r-trXF;YGR_i6;#7uIVB$P zu#wFj0B^opd8)Y3tv+Xke9p*>tG7&Z(jhO?b|{hlOwXMguCY-6)DT%@P|w6}m}q#7 zla4O)#<%$9#(?8pxtR^a+&3v$;~DA?t9dX7=|Bm=DpO8c4Sm=t_v7+*u|k`4M_%^o z)lh*Lwy0(iZi#p3wrJKLv4~xs`sij>*g0XxuKTFM;C*P@?06(CS%2|_>2?WXn>W+Ybhcb{i%v|}G;?ni zp%QpRUY$LKseM^5`Gtj0mbsbbw?PM-5mOcas!$Ckw1fMYeS_OKOf9|dp*YzE}lS01Sb zL=6*7VMo?y4hK`lrQHfL^dT~$62$|G%xU3Tnu-Fk5vt?Syx*I_)Q*@@QLY$&xFpI8 zC}hVcjW~++m+x?McNJSru6EE93>%GlLX&BExhK_!z(9#@47uS_XmO@k;7`L{O?AV|3ic|YiX+?+)CYH#2y!ctS?W9JVWds zV^w?g9wc=PA^$=&8cM{+B87<;YOj9Yi3dNyZU1kRHUGab6GA zHA7E2pLZrabYk>`qrBv95hpMkK?(#A?m5Uu*-Puux>CbNxB^KbTCW9!7T|bDZIG*n2!BU|ofA6V$2jdiXM5J1hj3Il@ z)l;^>9Jh68*t)v|dPC5c+2uznoKd6bSF1%TqQn6&|98vlfMiG*n7W770%dIg2vxy` z)}tT=t1h#gZ0ey&?8;GnE(*pk;T)fK3dD&4TIwmt$e26P~}5%@!f!=~_oTe;pF)5sR(E%0bLSCj%@e2Ad)7XCHsgEDRecnk}i(!5j! zZx_g8H#BoCa@TTO6?}YmP6r0`Jr3V5%fp|;jzIFu5`-IhiMgSA3!oWthC#S9L)5+8 z>8EO<7k&VBEU1WNqS3GVnu1p$krz?(+>5!X;I&2pNEaX}F?*IPBl*}MD$!E?)nKyu zUS9`5vLHlXAND_*;8(FGpk>DHHFi+$f%1j&2Vo>z5ZBKIB*k`frZrdfh!P7T$Fv?) zT$Ci3YVoa(J;0f@0iO+OJkieDtxJ^&R4GkX_IkN$eIptH;Oh|GJvK`K)!4^+qi5PF zPl2jLCV>|;sVck9UEAcbVLMQl`X#<~jPKC+P>0{hQJM{!H7 z9ArUEYynl({+;^(SDPzhVD9^MqSW$^lW>L*b=PpQq)l%M2#1VSxdK8d9ShT;ktv1- z?8a3#;ce>bsYRPH(qrDed|3hLH_T(N_EsjgyyyFyU^EDmb_Z1oJyVUy&~#KXHLLVZ zCUc)pM<5U5YTKV;*-rF{c0gckvh(aP2x`(tJP|l|=R)UN0?+UkLWeno3S_A{h(BY2 z_)23%N$$cl1UqYB7;tUeOR9WJV#T5o>v;s|#VwGl(&?|$W`(qTQLlAO5VM$mcR*|d zQZ$@DLRG)od*R6I^7G@HfiTWuAha?ddtO6q+O`(rbtktS_;J+ruR>;J`6$#adhJq{6fq1IAUlfj zc2V*_b|#w?3xWKIPM~tJbGT#ZI^8hg5_SYYQ$NsHo~!#N*c8jQ6um$^-|Mmn-)%WY zg^Q8Oth$w7o!RPwy8gK4=za#qqjx89pQ2mTtgeHQjr_nzqHp*g7E`@8yk!&o`A zdF~XWYWSSmeKHxC8d06KQiuvP`PCY~vmh3(>)nhvS#$2*TOC7z?i6)0*n**jA=Ho} z&KQCslKsB3*|fK}5@nm<;SCr9R;D(IGKzbxoqg})a|GvMAdt?DTL<}*jQH=zlaY`* zU*Mypuu$VYQQef+yLQolTE?Me5)T53hOG~bn)HI_Bl-#gM#7%OO1|Z^B_?6&2l(+v zt!5MnpLoBQGu(Ds>OJ_iTa~ z;Uuhy5N?IzBxV@E2Ly~FlZ@3etnd6RurMO)pFI2C`f!G{o{G#2N78;Fh}p8?dCwIE z_Zd-Wn}V2DBj(~+t8PfSYoVJJi+5}T1$4*cDTIws7YI@6=5& zwd8_5bXhk;yKaLsluD2RZD=v=Gavm-Oh%818PhK-&KX zaSu2iSB-+ITlia_V3R~)qzSFG=Hrrs{Q8-o9k46cQiZBMT3qF$DS~v|>yXjAHiew2N$X5K_CV3*A!C=Gw5P0Ayh0O@d#Z4X8e|n> zC7y3X1vJ^5kkKve7R=RTq-=P_zf(x-t`x01BgenDX6gr5c-g`fD04=ThN#`Ax#Gv(|_1e=*I?*KWN?n936ipEGZKwfLQtN(T01*7>6t z#X7N@;uz@<0~spY?)O~#Vbm%c`}wFpylN`$7aTw?abN0MX_@MVf{WBVf0J$X@1D03 zk^Pot>7;&m-!){HWLufp6V585rwhPB(H&3Aa4Cgkdrdmn&UHi_QF;S>5E1`~>HyRU z%YR8qzlb-@&&pgF3{wMSXvwYWfXwKXDr6VhS%sE7E6TNchm%%Sf>3N209xEWV(>3f=LwiUAq ztAwtGK}(%KcvKd&o0OS%Je?unjreO^did_`{rgqNzYyCH|Y z8B5SN7QEs1yTy!z^7!F5fHn__TfAttRUIwZrdAuj8N_Bz+3FqKC2@M$LWUJ%IgZB`uQFEKfvg|(Kf$S^HY4It)ytbP~G+Bu&XX+(=L76 z=Uc>y_7Rdn^(wm}=h5MOtlh{9)^MjRmD!kV@K;CTAGJ~+Uf=NuBW7@mzoz?4OZMNW89CX0if&;EcDgn^( zp8^9JTBY6ha>Vd$EQbC4YZhb z5*xRpIFu$w@*j5rCrNA>iU;X*qt$%?=2$u?;!-!Q&xl>ew91Dq1n{OMNXTh!0%P{o zLaefHEC{PS6AP%>n2Fa_c3>1WwI|y6J8R`bX~1F^>jsmrBHtVchCDpV7C^4i94}(j z`wRdl{g>GQ<>|j{1_r+^@TEq#-wGUpHV_C~BC8A3I=|hDyn6ao!4W8DYwm`F7@v7+ zKLQX}?7r(4z1ZPgO9pKMu0oW0PyThC4=L_M`5rAM2QynEPF5{Y&=V@r8qV;ZHwrSq zAf?{_6^5q)7`9R0X+F!dgYKSTGGwN{+dF*YiY3UjV!<~CR5rasNSon z79?pOWGe?aW%<0%1O30bFPDE+T_)5si5Nd8b};__s6z6)7H*dgw0JLDkfy~FF%Mq# zDp@t!L#r6-M-Dqqo%2=%O)TZ03mJ}f?=qV0JNV|igWZ=_JU=GFAN2{y6SkP904zXq z($GKxQVz6UI0v@53Flxze`HDRe2hXr@vNzPxomauGV?QHK)T%Tzy;q(+LY&S0nYk6 zLhGq&JZndYp==n2*wTm1O?N2^q)lP|7eU=1rFRyNS5=D}+{gys0Fh(Z63Y)OH2euT zf=!J4ih$$P%2a)IrN*=K!GQcs4*9sTHuxWHkN(;twvZ`qwvb?%nh!%$L2f@9w)`c& z@JAt#|TOA~XI`^0IwL2g|BeZ#MJAAkgJRN$Q|Y12;(P&7wUIE2WYck}@C z>;VV}J0qIP{l^Zoz;W3|Y1d?@yr8tzL65tWK;hIh1durf_a%AbCb$2OcMQ1>zjLtw zMoR;dg5>59Iv{>60xH;(=)>Cr2A1nIQI`9(KwlaMV6wQb(q2Lll!`AN&XuFFbf61# zfw?6znTvl!tqv3C9h|A&tddJJW{|$HtLhI znhGdE=D-d50><103jngsguuNcH-uE#3=%*hHw2feys;1??IM;yg)j-xNNV#x zd->-Qmm~|~+1BqY(7;9HhR$p*9E6`$ped#9?M$^Vu5!$nE~doJya5OWquZh3OXNqb zYw@%O@9`VWFxklz&~0LZF>K0{!T6UmG=$qgd-1!!b&I~HCvqJspRE`)6B}P7 zHyU3&Kl=f6pP;{X4d( z8Rnh^wWx_7mp-``fA{QOHq>vF>h1{e><4ufw?ag+$vKVW7V1`u%Q1KOnkd`}1-=hK zqbXDdY+i(DpuxJl-bIYA@NeypP!ROy^n`)ky-@^N`qT@0CrUx0Pu$maed@mA zS*~A$FG839LvB|2Lqouu(twBNy|)iKpzmkSFU4{D*6pks535BVp8CPAmM z$H5@u*KGJK_wl9Y8q*8+HsbWKSX`KVdbvS0BA6Peup7SDH{$LvR$)hH=&%0w>-)TFV+F5%bP9?S0C*#bp<pC~$v9noAZe|!mJN(t%Q=1CqC`lb8*IpM}E znZs?R@1*QzaEqQPs+8?WXQw~%YCh9+&a9{31fl(bt-l7;e_8uyKqMTY8b~9O1h)ZA zkx>zSZ5vhZ{=XOO%w=0jkPEI1DjFbB;_ghZ?&GQ!dw|%=5g|Wule_QVdfPOqmB;OZ#d5q&>7uJW;oSg6%n%R zeR>%{tb9A=??FlR*9r5{UqAVH?z@sam!GL9?B&4c@d_cKas5=@#E%y#wt$TAj=cGw zx=P-tzjc6^8MwF##GDS7HX+bJ2wMrKgQ@f5+8#;yAMCJPBQ)tkfp}qwFECFfyU4Fq zc^~o*3fy@XU?8f2-lm|MFnAy4q;8m=Y`35IlKFo0Tp72e`wBRNHSbrle{P?esc%qm zn|Tz!u=JSZNXJ+f_qJBRUZNihl}G}T00MvFZgMOcqqx3j0;J~j9>7*pI%J*Sr~g5f z8RR6FLx*e7vC*%NkO6b@YKWHT5C$9_BL}eK2_rE(e)8kDw4|({L|K4TK&;H7oop#D zI<>Rdta*8z$j`SOtULxwUC{&?k4(U9{fbNO41dHxq?3^!as^ab3j*m)7h%NumTT77 z*3(Qk4(L`nxd2;?!Kfu9Kp}N;mtO}(r`z?AJ&pLVG4+-#5qW9IKI!E zeFl9~9*e7Y7?FM9BJl2-11QkC0PULr{o#-m$08;fR*E$2iSjzmo34yQV{M=2B6tdm zhZ>O0d$s|VQe>p{ zRQ_;qB@9YBDg`m(X}?w?C=oM`@0nn;vRHE zGp-5y0-&>To*+uK-dUU88fm(oD(=2$`Dkm|7D3gKslaC2`&=@Q%pG?fQwR(}TArYk z>>&R?D-&ZRS^-AJ&{)m&fD<<0vo{ZSQdd{^-tPr!dc&zb#70$|yf3c8@!Jg=lggs+ z;E0`IWAtn|%4Yc>-750?Sqy`yTXz7$v3fWnK&yHFzgjylMrpr-Y z-@Y^eq&)^t2pL42r>^syN;|2&ees9C z?g@iNv{krCh##)H1!8!8dCiWtWtp&1z-P-IBDtDbI0+R9hHn125lMgw7m;=mWMy&f zn7{rI@r+x4N#G!?4!lY3@Jf;plL6jin)@*T&KQ(L5WV5+#IMo}`#>+N{wZf2dT|U3 zN2nJ@DWz8Yv9JHwDA&$h=+c(#{Yp?PZ8e5&DjrW*&b&!BDShsU_M>u$4f0?ezsRqB ze?O3bw7Vmo-NFK$ta>=T*&+B_;!=R5kyO%LEPealK3N0VVy+XP^oLL7ky{n_zct<6 zIJD>|o{w|$27Ab;A4)Gvj$mJ^Yf0Q?xX`YFLJnyxr&)AM-oacj5utt@Dn-L`$vHs3 z#5|;;$y^G2A5BgEJuj~nu(bEjN2VdL``v!ZbhEC@xGkDwq9@hYAU+JkwNJ#|!hRTm zYo>VKo!z83#_bf2x}@%-{&&YP`J9UBq%2uS_3YH_vGVYA`3niY8b?Gv9{Y1wWSyJD zv{Sy`j0tjSZEence4P!0?ac8+*44Ji6e=DJB2c?SKy`ED&dzXL0Mq-_5_;ISdio}) zdZ}k#GJh`vb*~S@eD{Qv%l-;OziBV={L`y#F9o?yXQR|7ZJ85=R}!v5gxpt8b1EzF zq#{jra+C&r|E$a5%g131cape^d#2lD$ zldhv90ripIxyR0#_Ri(G^rTv3g=EIBEHYH|2^Tp;@m6NLEU|uW@Wyrh8pExmkdPFM zj~yFeK&{T4U5TWw=R8`KxJV?n^^+ zD9`ygaZxTuwwb+Os3cRL$n&13C%`f;xa6@T{tz?U+YerMj6!F00|gr)U>QZZfCG7roL-tYL*{T9Uk|TW-Q>oAU}oA4GQsM6z3%cKO8h~eYx$?!LA3h zHu1E0wtls9Rt1FwMUh$LNA@C*&?PP=yEl_e8!Y)}mD}=JR!-Er(~Ig66$^w{5{}nX zztu**&fvRRvg<}kJKMxnnd=Job9Juo4f76L0^!0o@rugUN&EA5q5t9Dklti8PvQwq z&)-k_Aa`#>l#?e-4}B0GOTod2EL^FH{902V9oKm7eCUM1$O$`V$*hoH?khB3s+C!a zn{*Xp+8-qomE*Vs4i0)oPbK>8g>bKrz2r7qV#OVdH?1{3WM~#P@2_aDsrt& zLZJRx>eju9=$A$p`kC&b=ORBnq^kTn;Lj=aK7TBe;ew9?)2WnSyr%Wz8SJ6QpWGTJ z&V7y!_A6WmoBoI>gsNZ>h?ejN!I{UeWAs&LX#-?s^;yrnqthc?Gd83mh>yJa+t_Hw zGV__4?|K3^L+s#>=+l^H&68BNB15h*%3n({Xv#XrFA1oxf7JH^Ly<8)rVno9C9?jQpVaH> z^dq@a`Y||5LQO;>Cp?vL68wHeyK+JD;i}Tjlji3{o^fy3kx$(~_ir|BPjjAW5$el% zOn72q2Te<95>Z-wlW^|iI_ug^E4C?A4Ehi)<~ffzT2kjT`3cP`4K2Ef7tmG>b&&6?D1AyR*C2pIC6OXG?0Lm!F; zLPs^7*wLH-JQ)L4>>U<`pSJ~YJzFw9t3nB)??p;**wz2w&KKkpcdYl54642!+$@M0 z)vH&dNHlIQEXe)+{EoF#!Fc3Bvhlh>@iS4$(>)t%l9=>K>SZ~G&RHmwm&yCk<{Pfn5$8OF8r%U*`y$p8E za;4Q31_tcc4yaD?PUhRGIWIl=c+G%v5ex(Zfc}&ht^FA$ci(BJnH_BV+hd4E6p)Ls zrB(%$7$qI+ULh68XRX5=Tvs5ftblcwz|1FGwac}v)c&aJvnksHPSOLxk#zsL40 z=XchZVt$X1qRCzt_V=z{6c!pU3hb8g5+q`!MZ&&h^|$k%G~5lM`3Tg&7ERUT6Aci% zr2#lnei+%?pfaO|-~H;=|LP)2M3Py{2?5tJm5qGN#a~4HbFiuIyn)^42#vR*Qdbui z5wX4+2@pGViv7!xG&Yw4){^{GT%CGyWi=|NOpXiQ7vGB*^+5GND(0X`gUCoHJ#QZ} zk-mo{1xVV-AJVUQjW6Oq+6&&u>gK=+$~!R>FT!-OF(yLE=G$K_fxpIZNsspSy%ca? z{BA^!U@ljGmi6EzLU>2mC#JK^E6^c~IpF((q!eis$crr{w*O^>B2g>ZoL0IG*wgU| z7fBF*@_b0|FoE%ira%8`Q**q2>%`rO9cL$0`Ip>idXZk~s|!pqEgvwt+_K+itpCQY zD9B#)2&CVRdG}1-ncNoAM7lNcwI@og)a?%2F1NHw6o*MHRj&%kjq+t|{FYOQ-+9~htH^3TN-8m=B>PlGy+Kp z@|gcao&rG#gpAD)A@+yp^EvdBVjiXi(4HDTmGdjERgo=J#hMYJWBl0^L+ z>d*CAXM#o^Iz8pcH>wfhbnWO8^cSB~ko^H*A2uzL&N^h$GWAsXMcxcsYKL`#6#h=H zXW!1Z%q63GVxiH^EcHANaA;^MY5S9x^UT85X`XZt;P#;V9%|pa9p4* z9UB=lA8i16h6VtS80q%Y45D9S$mdwzwMWw@=bdtPudWMuQVK~?mJt8K)Gu;$IXoR=$bm_fvEK@G%>Mr`om(te)=93EU+xhd` zfoY_yYC@%0P#k8l6v$IFEQv1ehHQnl6d1N&f~EoV53<25=g$kIj{Ce(FrGL)3l4@n5+n_y{6`FF25Pm8W3)^=xK zPMgcnYKhaT^I-2bX1p%lfLW$K*l2d&XIU%h93W)wr91SL+k`e#Xs#={YF#?KvR$^8 zVkL>NyvyJlvHuT+=@c)E9xhso-Yd4{bVep}*+V`tF2khlC9APl_NB|a2B+VaNO^Bq zO5E^2ERR;ThC=RY-26UJ^^)gfv@vO1#3lgrQGn92y_U`I1wjq$8WRy+b^gCeahr-k z{$dTt=nzR{D;W-SdGxiWppE9~C}G+|LxM+4DH~TO4gT~rCm}-+hZo?aTZw)O9O!s| z#c$b)q^U|1VZ8Y>4Dz3;Vo$I|?*T&JJ@t-(lD=pnDl?B66gtaX)Oei^`sUFpbn+KB~8q$o$kyKv9znUI)x?cs&l&(=$nd2!(GBsNI4pI#YU`6h#?k4$pc6L#!qs2 zgD`E=7R4v8etmzRNONmtNHRO|qaV-ZA=hN4r{ecTXwxw`8@&=C%ZmUA3D} z7B6oL1E5KI^r0Ng?=n5){4q*bamLE?%v&Rd#K9=Ag~T(Aov$a2J5^7^oDy}@Iz<6B z(-vAUSdt=O7C6zc_#rQUh0{% zOYZrJ;=YeprXcj0_0{4jr*V+j2aC(aN&-U?43~4vTCF80BQLXc63Y?ljwyt2%Tbm*wTmp<>CXis ze9VvQYm>Xe6Bz+obHeQQKl~ad7_wol1Atgl^Q2~L_E%~#qEAC?vv-CZri@rgnlGT3 zocE9LIgH2;mGqUvwb}?s1%~wGBuSmU@|)w7masE}z>b3YODXa5;cB zI_Ohf)@ex<7;@W<3Ms*l*Fcf#Z%EC-TTk&W<^Y9RoIhJhsaPo0`zb_NFeb!>bnS9! zIboiQ7u$*Oa>5iZ!HgrXUH21zSfojXa>M0h4(9Ph$)mh)Pm-v4xl*_rGxMhGhz}y>{v3(7~xx&I!o&M zhyczaa!w^@Lf=M=Nw%vpQhDv81K}J^%O`xgQ}!jI(NCvg7`kz_ z|72zQXT1D!B91EDlhAFRh;=Oq6wkD65pukwJv+?wIlbkL1jVW(#bO&y!=JT;c4L)_ z=>wn?!Hx|`i;urIC_R^SOJ}hZsx=|rzo}RiHG*w3!{k=EL5!Wo=qCx+);p+AqbFrz zB(t6G5umM36&O~LnUhJEFF*`a`Pi_rXF7mnddoJFR9~>Iqc(#oG^t`oBbC+mte*yM zk5`QPnl3oklGAuPm1II9l)#|f@|C=*;bQO3LyBWXJntv(ETVrPc|X#W#thekH_mvP z>FQ72sehaC=!0<G6;xT5K(lLKd65Ss_`1Se% zbGkK9l_S1%2}bb_|0CdeOS;rqzXz;GnvTqPnJIwh2J^CdJ-<~y$H1u^2;y9XNCZaL z8Ul-df)A@|gSh+i7iE4fH?)T~9N8*u>yzCE-g1_Xge%Aj1pmB*v%&vpypW@ZF1?Jj=#=-%~7^c?Z9dhNLPpMBkgzqmdihbZ~PzovEvlC6aHa7>@{emC%Hj8prOEbNEb zk$gf(L%&q>Q4-*;vg~Jca&h(UOS*1gmOzzrd%56c$JK?&nrJ*`35L)yLv6M5=BeQ) z9QhDRJzAcd?Sl8_c_(uDB(?}X@Q@qQ?v{L?1j<2JhDCScZRQpTSW@8zU*fzO{`Lkl zN^ze%)uKcG-1nKa_Md>AiqIK3%NiZ8diil3M~nQpZ-{GW;*z49+~s0`KMn( zV|m8rTr4_D3Vrq7wp1ehqELDg$%=KJO`F_dwCT%;T9NjxX8Ru{y$8jsq4)U3D0;)} zTZGx15h*H2I>>e0u8)WdMp!)rIH*JtaP&&HeuHxFTl8~cl#C~}7xVLgy}H3CLR&fc zXz6lo^v#y4^I0mjk7w?iCXGdcye*Wu4HZbyCZur}#BpvFNGw+0uniKcRp#gJ$0Y-3 zkjsw6W-FcP2r&_LAUFEYVVYZSiObQ_^K;55jj@@=690YfF)5=3XRBMx&Yq7SAqq}- zPOOknWgA9pd;CH{%~;LreYDU0(*BjpoOVl|){43@Uu%B_69^_#O+IUhk5Ug`Ej&TA zhUhdSMDeXf8PlxJxJ0RcK?DiZ2}BOOAE1}e(BPKHW^%niX2#$VbRFMZ)gL5g7FI!d zsX_-E9jmo3M7fhU?(5x7eb*dtzkjvJG`X2M6MQU}hDXknuTpr-t#`@o)INGQ8BM)D zl}zll{jZ5gaiuw$=gXc04_UDz*QM&2@Y`zy z2KvqtSz&i1v2zX=uehJ~X|qPnv10C9&zlD|(@aeypOA$OJ4-O`60bN$&-_*%NvF?}k+`dmx!GY{;_6N<`WUQeo zZfrgvIM&U-@$%{yk~S#2ZM@Yx&YQ2;Z37?!4{J7Q0?o@daytwTmm z^#iP?!ZPIN#7RY`=EpzW;n`21Ln-<%zGa-{63q&y_%i_eiOrIGeNRiM;>96nCZQbr z7*?$jbjGRmy&D1gRw1IpE5-Y&XQsDGUXmP*N+v`Xt&7&B1Qqp*8;{Fj{R zRuQqalV8&4CK)JO&ffCr^Zfa%&`NWzc{{o0D3ZAwEkZ>%9v+vRhr`B~k*9RVtSTZw zL3PE)MIP%t_`5fo88$?QJdhYdiKy(k_;{Y*{F5SO{iofhr?6+gyD8j9hp!T=cmg$H zgfF9`!glFHZ6)Y>dR&zkfHL4wfj%QiDMs2``Ic z#5d&&I7<%GxsJQ9ik4voN8};jSS(q9Yf$?t>3UcfCrFWBqcnnK>Z7#DMv39Yh&m-L& z-rdQ2jtsE&Oz8Cer>|KKNvWSDyZWIAXQ&6I8=O|^g4_G~$70_ycpl9RVy}2SNk3n; zdXb@dGG2bI-}?zCAcbpYl^HdFY}Ej^$-zkWx+UVxKt{=rHal{s?v~#-8-Rcm+oxoV z5BO@AOZAx+0ja7$oNAiN)#T@dT5=)Y$xLQ;1?aA} zMW=z>=mO?sqAi2AXp3e(sxY&LdN?K}6=*QR_q*~xDA|?tw@G<_fledh8Q98&;2f1q zeR`0~*-YF8ITIDbr_8`Dei9k}IqgE~hTTExSg-lk_QB~z4w;$A>J_kSATzzDMZU8E zHgi{n5FP@eCHr1vBbEm^8fK7W z((?KUYboUz5l5#3;9PMpn}OakH}?P+hOYfbNr+=D&wdCx8IJ&q(x+Qbs+q6bXOaNunYD$dGSJ%C&M}&EKpLn*R1PFH}^H+_9 zuR($g>Im1$2#&=lDLuQXaF0P}R0h7{H<=dxCh>+x*k{=M`?F95C?8%c%ZYAr9|F^Y!aO3 z$#>3dKk?!PVLkyRSr!1Db28mid)WBD`Hl%H&losbI{S8s~xiS*T*)8-lR6Q5a zN6io$kDI8FQ^&kDCaPKlOCR zmTvB&I0^2bnXShv9&;w{gLecQF$(Y8s$Q9DNTQ$Y<3G0aevXAPe5Olfb>jzXV?#R6!cl^ znx3!LP3bGx>NE7g`7aR&9q-tQN#z26BcY6wLZ0E93mTX9 zL*Ix2ZTMW?ugs<|W_OsbJOkdVd61O!4#K-pElqKluOY|K?j{w&Y(j&qS%v0JX~lpc`Da`M2&IDa!HUIuEA# z%FvPe9o`lDl}1bU7TSK$GWNhT?od#+xUjMm{baNyi4h&F~%QP8S zblRY_MG_!nS&cohv+mdn$?)M!_!QqK$MB0)_wE)ai&In)$>XE50I30KmW`;yY_n_2D@it?(m>?+<2ao#;7nTY=OSF2aZe908lz; zgdxq4&bN3_Ioq^EJf1T3zPH^*4&kEXt}sNVH?AJ3w8Tqh3P{*rs2NdsH)a9Y9h=`*K?5A zJ?_W=)%Oc&zmE{6<-vzTbop+1@dCsTUqvKb$;KWAyjn=@1wd01fp5f{{J@JL+(S4$ z@>-eviv5T{D!B;h_~jZyp3WB}Ydr-64O8XE$RdUOY@TKF7u z*8_?dYafm01PO~h(KJX>uP-LwDz_cz1};Vuv=Phxkan`n7>LvoKfNDd=e@V>r!O9} zrF{f(tq%LYOtUSpJ)gFYYTne3i39shtNqlT$C_i^m42L@ANQZ_Npn_Cj+TraVD=e3 zB((pIvgU5kqX|+jq=-0~bQ5|*$wboLORz-~O^HK7&8bm5$I9fVo3C#MSh^Lo33M&9 z&WLbA{36|b!V8J9#CYhWt!7X~GmOP3S2Kw$yqW;ayY%qH-nD?EgOs=}1BeFFD8ItA z44T%FmBh@A?9ZK;JwbSeQ+TxgYt^-ouJOxJPrBWymc^W&A|gzZ>n7#P8&})#l0*NN zza;^pVer4)jTBs=s&73@`q6Fj^C6xH1#g>K_6AsCWlD8D@co3on(}@nGUjAVda^@M z>7wl7?hc2t0I@rqyDKU?4wO@>wEuyZ1ddszphk{n6e-5}g81J(f+N11)Ny1Wr(ic% zM{{#`MG6SFA}i7rOWE5NS$`Cn=yxGrJ8qNq~CjEq#Bv#Nh( zN18icL~_yi&hXu=FWcBtnDYTWL&0^vFq*TZS3#Z2SRE?LBSmX7pMjP`#L_QgsWC|S z^JulpYnqPF(iT(r-X_ju2gLIKTo@|E4C9W8XI&fhc}!F;Zr-9&nRLzX#>z6<1Q z?vK^g&-~5;&S>bo=I)fjLtrnL{r&G@l#5qK;@v!PDEp+>*V`WZS8q)~GK9w|TlIg| zqyuY0_Vtb_8J2MRFUIt4`wzL;KT-~c4HgS1?67`FUo*tggZiJnMXA&a-DDdRYHbHN zQ=c+lGrxB5n2kliz`c3ywaGzK$&b?2TIZ=52F@bi?;;>68skHkD6ub!o%B41eyw}n z1&ty$X@_KVhmh(#uDXOUa*I3lzPl;+-ZE^>OyE35>=e>pRY!^JjT}S?!(*_UlY;6S zWJs(0-IH~@^2Cj6`DM}XPEOj;$4eC}S=|z=?X0QYzRSFN`^nAL0@ltqxRg>5W^%=M z$GJx80ukEHD;!dLv!b{<$t{XIKIdVI%0=K1B) zW^xt(S}tWv_R3KEA51OSjfTkOzV-!j&3ZwFe-9ag z-Tr#d5O?7I=zh#t_fB}xC^r8xCno7`wVlT@lb*f&=wgM&MCQ14=TJU#3-;T>rGkOd z_|LDzpn{#G!kb@`{y6}XBe;Ce*=e+<{i(4}0FgOK9~^*U`<&OnoC(CREJ`ix@g?WM zzzufrLgWC(pp?LGMW!-_beS)DA?v6cW)#d@($D(U*hPfhj@MycdFlDdTo^NAA?!HG z*fN{zS|gOJ`^?pPj3+>#w*HVi?6PE7D=1-`zUS%jhY4am2F!G$v>{2n&Olq#mUl9qy<8)flo=Lq#y;Eh62;4&X1;0TYfCv6s1SulHV;k5=st zufx#lgx%IP2dhivV*GmC-1;ucQD@D5_GLOD(QD0C$;Q?%MVy$*blFOgQUSX?ZPzBu z8?>koJP}+-2}Vwq*uqY?{p#_&q$Ar0uU$h-8de+}nME(qE*ksj#a#)Y7y&s&SPkFr zg@N|&3@M4^Yd$alSx&w2!BHz$;N0vTZPzAOv0-H~{ZyAA;4xKJ&^tI} z!Wy&>;{+6=P{PXOYQdR^I3i^q_#(2!*0Z{6h%W?m4lVffR>%<>50{2|a=}zBruPCw zw#c3sZ7`arSHz^(J*TIOA=u6Va*Vx zo_|yxIrDm)^Q_hiK6tpqhX`ZVTP0Tr%OigySR1j{nIrw+_HWU|w)h+IGEC4p2tehI zc&1o;;HL9h>2zvaPGqGH-62a%?fL4suT{XUkIuL>ygIctL&?PdY9dMAd&QA>o@@Cf z7Q8~x7URABibmZZQ&(5y%tkBhk`1bz&5D!h^Wz?KJB*gTnIJRdX=Z6kqmX~cj$%Z{ zUGo8hHZF~ndjt(-&gc(oSf$(s}!abQNlkYNdC~GfLbra`;!?hb?Bx&_=QEf7d()>8#b* zDhu<%`aSd%N@1crUX?%~rjQr)4IIc4X0B{02Wj%0I^pQftko4b=Ix;NoN{4JU7I%Y z?l*D039N0}?@QIGtt9kWpZ=ynM?%V03S#a?6GsXac=JwgMO7?{+r3$BnwC#osnI9!t(nyeg>YP#z+37nRrtJGxgHU%ncV-GlpU%i|A-v z9>GI%wkMHlNnzFr=tK=>Dh^3i^RWV^M55{Nq}bHpo!MtHOux@ytRx7K8F^MG zOjWvmQ>1GhH^goQ*(x>Uo(q@lG+xk{w#Y4LiUs}&noBjG{x&+<+EjWu+~D!d6A7H> zc9VMNOQQAn07NOUqT|VN3Rk$#-qy_Wox=ad@28urKgB&)?5imA^ra|2-iShnMj4*` zdJ^A9ay`}5Kw7`};y#4d!U-HwLw&KN#49{WOT0hUUj=Bda3npEsi5aUh1e<9NuR+N zQFZkrthDu%yq`#2QC=V$bTZ!0l6TF|JUxPn8^zYxiT>n)KAOG5t-R7&b+QZmq=XnYZYb?7{1a(C}KHNwQweX_| zsx~f8AlUU1?cKiIwpfF77)ra@~efQB~;dl+g&^y|_)&y9{T|au5VPc0v1DhC6@@^GM?c~kRHTM{woc|#^c6RKY zG_FNcbzyyxG&_-_*@ni_DNZd*Zg^*kBDmk-8kK65DW zU+kp+w1Z$FFx$2?9jby}SFbsLEHe;bt zX7}jD`SuK|mKK|K6pi&lwN3Yj<4?5EBP3Y;f3z2SOh~Wwp7U~GZL>wuOKF?RtLf*5 zh|IHJKtR_yVVfG73Ff1Zc93MFLW?D*LA;o%{$;^E?`7YxL*yw#&(#WVPTz{|W#hy2 z(T}rswUE96SE?mT=`OzK`^)s*A278&9o}|qc(w@U_mcl9xu7XoZTkux7lM;t@mw+5 zfAJ*>IqVmai}6S!sj!g1!ZJ6rl&r2_Y8mbgb7|0bJk<-aSg_3`r>DvIt&W(RW@Ixv zo^1%uw{q7xwKD(1NAwY|U-5<`eq@h?go|i*5Xj|1Eke%NlI?zSAwe10FWLCPolRZh zOo!j%0kC=xi0?Ikcy#!z6O)2y2;nCNR8pr3?^Z^MWqCa7xPI46A1tmg$37~y>Ap5> zWC5Tq?J|bYGXfk#9e3}P1WV9S1WeK`nste_@847Pv_+y{DN=*nq*$VbxOqq#$Tr*< zT*?P3LbSGw&wZEh-k8;|J>1xBQ8b_Jh%c#}vs!eGJlXxB2|eIaxg@%&z5M_mG#bic-$q&R-Ay3`6-H0F*M#S588@Ts)gF0 zp-v?Ji`0*e+`F+a`Ir8j-VF%o=?3?!{rM*9C!atuG{R+tI1p|mfb%T;Q_;K+PSe{E$iue|8FSDbw`% zTtUA+PpVNV0XCL_4m={=;Q$rOe5#8!kPutq0^?0Cw6(tD(r%tjf4ZU#*>>EWCFcRF z_9$@+@$$r2)OoCopQA70R$=c0ccuOI3!(|%%^r_2%6hW#YUK2?jIp{sgr*2fP%oh# zC*uv%r(#`Rxp~vsVNF)SOtbxE#7z@uSmIn+h%WQK*TCJe@6Y*ygC>0<4Bizx0*=hG z3@*|+tiM=-0u}8Qh09as=5vo;-C4Gc@0;t{D{XvCVfynCK_R0P*Hmba$3yyPW?H>w zIi9Mr$5Jn>Pd)ktLWlfSMhTDd#M27LIjV{F%;=ipzmHXdaHF5Xoa@iUpB3=Ny+F}c$-1X0B(}`bz`3P zEz1lejYM92H8Mop+kcpnx_Tv7*UxP-sx^K((@n3{#P=3OT0=fw7F=)4y`rh9y~oVu zJoF{OOZY2PVU|qaAv?BA6R(oe2L#0 z)whn@Q{3%nD!kdoz#FxG6wOH5?$EC$qQ=|L@NS%uu)BJw^}VU5#x;?qEq&caa=d0^ zEVL_D#zZ?#X`){17%{X}F(&n-he-SF;R}9qcAPW8cA&~?1fH9z`>EnK#`YS!5kJc+ z#@OTsU9B{pE#JFndU5^=@mjkgQLW(~l8#HOGf!xAQ#2!V8=imbu2!}1%+fL)3)Obq z#l_Z!Q3DG~^YTVU^)OdA*%q;F;?DNt(2ca1G-V=yTi5Mk|%iW=Er*BimLOOat2ga3ft3j%nE#mxjm4vtqEUp z=O$UZ;7U@XC@!r{gI`kQ9dUkA$#$WmsLSm)e}Fg^Ud-SkyebmXLr)i@L@)x!R$w<+ zj#QmdIR`kP0z_ss_B2tqjyIfcmFPNFMG3qeF0g)-dApByyl!B8`-l0ae;;XghQlP` zdo~iL6onDihs`Wo`nw1&&Y?6_qC>=Y;V!YI4D2SQnSXt|pGic&{=etqQdLYZ0@FB;tPhemgIr38Cnw~}{ zIf!DK7E43;($F;lS(ar`R*Fp}B@VV?7HbfH8<=_>K31_bE?XWQIxJR5pV+uBF0nD| zw8N(vHbE>ifwN|&-QFCWB1Bk~mBVdfLv_7<+uJ$e>$jN3=i_|#_jdPM-Sb@?(O5aO5Fq zw&zQ>HH*|X&-WLj;=mgpgF_K>z@$=A%*w%(PHC6X7 zM^9-VPCay`0-V1lm5PdFymZUH-jq%c4(()v2oL^L&NJ3@aClu?X*Gihx*z|%{-v1C zYV5aYkxq}x?s+kQdxCK@Es07$l!?x5G1QnXd5X9AA@${1f(9pLGFlZH)n$LW;McET zwY6+o4pD9oLp8pSuys$@=W7Dq`JT$&eU4S-AI~iwMr9?m771d!t*2T9l}*kxTT?yn zCwx79ZzosPT|*bgP#u<>%q}2(wOXNjr*+qetur+qUhdXprKOu3*NjpLchCIayq%mb zIH!b)MwL76R=q2AY8HHR%Qi^7ZHc)=T4e_$`~PEC*+ZJuK(+U`#q`%i9@fY?OJtCJ+x>x zhhBjBP+aH3Znmd?nRAiQ%SeIk-towz#@nS1tohRzbLWQjeAnMhCA_CokHb^_z#nhI ze(rLz$2klw7|rgtRl0Z|^!5VG_HhJLA08fRx?kHEN&DSlDpW~%2vIUhcRT%F9?#Fu z{a>&01U*hQt2x1*vU74`Yf{&vS-X1DEwpB^7J6qt*01~=xkmddN&GVa#JVU^i{I+kB{~#kf6=M~!s3SSm_hW%$z!0=wYj%Q;x< z_P4P))OYL*b^JW~ht1zmyLof!rD*DiVZhrgn545c-O&7yCT4?8xb9}0UHD@76DU&8 zvlbV%quGBpj=?2^teu{)4+O7&_hl99CR3K#YZg}gu86WOa!7i5qe-&Okhj=-?u|sF z`u1eT{+FVtSu)B^3R~$pHmbpmeuhd*o9)1fvThmihyQL!Y?R|JJ1!uG` zaUw6Ld{O&2Ro7}9q$*tKrTxkybe5{2c-O~7WF&T89GER^n&z{fsWxY!(SrgFD!lJbjeT#hje1F6&tdtDJvX3>DQmhO z8HD6YRk6C`a0$a4B5EEsq2O>z9d^LFjMv=e4ZB}&YD6FRDR*qv{Du?A+jz;8J=ceb zK)R0MmfSfazFx}8C`jY7dLy85VRMglaeE)1=e<1tYT?Nu$Oe~*EN;(%x`9epL`YaE z3U(E5)w@$R&=%WQ{1ROzy+*hP7I!p5`t;e2R8ESXv_dI}3rHo&O;eN0jF{UaIbkh4 zOMM71f+&qML_6Pz?F_QjjUIs(8|)OR#nb^}6W^A%DJY@71^?p{+?9*{zTSn?b`Cyg z=em3J+VY1RjLU`{+z-F`15p6lS->Y<^bqgtf? z`bK_#ryXYY+|(>Ez4~q@pY!;!9jp0~Xl>Xfo&4I15GG|EPb2YBgn7|&{i*H}oBNX7 zWZ!P&{O{4vw`Fa*$At~N9LQt>G0h8k`Qa9>zbrT%fM?GvX^A|X?o)5%u=BdMSFeZg z&AidB5eJiY7U(OfC<)9Ol5 zij>3ZyHDgAfjsGL=AB_aeS7CfBu2{z(T@5j;;OCSuM-kGlrkm|C})gP2u=;|MV}*| zzyDOo%Jx8joOruTfU=z?7;@SCbIYHxruc{)hAg>{N#371B)#n>d3@D7$68D&)P^vm zP;q?$5;^?ads_Ju1}#aO1nDvdm?xYe6x|=Xd z^6;4ULGca65!<4`Jes4JZ-OEtz~3I{yXUI(VfU`4M2$5ysg!?coOL}_LuL2UQOd-~ zDJe-&lo-f3c0c~9Dc(p{5&3#G!5d9VDrOaYe{?c!x+v}!rlZ8i&yW8hA;Khnn)6m! zAd|s6MFKyAchbbqL5(HVvJgIL?3ttLv zFNR2QY4tV~`M>QW_j)bWQk(oLmgj4}?TRs{DF=W!%b#u|GTJlq6Ls~QP*VeBUUd7%u$TjeWq46ionDej8t z(uA-n?GTKivjdq>Eg?8VD61E1=e4@Dbf`0bUFnbAW3nfVt$=aa0P^o&ckhhxI|^zM zU~JaB*6p0k@UdxE6~A+D(AH{DgfBpIf#UkZ*srv=?cGVbSU#C2UYi^d{#HYQU_;e8 zH*ex2hV%dV5#`37b!lFk6Ax~bN)|PF+`wD&IfE*$_@13zv+A*hox0mSK2}?!k7!!k z4w=AAp`O*sK_qekI`ZMum0G9qg7M$hhxH6|KNq+2mVs2ZFW>f7oYMF#9QX+Kb;b0* z=20|B*+Kj1J6n1=C{V?^Lj9<$=D?_Ta+tBPV_8Mk*xpINlO!E1GXeD zxS8ZC0s_Lc!ncg7Tp{hxnL=6pbApUQcPlP|ZglDJF@A3^cl|$a=JfZb@>rFxBkMpo zY~e{s7+P!zx~5EcXh=>=Z_n{gDd$mJtPRr4Qdn2vu_nS=3#g*cwawIEF4MFS;nK>y zHaTmMyO4<9Pq!y#EiAY62i7_Kd>J(>Yb}>eyUIyg;rNzCiGDm- z%4+p=hSvA;Fc211R3MO+W;?Xe^YMLb{dR8qdD*4x729}9e2OS6x2KXH+p5wQ`l(#Y z8K%3u57e3*RRZhs7X0L<4qdiO-cD8I){W+W0VX`f`u!&F=NHi|K}OdL#0}@NwY=?n zEn)MM#G`O`?5ADRzxm*1MfyL+%pk}8TP{Muict4&X07{>>Ygf00y>Xy%^dD$N1aQZJ3AP!Lhsh(yVY*2(fyfzydTa|JFK`^)QKIUU9>(A?iHJE9Wtq2c0| zj@|?sPUmS~4b64!4KhuDTN3_WMr-B*CEYdTz5GZHd>&ASpEjxL*vs_>4eInzE2c%n z4!^!UMI)=Gq^i|ZfJ^e#ctj9!+oZ(Y?`Atv@CRci%6U8O7=hL1M+3m*rKU3o1i?=F`XY)FaXRx!8#qwn*$(f#g znP%%RE2E>V_zU0{QlihEuHUI4#aqavH^CP)F8Zgvk*|LcWK}FI5aSKj)dibV=kQ4# z<~9ZTg7Br12_1fl3sr^sR&YqStcP!vD}}m}2>-k~y-eOjN8>MZlr0iBjD9?R?G!L@ zb||fwhdE&8Zw?Rnt!QCEeYvm5(h60o+j_V)Io8g)=BkN3p0R7f`+Uq9ZkpS(a^dS* zW#VYM;P&QLZ0`KJ)pC=v+g8vT{@h7Bg>o6bG2NeAf7lQ#(9^>;eLE&A>EF3N#JwD+ zXrJuUaX{yeS!6CL`7LPvlHnNp_AeI&lEP?Zol-wrJ3E49gp<}{kEz%G^aYg!jKq?; zhbH)ipF2O-k30g(-PEV2VesDDKjVRuXJ{slYV#l~d)9njA{-}(pVQeNMJG0Y)5E)m zkF>P^fH`BaTkze1@Z$-`G{tkDW&b6nOo0NScks9Oc40raY(O9S_C~VZfXAg2#0%nG z^SJ`jwMrHjJsq7~>!IWs7Lq+=Lsjo%^$(4$2_7`UqXYl9r?q6a4gk8VGn&j8*O?9E zc&sk=u21>DHoU;5Dw82~np$h@2)LiF92`ScYF8y~)CNTl3Dp6hol6rM@^2)H7;Q-I;^Y*nD zr2lo zGlOh8{!l#5X3y$x6!#EOb?0%@yoHt_SlAv-YOL3)v za2=34(;Z?8>c&%K*ks4_HqZ8T@KO-n`0TwCEoruyu|CZAP3lYkw1dB{9s`fSkXVIF zdvQ7S>#tfd;e^2rVu~<_pj!?EFUh<|=D<2O3Zy445Op)lZ}1^TMP|t+GZ^C{gb`^_?D83P>#-^OH_m)EcCFQj1fkHMx*@W6$6aS zT3%k>%oYt&vjC+5wiS-x@a8d2@H9agt*8Wg5yK2LM~2jEW{&a;QtzPp6IK~V2IuEE zKL4lXwZjp`fOS>7Z}Udp_7|H2hj{p6CF4oK@PgN2l=LKDL-mRxAEpmHUHS)e#FqDs z&x*bmR1HsAF0!|dnskKc-d>?a z75ZPhS=Cn`#o~l~?$2p%O+ul-VN z>99|O%DzuaTu0;q@_Efpw1BX0ANRNTW5~s2XVSMt7G%_n_Ie^^uCF)qzUGrhG3eAt z%gB=LeU!pnC<5ZO40tQ}_EW?sS9ie)t{=RtSp`6K1L$dBO7NTHkQ<*i&?1e4!MIWa z!hj`N6vyttQqYHUW+gpy?fA* za%bWKR0n@ErKyX$TUys63()oEQMed}gyv%9&xggNhT!MDRqr$gOpgFJ|Bb#-XMdyQ z^mJao=X?9*=5h{xL(8e$*m-)5?{am>94@;`9+qk#Hv)k}<}W;K5}mh5s>@`zh`yYbisJznI= zW+o>WPwfnmCH2*O#b;+S8r@<4L^g50(Ju;sMy=1nUnI=U%--8QEeBz;WM`1NhDPd< zYh*+O9>*s*tthmk*->4rH25EUk&%%VD+<7XrD94H)1x-5!;lGaNJ-=8kqLPWJpQ_= zLTEYZ0W}|0J=|3`RRwo%)@dUYcN5#T4NE_9O5{l?W_)~{bNukjLU3?!yW7$C(N#!y zBI8mDN=mIvw7ky%4c2sOKKDa+A2Yg!fmhmPOSpH4)StS7=Mz~_aB9y`p07r;DhoG$uHei%Ee(=2`}E zhOUjqN`#)|WZoX}D8NYSfC(`v)$qSFxD4p#xfLQD7~fIhvX0pJJut|c;F2kx zo!!wQ8z`H^@;JzHdV)pR1uV@Rts648#3f6=U(~Jl(&Om&6_c+bwejNZQc6b5Z_Ob3 zs)Mp1)Ya9g48gK_?346-zasNYe*oc7$#@^1#EQ%iK86HtF4UQqxWB!=a3EAnOD!Gh zecl!z3^Jt*P0B4%2!PF3QNrjPF~kRvEewFcQW+Vi^oLmBZf6XK+yo|d4qls3A~lI^ zl78Jr*DN6AHxqN$^-6n5f{d2CLVH9zKv4@ZCS|dP2En5~*MfT`R8LD0D2SrSLXv3m z=jF`G#8t#l$ZqYV8>cat7zy!5>Zn=m-2q0e82N))m!3x<{t1~#;6Ec9k9QLFBG8VK%u4tsS#SVVOktN zdI1pR#Xi{jG!#$IXRWA54QA;Fq-@cW`{};f1e0Nga{z29s%bMCLeW8llso_RsU?!D z8+pH3%Lv^OsB83uX0a*p8mmW3Y?SXHKDgjj+k3U&z7P!HRxCo^`;aN_QegV8!>d zCu)4(E84oz?;~2fFSmAPA|{h2D?0K#4i!NO@f2isWwilCpyL|*)GZXr#P->$sU>2m zWCKVc5}lZsIm}=!fziZyL@`0Sptu-B;>rMvLiDlz6Fk;65Wv{+21m*58kVomd!meE zKW#(jfxc5g&5EN3Jd<2oMhUFu;NYO54-7FaH)+M=VT<&wtOj<|B#Lc6e1!AK838*XR*w*|9rT zho4)l`o?~tR{V~B%oQLZX$QBSE-j;@q9pKWkVGx3Ur@HUx7YvpcushKmN6D3;&-Mp zy1Ke5p<8iZwl~{1d_8gWXAI--y3i=H_F>|@49o&J5@qn!sfFnC^DpHTAXuxMA?icJ z+DSC@f?!zGP3$#c;{ExWJajh%=Wxgmzimt#UUqrA13#axwB9!ok|SIl&UJcwSY*E6 zxzE91A3{m5$1T7Qj+*MiBO+>~Vy>z(t`)sNZs4AS_s|fy;=`$_%^|2%HVn`9|QDWXFT=&>I9T(@6?N zA{g!V)^=2l2oI0m2{L<`ktG#>o$&#PMj$s)Xrc`3&upBx1rf>2C*BXLe30bgm;-p8 za35mugf^p2FaDKlAdD}XXdll9@N4c*`FAuAUu+%@D{D5jeoIga^HI@Re)!vDn_jQP zg}>h8G9{dzni@KQwYEq&WeMcU^GE-;JAZYou7_R1j@$hi$tV=7_nX;nZ#_2YJaXF_ zMva`SF=mw(e@qm~M%*p3w9M})4FbUhg}nYbVDF)qOnv1hRAxb;NwfZO12<^KJcUkH zApTlsJxk+*Eq0=%W4LoZA!#mRfjsatbWml&I)HZyV7yxW-(F*4kcdi3a{&mAEfIk_ zJ&M6?(gSAkhdgh?WA&?S)JImLInZEabaelb=<5Y4J;b%@nT}$_C{U41Ox!rH=DT09 zmBWX!ZdANxmI3k~()@aVW)nRNiO=4l>%p=^mY<-`0%;X_(efz7#oDf(tga* zK~c$egto1UU5+sMWbdO)^4d8X{hCpW@5;zTn&CA3PG@50XiQKcv8{Dwo{gXE9iSUphJ|@Wpi_Y3ZVGdsLs;??eVr=sK$DRY@TA{NCUqp;|`=c|w;$U~bLb9hp)70j_ zM?xUL{UHt-jmf@FBcoMP2gMOdqJv;K8Tl=b-8`&gAd-`3OP=!w)}uT#Y!(vPsefZ z0oLtO=VV$H?LQ$2bHNzWO9K62$YWDe{)gqI+x#ObDJcN7I)|+VfaYrSJLr@4WR3d2 zFyd)S8Eu}A`dg>sg6-Uo8J_1$1V6(eK=z>u00cm%!5j>?8EISq>nI-sIc{_<5mS(Z zL){Jy2j@1bw?eBjCHnoaz8nl7D>a!9q2S5ISO45Zc);aNP(;S(0F`+_>4g?6U;|J$ zLBpw3id;*g4+>I(`b`fN3$9gDa_Y=swPW#{Apls(Emxj@LSfJpf7sdCna+)7X|n>v zwBeHNJd4>L%DckBc+wgJ0I)`2I;7E2DH;1*4D@YXMb`+4ejyp8_q1`mAK+`j|r{{V}lUJ9=2%!ev4-YZsz+wIx>dPdAFlEX<1px63dCK zlJ{|i0O5#Ms6I`*P^i918}cz3C$+3dHs0@c@pBE~52Mbu`g(P(cbQqa@tag?T3XlD zq#zJvB)kqQCoOBMtuA{lt6r753^zdk$im|Zkiw});|mR+Q6Du!VG=&~nAj~he~`f~ zZYI~RHi-1pvPx;PoiF4CRdN8qCZMNWSl`g#_;Vu+Xlx#zo?xM%kcb6b0T=`HrWI}U zwJBTJmoSgFCybMvP#Ay8HE6ZUQ0az3agF#s4Wq@p-pm`v6L2f2h+)A&(D;8C3cS3$ zbokp=F43RQEEXQ2!vYN4tuaALOH;GaaZQAZN-7nZ<>z`(j-W?{ga#3yX&*OC;XI{x zKbPQrhQkmHr_V%3C*ZO|i#b_tiRO^UZba~_%ehgP8p9@j0mxVKKsK-I{SC7@pwY7r z$4M%ysHpH70BbAx@mM4~rV%29kfMBnf z&a#=vG@<0@_xiAxhYBg+b=tZYr4fuigU}bLvw#O}-Wvuk9JXD?7wpAKOF_c_P0rB7 zWId5m7Ni14E@ed?8Po%$i!uq~)YR0brlyK%EXgpW-ZoTZRf{c(Y^Oi=L?KWNK`YQr zKosG|M?g_Qy$%l#&lJf@hHO_5{M^m5RrNk!?>*~&Bav=Q`Ymfd8Iu30)9Z#~MHJk+ zmo9;YD?B!XS--hQCa4Lh&oW7z$eZXt5d8em6fJ;t#BSBy&(9~T zizgLj34_FwR>b|Se1r^x-6>AXA^AIsT*U~CNA$9q+*ASwNLq0~=LROx z1WazrnqRxi-XyNUm%ykm$lL0k1HaJk&k#q2mAGvUTzd)r*#k|HRCIQrMuP1rxZs>+UQ+kqR(V*=lrm6kxa zKihuR<^8aezUDl}JTo%`D1D$HKR`+DE27AP;19>6Q2zKh18L`Ev+a%&L@fi+=$s$f zWdV&=#5zQN=G2u^3drhjw{arZ`~>K z*CQ7Idaw$h-laHJV7*rxwkrexTx~j{MM5~xMfL|{QIU~}32p#YWu@K%F$xYRk&O{n zZ0-gKe@ZbDqv=c>vHG0^P(G|x#zGkZ!09(aZ%XMyDHHNT2_d@D_|98l?*VGnFjp^Air|zk>A-)_0aw@U+l9v(M0GQ9xQoP z+|V2Q`vmk5-oVSHnRl`6<0K?x-oQV+gW;POB31`IbqJMu0PftM=~dV%XNQ!84@ zEkl=xn3|UO2k}8Z@$cE(Lu96uNkR`*WJWe(3e4U)TMB(sQLHd!hroB!K@;b~^0xY3 zP8S66&YWOK%L#MwMl+m<(tRq;_AeCE!^@Sb+_?BhZYM8A{#Vle|HY`hwLy{Jtgm*n zm_Btt)aXB+ME!NSea*V%_w`T_nzpso3it3n^L>w@;aRo!MR_ZVX+p6jaGS_ z5?whdINiyyZ&FEx{kynxUP7#*B(T6Ka*lW0etRc_ZaV+G;F13(f6Zoh#~-osRc_B-LYylRtlBh%Y|?CG!W&dm*{ma*wK`QWt#e-jmvCyjz6c;vI-U`6JmA``~Tym9wi3 z7u22)%z%^g)9Jq-@cPo3vNLf%XoPkagdrU<^e{DoGJ0w0W6m1kAs$Hq+Ui*IuKBm` zaA64g*BN~p7;ev>Cj1rRtCn=*=8LqrM-}C=Kiym?|LYPPevu5-e0Aqfq-Vy7qAn+s zU)N3s7>{*cJseFR;IYN!2)9xbeE<7s%SZ+$Q4#MK)VveA%JL@MDMWar!)?^9=*>&r zBM*B)&+$|0;@G-lPuzdq)t6E!tv|oNJ1%K>Jr`qn!@6g@j=kO)OzTHsr~Y}ncb~dQ z)^6QT&&;%LSkw$eQ@Na(nH;sr2nh*UZ1`LmG?tIOIs#<4^78Uh_NetyqYV7l^i6jU z``P8Kv-AoCT)sVzW!zmNb!gn4j}wP^o`?Wii$_pUL;+Ai9%74WcJ{jFx#1hQ3pRhm%g{epT(@R@TEaG~cvQ>AGU0Tr z=HP+fR~AP^Q7mYB4dgM)*V6qJ;r7Urhb zxrbWFHxh^BvcsjN9PCmdG^et9ugwA9YNV6uQ5d-fgVwq9loTjm1XR>?Ggntv85tR8 zXAV0T8EEQgK;Y9)VkT1v!&`9XKI?@g1%PY<8<~!#YDvy+%!jBp{c;S#4*+{OKm&5a zA#oV&HYIm7e98UoC@uc2XQL{jrExJ>+p|3?mciQW6$|WYnWXuWN2%eq(8%vC*ZFEglt(Hl zDXDcgp!8ntP2r-7I3}>{!%`u@2&v)@XTK`&eZBm|-dMYViKzb#;#rjjAN?0JcrZFH zZj0ZG7apVb53!RhZd*{A8r%gJz~z`JWv~^LmBGQRmU$i>dgMRYYEz1(<=dET%@(XZ zyX=k!GOrC1iEulBd{`BPNJUm07h7bh*pu2dNbUGy*sN039Mjp^31BzV-St)KW~NH^ zDh6m@j4k$=y}slF)A2=K|z7Q7JIN1Y>mLc zj2WbSaP{yF0vQ3NRe5l2l|d`UV4-xhNwh}K9;q>>)>fOX*Kk?_rzuv%+HfM}jJ91l zb+N9HZ&`S~!QeCV2N4v{qP7fv{s7dJdS&Rf^WWL4_rKR&iWvyjxqygESP?VHZPyS! z(pPt{H?DmtrJt}+U3)x>&D3c5YeCy`Qm&2-LIhf#zi1>YtJioQf<=zuOoz?AhtVpO zVj<^&PO9{9NnMZOXQ}rx06kOJON*xEOfQLs&k3pG=O^+As+43FxgAc{RD|TaFvRA^ z#3%grv;c~7D0xBU(^6K+Jcn>w~ zQ8)d%05z=tBLfor?{Y$(oIG?#P!0w+9p8DDORyHWF{C%tk0sr%vyZ9IUbvu8=$y6L zl05D8eoS=q0#W6!U%vt^#q9SF$%Vz-325kqi3v2U8lZuJlJDOoRyA8uuEUrVu$9O@ zON?@xf#4S8=Gg=&N}>`hopQSgyN0(A@h?eUL_F@lVy=EGON~eBni`>o4dCq%`V6%` zKaV#}xO$6X3`ID^?Cmt$K#f^_c(Kv{LdI~Z_?6EKWp!Fv|H41-=xw!oa+^KjQVmDjt(r* zMA(TP1}P;aq^_NVV_29Z@`iq=yIDAf-)FUxRe0=<0IQv6|??ExL zY-VoG9+C@2KC!7{;czdHw(56j5Zs{#i-ecYfTSADs(zU`GBT1#*aAjM?L$!v|NLl_ z(s6PlJDwW7P+Et(YwLi9u|FGjLc8stv1Bh?K#k~v@?zl%cbU6D>n^_l$gM!%beCDI z(269r-DtcPEg?ju`n(YKR`T%~q*(VMPsDdH2ESsP#$Ef{@Lw%8*ZuodN-f_u*Zs9B z4Lhs5z`qZ?bdmG5K;H#;BDB5){(23TaL=s|%WAbgSw;0ycuSdcoR7^=va00b3DYf9$P_M|HV4T9OrlpeZe9`0mwp}-7H!vHD9^^ zr+TxXo`?EJ4)WdxdEx>cuh8VSgT=pU=Rb;d%<3MZ3jY68bEh%ZC_Uo;!3Qg|GWGjES{!_em^expG%CKwCn4x#{6SgK#S`6?Mm_RZI7)3@gG<9+;+T1 z-#qzw=Xkv+((=ZM)1>1eD0p|CJG%6j-LU4b>+y2bp`(neUt|8|EF`TcKE}`Mq2xEF zay>L`)h|D8%L_48WL%GzR&Sr)ay@JPhxSQM9Nu2;1+I*mLQEyvA0-=!O#E_(^J{1DjtHOYEf;q}?^&oVB|cItdb zZNueRupl{xq$tK5J;iibt@o1~o=cjjrP~J;f23HFFn8N{UDG~a!6i1+#Zcy#tb5*) zjw}%;-c!SiL6>5)i$=acV}yPd3oI?y%0_kgTH2H0kyiJp+S0CCXT4pewjy# zf;L;gjX@}0_!ch4NgfBwX)2}dDr+lmuRU=#0*LF)!M z4F$Xaa%DL3M?fCk|5KSBL+1xPhOWRT>ch=wR+(GCJN^x@wSz!XJ2zK=`)PIU^|l27 z7rmsUq%|GNcB>r^0H3d@tSqw>VzOfoc5VI)v#6}Copy;K0e1nv!m73o*!g8w&F5%U zjf_YzFfa%RveMJTi)Fv&l$DkB*lKEG)fWPH6^*HW4e&cX!OctjfDQi|64kCl0%8E* z0zkay5mK@EoG>+*w8|-kWRrjr@J=?weo_P4)iPp^PjY~0=|_Ne@Vhq{mXd-381Fg~ z3Q8E}izwji;$8JDny}0U$SR9;Lz>=yJh$cRgW1pH83hWfV8w_BSgc3r@%3&;+QpX@ z>t6w01(=foqYlqHJQN?mng9(A{qE#rc%qBOVSao(sxkIDpw@Co0aSP4x96*BsIh@; z+FVbG)JR@1`%5{T9rxXdY+C!q|K%iiAJU)fT9(=I&m(a+Wc zQP^gbA3~7K{Y%RBYG&H$b#ZATQP>ldt4O?$*&qHOxNlsJv8F#{pelF5BJ_S44Held zlKl}mZ?I1ZY6;{q0Uzj#Eio4Q7?GTm6cgKty1=2tw0MyS4r|{Xc}M|7($4t+FC?~*Pq8V> z=7qD2FBjSvM9@2kL`g}>&YtNnDF%JPfGqCg(}9EfnGHM>>2XLrAaI=~RX*6{<-C^X zTYT<)BsbuCFe6V$9OkAYTf2sKQHMbL&R`%%Gk$%%sG(a;E_(hYRK)kuBq;-x3#_vH zXfg6g@*7M>YQ568+Zjq`R3KSu!&rwKO<$B4rP*yGBO8KCruN6LQTwVvL&_x<6I)71 zNVxV}jHN}I?mk~lg^MW^LQc~P4VzD=^6AtVF>8UTQz?&kH#TbS8NJ7^%VTIxl43N* zcTVPU*mlZhMlRQnwcQ!<3wm4ZWvd@LwLOtPzO>B~$-uy% zjzeB0`|)E&{UlOeI^8ErfDsfu5o8DC35cH>g>l4!-vRn19^l0+a_~jy)uypuvP(Ii z<f!^RH&qB%Co)YV!UAkW`fp#$f2wQ$M!*0Ku$I1pjL6*t<(Z?f(8oN9(m8N%i(7o1F>j#hUq9r()faR*Kg>dp2Rg z1Ep$kBUA)PynwN0Ct|{q5onm9ftOX`%TxgGS`qDkLMj6@APb|dtqrUa<9M(qw4r#? zZl*>|8_D)3O7)5?Dh>{eAoAkx-x*ke%QXiIQXf8X=iN-cS*_$S zk)X;}MtCxy&J(ZDsG;R<`MoMesr(TAQm;{}JgP4Xu)S|-Iz{gOCBo`o3B{;}eyCVd zP*CI>4Oen-aBOaFf^=0?6Oxl5X)E5F(n)})fXAfiiCii!rpgJI|72#i32bXpqpm_D zYXTlJQ_wQiXzcM)6Qhujft^cXFokmt;2=|DwTgjS$8Mv3(1EJ-kZ#+q#CoF_4}-#prBg0X~)y3jxCcn%3%nvX#rd+tycpB+HkRP zH#%7V@?6i*uqsvFR*RCXbYya}nzt06%>?X{+_jqhC^i$=1Vx^sE)J9AmKn%#K+Ey2 zV?|g1gbuOrL-I2qfFM2miA_y6h@PL!5tPh~%V``7VARFR;I_qq8q_V3iNOo>8BS$% zrZD^<0tHUp&zP4AJb1)S<;cV1Hw{OC(_Qf|+&%hLkt17aDwzrKa)LW+FjCk96c}e0 zmjZQXY!rYQfq6zFX%Ge6RhviDqN1Yo^zsyemsx1!Qd-K&aexj8SBC^Fmpcr=W0AfN z<(oNqoK8El5lA4<9Kake3WohTpm1d|i2;l}rQ-V9wL@XE1o=IPqk&lb=8$8F1mCu^ zQtiy`=$XetH+Xx*&@_MDf;)AzC>`~_NVb5r>IHLy=QF7b`E+|aT>u&NGIwiLq4Fz;OT28zzfw0OsZLXIf6{ zOYBgdyz#w58bc#S#_gpCr&b`E#PGqUZlulp(8B_*YsRW=UM22+6^@~mh-uw zR@03{gHw3&VtXKlMj4mxN`Fj{zOJ#*@7leg>mSUF>a!r_VEL}vSl1+9*s+%p0_qx*cU;TZCAS?K1v~tr~d8jZc*k(C#)g&>s$!((dBvwxM&h* z`LD$DqiU*gBCu%#p(Xk%wr_lDA($j|M`ve>L9m>zxom)Rfa{bk_2>8RuGiR?z)p{@ zwbqtRKB235ToZ4ayS2y2u08EH*>5t@Gyxp3c=+BgRgwI8pN|G!PG_7H>zxrtZR&1N z5yKhs6{6xrlUdjyu%HFVwf13i$`C|F?~VQap`Yt?hHQl;!TQ!iSR|B5?zgz=q#xKu z7eX>vd9i!=-FBJw6C6Ty_};q6wlW*7YjL}>L$&GpBJl;37ObRzf&*!G9>vCOjTFE3J4pg5muRsKKzEtpH_3%<<6Zb*_Ukr{UN||`x&=P zW%KLO@wLujxs}{7-A4zBkfDSDN#xZdvfcnP>lz4@LRfQ5vxNNN94a#0iQ3a>Sb3x< zGzQ;`59Z3o1PaXtRIXxp^>p}pJX#wN7&Wv?5i}eezqDm7EjhbD+dDf2@}>pLrw%k! zRK?$yYOFEM=vN+of?7n041PL!H`JGSC6*XOgYyjc%bqc%>Gk?-pzzTuwZtigF+{{7 z!BEiN9t6H7N|y&ArX1HBFLQ0NnM#BJRv*1!kkpf#C2nL~oJ{ihmzKYO$45sMR77_i zSb!7{P&F%;I`>9i0?4|F40r}Evv^cmf*(|dfIuO2*KPF6Ldi_)-@=$*%c4USG12d) z*+asHFn{qC54#TgkXv9CLFh5C^}5U(b67v{R;+`v z&Hc-Nq-|CdB-V6y_rd0tZ;4tja5RpKTI1p4x0($gxNtzJ=;`UHC%r)Q{LpRqu2d%) z!wKv>Dc3lW7ZPGi5XHv90kHkf-d;32uu*@Ze+;eFOL)jDr;%5~T&x$q-LCkJscdOc|++meZVPVxip+ zP1f|=BhIALw42^yY}-aDU3HCCGZYc3;^Kj2%0@=H!x#x*uxODwza^~69Bav~0gkv0 z-V5v(vltS@G4snapmW2=_j3Kn5JzdgU3(afV0L2Rz%%iuEnarLyO0G z2JfH2WTu*@zbwr_5O&|+#*n0wfh706)dW}*LD14=xZ9?{-cg_#S4d)jMWcB|r<9TN zg4zhIh`bcHoQ52poWw!Bh5?t+XeWp?g)yU%@$vDImmhh&IZ6~7xhAv3Q?`M(24C@E z9ThO}w=MKr3VM|4$O4Cip&PRR3Y_#q034pHa;mLuLw(kr2UB7)eRM+Fz-ORdtbsii zyAb;ZRy)bW5>V?rb5Y91rHqA@id$KgIb>&Mjv)FLQv+E3R~9f@AKB!`0qr`x{3$9wcE<`?B6J@X!laX(32j*WaZ-p zDxT)Udf}xoW9fGRITol602+7XS{PbX2P|42jqz%d%IQTCe-~b#Hy|gYZ@Q-aY0-A7uD$wk; zV2i2;F7pw_LqT(5rat*8x>hUwth`)+g{OJxF!_BLywZRkRMi`W&6v>ypa?>MP1b5P zcNwUVUWoHeH#BUPwXUcCnqL;{I?VJEDNEj#5S6$s$`jSzsoi1PHAaqDDI--gW@cVlzEER-ujQ&S9Lk-4GotkIBVLLmHWJY#IT*DV z4s{M(1o$*L_J$O&xD9B3iwRA~YvYodiR2C0c<5979GJDEQ3e zE^8_|(M>5lyNm3Zwt66^vIm?h=$TG#=JD8P;Q>3V!zi)_u+8ZKl)oedG?DH(-uHJX z{c~Ni#`@u4b#)I-ck?{Y43FbI^>JK`6ciFHapVsP-qM!{sM`MFcwf~gedLk#s4oLP zA(~Jxu!#q~Z(l`~6=NC* zmTMSBmypvB^Ou>^5OX8rnT+2Phf7XQKI-(6{{i_H!vq*1vfqCJ@IvNaB<-jM6%EbY z6Qu#)*HmC%he6=K?E(2;GtEEY_`f?N{y&~H04(V`o0-$b%35Mi^Iws~*`PsfU||E{ zWd$UmVl^QAXz$MWns*fKQU!Vb5Yb~2>f8TuvhS}cd~X_L{;RnLu7i!{CVgJTS?dW@uu%XMe1>1C6s;NDoada5GN(-d#7_<=lj0v zI)8lE`TsY|^?TpqFe_$ixW*4I1=LE$(N4Qky` z?FP)lB%PA^_#^3bdTp)7cp?T+v~tuyHjP`Bkxk9qFPBrFW;B)^74WNZEYui z*!jeQKR%7cH90Ydtiqap`QMTse0fw*p!=lF=yIAgy#B)e6ZyIBMv`FN7H0u}6;{jl ze4{naq7b{iHel!FRZV&F3-)g{3Kg_N*pZlg0-1WwL*!0MyP-j|%9*<5eVTVS5&Zo8 z-A5C-DVQTGDN(ustCRamUs4M=n51j&0620FM75{YFB7XjyFSC4{*Y6v&WPRn^}XWx zR>tNFe&W&b@xw>iE!K`671h@Z;k_o1Ip#R$#I*6j+J z>F(;{*BO+MGkoUOgLEg8lc#I-F3;(rLYCq|ah4r_Xqlt!(gC;mofX3>i^mUc*I2MF zI00Z>JT6Tg9v%jr&b5??Ai{rHPQko8gF6J!(#ZpV9`Ax4N4i9tKu}&nqHUDW4)X{J z{hx>YA0b1*UMhRBe~0zhXyc30t;aJ_V{6*=zH9tZtGDI8SKmd8j@EbvXPT>G+LBk^ zH8lmUz5PZ08+SjOs=J>Q{UU}I6Z2WS zB)hXsA1a85z2plT8sH_d$L-Z_uVyh%*nY{hQc2JGe+ zU%B1cX`+1=_C`OG-ml@xIXbC1dtwY z>-;^QE}xZBR~L%YpoCm6;sfygv_k^SIKlRgj+f0Qw_VSW9}CFZ zdX#hW@d+&faJVffuXJ_U+CMobhmQaXTyk}Md^`Y=AVn)PGc#RXXjU5JVu!~TO4!lT zNFII6@-jd#x}v1yzWW^FHxN%@t)4(+8hB+%>gs2++1S{ibD&jnbZ%-BA%<_-U|U1a zkUCiES4DJEVO-xbGT0(;Q*i%#@Os!i%NMwq27+KU`-(rZ^D8SWv$Dj55eZ#)q~o5Q z-cHXI>sJ#-u#N+5smv9F>j5*ytB~Sztv;j$^HXbEXW2}oT(GYD^KQx0P!9(A$Q=9v zqQIPk1GW6dfdpgg-d_DRZ`st+t*>2gvkCqlV=Irz$)hAuK?SEH=!<;zMTRwr0nMy( zVaElx7m}-Cmd_-ce(4@b!5O~+B3<9%rwzsLV3l3 zwg4xUYt3o7`Z7Q9e++T$ zbf+2LgE@fReYzt{w}M5$-=1;&Ut*eIp?zsND=S_bga~7$jZb1%0Y2V)-Z>EHzqo7?y-lcpyJBaVHuv$oB7o3m(YW(M{Ll^3hfvLkOdNWocw z)o(O&5B}C&i;K&i{>ez-`|it7HO;cpUJ5>$$P@Dlm#jEK&@w}R zjy#ltG~9~Nc8%`Pjdcs{uncIK)=_~gtApucoBCfS2Y+@iLeR?d+b>>Q3~!<&}fFT zObSsRXO#nn^QfF;X709;?QbTW{|Gq$?n8q=OjvD>xfFYPzMHY#8DX@33KV}^yB*#7 zrQ>dhgJ}ZKr>WGR_1JO^5LR8Ac~OH$=$(mBXxbg@IXxVy6~)29Fhl}LPF9WU) z8(@23QTrKW@QWz&%mY6oj^G>G*DLSbeJ4lePf!p!K%6ovpRe6MsEcTv)>B z?-iVC`Ysot_r_tZ_aOL33dZ7Z)^hi$R5m#maFJBu zOHVK)p+d*&OuqNnE&J!}kVWAe^plhz5;)R+>52*VPmfDMSfA3xNfAHlTl#`}@6$U^>`#cZca(az~%}8;tYpz*&c{xZZPfSeMXSc^( z6$vQS1vy8Jo}<;k<_2>J3i>+N9w!M{BrBB6&D6Y);BXY8aSeiX=8?h62y~k=ICuP< zIB4CVMX>WDBnlOANfKhXRip(PfN;!-9Pt0|LLcHoXx()Eu;=IB6=0=~^hQTVPfwrK zuq(08lcp3|q$xrzC@zu~K+NX>Z%im>MDj}(V^I#*>^$CI90(gW(3#Ndtu0AF zo+X_)5mT|dtLR=Su$m6U88=+0U97wz#C}qjFROBUPE{HBwczzM|o;x9>T-3TILL5r*G$v(b>w7-LvJ zJ0%`_Gu#AFFR0<^st<=UHE;Q`&n+M@evUID=udwolQenu7X~iz@^}wFQf|3{ zO=5zv#Ck<$AVim(@Gs$CI1K$q&Fpt^5?Kl~V;2tY?*0%T8zrVITpAeww|7EL7+M%S I(K{FZZ^IG}RR910 From 12b713411d24bb0df9495cf532f6d0010c8d0914 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Mon, 13 Apr 2020 15:29:01 -0700 Subject: [PATCH 03/64] Update monitor-the-use-of-removable-storage-devices.md Removable storage note per CSS --- .../monitor-the-use-of-removable-storage-devices.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md index 18d2e3d8c2..870101a427 100644 --- a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md +++ b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: --- # Monitor the use of removable storage devices @@ -28,7 +28,9 @@ If you configure this policy setting, an audit event is generated each time a us Use the following procedures to monitor the use of removable storage devices and to verify that the devices are being monitored. ->**Note:**  Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. +Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. + +> [!NOTE] When a policy to audit removable storage is pushed to a computer, a new [Security Descriptor](https://docs.microsoft.com/en-us/windows/win32/secauthz/audit-generation) needs to be applied to all removable storage devices with the audit settings. The [security descriptor for a device](https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/controlling-device-access) can be set up either when the device is installed, or by setting up the [device properties in the registry](https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/setting-device-object-registry-properties-after-installation), which is done by calling a [device installation function](https://docs.microsoft.com/en-us/previous-versions/ff541299). This may require the device to restart to apply the new security descriptor. **To configure settings to monitor removable storage devices** From 61b0ffb053f509534fa61099a7b8ed8e69b2438d Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Mon, 13 Apr 2020 15:58:44 -0700 Subject: [PATCH 04/64] Update monitor-the-use-of-removable-storage-devices.md --- .../auditing/monitor-the-use-of-removable-storage-devices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md index 870101a427..1188b932e6 100644 --- a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md +++ b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md @@ -30,7 +30,7 @@ Use the following procedures to monitor the use of removable storage devices and Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. -> [!NOTE] When a policy to audit removable storage is pushed to a computer, a new [Security Descriptor](https://docs.microsoft.com/en-us/windows/win32/secauthz/audit-generation) needs to be applied to all removable storage devices with the audit settings. The [security descriptor for a device](https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/controlling-device-access) can be set up either when the device is installed, or by setting up the [device properties in the registry](https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/setting-device-object-registry-properties-after-installation), which is done by calling a [device installation function](https://docs.microsoft.com/en-us/previous-versions/ff541299). This may require the device to restart to apply the new security descriptor. +> [!NOTE] When a policy to audit removable storage is pushed to a computer, a new [Security Descriptor](https://docs.microsoft.com/windows/win32/secauthz/audit-generation) needs to be applied to all removable storage devices with the audit settings. The [security descriptor for a device](https://docs.microsoft.com/windows-hardware/drivers/kernel/controlling-device-access) can be set up either when the device is installed, or by setting up the [device properties in the registry](https://docs.microsoft.com/windows-hardware/drivers/kernel/setting-device-object-registry-properties-after-installation), which is done by calling a [device installation function](https://docs.microsoft.com/previous-versions/ff541299). This may require the device to restart to apply the new security descriptor. **To configure settings to monitor removable storage devices** From 95525768f0e7292962811c103d2b571e1cb3446d Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Wed, 15 Apr 2020 17:13:45 -0700 Subject: [PATCH 05/64] Added bitmask table --- .../client-management/mdm/bitlocker-csp.md | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 6ba943ffca..002104212e 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -1331,4 +1331,26 @@ The following example is provided to show proper format and should not be taken ``` + +### Bitmask error codes +The following table provides the mapping of strings to status node bits: +| Bit | UI Text | +|-----|---------| +|0|The BitLocker policy requires user consent to launch the BitLocker Drive Encryption Wizard to start encryption of the OS volume but the user didn't consent.| +|1|The encryption method of the OS volume doesn't match the BitLocker policy.| +|2|The BitLocker policy requires a TPM protector to protect the OS volume, but a TPM isn't used.| +|3|The BitLocker policy requires a TPM-only protector for the OS volume, but TPM protection isn't used.| +|4|The BitLocker policy requires TPM+PIN protection for the OS volume, but a TPM+PIN protector isn't used.| +|5|The BitLocker policy requires TPM+startup key protection for the OS volume, but a TPM+startup key protector isn't used.| +|6|The BitLocker policy requires TPM+PIN+startup key protection for the OS volume, but a TPM+PIN+startup key protector isn't used.| +|7|The OS volume is unprotected.| +|8|Recovery key backup failed.| +|9|A fixed drive is unprotected.| +|10|The encryption method of the fixed drive doesn't match the BitLocker policy.| +|11|To encrypt drives, the BitLocker policy requires either the user to sign in as an Administrator or, if the device is joined to Azure AD, the AllowStandardUserEncryption policy must be set to 1.| +|12|Windows Recovery Environment (WinRE) isn't configured.| +|13|A TPM isn't available for BitLocker, either because it isn't present, it has been made unavailable in the Registry, or the OS is on a removable drive. | +|14|The TPM isn't ready for BitLocker.| +|15|The network isn't available, which is required for recovery key backup. | +|16-31|For future use.| From 03c6904f77fcf58a10546a241d7c2e308b00349f Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Thu, 16 Apr 2020 14:07:45 -0700 Subject: [PATCH 06/64] Added bitmask table --- .../client-management/mdm/bitlocker-csp.md | 54 +++++++++---------- 1 file changed, 26 insertions(+), 28 deletions(-) diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 002104212e..6fdb0ccaad 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -13,9 +13,6 @@ manager: dansimp --- # BitLocker CSP -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, version 1809, it is also supported in Windows 10 Pro. > [!NOTE] @@ -25,7 +22,7 @@ The BitLocker configuration service provider (CSP) is used by the enterprise to A Get operation on any of the settings, except for RequireDeviceEncryption and RequireStorageCardEncryption, returns the setting configured by the admin. -For RequireDeviceEncryption and RequireStorageCardEncryption, the Get operation returns the actual status of enforcement to the admin, such as if TPM protection is required and if encryption is required. And if the device has BitLocker enabled but with password protector, the status reported is 0. A Get operation on RequireDeviceEncryption does not verify that the a minimum PIN length is enforced (SystemDrivesMinimumPINLength). +For RequireDeviceEncryption and RequireStorageCardEncryption, the Get operation returns the actual status of enforcement to the admin, such as if Trusted Platform Module (TPM) protection is required and if encryption is required. And if the device has BitLocker enabled but with password protector, the status reported is 0. A Get operation on RequireDeviceEncryption does not verify that the a minimum PIN length is enforced (SystemDrivesMinimumPINLength). The following diagram shows the BitLocker configuration service provider in tree format. @@ -284,7 +281,7 @@ ADMX Info: > [!TIP] > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). -This setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This setting is applied when you turn on BitLocker. +This setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a TPM. This setting is applied when you turn on BitLocker. > [!NOTE] > Only one of the additional authentication options can be required at startup, otherwise an error occurs. @@ -1058,7 +1055,7 @@ Interior node. Supported operation is Get. **Status/DeviceEncryptionStatus** -This node reports compliance state of device encryption on the system. +This node reports compliance state of device encryption on the system. See @@ -1088,9 +1085,31 @@ Supported values: - 0 - Indicates that the device is compliant. - Any other value represents a non-compliant device. - Value type is int. Supported operation is Get. +The following table provides the mapping of the bits in the **Status/DeviceEncryptionStatus** node to the error code string: +| Bit | Error Code String | +|-----|---------| +|0|The BitLocker policy requires user consent to launch the BitLocker Drive Encryption Wizard to start encryption of the OS volume but the user didn't consent.| +|1|The encryption method of the OS volume doesn't match the BitLocker policy.| +|2|The BitLocker policy requires a TPM protector to protect the OS volume, but a TPM isn't used.| +|3|The BitLocker policy requires a TPM-only protector for the OS volume, but TPM protection isn't used.| +|4|The BitLocker policy requires TPM+PIN protection for the OS volume, but a TPM+PIN protector isn't used.| +|5|The BitLocker policy requires TPM+startup key protection for the OS volume, but a TPM+startup key protector isn't used.| +|6|The BitLocker policy requires TPM+PIN+startup key protection for the OS volume, but a TPM+PIN+startup key protector isn't used.| +|7|The OS volume is unprotected.| +|8|Recovery key backup failed.| +|9|A fixed drive is unprotected.| +|10|The encryption method of the fixed drive doesn't match the BitLocker policy.| +|11|To encrypt drives, the BitLocker policy requires either the user to sign in as an Administrator or, if the device is joined to Azure AD, the AllowStandardUserEncryption policy must be set to 1.| +|12|Windows Recovery Environment (WinRE) isn't configured.| +|13|A TPM isn't available for BitLocker, either because it isn't present, it has been made unavailable in the Registry, or the OS is on a removable drive. | +|14|The TPM isn't ready for BitLocker.| +|15|The network isn't available, which is required for recovery key backup. | +|16-31|For future use.| + + + @@ -1332,25 +1351,4 @@ The following example is provided to show proper format and should not be taken ``` -### Bitmask error codes -The following table provides the mapping of strings to status node bits: -| Bit | UI Text | -|-----|---------| -|0|The BitLocker policy requires user consent to launch the BitLocker Drive Encryption Wizard to start encryption of the OS volume but the user didn't consent.| -|1|The encryption method of the OS volume doesn't match the BitLocker policy.| -|2|The BitLocker policy requires a TPM protector to protect the OS volume, but a TPM isn't used.| -|3|The BitLocker policy requires a TPM-only protector for the OS volume, but TPM protection isn't used.| -|4|The BitLocker policy requires TPM+PIN protection for the OS volume, but a TPM+PIN protector isn't used.| -|5|The BitLocker policy requires TPM+startup key protection for the OS volume, but a TPM+startup key protector isn't used.| -|6|The BitLocker policy requires TPM+PIN+startup key protection for the OS volume, but a TPM+PIN+startup key protector isn't used.| -|7|The OS volume is unprotected.| -|8|Recovery key backup failed.| -|9|A fixed drive is unprotected.| -|10|The encryption method of the fixed drive doesn't match the BitLocker policy.| -|11|To encrypt drives, the BitLocker policy requires either the user to sign in as an Administrator or, if the device is joined to Azure AD, the AllowStandardUserEncryption policy must be set to 1.| -|12|Windows Recovery Environment (WinRE) isn't configured.| -|13|A TPM isn't available for BitLocker, either because it isn't present, it has been made unavailable in the Registry, or the OS is on a removable drive. | -|14|The TPM isn't ready for BitLocker.| -|15|The network isn't available, which is required for recovery key backup. | -|16-31|For future use.| From c5b2ef0657b7179036b7464c1d417dbb0b6ac907 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 16 Apr 2020 14:59:38 -0700 Subject: [PATCH 07/64] Update monitor-the-use-of-removable-storage-devices.md fix note style --- .../auditing/monitor-the-use-of-removable-storage-devices.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md index 1188b932e6..ee4ffad617 100644 --- a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md +++ b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md @@ -30,7 +30,8 @@ Use the following procedures to monitor the use of removable storage devices and Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. -> [!NOTE] When a policy to audit removable storage is pushed to a computer, a new [Security Descriptor](https://docs.microsoft.com/windows/win32/secauthz/audit-generation) needs to be applied to all removable storage devices with the audit settings. The [security descriptor for a device](https://docs.microsoft.com/windows-hardware/drivers/kernel/controlling-device-access) can be set up either when the device is installed, or by setting up the [device properties in the registry](https://docs.microsoft.com/windows-hardware/drivers/kernel/setting-device-object-registry-properties-after-installation), which is done by calling a [device installation function](https://docs.microsoft.com/previous-versions/ff541299). This may require the device to restart to apply the new security descriptor. +> [!NOTE] +> When a policy to audit removable storage is pushed to a computer, a new [Security Descriptor](https://docs.microsoft.com/windows/win32/secauthz/audit-generation) needs to be applied to all removable storage devices with the audit settings. The [security descriptor for a device](https://docs.microsoft.com/windows-hardware/drivers/kernel/controlling-device-access) can be set up either when the device is installed, or by setting up the [device properties in the registry](https://docs.microsoft.com/windows-hardware/drivers/kernel/setting-device-object-registry-properties-after-installation), which is done by calling a [device installation function](https://docs.microsoft.com/previous-versions/ff541299). This may require the device to restart to apply the new security descriptor. **To configure settings to monitor removable storage devices** From d6137383a3b5884adf8cb3e012a1562003a6727b Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Thu, 16 Apr 2020 15:34:43 -0700 Subject: [PATCH 08/64] Minor update to trigger build --- windows/client-management/mdm/bitlocker-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 6fdb0ccaad..247f122787 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.technology: windows author: lomayor ms.localizationpriority: medium -ms.date: 09/27/2019 +ms.date: 04/16/2020 ms.reviewer: manager: dansimp --- From ddc12e15dd47681072e0caa8dd31ca7a0fcdcd43 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Thu, 16 Apr 2020 15:51:42 -0700 Subject: [PATCH 09/64] Updated table format --- windows/client-management/mdm/bitlocker-csp.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 247f122787..3eb71e57d5 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -1055,7 +1055,7 @@ Interior node. Supported operation is Get. **Status/DeviceEncryptionStatus** -This node reports compliance state of device encryption on the system. See +This node reports compliance state of device encryption on the system.
@@ -1087,8 +1087,8 @@ Supported values: Value type is int. Supported operation is Get. -The following table provides the mapping of the bits in the **Status/DeviceEncryptionStatus** node to the error code string: -| Bit | Error Code String | +The following table provides the mapping of the bits in the **Status/DeviceEncryptionStatus** node to the error codes: +| Bit | Error Code | |-----|---------| |0|The BitLocker policy requires user consent to launch the BitLocker Drive Encryption Wizard to start encryption of the OS volume but the user didn't consent.| |1|The encryption method of the OS volume doesn't match the BitLocker policy.| From a35f30cde322a3aa20330e3f17ecd2217279fbcd Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Thu, 16 Apr 2020 16:29:24 -0700 Subject: [PATCH 10/64] Updated table --- windows/client-management/mdm/bitlocker-csp.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 3eb71e57d5..f53cc96b95 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -1088,6 +1088,7 @@ Supported values: Value type is int. Supported operation is Get. The following table provides the mapping of the bits in the **Status/DeviceEncryptionStatus** node to the error codes: + | Bit | Error Code | |-----|---------| |0|The BitLocker policy requires user consent to launch the BitLocker Drive Encryption Wizard to start encryption of the OS volume but the user didn't consent.| From 1c42ce2aa063efb24677ac156557628f87804030 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Thu, 16 Apr 2020 16:51:31 -0700 Subject: [PATCH 11/64] Updated table format --- .../client-management/mdm/bitlocker-csp.md | 36 +++++++++---------- 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index f53cc96b95..3d9cf7a67b 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -1090,24 +1090,24 @@ Value type is int. Supported operation is Get. The following table provides the mapping of the bits in the **Status/DeviceEncryptionStatus** node to the error codes: | Bit | Error Code | -|-----|---------| -|0|The BitLocker policy requires user consent to launch the BitLocker Drive Encryption Wizard to start encryption of the OS volume but the user didn't consent.| -|1|The encryption method of the OS volume doesn't match the BitLocker policy.| -|2|The BitLocker policy requires a TPM protector to protect the OS volume, but a TPM isn't used.| -|3|The BitLocker policy requires a TPM-only protector for the OS volume, but TPM protection isn't used.| -|4|The BitLocker policy requires TPM+PIN protection for the OS volume, but a TPM+PIN protector isn't used.| -|5|The BitLocker policy requires TPM+startup key protection for the OS volume, but a TPM+startup key protector isn't used.| -|6|The BitLocker policy requires TPM+PIN+startup key protection for the OS volume, but a TPM+PIN+startup key protector isn't used.| -|7|The OS volume is unprotected.| -|8|Recovery key backup failed.| -|9|A fixed drive is unprotected.| -|10|The encryption method of the fixed drive doesn't match the BitLocker policy.| -|11|To encrypt drives, the BitLocker policy requires either the user to sign in as an Administrator or, if the device is joined to Azure AD, the AllowStandardUserEncryption policy must be set to 1.| -|12|Windows Recovery Environment (WinRE) isn't configured.| -|13|A TPM isn't available for BitLocker, either because it isn't present, it has been made unavailable in the Registry, or the OS is on a removable drive. | -|14|The TPM isn't ready for BitLocker.| -|15|The network isn't available, which is required for recovery key backup. | -|16-31|For future use.| +|-----|------------| +| 0 |The BitLocker policy requires user consent to launch the BitLocker Drive Encryption Wizard to start encryption of the OS volume but the user didn't consent.| +| 1 |The encryption method of the OS volume doesn't match the BitLocker policy.| +| 2 |The BitLocker policy requires a TPM protector to protect the OS volume, but a TPM isn't used.| +| 3 |The BitLocker policy requires a TPM-only protector for the OS volume, but TPM protection isn't used.| +| 4 |The BitLocker policy requires TPM+PIN protection for the OS volume, but a TPM+PIN protector isn't used.| +| 5 |The BitLocker policy requires TPM+startup key protection for the OS volume, but a TPM+startup key protector isn't used.| +| 6 |The BitLocker policy requires TPM+PIN+startup key protection for the OS volume, but a TPM+PIN+startup key protector isn't used.| +| 7 |The OS volume is unprotected.| +| 8 |Recovery key backup failed.| +| 9 |A fixed drive is unprotected.| +| 10 |The encryption method of the fixed drive doesn't match the BitLocker policy.| +| 11 |To encrypt drives, the BitLocker policy requires either the user to sign in as an Administrator or, if the device is joined to Azure AD, the AllowStandardUserEncryption policy must be set to 1.| +| 12 |Windows Recovery Environment (WinRE) isn't configured.| +| 13 |A TPM isn't available for BitLocker, either because it isn't present, it has been made unavailable in the Registry, or the OS is on a removable drive. | +| 14 |The TPM isn't ready for BitLocker.| +| 15 |The network isn't available, which is required for recovery key backup. | +| 16-31 |For future use.| From dec8475ee01c9b4c2503c537b9f645e9da5c0274 Mon Sep 17 00:00:00 2001 From: Kurt Sarens <56369685+kurtsarens@users.noreply.github.com> Date: Wed, 22 Apr 2020 18:28:17 -0700 Subject: [PATCH 12/64] Update manage-updates-baselines-windows-defender-antivirus.md First draft to verify the process flow --- ...es-baselines-windows-defender-antivirus.md | 68 ++++++++++++++----- 1 file changed, 50 insertions(+), 18 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md index d444eaedc1..fe00cf4804 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md @@ -48,24 +48,56 @@ You can manage the distribution of updates through Windows Server Update Service Only the main version is listed in the following table as reference information: -Month | Platform/Client | Engine ----|---|--- -Mar-2020 | 4.18.2003.x| 1.1.16900.x -Feb-2020 | - | 1.1.16800.x -Jan-2020 | 4.18.2001.x | 1.1.16700.x -Dec-2019 | - | - | -Nov-2019 | 4.18.1911.x | 1.1.16600.x -Oct-2019 | 4.18.1910.x | 1.1.16500.x -Sep-2019 | 4.18.1909.x | 1.1.16400.x -Aug-2019 | 4.18.1908.x | 1.1.16300.x -Jul-2019 | 4.18.1907.x | 1.1.16200.x -Jun-2019 | 4.18.1906.x | 1.1.16100.x -May-2019 | 4.18.1905.x | 1.1.16000.x -Apr-2019 | 4.18.1904.x | 1.1.15900.x -Mar-2019 | 4.18.1903.x | 1.1.15800.x -Feb-2019 | 4.18.1902.x | 1.1.15700.x -Jan-2019 | 4.18.1901.x | 1.1.15600.x -Dec-18 | 4.18.1812.X | 1.1.15500.x +
+ March-2020 (4.18.2003.8/1.1.16900.2) + + + + Released: **March 26, 2020** + Platform/Client: **4.18.2003.8** + Engine: **1.1.16900.2** + + ### What´s new + * fix1 + * fix2 + * fix3 + + ### Known Issues + * New file path + Because of a change in the file path location in the update, many downloads are blocked when AppLocker is enabled. +To work around this issue, open Group Policy, and then change the setting to Allow for the following path: + + +%OSDrive%\ProgramData\Microsoft\Windows Defender\Platform\* + + +> [!NOTE] +> Information the user should notice even if skimming. + +
+ +
+ Jan-2020 (4.18.2001.10/1.1.16700.2) + + + Released: **March 26, 2020** + Platform/Client: **4.18.2001.10** + Engine: **1.1.16700.2** + + ### What´s new + * fix1 + * fix2 + * fix3 + + ### Known Issues + * New file path + Because of a change in the file path location in the update, many downloads are blocked when AppLocker is enabled. +To work around this issue, open Group Policy, and then change the setting to Allow for the following path: + +%OSDrive%\ProgramData\Microsoft\Windows Defender\Platform\* + +
+ ## In this section From 818b815adae8e76485f0435b740a0e3406e45ed9 Mon Sep 17 00:00:00 2001 From: Kurt Sarens <56369685+kurtsarens@users.noreply.github.com> Date: Sun, 26 Apr 2020 18:07:51 -0700 Subject: [PATCH 13/64] Update manage-updates-baselines-windows-defender-antivirus.md revision of the doc + supportability statement --- ...es-baselines-windows-defender-antivirus.md | 212 ++++++++++++++---- 1 file changed, 168 insertions(+), 44 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md index fe00cf4804..9cbd8b642a 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md @@ -1,6 +1,6 @@ --- -title: Manage Windows Defender Antivirus updates and apply baselines -description: Manage how Windows Defender Antivirus receives protection and product updates. +title: Manage Microsoft Defender Antivirus updates and apply baselines +description: Manage how Microsoft Defender Antivirus receives protection and product updates. keywords: updates, security baselines, protection, schedule updates, force updates, mobile updates, wsus search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -17,7 +17,7 @@ ms.reviewer: manager: dansimp --- -# Manage Windows Defender Antivirus updates and apply baselines +# Manage Microsoft Defender Antivirus updates and apply baselines **Applies to:** @@ -25,16 +25,16 @@ manager: dansimp There are two types of updates related to keeping Windows Defender Antivirus up to date: -1. Protection updates +1. Security intelligence updates 2. Product updates -You can also apply [Windows security baselines](https://technet.microsoft.com/itpro/windows/keep-secure/windows-security-baselines) to quickly bring your endpoints up to a uniform level of protection. -## Protection updates -Windows Defender Antivirus uses both [cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloaded protection updates to provide protection. These protection updates are also known as Security intelligence updates. +## Security intelligence updates -The cloud-delivered protection is always on and requires an active connection to the Internet to function, while the protection updates generally occur once a day (although this can be configured). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for more details about enabling and configuring cloud-provided protection. +Microsoft Defender Antivirus uses [cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloads Security intelligence updates to provide protection. + +The cloud-delivered protection is always on and requires an active connection to the Internet to function, while the Security intelligence updates occur on a scheduled cadence (configurable via policy). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for more details about enabling and configuring cloud-provided protection. Engine updates are included with the Security intelligence updates and are released on a monthly cadence. @@ -46,59 +46,183 @@ You can manage the distribution of updates through Windows Server Update Service ## Released platform and engine versions -Only the main version is listed in the following table as reference information: +### Monthly platform and engine releases +For information how to update or how to install the platform update, please see: [Update for Windows Defender antimalware platform](https://support.microsoft.com/en-us/help/4052623/update-for-windows-defender-antimalware-platform)
- March-2020 (4.18.2003.8/1.1.16900.2) - + April-2020 (Platform: 4.18.2004.5 | Engine: 1.1.17000.2) +Security intelligence update version: **TBD** +Released: **April 30, 2020** +Platform: **4.18.2004.5** +Engine: **1.1.17000.2** +Support phase: **Security and Critical Updates** - Released: **March 26, 2020** - Platform/Client: **4.18.2003.8** - Engine: **1.1.16900.2** - - ### What´s new - * fix1 - * fix2 - * fix3 - - ### Known Issues - * New file path - Because of a change in the file path location in the update, many downloads are blocked when AppLocker is enabled. -To work around this issue, open Group Policy, and then change the setting to Allow for the following path: +### What's new +:::row::: + :::column::: + **Platform** + * fix1 + * fix2 -%OSDrive%\ProgramData\Microsoft\Windows Defender\Platform\* - - -> [!NOTE] -> Information the user should notice even if skimming. - + :::column-end::: + :::column::: + **Engine** + * fix1 + * fix2 + :::column-end::: +:::row-end::: + +### Known Issues +No known issues
- Jan-2020 (4.18.2001.10/1.1.16700.2) + March-2020 (Platform: 4.18.2003.8 | Engine: 1.1.16900.2) + +Security intelligence update version: **1.313.8.0** +Released: **March 24, 2020** +Platform: **4.18.2003.8** +Engine: **1.1.16900.4** +Support phase: **Technical upgrade Support (Only)** + +### What's new + +:::row::: + :::column::: + **Platform** + * fix1 + * fix2 + + :::column-end::: + :::column::: + **Engine** + * fix1 + * fix2 + :::column-end::: +:::row-end::: + +### Known Issues +No known issues +
+ +
+ + February-2020 (Platform: - | Engine: 1.1.16800.2) + + Security intelligence update version: **1.311.4.0** + Released: **February 25, 2020** + Platform/Client: **-** + Engine: **1.1.16800.2** + Support phase: **N/A** + +### What's new + +:::row::: + :::column::: + **Platform** + * fix1 + * fix2 + + :::column-end::: + :::column::: + **Engine** + * fix1 + * fix2 + :::column-end::: +:::row-end::: + +### Known Issues +No known issues +
+ +
+ January-2020 (Platform: 4.18.2001.10 | Engine: 1.1.16700.2) - Released: **March 26, 2020** + Security intelligence update version: **1.309.32.0** + Released: **January 30, 2020** Platform/Client: **4.18.2001.10** - Engine: **1.1.16700.2** - - ### What´s new - * fix1 - * fix2 - * fix3 - - ### Known Issues - * New file path - Because of a change in the file path location in the update, many downloads are blocked when AppLocker is enabled. -To work around this issue, open Group Policy, and then change the setting to Allow for the following path: + Engine: **1.1.16700.2** + Support phase: **Technical upgrade Support (Only)** + +### What's new -%OSDrive%\ProgramData\Microsoft\Windows Defender\Platform\* +:::row::: + :::column::: + **Platform** + * fix1 + * fix2 + :::column-end::: + :::column::: + **Engine** + * fix1 + * fix2 + :::column-end::: +:::row-end::: + +### Known Issues +No known issues
+
+ November-2019 (Platform: 4.18.1911.2 | Engine: 1.1.16600.7) +Security intelligence update version: **1.307.13.0** +Released: **December 7, 2019** +Platform: **4.18.1911.2** +Engine: **1.1.17000.7** +Support phase: **No support** + +### What's new + +:::row::: + :::column::: + **Platform** + * fix1 + * fix2 + + :::column-end::: + :::column::: + **Engine** + * fix1 + * fix2 + :::column-end::: +:::row-end::: + +### Known Issues +No known issues +
+ +## Windows Defender Antivirus platform support +As stated above, platform and engine updates are provided on a monthly cadence. +Customers must stay current with the latest platform update to be fully supported. Our support structure is now dynamic, evolving into two phases depending on the availability of the latest platform version. + + +* **Security and Critical Updates servicing phase** - When running the latest platform version, you will be eligible to receive both Security and Critical updates to the anti-malware platform. + + +* **Technical Support (Only) phase** - After a new platform version is released, support for older versions (N-2) will reduce to technical support only. Platform versions older than N-2 will no longer be supported.* + +*Technical support will continue to be provided for upgrades from the Windows 10 release version (see [Platform version included with Windows 10 releases](#platform-version-included-with-windows-10-releases)) to the latest platform version. + +During the technical support (only) phase, commercially reasonable support incidents will be provided through Microsoft Customer Service & Support and Microsoft’s managed support offerings (such as Premier Support). If a support incident requires escalation to development for further guidance, requires a non-security update, or requires a security update, customers will be asked to upgrade to the latest platform version or an intermediate update(*). + +### Platform version included with Windows 10 releases +The below table provides the Windows Defender Antivirus platform and engine versions that are shipped with the latest Windows 10 releases: + +|Windows 10 release |Platform version |Engine version |Support phase | +|-|-|-|-| +|1909 (19H2) |4.18.1902.5 |1.1.16700.3 | Technical upgrade Support (Only) +|1903 (19H1) |4.18.1902.5 |1.1.15600.4 | Technical upgrade Support (Only) +|1809 (RS5) |4.18.1807.18075 |1.1.15000.2 | Technical upgrade Support (Only) +|1803 (RS4) |4.13.17134.1 |1.1.14600.4 | Technical upgrade Support (Only) +|1709 (RS3) |4.12.16299.15 |1.1.14104.0 | Technical upgrade Support (Only) +|1703 (RS2) |4.11.15603.2 |1.1.13504.0 | Technical upgrade Support (Only) +|1607 (RS1) |4.10.14393.3683 |1.1.12805.0 | Technical upgrade Support (Only) +Windows 10 release info: [Windows lifecycle fact sheet](https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet) ## In this section From 0d85997bc89cc3383f58df850e31adcbde8516e9 Mon Sep 17 00:00:00 2001 From: martyav Date: Mon, 27 Apr 2020 18:46:56 -0400 Subject: [PATCH 14/64] linting --- ...cloud-protection-windows-defender-antivirus.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md index 985b6f0b7c..5d069878d5 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md @@ -37,14 +37,14 @@ There are specific network-connectivity requirements to ensure your endpoints ca >[!NOTE] >In Windows 10, there is no difference between the **Basic** and **Advanced** options described in this topic. This is a legacy distinction and choosing either setting will result in the same level of cloud-delivered protection. There is no difference in the type or amount of information that is shared. See the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=521839) for more information on what we collect. -**Use Intune to enable cloud-delivered protection** +## Use Intune to enable cloud-delivered protection 1. Sign in to the [Azure portal](https://portal.azure.com). 2. Select **All services > Intune**. 3. In the **Intune** pane, select **Device configuration > Profiles**, and then select the **Device restrictions** profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). 4. Select **Properties**, select **Settings: Configure**, and then select **Windows Defender Antivirus**. 5. On the **Cloud-delivered protection** switch, select **Enable**. -6. In the **Prompt users before sample submission** dropdown, select **Send all data without prompting**. +6. In the **Prompt users before sample submission** dropdown, select **Send all data without prompting**. 7. In the **Submit samples consent** dropdown, select one of the following: - **Send safe samples automatically** @@ -60,11 +60,11 @@ There are specific network-connectivity requirements to ensure your endpoints ca For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles) -**Use Configuration Manager to enable cloud-delivered protection:** +## Use Configuration Manager to enable cloud-delivered protection See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring Microsoft Endpoint Configuration Manager (current branch). -**Use Group Policy to enable cloud-delivered protection:** +## Use Group Policy to enable cloud-delivered protection 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. @@ -89,7 +89,7 @@ See [How to create and deploy antimalware policies: Cloud-protection service](ht 7. Click **OK**. -**Use PowerShell cmdlets to enable cloud-delivered protection:** +## Use PowerShell cmdlets to enable cloud-delivered protection Use the following cmdlets to enable cloud-delivered protection: @@ -108,14 +108,15 @@ See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn439474(v=vs.85).aspx) class for the following properties: ```WMI -MAPSReporting +MAPSReporting SubmitSamplesConsent ``` See the following for more information and allowed parameters: + - [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) -**Enable cloud-delivered protection on individual clients with the Windows Security app** +**Enable cloud-delivered protection on individual clients with the Windows Security app > [!NOTE] > If the **Configure local setting override for reporting Microsoft MAPS** Group Policy setting is set to **Disabled**, then the **Cloud-based protection** setting in Windows Settings will be greyed-out and unavailable. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. From 59ea54e63e139a77a4f3db3231fb02a223e73513 Mon Sep 17 00:00:00 2001 From: martyav Date: Mon, 27 Apr 2020 19:50:36 -0400 Subject: [PATCH 15/64] info on valid values + links --- ...e-cloud-protection-windows-defender-antivirus.md | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md index 5d069878d5..97460bb973 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md @@ -95,15 +95,20 @@ Use the following cmdlets to enable cloud-delivered protection: ```PowerShell Set-MpPreference -MAPSReporting Advanced -Set-MpPreference -SubmitSamplesConsent AlwaysPrompt +Set-MpPreference -SubmitSamplesConsent SendSafeSamples ``` >[!NOTE] ->You can also set -SubmitSamplesConsent to `None`. Setting it to `Never` will lower the protection state of the device, and setting it to 2 means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function. +> You can also set **-SubmitSamplesConsent** to SendAllSamples`, `NeverSend`, or `AlwaysPrompt`. -See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. +>[!WARNING] +> Setting **-SubmitSamplesConsent** to `NeverSend` or `AlwaysPrompt` will lower the protection state of the device. +> +> In addition, setting it to `NeverSend` means that the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature won't work. -**Use Windows Management Instruction (WMI) to enable cloud-delivered protection:** +See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. [Policy CSP - Defender](../../../client-management/mdm//policy-csp-defender.md) also has more information specifically on [-SubmitSampleConsent](../../../client-management/mdm//policy-csp-defender.md#defender-submitsamplesconsent). + +## Use Windows Management Instruction (WMI) to enable cloud-delivered protection Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn439474(v=vs.85).aspx) class for the following properties: From 7400f912325a02f8341dbc790b016060669caf33 Mon Sep 17 00:00:00 2001 From: Kurt Sarens <56369685+kurtsarens@users.noreply.github.com> Date: Tue, 28 Apr 2020 10:05:49 -0700 Subject: [PATCH 16/64] Update manage-updates-baselines-windows-defender-antivirus.md fixing table --- ...es-baselines-windows-defender-antivirus.md | 25 ++++++++++--------- 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md index 9cbd8b642a..057ae2c994 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md @@ -1,6 +1,6 @@ --- -title: Manage Microsoft Defender Antivirus updates and apply baselines -description: Manage how Microsoft Defender Antivirus receives protection and product updates. +title: Manage Windows Defender Antivirus updates and apply baselines +description: Manage how Windows Defender Antivirus receives protection and product updates. keywords: updates, security baselines, protection, schedule updates, force updates, mobile updates, wsus search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -17,7 +17,7 @@ ms.reviewer: manager: dansimp --- -# Manage Microsoft Defender Antivirus updates and apply baselines +# Manage Windows Defender Antivirus updates and apply baselines **Applies to:** @@ -32,7 +32,7 @@ There are two types of updates related to keeping Windows Defender Antivirus up ## Security intelligence updates -Microsoft Defender Antivirus uses [cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloads Security intelligence updates to provide protection. +Windows Defender Antivirus uses [cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloads Security intelligence updates to provide protection. The cloud-delivered protection is always on and requires an active connection to the Internet to function, while the Security intelligence updates occur on a scheduled cadence (configurable via policy). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for more details about enabling and configuring cloud-provided protection. @@ -213,15 +213,16 @@ During the technical support (only) phase, commercially reasonable support incid ### Platform version included with Windows 10 releases The below table provides the Windows Defender Antivirus platform and engine versions that are shipped with the latest Windows 10 releases: -|Windows 10 release |Platform version |Engine version |Support phase | +|Windows 10 release |Platform version |Engine version |Support phase | |-|-|-|-| -|1909 (19H2) |4.18.1902.5 |1.1.16700.3 | Technical upgrade Support (Only) -|1903 (19H1) |4.18.1902.5 |1.1.15600.4 | Technical upgrade Support (Only) -|1809 (RS5) |4.18.1807.18075 |1.1.15000.2 | Technical upgrade Support (Only) -|1803 (RS4) |4.13.17134.1 |1.1.14600.4 | Technical upgrade Support (Only) -|1709 (RS3) |4.12.16299.15 |1.1.14104.0 | Technical upgrade Support (Only) -|1703 (RS2) |4.11.15603.2 |1.1.13504.0 | Technical upgrade Support (Only) -|1607 (RS1) |4.10.14393.3683 |1.1.12805.0 | Technical upgrade Support (Only) +|1909 (19H2) |4.18.1902.5 |1.1.16700.3 | Technical upgrade Support (Only) | +|1903 (19H1) |4.18.1902.5 |1.1.15600.4 | Technical upgrade Support (Only) | +|1809 (RS5) |4.18.1807.18075 |1.1.15000.2 | Technical upgrade Support (Only) | +|1803 (RS4) |4.13.17134.1 |1.1.14600.4 | Technical upgrade Support (Only) | +|1709 (RS3) |4.12.16299.15 |1.1.14104.0 | Technical upgrade Support (Only) | +|1703 (RS2) |4.11.15603.2 |1.1.13504.0 | Technical upgrade Support (Only) | +|1607 (RS1) |4.10.14393.3683 |1.1.12805.0 | Technical upgrade Support (Only) | + Windows 10 release info: [Windows lifecycle fact sheet](https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet) ## In this section From 7e621dd7f9fa4472482b53300680c1bfed8be106 Mon Sep 17 00:00:00 2001 From: matt-call <49792205+matt-call@users.noreply.github.com> Date: Tue, 28 Apr 2020 14:52:59 -0400 Subject: [PATCH 17/64] Update remotewipe-csp.md More Fixes --- windows/client-management/mdm/remotewipe-csp.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md index bdf604d6d8..3ee8a2cd21 100644 --- a/windows/client-management/mdm/remotewipe-csp.md +++ b/windows/client-management/mdm/remotewipe-csp.md @@ -48,16 +48,16 @@ Supported operation is Exec. Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device and persist user accounts and data. The return status code shows whether the device accepted the Exec command. **AutomaticRedeployment** -Added in Windows 10, next major update. Node for the Autopilot Reset operation. +Added in Windows 10, version 1809. Node for the Autopilot Reset operation. **AutomaticRedeployment/doAutomaticRedeployment** -Added in Windows 10, next major update. Exec on this node triggers Autopilot Reset operation. This works like PC Reset, similar to other existing nodes in this RemoteWipe CSP, except that it keeps the device enrolled in Azure AD and MDM, keeps Wi-Fi profiles, and a few other settings like region, language, keyboard. +Added in Windows 10, version 1809. Exec on this node triggers Autopilot Reset operation. This works like PC Reset, similar to other existing nodes in this RemoteWipe CSP, except that it keeps the device enrolled in Azure AD and MDM, keeps Wi-Fi profiles, and a few other settings like region, language, keyboard. **AutomaticRedeployment/LastError** -Added in Windows 10, next major update. Error value, if any, associated with Autopilot Reset operation (typically an HRESULT). +Added in Windows 10, version 1809. Error value, if any, associated with Autopilot Reset operation (typically an HRESULT). **AutomaticRedeployment/Status** -Added in Windows 10, next major update. Status value indicating current state of an Autopilot Reset operation. +Added in Windows 10, version 1809. Status value indicating current state of an Autopilot Reset operation. Supported values: From 3487798189a01355c9d2a9ac2fce8b64062f5ade Mon Sep 17 00:00:00 2001 From: Kurt Sarens <56369685+kurtsarens@users.noreply.github.com> Date: Tue, 28 Apr 2020 12:55:33 -0700 Subject: [PATCH 18/64] Update manage-updates-baselines-windows-defender-antivirus.md update according to feedback --- ...es-baselines-windows-defender-antivirus.md | 22 +++++++++++-------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md index b05fb44dc0..8b55207b8c 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md @@ -27,7 +27,9 @@ There are two types of updates related to keeping Windows Defender Antivirus up 1. Security intelligence updates 2. Product updates - +> [!IMPORTANT] +> Keeping Windows Defender Antivirus up to date is crucial to assure your devices have the latest technology and features needed to protect against new malware and attack techniques. +> This also applies to devices where Windows Defender Antivirus is running in [passive mode](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility). ## Security intelligence updates @@ -39,9 +41,10 @@ Engine updates are included with the Security intelligence updates and are relea ## Product updates -Windows Defender Antivirus requires [monthly updates](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform) (known as "platform updates"), and will receive major feature updates alongside Windows 10 releases. +Windows Defender Antivirus requires [monthly updates (KB4052623)](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform) (known as "platform updates"), and will receive major feature updates alongside Windows 10 releases. -You can manage the distribution of updates through Windows Server Update Service (WSUS), with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/sum/understand/software-updates-introduction), or in the normal manner that you deploy Microsoft and Windows updates to endpoints in your network. +You can manage the distribution of updates through [Windows Server Update Service (WSUS)](https://docs.microsoft.com/en-us/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus), with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/sum/understand/software-updates-introduction), or in the normal manner that you deploy Microsoft and Windows updates to endpoints in your network. +For more information see [Manage the sources for Windows Defender Antivirus protection updates](https://docs.microsoft.com/en-us/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus) ## Released platform and engine versions @@ -138,13 +141,14 @@ No known issues
- January-2020 (Platform: 4.18.2001.10 | Engine: 1.1.16700.2) + January-2020 (Platform: 4.18.2001.10 | Engine: 1.1.16700.2) - Security intelligence update version: **1.309.32.0** - Released: **January 30, 2020** - Platform/Client: **4.18.2001.10** - Engine: **1.1.16700.2** - Support phase: **Technical upgrade Support (Only)** + +Security intelligence update version: **1.309.32.0** +Released: **January 30, 2020** +Platform/Client: **4.18.2001.10** +Engine: **1.1.16700.2** +Support phase: **Technical upgrade Support (Only)** ### What's new From 23aa7f69aaea4e5b1384032df78b2ab72fe30de0 Mon Sep 17 00:00:00 2001 From: martyav Date: Tue, 28 Apr 2020 15:58:03 -0400 Subject: [PATCH 19/64] some copyedits and clarifications --- ...d-protection-windows-defender-antivirus.md | 34 +++++++++---------- 1 file changed, 16 insertions(+), 18 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md index 97460bb973..aad6c18af5 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md @@ -22,8 +22,8 @@ ms.custom: nextgen - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->[!NOTE] ->The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates. +> [!NOTE] +> The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates. Windows Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/). ![List of Windows Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png) @@ -34,8 +34,8 @@ See [Use Microsoft cloud-delivered protection](utilize-microsoft-cloud-protectio There are specific network-connectivity requirements to ensure your endpoints can connect to the cloud-delivered protection service. See [Configure and validate network connections](configure-network-connections-windows-defender-antivirus.md) for more details. ->[!NOTE] ->In Windows 10, there is no difference between the **Basic** and **Advanced** options described in this topic. This is a legacy distinction and choosing either setting will result in the same level of cloud-delivered protection. There is no difference in the type or amount of information that is shared. See the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=521839) for more information on what we collect. +> [!NOTE] +> In Windows 10, there is no difference between the **Basic** and **Advanced** reporting options described in this topic. This is a legacy distinction and choosing either setting will result in the same level of cloud-delivered protection. There is no difference in the type or amount of information that is shared. See the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=521839) for more information on what we collect. ## Use Intune to enable cloud-delivered protection @@ -51,10 +51,10 @@ There are specific network-connectivity requirements to ensure your endpoints ca - **Send all samples automatically** >[!NOTE] - >**Send safe samples automatically** option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation. + > The **Send safe samples automatically** option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation. > [!WARNING] - > Setting to **Always Prompt** will lower the protection state of the device. Setting to **Never send** means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function. + > Setting to **Always Prompt** will lower the protection state of the device. Setting to **Never send** means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature of Microsoft Defender ATP won't work. 8. Click **OK** to exit the **Windows Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile. @@ -70,22 +70,22 @@ See [How to create and deploy antimalware policies: Cloud-protection service](ht 2. In the **Group Policy Management Editor** go to **Computer configuration**. -3. Click **Administrative templates**. +3. Select **Administrative templates**. 4. Expand the tree to **Windows components > Windows Defender Antivirus > MAPS** -5. Double-click **Join Microsoft MAPS** and ensure the option is enabled and set to **Basic MAPS** or **Advanced MAPS**. Click **OK**. +5. Double-click **Join Microsoft MAPS**. Ensure the option is enabled and set to **Basic MAPS** or **Advanced MAPS**. Select **OK**. -6. Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either of the following: +6. Double-click **Send file samples when further analysis is required**. Ensure that the option is set to **Enabled** and that the other options are either of the following: 1. **Send safe samples** (1) 2. **Send all samples** (3) >[!NOTE] - >**Send safe samples automatically** option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation. + > The **Send safe samples** (1) option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation. > [!WARNING] - > Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function. + > Setting the option to **Always Prompt** (0) will lower the protection state of the device. Setting it to **Never send** (2) means that the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature of Microsoft Defender ATP won't work. 7. Click **OK**. @@ -95,18 +95,16 @@ Use the following cmdlets to enable cloud-delivered protection: ```PowerShell Set-MpPreference -MAPSReporting Advanced -Set-MpPreference -SubmitSamplesConsent SendSafeSamples +Set-MpPreference -SubmitSamplesConsent SendAllSamples ``` +See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. [Policy CSP - Defender](../../../client-management/mdm//policy-csp-defender.md) also has more information specifically on [-SubmitSampleConsent](../../../client-management/mdm//policy-csp-defender.md#defender-submitsamplesconsent). + >[!NOTE] -> You can also set **-SubmitSamplesConsent** to SendAllSamples`, `NeverSend`, or `AlwaysPrompt`. +> You can also set **-SubmitSamplesConsent** to `SendSafeSamples` (the default setting), `NeverSend`, or `AlwaysPrompt`. The `SendSafeSamples` setting means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation. >[!WARNING] -> Setting **-SubmitSamplesConsent** to `NeverSend` or `AlwaysPrompt` will lower the protection state of the device. -> -> In addition, setting it to `NeverSend` means that the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature won't work. - -See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. [Policy CSP - Defender](../../../client-management/mdm//policy-csp-defender.md) also has more information specifically on [-SubmitSampleConsent](../../../client-management/mdm//policy-csp-defender.md#defender-submitsamplesconsent). +> Setting **-SubmitSamplesConsent** to `NeverSend` or `AlwaysPrompt` will lower the protection level of the device. In addition, setting it to `NeverSend` means that the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature of Microsoft Defender ATP won't work. ## Use Windows Management Instruction (WMI) to enable cloud-delivered protection From 74e0d0222bba98bf583e6017225fb00867bdc249 Mon Sep 17 00:00:00 2001 From: martyav Date: Tue, 28 Apr 2020 16:30:55 -0400 Subject: [PATCH 20/64] one more heading --- .../enable-cloud-protection-windows-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md index aad6c18af5..7fea389db9 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md @@ -119,7 +119,7 @@ See the following for more information and allowed parameters: - [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) -**Enable cloud-delivered protection on individual clients with the Windows Security app +## Enable cloud-delivered protection on individual clients with the Windows Security app > [!NOTE] > If the **Configure local setting override for reporting Microsoft MAPS** Group Policy setting is set to **Disabled**, then the **Cloud-based protection** setting in Windows Settings will be greyed-out and unavailable. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. From a5df7f867caba3d907691f97da8201cb3a7b866c Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 28 Apr 2020 14:14:32 -0700 Subject: [PATCH 21/64] Update manage-updates-baselines-windows-defender-antivirus.md --- ...manage-updates-baselines-windows-defender-antivirus.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md index 8b55207b8c..fe28605d32 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md @@ -43,13 +43,13 @@ Engine updates are included with the Security intelligence updates and are relea Windows Defender Antivirus requires [monthly updates (KB4052623)](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform) (known as "platform updates"), and will receive major feature updates alongside Windows 10 releases. -You can manage the distribution of updates through [Windows Server Update Service (WSUS)](https://docs.microsoft.com/en-us/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus), with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/sum/understand/software-updates-introduction), or in the normal manner that you deploy Microsoft and Windows updates to endpoints in your network. -For more information see [Manage the sources for Windows Defender Antivirus protection updates](https://docs.microsoft.com/en-us/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus) +You can manage the distribution of updates through [Windows Server Update Service (WSUS)](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus), with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/sum/understand/software-updates-introduction), or in the normal manner that you deploy Microsoft and Windows updates to endpoints in your network. +For more information see [Manage the sources for Windows Defender Antivirus protection updates](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus) ## Released platform and engine versions ### Monthly platform and engine releases -For information how to update or how to install the platform update, please see: [Update for Windows Defender antimalware platform](https://support.microsoft.com/en-us/help/4052623/update-for-windows-defender-antimalware-platform) +For information how to update or how to install the platform update, please see: [Update for Windows Defender antimalware platform](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform)
April-2020 (Platform: 4.18.2004.5 | Engine: 1.1.17000.2) @@ -226,7 +226,7 @@ The below table provides the Windows Defender Antivirus platform and engine vers |1703 (RS2) |4.11.15603.2 |1.1.13504.0 | Technical upgrade Support (Only) | |1607 (RS1) |4.10.14393.3683 |1.1.12805.0 | Technical upgrade Support (Only) | -Windows 10 release info: [Windows lifecycle fact sheet](https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet) +Windows 10 release info: [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet) ## In this section From 2dc9a5aa3a1ba414e490fd48038ac5be9112d553 Mon Sep 17 00:00:00 2001 From: Ikko Ashimine Date: Thu, 30 Apr 2020 00:25:14 +0900 Subject: [PATCH 22/64] Fix typo MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Micosoft→Microsoft --- windows/client-management/mdm/get-offline-license.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/get-offline-license.md b/windows/client-management/mdm/get-offline-license.md index 772d402b87..87699a8b11 100644 --- a/windows/client-management/mdm/get-offline-license.md +++ b/windows/client-management/mdm/get-offline-license.md @@ -1,6 +1,6 @@ --- title: Get offline license -description: The Get offline license operation retrieves the offline license information of a product from the Micosoft Store for Business. +description: The Get offline license operation retrieves the offline license information of a product from the Microsoft Store for Business. ms.assetid: 08DAD813-CF4D-42D6-A783-994A03AEE051 ms.reviewer: manager: dansimp @@ -14,7 +14,7 @@ ms.date: 09/18/2017 # Get offline license -The **Get offline license** operation retrieves the offline license information of a product from the Micosoft Store for Business. +The **Get offline license** operation retrieves the offline license information of a product from the Microsoft Store for Business. ## Request From f88df254db72eef46d349f7ba102c925ba8caae1 Mon Sep 17 00:00:00 2001 From: John Kaiser <35939694+CoveMiner@users.noreply.github.com> Date: Wed, 29 Apr 2020 12:13:54 -0700 Subject: [PATCH 23/64] Updates to Pro X --- .../surface/enroll-and-configure-surface-devices-with-semm.md | 2 +- devices/surface/surface-pro-arm-app-management.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/devices/surface/enroll-and-configure-surface-devices-with-semm.md b/devices/surface/enroll-and-configure-surface-devices-with-semm.md index 0147596761..80367c8e53 100644 --- a/devices/surface/enroll-and-configure-surface-devices-with-semm.md +++ b/devices/surface/enroll-and-configure-surface-devices-with-semm.md @@ -24,7 +24,7 @@ For a more high-level overview of SEMM, see [Microsoft Surface Enterprise Manage A streamlined method of managing firmware from the cloud on Surface Pro 7,Surface Pro X and Surface Laptop 3 is now available via public preview. For more information,refer to [Intune management of Surface UEFI settings](surface-manage-dfci-guide.md). > [!NOTE] -> SEMM is not supported on Surface Pro X. For more information, refer to [Deploying, managing, and servicing Surface Pro X](surface-pro-arm-app-management.md). +> SEMM is supported on Surface Pro X via the UEFI Manager only. For more information, refer to [Deploying, managing, and servicing Surface Pro X](surface-pro-arm-app-management.md). #### Download and install Microsoft Surface UEFI Configurator The tool used to create SEMM packages is Microsoft Surface UEFI Configurator. You can download Microsoft Surface UEFI Configurator from the [Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) page in the Microsoft Download Center. diff --git a/devices/surface/surface-pro-arm-app-management.md b/devices/surface/surface-pro-arm-app-management.md index f3d922c048..488eeca1a2 100644 --- a/devices/surface/surface-pro-arm-app-management.md +++ b/devices/surface/surface-pro-arm-app-management.md @@ -139,10 +139,10 @@ The following tables show the availability of selected key features on Surface P | Endpoint Configuration Manager | Yes | Yes | | | Power on When AC Restore | Yes | Yes | | | Surface Diagnostic Toolkit (SDT) for Business | Yes | Yes | | -| Surface Dock Firmware Update | Yes | Yes | | +| Surface Dock Firmware Update | Yes | No | | | Asset Tag Utility | Yes | Yes | | | Surface Enterprise management Mode (SEMM) | Yes | Partial | No option to disable hardware on Surface Pro X at the firmware level. | -| Surface UEFI Configurator | Yes | | No option to disable hardware. on Surface Pro X at the firmware level. | +| Surface UEFI Configurator | Yes | No | No option to disable hardware. on Surface Pro X at the firmware level. | | Surface UEFI Manager | Yes | Partial | No option to disable hardware on Surface Pro X at the firmware level. | From 332428dae3b023cc3cae5de4661d8c76741098a7 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Wed, 29 Apr 2020 13:08:38 -0700 Subject: [PATCH 24/64] Incorporated dev feedback --- windows/client-management/mdm/bitlocker-csp.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 3d9cf7a67b..78737dcfde 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -1083,7 +1083,7 @@ This node reports compliance state of device encryption on the system. Supported values: - 0 - Indicates that the device is compliant. -- Any other value represents a non-compliant device. +- Any non-zero value - Indicates that the device is not compliant. This value represents a bitmask with each bit explained by values in the table below. Value type is int. Supported operation is Get. @@ -1092,7 +1092,7 @@ The following table provides the mapping of the bits in the **Status/DeviceEncry | Bit | Error Code | |-----|------------| | 0 |The BitLocker policy requires user consent to launch the BitLocker Drive Encryption Wizard to start encryption of the OS volume but the user didn't consent.| -| 1 |The encryption method of the OS volume doesn't match the BitLocker policy.| +| 1 |The encryption method of the OS volume doesn't match the BitLocker policy.| | 2 |The BitLocker policy requires a TPM protector to protect the OS volume, but a TPM isn't used.| | 3 |The BitLocker policy requires a TPM-only protector for the OS volume, but TPM protection isn't used.| | 4 |The BitLocker policy requires TPM+PIN protection for the OS volume, but a TPM+PIN protector isn't used.| From 39c30d2e99388cb1f686526f246ca8c5b61baa89 Mon Sep 17 00:00:00 2001 From: Kurt Sarens <56369685+kurtsarens@users.noreply.github.com> Date: Wed, 29 Apr 2020 13:29:05 -0700 Subject: [PATCH 25/64] Update command-line-arguments-windows-defender-antivirus.md Update CPU Throttling parameter --- .../command-line-arguments-windows-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md index b42e1c8729..0483497ae8 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md @@ -42,7 +42,7 @@ MpCmdRun.exe -scan -2 | Command | Description | |:----|:----| | `-?` **or** `-h` | Displays all available options for this tool | -| `-Scan [-ScanType [0\|1\|2\|3]] [-File [-DisableRemediation] [-BootSectorScan] [-CpuThrottling]] [-Timeout ] [-Cancel]` | Scans for malicious software. Values for **ScanType** are: **0** Default, according to your configuration, **-1** Quick scan, **-2** Full scan, **-3** File and directory custom scan. | +| `-Scan [-ScanType [0\|1\|2\|3]] [-File [-DisableRemediation] [-BootSectorScan] [-CpuThrottling]] [-Timeout ] [-Cancel]` | Scans for malicious software. Values for **ScanType** are: **0** Default, according to your configuration, **-1** Quick scan, **-2** Full scan, **-3** File and directory custom scan. CpuThrottling will honor the configured CPU throttling from policy | | `-Trace [-Grouping #] [-Level #]` | Starts diagnostic tracing | | `-GetFiles` | Collects support information | | `-GetFilesDiagTrack` | Same as `-GetFiles`, but outputs to temporary DiagTrack folder | From 9adbbcaafc363c24cbbe7ad66258dc661e16d7c5 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Wed, 29 Apr 2020 13:56:35 -0700 Subject: [PATCH 26/64] Minor text updates --- windows/client-management/mdm/bitlocker-csp.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 78737dcfde..4d8c043a56 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -1081,13 +1081,11 @@ This node reports compliance state of device encryption on the system. -Supported values: -- 0 - Indicates that the device is compliant. -- Any non-zero value - Indicates that the device is not compliant. This value represents a bitmask with each bit explained by values in the table below. - Value type is int. Supported operation is Get. -The following table provides the mapping of the bits in the **Status/DeviceEncryptionStatus** node to the error codes: +Supported values: +- 0 - Indicates that the device is compliant. +- Any non-zero value - Represents a bitmask indicating that the device is not compliant. The following tables provides the mapping of each bit with the error code: | Bit | Error Code | |-----|------------| From 9d82bfa6dca671e99de8826d753a05048d6fc425 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Wed, 29 Apr 2020 14:05:08 -0700 Subject: [PATCH 27/64] Applied [!NOTE] style --- .../monitor-the-use-of-removable-storage-devices.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md index ee4ffad617..30ed1af8fc 100644 --- a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md +++ b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md @@ -49,7 +49,8 @@ After you configure the settings to monitor removable storage devices, use the f 1. Sign in to the computer that hosts the resources that you want to monitor. Press the Windows key + R, and then type **cmd** to open a Command Prompt window. - >**Note:**  If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. + > [!NOTE] + > If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. 2. Type **gpupdate /force**, and press ENTER. 3. Connect a removable storage device to the targeted computer and attempt to copy a file that is protected with the Removable Storage Audit policy. @@ -59,7 +60,8 @@ After you configure the settings to monitor removable storage devices, use the f Key information to look for includes the name and account domain of the user who attempted to access the file, the object that the user is attempting to access, resource attributes of the resource, and the type of access that was attempted. - >**Note:**  We do not recommend that you enable this category on a file server that hosts file shares on a removable storage device. When Removable Storage Auditing is configured, any attempt to access the removable storage device will generate an audit event. + > [!NOTE] + > We do not recommend that you enable this category on a file server that hosts file shares on a removable storage device. When Removable Storage Auditing is configured, any attempt to access the removable storage device will generate an audit event. ### Related resource From 89777310578af1b4a1e59a5fe39606e90a1f512d Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Wed, 29 Apr 2020 14:17:20 -0700 Subject: [PATCH 28/64] Deleted duplicated text, indent content in a second-level list item --- .../enroll-and-configure-surface-devices-with-semm.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/devices/surface/enroll-and-configure-surface-devices-with-semm.md b/devices/surface/enroll-and-configure-surface-devices-with-semm.md index 80367c8e53..fd8f4626e5 100644 --- a/devices/surface/enroll-and-configure-surface-devices-with-semm.md +++ b/devices/surface/enroll-and-configure-surface-devices-with-semm.md @@ -107,11 +107,11 @@ To enroll a Surface device in SEMM with a Surface UEFI configuration package, fo 3. Click **Finish** to complete the Surface UEFI configuration package installation and restart the Surface device when you are prompted to do so. 4. Surface UEFI will load the configuration file and determine that SEMM is not enabled on the device. Surface UEFI will then begin the SEMM enrollment process, as follows: * Surface UEFI will verify that the SEMM configuration file contains a SEMM certificate. - * Surface UEFI will prompt you to enter to enter the last two characters of the certificate thumbprint to confirm enrollment of the Surface device in SEMM, as shown in Figure 8. + * Surface UEFI will prompt you to enter the last two characters of the certificate thumbprint to confirm enrollment of the Surface device in SEMM, as shown in Figure 8. - ![SEMM enrollment requires last two characters of certificate thumbprint](images/surface-semm-enroll-fig8.png "SEMM enrollment requires last two characters of certificate thumbprint") - - *Figure 8. Enrollment in SEMM requires the last two characters of the certificate thumbprint* + ![SEMM enrollment requires last two characters of certificate thumbprint](images/surface-semm-enroll-fig8.png "SEMM enrollment requires last two characters of certificate thumbprint") + + *Figure 8. Enrollment in SEMM requires the last two characters of the certificate thumbprint* * Surface UEFI will store the SEMM certificate in firmware and apply the configuration settings that are specified in the Surface UEFI configuration file. From e673cc5c10197f3ec4ceb48d721c8682f763d847 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Wed, 29 Apr 2020 14:18:40 -0700 Subject: [PATCH 29/64] More text updates --- windows/client-management/mdm/bitlocker-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 4d8c043a56..ed78e1629d 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -1085,7 +1085,7 @@ Value type is int. Supported operation is Get. Supported values: - 0 - Indicates that the device is compliant. -- Any non-zero value - Represents a bitmask indicating that the device is not compliant. The following tables provides the mapping of each bit with the error code: +- Any non-zero value - Indicates that the device is not compliant. This value represents a bitmask with each bit and the corresponding error code described in the following table: | Bit | Error Code | |-----|------------| From e3cd937cb6c111a889cf3102a6d61d94100a0b0e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 29 Apr 2020 16:17:33 -0700 Subject: [PATCH 30/64] Update index.md --- windows/security/threat-protection/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index 38daa97fbb..479b71f272 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md @@ -77,7 +77,7 @@ The attack surface reduction set of capabilities provide the first line of defen **[Next generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)**
To further reinforce the security perimeter of your network, Microsoft Defender ATP uses next generation protection designed to catch all types of emerging threats. -- [Behavior monitoring](/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) +- [Behavior monitoring](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) - [Cloud-based protection](/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) - [Machine learning](windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md) - [URL Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus) From 88916746edc38b90973fec1013ab6e654cb6d8f0 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 29 Apr 2020 16:21:06 -0700 Subject: [PATCH 31/64] Update index.md --- windows/security/threat-protection/index.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index 479b71f272..af978544ae 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md @@ -78,10 +78,10 @@ The attack surface reduction set of capabilities provide the first line of defen To further reinforce the security perimeter of your network, Microsoft Defender ATP uses next generation protection designed to catch all types of emerging threats. - [Behavior monitoring](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) -- [Cloud-based protection](/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) -- [Machine learning](windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md) +- [Cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus) +- [Machine learning](https://docs.microsoft.com/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus) - [URL Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus) -- [Automated sandbox service](windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md) +- [Automated sandbox service](https://docs.microsoft.com/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) From e7e18f8c8c07da4764c63e52e6d5652849101e34 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Wed, 29 Apr 2020 16:29:54 -0700 Subject: [PATCH 32/64] Replaced HTML entities in body text and code blocks These caused two broken instances of [!NOTE] and invalid XML in the code blocks. --- .../client-management/mdm/bitlocker-csp.md | 166 +++++++++--------- 1 file changed, 84 insertions(+), 82 deletions(-) diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index ed78e1629d..71c5bbf78b 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -159,7 +159,7 @@ If you want to disable this policy, use the following SyncML: **EncryptionMethodByDriveType** -Allows you to set the default encryption method for each of the different drive types: operating system drives, fixed data drives, and removable data drives. Hidden, system, and recovery partitions are skipped from encryption. This setting is a direct mapping to the Bitlocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)". +Allows you to set the default encryption method for each of the different drive types: operating system drives, fixed data drives, and removable data drives. Hidden, system, and recovery partitions are skipped from encryption. This setting is a direct mapping to the Bitlocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)".
@@ -212,7 +212,7 @@ EncryptionMethodWithXtsOsDropDown_Name = Select the encryption method for operat EncryptionMethodWithXtsFdvDropDown_Name = Select the encryption method for fixed data drives. EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for removable data drives. - The possible values for 'xx' are: + The possible values for 'xx' are: - 3 = AES-CBC 128 - 4 = AES-CBC 256 @@ -234,7 +234,7 @@ EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for remov chr - <disabled/> + ``` @@ -244,7 +244,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete. **SystemDrivesRequireStartupAuthentication** -This setting is a direct mapping to the Bitlocker Group Policy "Require additional authentication at startup". +This setting is a direct mapping to the Bitlocker Group Policy "Require additional authentication at startup".
@@ -286,7 +286,7 @@ This setting allows you to configure whether BitLocker requires additional authe > [!NOTE] > Only one of the additional authentication options can be required at startup, otherwise an error occurs. -If you want to use BitLocker on a computer without a TPM, set the "ConfigureNonTPMStartupKeyUsage_Name" data. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive. +If you want to use BitLocker on a computer without a TPM, set the "ConfigureNonTPMStartupKeyUsage_Name" data. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive. On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both. @@ -314,13 +314,13 @@ Data id:
  • ConfigureTPMUsageDropDown_Name = (for computer with TPM) Configure TPM startup.
    • -The possible values for 'xx' are: +The possible values for 'xx' are:
    • true = Explicitly allow
    • false = Policy not set
    -The possible values for 'yy' are: +The possible values for 'yy' are:
    • 2 = Optional
    • 1 = Required
      • @@ -339,7 +339,7 @@ Disabling the policy will let the system choose the default behaviors. If you wa chr - <disabled/> + ``` @@ -348,7 +348,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete. **SystemDrivesMinimumPINLength** -This setting is a direct mapping to the Bitlocker Group Policy "Configure minimum PIN length for startup". +This setting is a direct mapping to the Bitlocker Group Policy "Configure minimum PIN length for startup".
    @@ -414,7 +414,7 @@ Disabling the policy will let the system choose the default behaviors. If you wa chr - <disabled/> + ``` @@ -424,7 +424,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete. **SystemDrivesRecoveryMessage** -This setting is a direct mapping to the Bitlocker Group Policy "Configure pre-boot recovery message and URL" +This setting is a direct mapping to the Bitlocker Group Policy "Configure pre-boot recovery message and URL" (PrebootRecoveryInfo_Name). @@ -465,11 +465,11 @@ ADMX Info: This setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked. -If you set the value to "1" (Use default recovery message and URL), the default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. If you have previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and set the value "1" (Use default recovery message and URL). +If you set the value to "1" (Use default recovery message and URL), the default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. If you have previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and set the value "1" (Use default recovery message and URL). -If you set the value to "2" (Use custom recovery message), the message you set in the "RecoveryMessage_Input" data field will be displayed in the pre-boot key recovery screen. If a recovery URL is available, include it in the message. +If you set the value to "2" (Use custom recovery message), the message you set in the "RecoveryMessage_Input" data field will be displayed in the pre-boot key recovery screen. If a recovery URL is available, include it in the message. -If you set the value to "3" (Use custom recovery URL), the URL you type in the "RecoveryUrl_Input" data field will replace the default URL in the default recovery message, which will be displayed in the pre-boot key recovery screen. +If you set the value to "3" (Use custom recovery URL), the URL you type in the "RecoveryUrl_Input" data field will replace the default URL in the default recovery message, which will be displayed in the pre-boot key recovery screen. Sample value for this node to enable this policy is: @@ -477,7 +477,7 @@ Sample value for this node to enable this policy is: ``` -The possible values for 'xx' are: +The possible values for 'xx' are: - 0 = Empty - 1 = Use default recovery message and URL (in this case you don't need to specify a value for "RecoveryMessage_Input" or "RecoveryUrl_Input"). @@ -501,7 +501,7 @@ Disabling the policy will let the system choose the default behaviors. If you w chr - <disabled/> + ``` @@ -514,7 +514,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete. **SystemDrivesRecoveryOptions** -This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected operating system drives can be recovered" (OSRecoveryUsage_Name). +This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected operating system drives can be recovered" (OSRecoveryUsage_Name).
    @@ -553,18 +553,18 @@ ADMX Info: This setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This setting is applied when you turn on BitLocker. -The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents. +The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents. -In "OSRecoveryPasswordUsageDropDown_Name" and "OSRecoveryKeyUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. +In "OSRecoveryPasswordUsageDropDown_Name" and "OSRecoveryKeyUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. -Set "OSHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting. +Set "OSHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting. -Set "OSActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services), to choose which BitLocker recovery information to store in AD DS for operating system drives (OSActiveDirectoryBackupDropDown_Name). If you set "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you set "2" (Backup recovery password only), only the recovery password is stored in AD DS. +Set "OSActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services), to choose which BitLocker recovery information to store in AD DS for operating system drives (OSActiveDirectoryBackupDropDown_Name). If you set "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you set "2" (Backup recovery password only), only the recovery password is stored in AD DS. -Set the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. +Set the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. -> [!Note] -> If the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field is set, a recovery password is automatically generated. +> [!NOTE] +> If the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field is set, a recovery password is automatically generated. If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected operating system drives. @@ -576,16 +576,16 @@ Sample value for this node to enable this policy is: ``` -The possible values for 'xx' are: +The possible values for 'xx' are: - true = Explicitly allow - false = Policy not set -The possible values for 'yy' are: +The possible values for 'yy' are: - 2 = Allowed - 1 = Required - 0 = Disallowed -The possible values for 'zz' are: +The possible values for 'zz' are: - 2 = Store recovery passwords only - 1 = Store recovery passwords and key packages @@ -601,7 +601,7 @@ Disabling the policy will let the system choose the default behaviors. If you wa chr - <disabled/> + ``` @@ -611,7 +611,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete. **FixedDrivesRecoveryOptions** -This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" (). +This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" ().
    @@ -650,19 +650,20 @@ ADMX Info: This setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This setting is applied when you turn on BitLocker. -The "FDVAllowDRA_Name" (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents. +The "FDVAllowDRA_Name" (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents. -In "FDVRecoveryPasswordUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. +In "FDVRecoveryPasswordUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. -Set "FDVHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting. +Set "FDVHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting. -Set "FDVActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services) to enable saving the recovery key to AD. +Set "FDVActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services) to enable saving the recovery key to AD. -Set the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. +Set the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. -Set the "FDVActiveDirectoryBackupDropDown_Name" (Configure storage of BitLocker recovery information to AD DS) to choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select "2" (Backup recovery password only) only the recovery password is stored in AD DS. +Set the "FDVActiveDirectoryBackupDropDown_Name" (Configure storage of BitLocker recovery information to AD DS) to choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select "2" (Backup recovery password only) only the recovery password is stored in AD DS. -> [!Note]
    > If the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field is set, a recovery password is automatically generated. +> [!NOTE] +> If the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field is set, a recovery password is automatically generated. If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives. @@ -674,13 +675,13 @@ Sample value for this node to enable this policy is: ``` -The possible values for 'xx' are: +The possible values for 'xx' are:
    • true = Explicitly allow
    • false = Policy not set
    -The possible values for 'yy' are: +The possible values for 'yy' are:
    • 2 = Allowed
    • 1 = Required
      • @@ -688,7 +689,7 @@ The possible values for 'yy' are:
    -The possible values for 'zz' are: +The possible values for 'zz' are:
    • 2 = Store recovery passwords only
    • 1 = Store recovery passwords and key packages
      • @@ -706,7 +707,7 @@ Disabling the policy will let the system choose the default behaviors. If you wa chr - <disabled/> + ``` @@ -716,7 +717,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete. **FixedDrivesRequireEncryption** -This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to fixed drives not protected by BitLocker" (FDVDenyWriteAccess_Name). +This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to fixed drives not protected by BitLocker" (FDVDenyWriteAccess_Name).
    @@ -775,7 +776,7 @@ If you disable or do not configure this setting, all fixed data drives on the co chr - <disabled/> + ``` @@ -785,7 +786,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete. **RemovableDrivesRequireEncryption** -This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to removable drives not protected by BitLocker" (RDVDenyWriteAccess_Name). +This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to removable drives not protected by BitLocker" (RDVDenyWriteAccess_Name).
    @@ -826,11 +827,12 @@ This setting configures whether BitLocker protection is required for a computer If you enable this setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access. -If the "RDVCrossOrg" (Deny write access to devices configured in another organization) option is set, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" group policy setting. +If the "RDVCrossOrg" (Deny write access to devices configured in another organization) option is set, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" group policy setting. If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access. -> [!Note]
    > This policy setting can be overridden by the group policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" group policy setting is enabled this policy setting will be ignored. +> [!NOTE] +> This policy setting can be overridden by the group policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" group policy setting is enabled this policy setting will be ignored. Sample value for this node to enable this policy is: @@ -838,7 +840,7 @@ Sample value for this node to enable this policy is: ``` -The possible values for 'xx' are: +The possible values for 'xx' are:
    • true = Explicitly allow
    • false = Policy not set
      • @@ -856,7 +858,7 @@ Disabling the policy will let the system choose the default behaviors. If you wa chr - <disabled/> + ``` @@ -1229,10 +1231,10 @@ The following example is provided to show proper format and should not be taken ./Device/Vendor/MSFT/BitLocker/EncryptionMethodByDriveType - <enabled/> - <data id="EncryptionMethodWithXtsOsDropDown_Name" value="4"/> - <data id="EncryptionMethodWithXtsFdvDropDown_Name" value="7"/> - <data id="EncryptionMethodWithXtsRdvDropDown_Name" value="4"/> + + + + @@ -1244,12 +1246,12 @@ The following example is provided to show proper format and should not be taken ./Device/Vendor/MSFT/BitLocker/SystemDrivesRequireStartupAuthentication - <enabled/> - <data id="ConfigureNonTPMStartupKeyUsage_Name" value="true"/> - <data id="ConfigureTPMStartupKeyUsageDropDown_Name" value="2"/> - <data id="ConfigurePINUsageDropDown_Name" value="2"/> - <data id="ConfigureTPMPINKeyUsageDropDown_Name" value="2"/> - <data id="ConfigureTPMUsageDropDown_Name" value="2"/> + + + + + + @@ -1261,8 +1263,8 @@ The following example is provided to show proper format and should not be taken ./Device/Vendor/MSFT/BitLocker/SystemDrivesMinimumPINLength - <enabled/> - <data id="MinPINLength" value="6"/> + + @@ -1274,10 +1276,10 @@ The following example is provided to show proper format and should not be taken ./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage - <enabled/> - <data id="RecoveryMessage_Input" value="blablablabla"/> - <data id="PrebootRecoveryInfoDropDown_Name" value="2"/> - <data id="RecoveryUrl_Input" value="blablabla"/> + + + + @@ -1289,14 +1291,14 @@ The following example is provided to show proper format and should not be taken ./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryOptions - <enabled/> - <data id="OSAllowDRA_Name" value="true"/> - <data id="OSRecoveryPasswordUsageDropDown_Name" value="2"/> - <data id="OSRecoveryKeyUsageDropDown_Name" value="2"/> - <data id="OSHideRecoveryPage_Name" value="true"/> - <data id="OSActiveDirectoryBackup_Name" value="true"/> - <data id="OSActiveDirectoryBackupDropDown_Name" value="2"/> - <data id="OSRequireActiveDirectoryBackup_Name" value="true"/> + + + + + + + + @@ -1308,14 +1310,14 @@ The following example is provided to show proper format and should not be taken ./Device/Vendor/MSFT/BitLocker/FixedDrivesRecoveryOptions - <enabled/> - <data id="FDVAllowDRA_Name" value="true"/> - <data id="FDVRecoveryPasswordUsageDropDown_Name" value="2"/> - <data id="FDVRecoveryKeyUsageDropDown_Name" value="2"/> - <data id="FDVHideRecoveryPage_Name" value="true"/> - <data id="FDVActiveDirectoryBackup_Name" value="true"/> - <data id="FDVActiveDirectoryBackupDropDown_Name" value="2"/> - <data id="FDVRequireActiveDirectoryBackup_Name" value="true"/> + + + + + + + + @@ -1327,7 +1329,7 @@ The following example is provided to show proper format and should not be taken ./Device/Vendor/MSFT/BitLocker/FixedDrivesRequireEncryption - <enabled/> + @@ -1339,8 +1341,8 @@ The following example is provided to show proper format and should not be taken ./Device/Vendor/MSFT/BitLocker/RemovableDrivesRequireEncryption - <enabled/> - <data id="RDVCrossOrg" value="true"/> + + From 36f12fb400506adea0d6b7dbf0f96f19b9ff5b8a Mon Sep 17 00:00:00 2001 From: Kurt Sarens <56369685+kurtsarens@users.noreply.github.com> Date: Wed, 29 Apr 2020 16:40:40 -0700 Subject: [PATCH 33/64] Update manage-updates-baselines-windows-defender-antivirus.md Final draft --- ...es-baselines-windows-defender-antivirus.md | 140 +++++++----------- 1 file changed, 55 insertions(+), 85 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md index 8b55207b8c..2a8874766c 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md @@ -28,8 +28,8 @@ There are two types of updates related to keeping Windows Defender Antivirus up 2. Product updates > [!IMPORTANT] -> Keeping Windows Defender Antivirus up to date is crucial to assure your devices have the latest technology and features needed to protect against new malware and attack techniques. -> This also applies to devices where Windows Defender Antivirus is running in [passive mode](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility). +> Keeping Windows Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques. +> This also applies to devices where Windows Defender Antivirus is running in [passive mode](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility). ## Security intelligence updates @@ -43,70 +43,64 @@ Engine updates are included with the Security intelligence updates and are relea Windows Defender Antivirus requires [monthly updates (KB4052623)](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform) (known as "platform updates"), and will receive major feature updates alongside Windows 10 releases. -You can manage the distribution of updates through [Windows Server Update Service (WSUS)](https://docs.microsoft.com/en-us/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus), with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/sum/understand/software-updates-introduction), or in the normal manner that you deploy Microsoft and Windows updates to endpoints in your network. -For more information see [Manage the sources for Windows Defender Antivirus protection updates](https://docs.microsoft.com/en-us/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus) +You can manage the distribution of updates through [Windows Server Update Service (WSUS)](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus), with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/sum/understand/software-updates-introduction), or in the normal manner that you deploy Microsoft and Windows updates to endpoints in your network. +For more information see [Manage the sources for Windows Defender Antivirus protection updates](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus) ## Released platform and engine versions ### Monthly platform and engine releases -For information how to update or how to install the platform update, please see: [Update for Windows Defender antimalware platform](https://support.microsoft.com/en-us/help/4052623/update-for-windows-defender-antimalware-platform) +For information how to update or how to install the platform update, please see: [Update for Windows Defender antimalware platform](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform) + +All our updates contain: +* performance improvements +* serviceability improvements +* Integration improvements (Cloud, MTP) +
      April-2020 (Platform: 4.18.2004.5 | Engine: 1.1.17000.2) -Security intelligence update version: **TBD** -Released: **April 30, 2020** -Platform: **4.18.2004.5** -Engine: **1.1.17000.2** -Support phase: **Security and Critical Updates** + Security intelligence update version: **TBD** + Released: **April 30, 2020** + Platform: **4.18.2004.5** + Engine: **1.1.17000.2** + Support phase: **Security and Critical Updates** ### What's new +* WDfilter improvements +* Add more actionable event data to ASR detection events +* Fixed version information in diagnostic data and WMI +* Fixed incorrect platform version in UI after platform update +* Dynamic URL intel for Fileless threat protection +* UEFI scan capability +* Extend logging for updates -:::row::: - :::column::: - **Platform** - * fix1 - * fix2 - - :::column-end::: - :::column::: - **Engine** - * fix1 - * fix2 - :::column-end::: -:::row-end::: - ### Known Issues No known issues +
      March-2020 (Platform: 4.18.2003.8 | Engine: 1.1.16900.2) -Security intelligence update version: **1.313.8.0** -Released: **March 24, 2020** -Platform: **4.18.2003.8** -Engine: **1.1.16900.4** -Support phase: **Technical upgrade Support (Only)** + Security intelligence update version: **1.313.8.0** + Released: **March 24, 2020** + Platform: **4.18.2003.8** + Engine: **1.1.16900.4** + Support phase: **Technical upgrade Support (Only)** ### What's new -:::row::: - :::column::: - **Platform** - * fix1 - * fix2 - - :::column-end::: - :::column::: - **Engine** - * fix1 - * fix2 - :::column-end::: -:::row-end::: +* CPU Throttling option added to [MpCmdRun](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus) +* Improve diagnostic capability +* reduce Security intelligence timeout (5min) +* Extend AMSI engine internal log capability +* Improve notification for process blocking ### Known Issues -No known issues +[**Fixed**] Windows Defender Antivirus is skipping files when running a scan. + +
      @@ -122,22 +116,10 @@ No known issues ### What's new -:::row::: - :::column::: - **Platform** - * fix1 - * fix2 - - :::column-end::: - :::column::: - **Engine** - * fix1 - * fix2 - :::column-end::: -:::row-end::: - + ### Known Issues No known issues +
      @@ -152,22 +134,18 @@ Support phase: **Technical upgrade Support (Only)** ### What's new -:::row::: - :::column::: - **Platform** - * fix1 - * fix2 - - :::column-end::: - :::column::: - **Engine** - * fix1 - * fix2 - :::column-end::: -:::row-end::: +* Fixed BSOD on WS2016 with Exchange +* Support platform updates when TMP is redirected to network path +* Platform and engine versions are added to [WDSI](https://www.microsoft.com/wdsi/defenderupdates) +* extend Emergency signature update to [passive mode](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility) +* Fix 4.18.1911.10 hang ### Known Issues -No known issues +[**Fixed**] devices utilizing [modern standby mode](https://docs.microsoft.com/windows-hardware/design/device-experiences/modern-standby) may experience a hang with the Windows Defender filter driver that results in a gap of protection. Affected machines appear to the customer as having not updated to the latest antimalware platform. +
      +> [!IMPORTANT] +> This updates is needed by RS1 devices running lower version of the platform to support SHA2.
      This update has reboot flag for systems that are experiencing the hang issue.
      the This update is re-released in April 2020 and will not be superseded by newer updates to keep future availability. +
      @@ -181,22 +159,14 @@ Support phase: **No support** ### What's new -:::row::: - :::column::: - **Platform** - * fix1 - * fix2 - - :::column-end::: - :::column::: - **Engine** - * fix1 - * fix2 - :::column-end::: -:::row-end::: +* Fixed MpCmdRun tracing level +* Fixed WDFilter version info +* Improve notifications (PUA) +* add MRT logs to support files ### Known Issues No known issues +
      ## Windows Defender Antivirus platform support @@ -226,7 +196,7 @@ The below table provides the Windows Defender Antivirus platform and engine vers |1703 (RS2) |4.11.15603.2 |1.1.13504.0 | Technical upgrade Support (Only) | |1607 (RS1) |4.10.14393.3683 |1.1.12805.0 | Technical upgrade Support (Only) | -Windows 10 release info: [Windows lifecycle fact sheet](https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet) +Windows 10 release info: [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet) ## In this section From 0133de5d8f62666fee1e86b7acf722058b20ded2 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Wed, 29 Apr 2020 16:52:34 -0700 Subject: [PATCH 34/64] Decreased unnecessary indentation in some code blocks --- .../client-management/mdm/bitlocker-csp.md | 168 +++++++++--------- 1 file changed, 84 insertions(+), 84 deletions(-) diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 71c5bbf78b..8611ab72a1 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -330,18 +330,18 @@ The possible values for 'yy' are: Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: ```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/BitLocker/SystemDrivesRequireStartupAuthentication - - - chr - - - - + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/SystemDrivesRequireStartupAuthentication + + + chr + + + + ``` Data type is string. Supported operations are Add, Get, Replace, and Delete. @@ -405,18 +405,18 @@ Sample value for this node to enable this policy is: Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: ```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/BitLocker/SystemDrivesMinimumPINLength - - - chr - - - - + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/SystemDrivesMinimumPINLength + + + chr + + + + ``` Data type is string. Supported operations are Add, Get, Replace, and Delete. @@ -492,18 +492,18 @@ The possible values for 'xx' are: Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: ```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage - - - chr - - - - + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage + + + chr + + + + ``` > [!NOTE] @@ -592,18 +592,18 @@ The possible values for 'zz' are: Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: ```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryOptions - - - chr - - - - + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryOptions + + + chr + + + + ``` Data type is string. Supported operations are Add, Get, Replace, and Delete. @@ -698,18 +698,18 @@ The possible values for 'zz' are: Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: ```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/BitLocker/FixedDrivesRecoveryOptions - - - chr - - - - + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/FixedDrivesRecoveryOptions + + + chr + + + + ``` Data type is string. Supported operations are Add, Get, Replace, and Delete. @@ -767,18 +767,18 @@ Sample value for this node to enable this policy is: If you disable or do not configure this setting, all fixed data drives on the computer will be mounted with read and write access. If you want to disable this policy use the following SyncML: ```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/BitLocker/FixedDrivesRequireEncryption - - - chr - - - - + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/FixedDrivesRequireEncryption + + + chr + + + + ``` Data type is string. Supported operations are Add, Get, Replace, and Delete. @@ -849,18 +849,18 @@ The possible values for 'xx' are: Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: ```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/BitLocker/RemovableDrivesRequireEncryption - - - chr - - - - + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/RemovableDrivesRequireEncryption + + + chr + + + + ``` From b3aa78f00c417a6a13269ff8637887fd93aee301 Mon Sep 17 00:00:00 2001 From: amirsc3 <42802974+amirsc3@users.noreply.github.com> Date: Thu, 30 Apr 2020 15:37:26 +0300 Subject: [PATCH 35/64] Update linux-install-manually.md Linking to post install actions to as customers may not notice this. --- .../microsoft-defender-atp/linux-install-manually.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md index 5d6395cdf9..6dbfee2073 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md @@ -247,7 +247,8 @@ unzip WindowsDefenderATPOnboardingPackage.zip ``` > [!IMPORTANT] - > When the product starts for the first time, it downloads the latest antimalware definitions. Depending on your Internet connection, this can take up to a few minutes. During this time the above command returns a value of `0`. + > When the product starts for the first time, it downloads the latest antimalware definitions. Depending on your Internet connection, this can take up to a few minutes. During this time the above command returns a value of `0`.
      + > Please note that you may also need to configure a proxy after completing the initial installation:
      https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration#post-installation-configuration 5. Run a detection test to verify that the machine is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded machine: From 16bdaab95b3e49591ef6e1134982aca3a188b725 Mon Sep 17 00:00:00 2001 From: Hiroshi Yoshioka <40815708+hyoshioka0128@users.noreply.github.com> Date: Thu, 30 Apr 2020 23:25:25 +0900 Subject: [PATCH 36/64] =?UTF-8?q?Typo=20"***Removable=20=EF=BD=9E=20Hub=20?= =?UTF-8?q?***"=E2=86=92"***Removable=20=EF=BD=9E=20Hub***"?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit https://docs.microsoft.com/en-us/surface-hub/surface-hub-technical-84 --- devices/surface-hub/surface-hub-technical-84.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/devices/surface-hub/surface-hub-technical-84.md b/devices/surface-hub/surface-hub-technical-84.md index 1c08da5a6b..837883da14 100644 --- a/devices/surface-hub/surface-hub-technical-84.md +++ b/devices/surface-hub/surface-hub-technical-84.md @@ -134,7 +134,7 @@ RJ11, bottom I/O | ![](images/rj11.png) | Connects to room control systems. --- -***Removable lifting handles on 84” Surface Hub *** +***Removable lifting handles on 84” Surface Hub*** ![](images/sh-84-hand.png) @@ -142,7 +142,7 @@ RJ11, bottom I/O | ![](images/rj11.png) | Connects to room control systems. --- -***Wall mount threads on back of 84” Surface Hub *** +***Wall mount threads on back of 84” Surface Hub*** ![](images/sh-84-wall.png) From f0119ca307c7d4be730967e8d922504c478307d7 Mon Sep 17 00:00:00 2001 From: Tina Burden Date: Thu, 30 Apr 2020 08:31:24 -0700 Subject: [PATCH 37/64] pencil edits --- .../enable-cloud-protection-windows-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md index 7fea389db9..8c14c01d58 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md @@ -98,7 +98,7 @@ Set-MpPreference -MAPSReporting Advanced Set-MpPreference -SubmitSamplesConsent SendAllSamples ``` -See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. [Policy CSP - Defender](../../../client-management/mdm//policy-csp-defender.md) also has more information specifically on [-SubmitSampleConsent](../../../client-management/mdm//policy-csp-defender.md#defender-submitsamplesconsent). +See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. [Policy CSP - Defender](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender) also has more information specifically on [-SubmitSamplesConsent](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent). >[!NOTE] > You can also set **-SubmitSamplesConsent** to `SendSafeSamples` (the default setting), `NeverSend`, or `AlwaysPrompt`. The `SendSafeSamples` setting means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation. From e6acb452e9e90c7aa9d36cde434de68afc0ac801 Mon Sep 17 00:00:00 2001 From: Tina Burden Date: Thu, 30 Apr 2020 08:48:33 -0700 Subject: [PATCH 38/64] pencil edit --- windows/security/threat-protection/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index af978544ae..671528c198 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md @@ -79,7 +79,7 @@ To further reinforce the security perimeter of your network, Microsoft Defender - [Behavior monitoring](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) - [Cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus) -- [Machine learning](https://docs.microsoft.com/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus) +- [Machine learning](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus) - [URL Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus) - [Automated sandbox service](https://docs.microsoft.com/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) From c59bd389b34f8930ea2cb6d09b39270fc0c7c246 Mon Sep 17 00:00:00 2001 From: Tina Burden Date: Thu, 30 Apr 2020 08:51:14 -0700 Subject: [PATCH 39/64] pencil edit --- windows/security/threat-protection/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index 671528c198..f7ed889815 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md @@ -81,7 +81,7 @@ To further reinforce the security perimeter of your network, Microsoft Defender - [Cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus) - [Machine learning](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus) - [URL Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus) -- [Automated sandbox service](https://docs.microsoft.com/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) +- [Automated sandbox service](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) From d7e05c006158fe6981e900372de1f7d5445d291d Mon Sep 17 00:00:00 2001 From: Kurt Sarens <56369685+kurtsarens@users.noreply.github.com> Date: Thu, 30 Apr 2020 09:07:41 -0700 Subject: [PATCH 40/64] Update manage-updates-baselines-windows-defender-antivirus.md final --- .../manage-updates-baselines-windows-defender-antivirus.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md index 2a8874766c..4b1cb37db3 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md @@ -46,9 +46,11 @@ Windows Defender Antivirus requires [monthly updates (KB4052623)](https://suppor You can manage the distribution of updates through [Windows Server Update Service (WSUS)](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus), with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/sum/understand/software-updates-introduction), or in the normal manner that you deploy Microsoft and Windows updates to endpoints in your network. For more information see [Manage the sources for Windows Defender Antivirus protection updates](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus) -## Released platform and engine versions +> [!NOTE] +> We release these monthly updates in phases (aka rings). This result in multiple packages showing up in your WSUS server. + +## Monthly platform and engine versions -### Monthly platform and engine releases For information how to update or how to install the platform update, please see: [Update for Windows Defender antimalware platform](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform) All our updates contain: From 5a0b42a25433558621cbcbfbd2cc8227b206e728 Mon Sep 17 00:00:00 2001 From: Kurt Sarens <56369685+kurtsarens@users.noreply.github.com> Date: Thu, 30 Apr 2020 09:38:18 -0700 Subject: [PATCH 41/64] Update manage-updates-baselines-windows-defender-antivirus.md remove rings and typo --- .../manage-updates-baselines-windows-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md index 4b1cb37db3..8146772e45 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md @@ -47,7 +47,7 @@ You can manage the distribution of updates through [Windows Server Update Servic For more information see [Manage the sources for Windows Defender Antivirus protection updates](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus) > [!NOTE] -> We release these monthly updates in phases (aka rings). This result in multiple packages showing up in your WSUS server. +> We release these monthly updates in phases. This results in multiple packages showing up in your WSUS server. ## Monthly platform and engine versions From 6e9d4e6040150f58a32254b9785f47420d8f80f3 Mon Sep 17 00:00:00 2001 From: v-miegge <49650192+v-miegge@users.noreply.github.com> Date: Thu, 30 Apr 2020 09:39:51 -0700 Subject: [PATCH 42/64] CI 116919 - Updated link. --- .../configure-client-computers-vamt.md | 91 ++++++++++--------- 1 file changed, 48 insertions(+), 43 deletions(-) diff --git a/windows/deployment/volume-activation/configure-client-computers-vamt.md b/windows/deployment/volume-activation/configure-client-computers-vamt.md index 6b80a72d89..d7298c1030 100644 --- a/windows/deployment/volume-activation/configure-client-computers-vamt.md +++ b/windows/deployment/volume-activation/configure-client-computers-vamt.md @@ -3,15 +3,15 @@ title: Configure Client Computers (Windows 10) description: Configure Client Computers ms.assetid: a48176c9-b05c-4dd5-a9ef-83073e2370fc ms.reviewer: -manager: laurawi +manager: dcscontentpm +author: greg-lindsay, v-miegge ms.author: greglin ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation audience: itpro -author: greg-lindsay -ms.date: 04/25/2017 +ms.date: 04/30/2020 ms.topic: article --- @@ -19,26 +19,27 @@ ms.topic: article To enable the Volume Activation Management Tool (VAMT) to function correctly, certain configuration changes are required on all client computers: -- An exception must be set in the client computer's firewall. -- A registry key must be created and set properly, for computers in a workgroup; otherwise, Windows® User Account Control (UAC) will not allow remote administrative operations. +- An exception must be set in the client computer's firewall. +- A registry key must be created and set properly, for computers in a workgroup; otherwise, Windows® User Account Control (UAC) will not allow remote administrative operations. Organizations where the VAMT will be widely used may benefit from making these changes inside the master image for Windows. -**Important**   -This procedure only applies to clients running Windows Vista or later. For clients running Windows XP Service Pack 1, see [Connecting Through Windows Firewall](https://go.microsoft.com/fwlink/p/?LinkId=182933). +> [IMPORTANT]   +> This procedure only applies to clients running Windows Vista or later. For clients running Windows XP Service Pack 1, see [Connecting Through Windows Firewall](https://docs.microsoft.com/windows/win32/wmisdk/connecting-to-wmi-remotely-with-vbscript). ## Configuring the Windows Firewall to allow VAMT access Enable the VAMT to access client computers using the **Windows Firewall** Control Panel: -1. Open Control Panel and double-click **System and Security**. -2. Click **Windows Firewall**. -3. Click **Allow a program or feature through Windows Firewall**. -4. Click the **Change settings** option. -5. Select the **Windows Management Instrumentation (WMI)** checkbox. -6. Click **OK**. - **Warning**   - By default, Windows Firewall Exceptions only apply to traffic originating on the local subnet. To expand the exception to apply to multiple subnets, you need to change the exception settings in the Windows Firewall with Advanced Security, as described below. +1. Open Control Panel and double-click **System and Security**. +2. Click **Windows Firewall**. +3. Click **Allow a program or feature through Windows Firewall**. +4. Click the **Change settings** option. +5. Select the **Windows Management Instrumentation (WMI)** checkbox. +6. Click **OK**. + + **Warning**   + By default, Windows Firewall Exceptions only apply to traffic originating on the local subnet. To expand the exception to apply to multiple subnets, you need to change the exception settings in the Windows Firewall with Advanced Security, as described below. ## Configure Windows Firewall to allow VAMT access across multiple subnets @@ -46,50 +47,54 @@ Enable the VAMT to access client computers across multiple subnets using the **W ![VAMT Firewall configuration for multiple subnets](images/dep-win8-l-vamt-firewallconfigurationformultiplesubnets.gif) -1. Open the Control Panel and double-click **Administrative Tools**. -2. Click **Windows Firewall with Advanced Security**. -3. Make your changes for each of the following three WMI items, for the applicable Network Profile (Domain, Public, Private): - - Windows Management Instrumentation (ASync-In) - - Windows Management Instrumentation (DCOM-In) - - Windows Management Instrumentation (WMI-In) +1. Open the Control Panel and double-click **Administrative Tools**. +2. Click **Windows Firewall with Advanced Security**. +3. Make your changes for each of the following three WMI items, for the applicable Network Profile (Domain, Public, Private): + + - Windows Management Instrumentation (ASync-In) + - Windows Management Instrumentation (DCOM-In) + - Windows Management Instrumentation (WMI-In) 4. In the **Windows Firewall with Advanced Security** dialog box, select **Inbound Rules** from the left-hand panel. - + 5. Right-click the desired rule and select **Properties** to open the **Properties** dialog box. - - - On the **General** tab, select the **Allow the connection** checkbox. - - On the **Scope** tab, change the Remote IP Address setting from "Local Subnet" (default) to allow the specific access you need. - - On the **Advanced** tab, verify selection of all profiles that are applicable to the network (Domain or Private/Public). + + - On the **General** tab, select the **Allow the connection** checkbox. + - On the **Scope** tab, change the Remote IP Address setting from "Local Subnet" (default) to allow the specific access you need. + - On the **Advanced** tab, verify selection of all profiles that are applicable to the network (Domain or Private/Public). -In certain scenarios, only a limited set of TCP/IP ports are allowed through a hardware firewall. Administrators must ensure that WMI (which relies on RPC over TCP/IP) is allowed through these types of firewalls. By default, the WMI port is a dynamically allocated random port above 1024. The following Microsoft knowledge article discusses how administrators can limit the range of dynamically-allocated ports. This is useful if, for example, the hardware firewall only allows traffic in a certain range of ports. -For more info, see [How to configure RPC dynamic port allocation to work with firewalls](https://go.microsoft.com/fwlink/p/?LinkId=182911). + In certain scenarios, only a limited set of TCP/IP ports are allowed through a hardware firewall. Administrators must ensure that WMI (which relies on RPC over TCP/IP) is allowed through these types of firewalls. By default, the WMI port is a dynamically allocated random port above 1024. The following Microsoft knowledge article discusses how administrators can limit the range of dynamically-allocated ports. This is useful if, for example, the hardware firewall only allows traffic in a certain range of ports. + + For more info, see [How to configure RPC dynamic port allocation to work with firewalls](https://support.microsoft.com/help/929851). ## Create a registry value for the VAMT to access workgroup-joined computer -**Caution**   -This section contains information about how to modify the registry. Make sure to back up the registry before you modify it; in addition, ensure that you know how to restore the registry, if a problem occurs. For more information about how to back up, restore, and modify the registry, see [Windows registry information for advanced users](https://go.microsoft.com/fwlink/p/?LinkId=182912). +> [WARNING]   +> This section contains information about how to modify the registry. Make sure to back up the registry before you modify it; in addition, ensure that you know how to restore the registry, if a problem occurs. For more information about how to back up, restore, and modify the registry, see [Windows registry information for advanced users](https://support.microsoft.com/help/256986). On the client computer, create the following registry key using regedit.exe. -1. Navigate to `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system` -2. Enter the following details: - **Value Name: LocalAccountTokenFilterPolicy** - **Type: DWORD** - **Value Data: 1** - **Note**   - To discover VAMT-manageable Windows computers in workgroups, you must enable network discovery on each client. +1. Navigate to `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system` +2. Enter the following details: + + - **Value Name: LocalAccountTokenFilterPolicy** + - **Type: DWORD** + - **Value Data: 1** + + > [NOTE] + > To discover VAMT-manageable Windows computers in workgroups, you must enable network discovery on each client. ## Deployment options There are several options for organizations to configure the WMI firewall exception for computers: -- **Image.** Add the configurations to the master Windows image deployed to all clients. -- **Group Policy.** If the clients are part of a domain, then all clients can be configured using Group Policy. The Group Policy setting for the WMI firewall exception is found in GPMC.MSC at: **Computer Configuration\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Inbound Rules**. -- **Script.** Execute a script using Microsoft Endpoint Configuration Manager or a third-party remote script execution facility. -- **Manual.** Configure the WMI firewall exception individually on each client. + +- **Image.** Add the configurations to the master Windows image deployed to all clients. +- **Group Policy.** If the clients are part of a domain, then all clients can be configured using Group Policy. The Group Policy setting for the WMI firewall exception is found in GPMC.MSC at: **Computer Configuration\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Inbound Rules**. +- **Script.** Execute a script using Microsoft Endpoint Configuration Manager or a third-party remote script execution facility. +- **Manual.** Configure the WMI firewall exception individually on each client. + The above configurations will open an additional port through the Windows Firewall on target computers and should be performed on computers that are protected by a network firewall. In order to allow VAMT to query the up-to-date licensing status, the WMI exception must be maintained. We recommend administrators consult their network security policies and make clear decisions when creating the WMI exception. ## Related topics - [Install and Configure VAMT](install-configure-vamt.md) - - From 68757ec4832c204a7d3eddf206f5f8624c04daa4 Mon Sep 17 00:00:00 2001 From: Mike Eggers <49650192+v-miegge@users.noreply.github.com> Date: Thu, 30 Apr 2020 09:54:41 -0700 Subject: [PATCH 43/64] Fixed metadata --- .../volume-activation/configure-client-computers-vamt.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/volume-activation/configure-client-computers-vamt.md b/windows/deployment/volume-activation/configure-client-computers-vamt.md index d7298c1030..08cca37792 100644 --- a/windows/deployment/volume-activation/configure-client-computers-vamt.md +++ b/windows/deployment/volume-activation/configure-client-computers-vamt.md @@ -3,8 +3,8 @@ title: Configure Client Computers (Windows 10) description: Configure Client Computers ms.assetid: a48176c9-b05c-4dd5-a9ef-83073e2370fc ms.reviewer: -manager: dcscontentpm -author: greg-lindsay, v-miegge +manager: laurawi +author: greg-lindsay ms.author: greglin ms.prod: w10 ms.mktglfcycl: deploy From 0ab5e0a75c4871ed93427e78f644922da32977e5 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 30 Apr 2020 10:30:47 -0700 Subject: [PATCH 44/64] Update manage-updates-baselines-windows-defender-antivirus.md --- .../manage-updates-baselines-windows-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md index 8146772e45..26af9d3642 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md @@ -93,7 +93,7 @@ No known issues ### What's new -* CPU Throttling option added to [MpCmdRun](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus) +* CPU Throttling option added to [MpCmdRun](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus) * Improve diagnostic capability * reduce Security intelligence timeout (5min) * Extend AMSI engine internal log capability From d1e63d097bb94c903ae1a2a31e47f65899cba21f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 30 Apr 2020 13:25:53 -0700 Subject: [PATCH 45/64] Update manage-updates-baselines-windows-defender-antivirus.md --- ...manage-updates-baselines-windows-defender-antivirus.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md index 26af9d3642..fdd68a1bc4 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md @@ -33,11 +33,11 @@ There are two types of updates related to keeping Windows Defender Antivirus up ## Security intelligence updates -Windows Defender Antivirus uses [cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloads Security intelligence updates to provide protection. +Windows Defender Antivirus uses [cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloads security intelligence updates to provide protection. -The cloud-delivered protection is always on and requires an active connection to the Internet to function, while the Security intelligence updates occur on a scheduled cadence (configurable via policy). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for more details about enabling and configuring cloud-provided protection. +The cloud-delivered protection is always on and requires an active connection to the Internet to function, while the security intelligence updates occur on a scheduled cadence (configurable via policy). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for more details about enabling and configuring cloud-provided protection. -Engine updates are included with the Security intelligence updates and are released on a monthly cadence. +Engine updates are included with the security intelligence updates and are released on a monthly cadence. ## Product updates @@ -56,7 +56,7 @@ For information how to update or how to install the platform update, please see: All our updates contain: * performance improvements * serviceability improvements -* Integration improvements (Cloud, MTP) +* integration improvements (Cloud, MTP)
      From 89dfbfc5eb64388dd706549e1eec89af87a6b227 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 30 Apr 2020 14:07:22 -0700 Subject: [PATCH 46/64] Changed ordered list to unordered, corrected punctuation --- ...dates-baselines-windows-defender-antivirus.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md index fdd68a1bc4..8eafa9113d 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md @@ -24,8 +24,8 @@ manager: dansimp There are two types of updates related to keeping Windows Defender Antivirus up to date: -1. Security intelligence updates -2. Product updates + - Security intelligence updates + - Product updates > [!IMPORTANT] > Keeping Windows Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques. @@ -44,14 +44,14 @@ Engine updates are included with the security intelligence updates and are relea Windows Defender Antivirus requires [monthly updates (KB4052623)](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform) (known as "platform updates"), and will receive major feature updates alongside Windows 10 releases. You can manage the distribution of updates through [Windows Server Update Service (WSUS)](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus), with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/sum/understand/software-updates-introduction), or in the normal manner that you deploy Microsoft and Windows updates to endpoints in your network. -For more information see [Manage the sources for Windows Defender Antivirus protection updates](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus) +For more information, see [Manage the sources for Windows Defender Antivirus protection updates](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus). > [!NOTE] > We release these monthly updates in phases. This results in multiple packages showing up in your WSUS server. ## Monthly platform and engine versions -For information how to update or how to install the platform update, please see: [Update for Windows Defender antimalware platform](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform) +For information how to update or how to install the platform update, please see [Update for Windows Defender antimalware platform](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform). All our updates contain: * performance improvements @@ -173,7 +173,7 @@ No known issues ## Windows Defender Antivirus platform support As stated above, platform and engine updates are provided on a monthly cadence. -Customers must stay current with the latest platform update to be fully supported. Our support structure is now dynamic, evolving into two phases depending on the availability of the latest platform version. +Customers must stay current with the latest platform update to be fully supported. Our support structure is now dynamic, evolving into two phases depending on the availability of the latest platform version: * **Security and Critical Updates servicing phase** - When running the latest platform version, you will be eligible to receive both Security and Critical updates to the anti-malware platform. @@ -181,9 +181,9 @@ Customers must stay current with the latest platform update to be fully supporte * **Technical Support (Only) phase** - After a new platform version is released, support for older versions (N-2) will reduce to technical support only. Platform versions older than N-2 will no longer be supported.* -*Technical support will continue to be provided for upgrades from the Windows 10 release version (see [Platform version included with Windows 10 releases](#platform-version-included-with-windows-10-releases)) to the latest platform version. +\* Technical support will continue to be provided for upgrades from the Windows 10 release version (see [Platform version included with Windows 10 releases](#platform-version-included-with-windows-10-releases)) to the latest platform version. -During the technical support (only) phase, commercially reasonable support incidents will be provided through Microsoft Customer Service & Support and Microsoft’s managed support offerings (such as Premier Support). If a support incident requires escalation to development for further guidance, requires a non-security update, or requires a security update, customers will be asked to upgrade to the latest platform version or an intermediate update(*). +During the technical support (only) phase, commercially reasonable support incidents will be provided through Microsoft Customer Service & Support and Microsoft’s managed support offerings (such as Premier Support). If a support incident requires escalation to development for further guidance, requires a non-security update, or requires a security update, customers will be asked to upgrade to the latest platform version or an intermediate update (*). ### Platform version included with Windows 10 releases The below table provides the Windows Defender Antivirus platform and engine versions that are shipped with the latest Windows 10 releases: @@ -198,7 +198,7 @@ The below table provides the Windows Defender Antivirus platform and engine vers |1703 (RS2) |4.11.15603.2 |1.1.13504.0 | Technical upgrade Support (Only) | |1607 (RS1) |4.10.14393.3683 |1.1.12805.0 | Technical upgrade Support (Only) | -Windows 10 release info: [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet) +Windows 10 release info: [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet). ## In this section From 843b8eabb5aedb41c269585c83e001aa5e6b8d54 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 30 Apr 2020 16:13:26 -0700 Subject: [PATCH 47/64] Update linux-install-manually.md --- .../microsoft-defender-atp/linux-install-manually.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md index 6dbfee2073..747252643a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md @@ -248,7 +248,7 @@ unzip WindowsDefenderATPOnboardingPackage.zip > [!IMPORTANT] > When the product starts for the first time, it downloads the latest antimalware definitions. Depending on your Internet connection, this can take up to a few minutes. During this time the above command returns a value of `0`.
      - > Please note that you may also need to configure a proxy after completing the initial installation:
      https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration#post-installation-configuration + > Please note that you may also need to configure a proxy after completing the initial installation. See [Configure Microsoft Defender ATP for Linux for static proxy discovery: Post-installation configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration#post-installation-configuration). 5. Run a detection test to verify that the machine is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded machine: From ce8d2a957bac77e730ba4ebc73d38f6b36158056 Mon Sep 17 00:00:00 2001 From: Tyler Conn <63677761+tymconn@users.noreply.github.com> Date: Thu, 30 Apr 2020 16:30:00 -0700 Subject: [PATCH 48/64] Update data-storage-privacy.md As per CELA Guidance, from Jim Sfekas, the MDATP Data storage location information in addition to updating certification related details in the "Can Microsoft help us maintain our regulatory compliance?". --- .../data-storage-privacy.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md index f59264a083..eec05ff19b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md +++ b/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md @@ -46,15 +46,18 @@ Microsoft does not use your data for advertising. ## Data protection and encryption The Microsoft Defender ATP service utilizes state of the art data protection technologies which are based on Microsoft Azure infrastructure. - There are various aspects relevant to data protection that our service takes care of. Encryption is one of the most critical and it includes data encryption at rest, encryption in flight, and key management with Key Vault. For more information on other technologies used by the Microsoft Defender ATP service, see [Azure encryption overview](https://docs.microsoft.com/azure/security/security-azure-encryption-overview). In all scenarios, data is encrypted using 256-bit [AES encryption](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) at the minimum. -## Do I have the flexibility to select where to store my data? +## Data storage location -When onboarding the service for the first time, you can choose to store your data in Microsoft Azure datacenters in the European Union, the United Kingdom, or the United States, or dedicated Azure Government data centers (soon to be in preview). Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Customer data in pseudonymized form may also be stored in the central storage and processing systems in the United States. +Microsoft Defender ATP operates in the Microsoft Azure datacenters in the European Union, the United Kingdom, or in the United States. Customer data collected by the service may be stored in: (a) the geo-location of the tenant as identified during provisioning or, (b) if Microsoft Defender ATP uses another Microsoft online service to process such data, the geolocation as defined by the data storage rules of that other online service. + +Customer data in pseudonymized form may also be stored in the central storage and processing systems in the United States. + +Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. ## Is my data isolated from other customer data? Yes, your data is isolated through access authentication and logical segregation based on customer identifier. Each customer can only access data collected from its own organization and generic data that Microsoft provides. @@ -84,12 +87,10 @@ Your data will be kept and will be available to you while the license is under g ## Can Microsoft help us maintain regulatory compliance? -Microsoft provides customers with detailed information about Microsoft's security and compliance programs, including audit reports and compliance packages, to help customers assess Microsoft Defender ATP services against their own legal and regulatory requirements. Microsoft Defender ATP is ISO 27001 certified and has a roadmap for obtaining national, regional and industry-specific certifications. - -Microsoft Defender ATP for Government (soon to be in preview) is currently undergoing audit for achieving FedRAMP High accreditation as well as Provisional Authorization (PA) at Impact Levels 4 and 5. +Microsoft provides customers with detailed information about Microsoft's security and compliance programs, including audit reports and compliance packages, to help customers assess Microsoft Defender ATP services against their own legal and regulatory requirements. Microsoft Defender ATP has achieved a number of certifications including ISO, SOC, FedRAMP High, and PCI and continues to pursue additional national, regional and industry-specific certifications. By providing customers with compliant, independently-verified services, Microsoft makes it easier for customers to achieve compliance for the infrastructure and applications they run. -For more information on the Microsoft Defender ATP ISO certification reports, see [Microsoft Trust Center](https://www.microsoft.com/trustcenter/compliance/iso-iec-27001). +For more information on the Microsoft Defender ATP certification reports, see [Microsoft Trust Center](https://servicetrust.microsoft.com/). >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-datastorage-belowfoldlink) From d662874d5c55f1fd2ef9708627a4866663006f3a Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 30 Apr 2020 17:07:15 -0700 Subject: [PATCH 49/64] Indented (or further indented) content in list items --- .../linux-install-manually.md | 38 +++++++++---------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md index 747252643a..1c83c3447b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md @@ -204,19 +204,19 @@ Download the onboarding package from Microsoft Defender Security Center: 4. From a command prompt, verify that you have the file. Extract the contents of the archive: -```bash -ls -l -``` + ```bash + ls -l + ``` -`total 8` -`-rw-r--r-- 1 test staff 5752 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip` + `total 8` + `-rw-r--r-- 1 test staff 5752 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip` -```bash -unzip WindowsDefenderATPOnboardingPackage.zip -``` + ```bash + unzip WindowsDefenderATPOnboardingPackage.zip + ``` -`Archive: WindowsDefenderATPOnboardingPackage.zip` -`inflating: WindowsDefenderATPOnboarding.py` + `Archive: WindowsDefenderATPOnboardingPackage.zip` + `inflating: WindowsDefenderATPOnboarding.py` ## Client configuration @@ -254,21 +254,21 @@ unzip WindowsDefenderATPOnboardingPackage.zip - Ensure that real-time protection is enabled (denoted by a result of `1` from running the following command): - ```bash - mdatp --health realTimeProtectionEnabled - ``` + ```bash + mdatp --health realTimeProtectionEnabled + ``` - Open a Terminal window. Copy and execute the following command: - ``` bash - curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt - ``` + ``` bash + curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt + ``` - The file should have been quarantined by Microsoft Defender ATP for Linux. Use the following command to list all the detected threats: - ```bash - mdatp --threat --list --pretty - ``` + ```bash + mdatp --threat --list --pretty + ``` ## Log installation issues From d91733c658147b1465c4ecdc04c256927ad07e7e Mon Sep 17 00:00:00 2001 From: Kurt Sarens <56369685+kurtsarens@users.noreply.github.com> Date: Thu, 30 Apr 2020 17:07:17 -0700 Subject: [PATCH 50/64] Update configure-advanced-scan-types-windows-defender-antivirus.md Updating Email scanning limitations. Making it less confusing and sticking to topic --- ...ed-scan-types-windows-defender-antivirus.md | 18 ++++-------------- 1 file changed, 4 insertions(+), 14 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md index 981c05b0ae..14125ae30d 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md @@ -47,7 +47,7 @@ To configure the Group Policy settings described in the following table: Description | Location and setting | Default setting (if not configured) | PowerShell `Set-MpPreference` parameter or WMI property for `MSFT_MpPreference` class ---|---|---|--- -See [Email scanning limitations](#ref1)) below | Scan > Turn on e-mail scanning | Disabled | `-DisableEmailScanning` +Email scanning See [Email scanning limitations](#ref1)| Scan > Turn on e-mail scanning | Disabled | `-DisableEmailScanning` Scan [reparse points](https://msdn.microsoft.com/library/windows/desktop/aa365503.aspx) | Scan > Turn on reparse point scanning | Disabled | Not available Scan mapped network drives | Scan > Run full scan on mapped network drives | Disabled | `-DisableScanningMappedNetworkDrivesForFullScan` Scan archive files (such as .zip or .rar files). The [extensions exclusion list](configure-extension-file-exclusions-windows-defender-antivirus.md) will take precedence over this setting. | Scan > Scan archive files | Enabled | `-DisableArchiveScanning` @@ -72,29 +72,19 @@ For using WMI classes, see [Windows Defender WMIv2 APIs](https://msdn.microsoft. ## Email scanning limitations -We recommend using [always-on real-time protection](configure-real-time-protection-windows-defender-antivirus.md) to protect against email-based malware. - -Always-on protection scans emails as they arrive and as they are manipulated, just like normal files in the operating system. This provides the strongest form of protection and is the recommended setting for scanning emails. - -You can also use this Group Policy to enable scanning of older email files used by Outlook 2003 and older during on-demand and scheduled scans. Embedded objects within an email file (such as attachments and archived files) are also scanned. The following file format types can be scanned and remediated: +Email scanning enables scanning of email files used by Outlook and other mail clients during on-demand and scheduled scans. Embedded objects within an email file (such as attachments and archived files) are also scanned. The following file format types can be scanned and remediated: - DBX - MBX - MIME -PST files used by Outlook 2003 or older (where the archive type is set to non-unicode) can also be scanned, but Windows Defender cannot remediate threats detected inside PST files. This is another reason why we recommend using [always-on real-time protection](configure-real-time-protection-windows-defender-antivirus.md) to protect against email-based malware. +PST files used by Outlook 2003 or older (where the archive type is set to non-unicode) will also be scanned, but Windows Defender cannot remediate threats detected inside PST files. -If Windows Defender Antivirus detects a threat inside an email, it will show you the following information to assist you in identifying the compromised email, so you can remediate the threat: +If Windows Defender Antivirus detects a threat inside an email, it will show you the following information to assist you in identifying the compromised email, so you can remediate the threat manually: - Email subject - Attachment name ->[!WARNING] ->There are some risks associated with scanning some Microsoft Outlook files and email messages. You can read about tips and risks associated with scanning Outlook files and email messages in the following articles: -> -> - [Scanning Outlook files in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-1) -> - [Scanning email messages in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-2) - ## Related topics - [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) From 93ef5dbb8fd5a495c7a605ba23cf5564cf8ea0b6 Mon Sep 17 00:00:00 2001 From: Teresa-Motiv Date: Fri, 1 May 2020 08:47:53 -0700 Subject: [PATCH 51/64] TOC update --- devices/hololens/TOC.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md index 330bc3286e..3a518791ed 100644 --- a/devices/hololens/TOC.md +++ b/devices/hololens/TOC.md @@ -37,7 +37,7 @@ # User management and access management ## [Manage user identity and sign-in for HoloLens](hololens-identity.md) ## [Share your HoloLens with multiple people](hololens-multiple-users.md) -## [Set up HoloLens as a kiosk for specific applications](hololens-kiosk.md) +## [Set up HoloLens as a kiosk](hololens-kiosk.md) # Holographic applications ## [Use 3D Viewer on HoloLens](holographic-3d-viewer-beta.md) From 5fe4ff73c21004b454b9b63c92f346491f8018cc Mon Sep 17 00:00:00 2001 From: Teresa-Motiv Date: Fri, 1 May 2020 09:45:22 -0700 Subject: [PATCH 52/64] Edits --- devices/hololens/hololens-kiosk.md | 120 ++++++++++++++--------------- 1 file changed, 60 insertions(+), 60 deletions(-) diff --git a/devices/hololens/hololens-kiosk.md b/devices/hololens/hololens-kiosk.md index 482241ea7f..5cd1b01595 100644 --- a/devices/hololens/hololens-kiosk.md +++ b/devices/hololens/hololens-kiosk.md @@ -23,15 +23,15 @@ appliesto: You can configure a HoloLens device to function as a fixed-purpose device, also called a *kiosk*, by configuring the device to run in kiosk mode. Kiosk mode limits the applications (or users) that are available on the device. Kiosk mode is a convenient feature that you can use to dedicate a HoloLens device to business apps, or to use the HoloLens device in an app demo. -This article provides information about aspects of configuring kiosks that are specific to HoloLens devices. For general information about types of Windows-based kiosks and how to configure them, see [Configure kiosks and digital signs on Windows desktop editions](https://docs.microsoft.com/windows/configuration/kiosk-methods). +This article provides information about aspects of kiosk configuration that are specific to HoloLens devices. For general information about the different types of Windows-based kiosks and how to configure them, see [Configure kiosks and digital signs on Windows desktop editions](https://docs.microsoft.com/windows/configuration/kiosk-methods). > [!IMPORTANT] -> Kiosk mode determines which apps are available when a user signs in to the device. However, kiosk mode is not a security limitation. It does not stop an "allowed" app from launching an app that is not allowed. In order to block apps or processes from launching, use [Windows Defender Application Control (WDAC) CSP](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp) to create appropriate policies. +> Kiosk mode determines which apps are available when a user signs in to the device. However, kiosk mode is not a security method. It does not stop an "allowed" app from opening another app that is not allowed. In order to block apps or processes from opening, use [Windows Defender Application Control (WDAC) CSP](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp) to create appropriate policies. -You can use kiosk mode in one of two configurations (single-app kiosk or multi-app kiosk), and you can use select one of three processes to set up and deploy the kiosk configuration. +You can use kiosk mode in either a single-app or a multi-app configuration, and you can use one of three processes to set up and deploy the kiosk configuration. > [!IMPORTANT] -> Deleting the multi-app configuration removes the user lockdown profiles that the assigned access feature put in place. However, it does not revert all of the policy changes. To revert these policies, you have to reset the device to the factory settings. +> Deleting the multi-app configuration removes the user lockdown profiles that the assigned access feature created. However, it does not revert all the policy changes. To revert these policies, you have to reset the device to the factory settings. ## Plan the kiosk deployment @@ -39,7 +39,7 @@ You can use kiosk mode in one of two configurations (single-app kiosk or multi-a You can configure any HoloLens 2 device to use kiosk mode. -To configure a HoloLens (1st gen) device to use kiosk mode, you must first make sure that the device runs Windows 10, version 1803, or a newer version. If you have used the Windows Device Recovery Tool to recover your HoloLens (1st gen) device to its default build, or if you have installed the most recent updates, then your device is ready. +To configure a HoloLens (1st gen) device to use kiosk mode, you must first make sure that the device runs Windows 10, version 1803, or a later version. If you have used the Windows Device Recovery Tool to recover your HoloLens (1st gen) device to its default build, or if you have installed the most recent updates, your device is ready to configure. > [!IMPORTANT] > To help protect devices that run in kiosk mode, consider adding device management policies that turn off features such as USB connectivity. Additionally, check your update ring settings to make sure that automatic updates do not occur during business hours. @@ -48,7 +48,7 @@ To configure a HoloLens (1st gen) device to use kiosk mode, you must first make A single-app kiosk starts the specified app when the user signs in to the device. The Start menu is disabled, as is Cortana. A HoloLens 2 device does not respond to the [Start](hololens2-basic-usage.md#start-gesture) gesture. A HoloLens (1st gen) device does not respond to the [bloom](hololens1-basic-usage.md) gesture. Because only one app can run, the user cannot place other apps. -A multi-app kiosk displays the start menu when the user signs in to the device. The kiosk configuration determines what apps are available on the Start menu. You can use a multi-app kiosk to provide an easy-to-understand experience for users by putting in front of them only the things they need to use, and removing from their view the things they don't need to access. +A multi-app kiosk displays the Start menu when the user signs in to the device. The kiosk configuration determines which apps are available on the Start menu. You can use a multi-app kiosk to provide an easy-to-understand experience for users by presenting to them only the things that they have to use, and removing the things they don't need to use. The following table lists the feature capabilities in the different kiosk modes. @@ -72,19 +72,19 @@ For examples of how to use these capabilities, see the following table. |Use a single-app kiosk for: |Use a multi-app kiosk for: | | --- | --- | -|A device that runs only a Dynamics 365 Guide for new hires. |A device that runs both Guides and Remote Assistance for a range of employees. | -|A device that runs only a custom app. |A device that functions as a kiosk for the majority of users (running only a custom app), but functions as a normal device for a specific group of users. | +|A device that runs only a Dynamics 365 Guide for new employees. |A device that runs both Guides and Remote Assistance for a range of employees. | +|A device that runs only a custom app. |A device that functions as a kiosk for most users (running only a custom app), but functions as a standard device for a specific group of users. | ### Plan kiosk apps -For general information about selecting kiosk apps, see [Guidelines for choosing an app for assigned access (kiosk mode)](https://docs.microsoft.com/windows/configuration/guidelines-for-assigned-access-app). +For general information about how to choose kiosk apps, see [Guidelines for choosing an app for assigned access (kiosk mode)](https://docs.microsoft.com/windows/configuration/guidelines-for-assigned-access-app). If you use the Windows Device Portal to configure a single-app kiosk, you select the app during the setup process. -If you use an MDM system or a provisioning package to configure kiosk mode, you use the [AssignedAccess Configuration Service Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) to specify applications. The CSP uses [Application User Model IDs (AUMIDs)](https://docs.microsoft.com/windows/configuration/find-the-application-user-model-id-of-an-installed-app) to identify applications. The following table lists the AUMIDs of some in-box applications that you can use in a multi-app kiosk. +If you use a Mobile Device Management (MDM) system or a provisioning package to configure kiosk mode, you use the [AssignedAccess Configuration Service Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) to specify applications. The CSP uses [Application User Model IDs (AUMIDs)](https://docs.microsoft.com/windows/configuration/find-the-application-user-model-id-of-an-installed-app) to identify applications. The following table lists the AUMIDs of some in-box applications that you can use in a multi-app kiosk. > [!CAUTION] -> You cannot select the Shell app as a kiosk app. In addition, we recommend that you do **not** select the Microsoft Edge, Microsoft Store, or the File Explorer app as kiosk apps. +> You cannot select the Shell app as a kiosk app. Addition, we recommend that you do **not** select Microsoft Edge, Microsoft Store, or File Explorer as a kiosk app. @@ -107,23 +107,23 @@ If you use an MDM system or a provisioning package to configure kiosk mode, you |Tips |Microsoft.HoloLensTips\_8wekyb3d8bbwe\!HoloLensTips | > 1 To enable photo or video capture, you have to enable the Camera app as a kiosk app. -> 2 When you enable the Camera app, be aware of the following: +> 2 When you enable the Camera app, be aware of the following conditions: > - The Quick Actions menu includes the Photo and Video buttons. -> - You should also enable an app that can interact with or retrieve pictures (such as Photos, Mail, or OneDrive). +> - You should also enable an app (such as Photos, Mail, or OneDrive) that can interact with or retrieve pictures. > > 3 Even if you do not enable Cortana as a kiosk app, built-in voice commands are enabled. However, commands that are related to disabled features have no effect. -> 4 To enable Miracast as a kiosk app, enable the Camera app and the Device Picker app. +> 4 You cannot enable Miracast directly. To enable Miracast as a kiosk app, enable the Camera app and the Device Picker app. ### Plan user and device groups In an MDM environment, you use groups to manage device configurations and user access. -The kiosk configuration profile includes the **User logon type** setting. **User logon type** identifies the user (or group that contains the users) who can use the app (or apps) that you add. If a user signs in by using an account that is not included in the configuration profile, that user cannot use apps on the kiosk. +The kiosk configuration profile includes the **User logon type** setting. **User logon type** identifies the user (or group that contains the users) who can use the app or apps that you add. If a user signs in by using an account that is not included in the configuration profile, that user cannot use apps on the kiosk. > [!NOTE] > The **User logon type** of a single-app kiosk specifies a single user account. This is the user context under which the kiosk runs. The **User logon type** of a multi-app kiosk can specify one or more user accounts or groups that can use the kiosk. -Before you can deploy the kiosk configuration to a device, you have to *assign* the kiosk configuration profile to a group that contains the device or a user that can sign on to the device. This setting produces behavior such as the following. +Before you can deploy the kiosk configuration to a device, you have to *assign* the kiosk configuration profile to a group that contains the device or a user who can sign in to the device. This setting produces behavior such as the following. - If the device is a member of the assigned group, the kiosk configuration deploys to the device the first time that any user signs in on the device. - If the device is not a member of the assigned group, but a user who is a member of that group signs in, the kiosk configuration deploys to the device at that time. @@ -140,11 +140,11 @@ You use a single group (Group 1) for both devices and users. One device and user - **User logon type**: Group 1 - **Assigned group**: Group 1 -No matter which user signs on to the device first (and goes through the Out-of-Box Experience, or OOBE), the kiosk configuration deploys to the device. Users A, B, and C can all sign in to the device and get the kiosk experience. +Regardless of which user signs on to the device first (and goes through the Out-of-Box Experience, or OOBE), the kiosk configuration deploys to the device. Users A, B, and C can all sign in to the device and get the kiosk experience. **Example 2** -You contract devices out to two different vendors who need different kiosk experiences. Both vendors have users, and you want all of the users to have access to kiosks from both their own vendor and the other vendor. You configure groups as follows: +You contract out devices to two different vendors who need different kiosk experiences. Both vendors have users, and you want all the users to have access to kiosks from both their own vendor and the other vendor. You configure groups as follows: - Device Group 1: - Device 1 (Vendor 1) @@ -170,19 +170,19 @@ You create two kiosk configuration profiles that have the following settings: These configurations produce the following results: -- When any user signs on to Device 1 or Device 2, Intune deploys Kiosk Profile 1 to that device. -- When any user signs on to Device 3 or Device 4, Intune deploys Kiosk Profile 2 to that device. -- User A and user B can sign in to any of the four devices. If they sign in to Device 1 or Device 2, they see Vendor 1's kiosk experience. If they sign in to Device 3 or Device 4, they see Vendor 2's kiosk experience. +- When any user signs in to Device 1 or Device 2, Intune deploys Kiosk Profile 1 to that device. +- When any user signs in to Device 3 or Device 4, Intune deploys Kiosk Profile 2 to that device. +- User A and user B can sign in to any of the four devices. If they sign in to Device 1 or Device 2, they see the Vendor 1 kiosk experience. If they sign in to Device 3 or Device 4, they see the Vendor 2 kiosk experience. #### Profile conflicts If two or more kiosk configuration profiles target the same device, they conflict. In the case of Intune-managed devices, Intune does not apply any of the conflicting profiles. -Other types of profiles and policies, such as device restrictions that are not related to the kiosk configuration profile, do not conflict with the kiosk configuration profile. +Other kinds of profiles and policies, such as device restrictions that are not related to the kiosk configuration profile, do not conflict with the kiosk configuration profile. ### Select a deployment method -You can select one of three methods to deploy kiosk configurations: +You can select one of the following methods to deploy kiosk configurations: - [Microsoft Intune or other mobile device management (MDM) service](#use-microsoft-intune-or-other-mdm-to-set-up-a-single-app-or-multi-app-kiosk) @@ -191,16 +191,16 @@ You can select one of three methods to deploy kiosk configurations: - [Windows Device Portal](#use-the-windows-device-portal-to-set-up-a-single-app-kiosk) > [!NOTE] - > Because this method requires that developer mode be enabled on the device, we recommend that you use it only for demonstrations. + > Because this method requires that Developer Mode be enabled on the device, we recommend that you use it only for demonstrations. -The following table lists the capabilities and benefits of each of the three deployment methods. +The following table lists the capabilities and benefits of each of the deployment methods. |   |Deploy by using Windows Device Portal |Deploy by using a provisioning package |Deploy by using MDM | | --------------------------- | ------------- | -------------------- | ---- | |Deploy single-app kiosks | Yes | Yes | Yes | |Deploy multi-app kiosks | No | Yes | Yes | |Deploy to local devices only | Yes | Yes | No | -|Deploy by using developer mode |Required | Not required | Not required | +|Deploy by using Developer Mode |Required | Not required | Not required | |Deploy by using Azure Active Directory (AAD) | Not required | Not required | Required | |Deploy automatically | No | No | Yes | |Deployment speed | Fastest | Fast | Slow | @@ -224,7 +224,7 @@ To set up kiosk mode by using Microsoft Intune or another MDM system, follow the You can configure your MDM system to enroll HoloLens devices automatically when the user first signs in, or have users enroll devices manually. The devices also have to be joined to your Azure AD domain, and assigned to the appropriate groups. -For more information about enrolling the devices, see [Enroll HoloLens in MDM](hololens-enroll-mdm.md) and [Intune enrollment methods for Windows devices](https://docs.microsoft.com/mem/intune/enrollment/windows-enrollment-methods). +For more information about how to enroll the devices, see [Enroll HoloLens in MDM](hololens-enroll-mdm.md) and [Intune enrollment methods for Windows devices](https://docs.microsoft.com/mem/intune/enrollment/windows-enrollment-methods). ### MDM, step 2 – Create a kiosk configuration profile @@ -237,22 +237,22 @@ For more information about enrolling the devices, see [Enroll HoloLens in MDM](h - To create a multi-app kiosk, select **Kiosk Mode** > **Multi-app kiosk**. 1. To start configuring the kiosk, select **Add**. -Your next steps differ depending on the type of kiosk that you want. For further information, select one of the following: +Your next steps differ depending on the type of kiosk that you want. For more information, select one of the following options: - [Single-app kiosk](#mdmconfigsingle) - [Multi-app kiosk](#mdmconfigmulti) -For more information about creating a kiosk configuration profile, see [Windows 10 and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune](https://docs.microsoft.com/intune/configuration/kiosk-settings). +For more information about how to create a kiosk configuration profile, see [Windows 10 and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune](https://docs.microsoft.com/intune/configuration/kiosk-settings). ### MDM, step 3 (single-app) – Configure the settings for a single-app kiosk -This section summarizes the settings that a single-app kiosk requires. For more detailed information, see the following articles: +This section summarizes the settings that a single-app kiosk requires. For more details, see the following articles: - For information about how to configure a kiosk configuration profile in Intune, see [How to Configure Kiosk Mode Using Microsoft Intune](hololens-commercial-infrastructure.md#how-to-configure-kiosk-mode-using-microsoft-intune). - For more information about the available settings for single-app kiosks in Intune, see [Single full-screen app kiosks](https://docs.microsoft.com/intune/configuration/kiosk-settings-holographic#single-full-screen-app-kiosks) -- For other MDM services, check your provider's documentation for instructions. If you need to use a custom setting and full XML configuration to set up a kiosk in your MDM service, [create an XML file that defines the kiosk configuration](#ppkioskconfig). +- For other MDM services, check your provider's documentation for instructions. If you have to use a custom XML configuration to set up a kiosk in your MDM service, [create an XML file that defines the kiosk configuration](#ppkioskconfig). -1. Select **User logon type** > **Local user account**, and enter the user name of the local (device) account or Microsoft Account (MSA) that can sign in to the kiosk. +1. Select **User logon type** > **Local user account**, and then enter the user name of the local (device) account or Microsoft Account (MSA) that can sign in to the kiosk. > [!NOTE] > **Autologon** user account types aren't supported on Windows Holographic for Business. 1. Select **Application type** > **Store app**, and then select an app from the list. @@ -265,7 +265,7 @@ This section summarizes the settings that a multi-app kiosk requires. For more d - For information about how to configure a kiosk configuration profile in Intune, see [How to Configure Kiosk Mode Using Microsoft Intune](hololens-commercial-infrastructure.md#how-to-configure-kiosk-mode-using-microsoft-intune). - For more information about the available settings for multi-app kiosks in Intune, see [Multi-app kiosks](https://docs.microsoft.com/mem/intune/configuration/kiosk-settings-holographic#multi-app-kiosks) -- For other MDM services, check your provider's documentation for instructions. If you need to use a custom setting and full XML configuration to set up a kiosk in your MDM service, [create an XML file that defines the kiosk configuration](#ppkioskconfig). If you use an XML file, make sure to include the [Start layout](#start-layout-for-hololens). +- For other MDM services, check your provider's documentation for instructions. If you need to use a custom XML configuration to set up a kiosk in your MDM service, [create an XML file that defines the kiosk configuration](#ppkioskconfig). If you use an XML file, make sure to include the [Start layout](#start-layout-for-hololens). - You can optionally use a custom Start layout with Intune or other MDM services. For more information, see [Start layout file for MDM (Intune and others)](#start-layout-file-for-mdm-intune-and-others). 1. Select **Target Windows 10 in S mode devices** > **No**. @@ -273,10 +273,10 @@ This section summarizes the settings that a multi-app kiosk requires. For more d > S mode isn't supported on Windows Holographic for Business. 1. Select **User logon type** > **Azure AD user or group** or **User logon type** > **HoloLens visitor**, and then add one or more user groups or accounts. - Only users that belong to the groups or accounts that you specify in **User logon type** can use the kiosk experience. + Only users who belong to the groups or accounts that you specify in **User logon type** can use the kiosk experience. 1. Select one or more apps by using the following options: - - To add an uploaded line-of-business app, select **Add store app** and then select the app you want. + - To add an uploaded line-of-business app, select **Add store app** and then select the app that you want. - To add an app by specifying its AUMID, select **Add by AUMID** and then enter the AUMID of the app. [See the list of available AUMIDs](#aumids) Your next step is to [assign](#mdmassign) the profile to a group. @@ -287,7 +287,7 @@ Use the **Assignments** page of the kiosk configuration profile to set where you ### MDM, step 5 (single-app) – Deploy a single-app kiosk -When you use an MDM system, you can enroll the device in MDM during OOBE. After OOBE finishes, device sign-in is easy. +When you use an MDM system, you can enroll the device in MDM during OOBE. After OOBE finishes, signing in to the device is easy. During OOBE, follow these steps: @@ -295,13 +295,13 @@ During OOBE, follow these steps: 1. Enroll the device. Make sure that the device is added to the group that the kiosk configuration profile is assigned to. 1. Wait for OOBE to finish, for the store app to download and install, and for policies to be applied. Then restart the device. -The next time you sign in to the device, the kiosk app should automatically launch. +The next time you sign in to the device, the kiosk app should automatically start. -If you're not seeing your Kiosk mode yet, [check the assignment status](https://docs.microsoft.com/intune/configuration/device-profile-monitor). +If you don't see your kiosk configuration at this point, [check the assignment status](https://docs.microsoft.com/intune/configuration/device-profile-monitor). ### MDM, step 5 (multi-app) – Deploy a multi-app kiosk -When you use an MDM system, you can join the device to your Azure AD tenant and enroll the device in MDM during OOBE. If appropriate, provide the information that's required for enrollment to the users for the OOBE process. +When you use an MDM system, you can join the device to your Azure AD tenant and enroll the device in MDM during OOBE. If appropriate, provide the enrollment information to the users so that they have it available during the OOBE process. > [!NOTE] > If you have assigned the kiosk configuration profile to a group that contains users, make sure that one of those user accounts is the first account to sign in to the device. @@ -310,13 +310,13 @@ During OOBE, follow these steps: 1. Sign in by using the account that belongs to the **User logon type** group. 1. Enroll the device. -1. Wait for any apps that are part of the kiosk configuration profile to download and install, and for policies to be applied. +1. Wait for any apps that are part of the kiosk configuration profile to download and install. Also, wait for policies to be applied. 1. After OOBE finishes, you can install additional apps from the Microsoft store or by sideloading. [Required apps](https://docs.microsoft.com/mem/intune/apps/apps-deploy#assign-an-app) for the group that the device belongs to install automatically. -1. When finished, restart the device. +1. After the installation finishes, restart the device. The next time you sign in to the device by using an account that belongs to the **User logon type**, the kiosk app should automatically launch. -If you're not seeing your Kiosk mode yet, [check the assignment status](https://docs.microsoft.com/intune/configuration/device-profile-monitor). +If you don't see your kiosk configuration at this point, [check the assignment status](https://docs.microsoft.com/intune/configuration/device-profile-monitor). ## Use a provisioning package to set up a single-app or multi-app kiosk @@ -326,17 +326,17 @@ To set up kiosk mode by using a provisioning package, follow these steps. 2. [Add the XML file to a provisioning package.](#ppconfigadd) 3. [Apply the provisioning package to HoloLens.](#ppapply) -### Prov. package, step 1 – Create a kiosk configuration XML file +### Provisioning package, step 1 – Create a kiosk configuration XML file -Follow [the instructions for creating a kiosk configuration XML file for desktop](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps#configure-a-kiosk-using-a-provisioning-package), except for the following: +Follow [the general instructions to create a kiosk configuration XML file for Windows desktop](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps#create-xml-file), except for the following: - Do not include Classic Windows applications (Win32). HoloLens does not support these applications. -- Use the [placeholder Start XML](#start-layout-for-hololens) for HoloLens. +- Use the [placeholder Start layout XML](#start-layout-for-hololens) for HoloLens. - Optional: Add guest access to the kiosk configuration #### Optional: Add guest access to the kiosk configuration -In the [**Configs** section of the XML file](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps#configs), you can configure a special group named **Visitor** to allow guests to use the kiosk. When the kiosk is configured with the **Visitor** special group, a "**Guest**" option is added to the sign-in page. The **Guest** account does not require a password, and any data associated with the account is deleted when the account signs out. +In the [**Configs** section of the XML file](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps#configs), you can configure a special group named **Visitor** to allow guests to use the kiosk. When the kiosk is configured to support the **Visitor** special group, a "**Guest**" option is added to the sign-in page. The **Guest** account does not require a password, and any data that is associated with the account is deleted when the account signs out. To enable the **Guest** account, add the following snippet to your kiosk configuration XML: @@ -349,15 +349,15 @@ To enable the **Guest** account, add the following snippet to your kiosk configu ``` -#### Start layout for HoloLens +#### Placeholder Start layout for HoloLens -If you use a [provisioning package](##use-a-provisioning-package-to-set-up-a-single-app-or-multi-app-kiosk) to configure a multi-app kiosk, the procedure requires a Start layout. Start layout customization isn't supported in Windows Holographic for Business, so you'll need to use a placeholder Start layout. +If you use a [provisioning package](##use-a-provisioning-package-to-set-up-a-single-app-or-multi-app-kiosk) to configure a multi-app kiosk, the procedure requires a Start layout. Start layout customization isn't supported in Windows Holographic for Business. Therefore, you'll have to use a placeholder Start layout. > [!NOTE] -> Because a single-app kiosk launches the kiosk app when a user signs in, it does not use a Start menu and does not need a Start layout. +> Because a single-app kiosk starts the kiosk app when a user signs in, it does not use a Start menu and does not have to have a Start layout. > [!NOTE] -> If you use [MDM](#use-microsoft-intune-or-other-mdm-to-set-up-a-single-app-or-multi-app-kiosk) to set up a multi-app kiosk, you can optionally use a Start layout. For more information, see [Start layout file for MDM (Intune and others)](#start-layout-file-for-mdm-intune-and-others). +> If you use [MDM](#use-microsoft-intune-or-other-mdm-to-set-up-a-single-app-or-multi-app-kiosk) to set up a multi-app kiosk, you can optionally use a Start layout. For more information, see [Placeholder Start layout file for MDM (Intune and others)](#start-layout-file-for-mdm-intune-and-others). For the Start layout, add the following **StartLayout** section to the kiosk provisioning XML file: @@ -381,12 +381,12 @@ For the Start layout, add the following **StartLayout** section to the kiosk pro ``` -#### Start layout file for MDM (Intune and others) +#### Placeholder Start layout file for MDM (Intune and others) Save the following sample as an XML file. You can use this file when you configure the multi-app kiosk in Microsoft Intune (or in another MDM service that provides a kiosk profile). > [!NOTE] -> If you need to use a custom setting and full XML configuration to set up a kiosk in your MDM service, use the [Start layout instructions for a provisioning package](#start-layout-for-hololens). +> If you have to use a custom setting and full XML configuration to set up a kiosk in your MDM service, use the [Start layout instructions for a provisioning package](#start-layout-for-hololens). ```xml **Administrators**. +1. **Optional**. (If you want to apply the provisioning package after the initial setup of the device, and there is an admin user already available on the kiosk device, skip this step.) Select **Runtime settings** > **Accounts** > **Users**, and then create a user account. Provide a user name and password, and then select **UserGroup** > **Administrators**. By using this account, you can view the provisioning status and logs. -1. **Optional**. (If you already have a non-admin account on the kiosk device, skip this step.) Select **Runtime settings** > **Accounts** > **Users**, and then create a local user account. Make sure the user name is the same as the account that you specify in the configuration XML. Select **UserGroup** > **Standard Users**. +1. **Optional**. (If you already have a non-admin account on the kiosk device, skip this step.) Select **Runtime settings** > **Accounts** > **Users**, and then create a local user account. Make sure that the user name is the same as for the account that you specify in the configuration XML. Select **UserGroup** > **Standard Users**. 1. Select **File** > **Save**. 1. Select **Export** > **Provisioning package**, and then select **Owner** > **IT Admin**. This sets the precedence of this provisioning package higher than provisioning packages that are applied to this device from other sources. 1. Select **Next**. @@ -429,12 +429,12 @@ Save the following sample as an XML file. You can use this file when you configu > [!CAUTION] > Do not select **Enable package encryption**. On HoloLens devices, this setting causes provisioning to fail. 1. Select **Next**. -1. Specify the output location where you want the provisioning package to go when it's built. By default, Windows Configuration Designer uses the project folder as the output location. If you want to change the output location, select **Browse**. When finished, select **Next**. +1. Specify the output location where you want the provisioning package to go when it's built. By default, Windows Configuration Designer uses the project folder as the output location. If you want to change the output location, select **Browse**. When you are finished, select **Next**. 1. Select **Build** to start building the package. The provisioning package doesn't take long to build. The build page displays the project information, and the progress bar indicates the build status. -### Prov. package, step 3 – Apply the provisioning package to HoloLens +### Provisioning package, step 3 – Apply the provisioning package to HoloLens -The "Configure HoloLens by using a provisioning package" article provides detailed instructions for applying the provisioning package under the following circumstances: +The "Configure HoloLens by using a provisioning package" article provides detailed instructions to apply the provisioning package under the following circumstances: - You can initially [apply a provisioning package to HoloLens during setup](hololens-provisioning.md#apply-a-provisioning-package-to-hololens-during-setup). @@ -445,12 +445,12 @@ The "Configure HoloLens by using a provisioning package" article provides detail To set up kiosk mode by using the Windows Device Portal, follow these steps. > [!IMPORTANT] -> Kiosk mode is only available if the device has [Windows Holographic for Business](hololens1-upgrade-enterprise.md) installed. +> Kiosk mode is available only if the device has [Windows Holographic for Business](hololens1-upgrade-enterprise.md) installed. 1. [Set up the HoloLens device to use the Windows Device Portal](https://developer.microsoft.com/windows/mixed-reality/using_the_windows_device_portal#setting_up_hololens_to_use_windows_device_portal). The Device Portal is a web server on your HoloLens that you can connect to from a web browser on your PC. > [!CAUTION] - > When you set up HoloLens to use the Device Portal, you have to enable **Developer Mode** on the device. **Developer Mode** on a device that has Windows Holographic for Business enables you to side-load apps. However, this setting creates a risk that a user can install apps that have not been certified by the Microsoft Store. Administrators can block the ability to enable **Developer Mode** by using the **ApplicationManagement/AllowDeveloper Unlock** setting in the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider). [Learn more about Developer Mode.](https://docs.microsoft.com/windows/uwp/get-started/enable-your-device-for-development#developer-mode) + > When you set up HoloLens to use the Device Portal, you have to enable Developer Mode on the device. Developer Mode on a device that has Windows Holographic for Business enables you to side-load apps. However, this setting creates a risk that a user can install apps that have not been certified by the Microsoft Store. Administrators can block the ability to enable Developer Mode by using the **ApplicationManagement/AllowDeveloper Unlock** setting in the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider). [Learn more about Developer Mode.](https://docs.microsoft.com/windows/uwp/get-started/enable-your-device-for-development#developer-mode) 1. On a computer, connect to the HoloLens by using [Wi-Fi](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal#connecting_over_wi-fi) or [USB](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal#connecting_over_usb). @@ -466,7 +466,7 @@ To set up kiosk mode by using the Windows Device Portal, follow these steps. 1. Select **Enable Kiosk Mode**, select an app to run when the device starts, and then select **Save**. ![Kiosk Mode](images/kiosk.png) -1. Restart HoloLens. If you still have your Device Portal page open, you can select select **Restart** at the top of the page. +1. Restart HoloLens. If you still have your Device Portal page open, you can select **Restart** at the top of the page. ## More information From 03d82c2f44e8155b9af461c321c077efa2274c05 Mon Sep 17 00:00:00 2001 From: Teresa-Motiv Date: Fri, 1 May 2020 10:11:26 -0700 Subject: [PATCH 53/64] Edit --- devices/hololens/hololens-kiosk.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/hololens/hololens-kiosk.md b/devices/hololens/hololens-kiosk.md index 5cd1b01595..c08a6c076b 100644 --- a/devices/hololens/hololens-kiosk.md +++ b/devices/hololens/hololens-kiosk.md @@ -470,5 +470,5 @@ To set up kiosk mode by using the Windows Device Portal, follow these steps. ## More information -Watch how to configure a kiosk in a provisioning package. +Watch how to configure a kiosk by using a provisioning package. > [!VIDEO https://www.microsoft.com/videoplayer/embed/fa125d0f-77e4-4f64-b03e-d634a4926884?autoplay=false] From 57ca9c9ed1fefdcb8664bec71c10089717205408 Mon Sep 17 00:00:00 2001 From: Kurt Sarens <56369685+kurtsarens@users.noreply.github.com> Date: Fri, 1 May 2020 13:12:40 -0700 Subject: [PATCH 54/64] Update manage-updates-baselines-windows-defender-antivirus.md update April version --- .../manage-updates-baselines-windows-defender-antivirus.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md index 8eafa9113d..5fdfa55aa4 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md @@ -60,11 +60,11 @@ All our updates contain:
      - April-2020 (Platform: 4.18.2004.5 | Engine: 1.1.17000.2) + April-2020 (Platform: 4.18.2004.6 | Engine: 1.1.17000.2)  Security intelligence update version: **TBD**  Released: **April 30, 2020** - Platform: **4.18.2004.5** + Platform: **4.18.2004.6**  Engine: **1.1.17000.2**  Support phase: **Security and Critical Updates** From d186d71cc084c8df0e3fb989a58da658dff9a74b Mon Sep 17 00:00:00 2001 From: KimLiauw <64710446+KimLiauw@users.noreply.github.com> Date: Sat, 2 May 2020 14:44:01 -0700 Subject: [PATCH 55/64] Update respond-machine-alerts.md --- .../microsoft-defender-atp/respond-machine-alerts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md index 6a3f13571d..a6b23d0ed7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md @@ -97,7 +97,7 @@ The package contains the following folders: |:---|:---------| |Autoruns | Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify attacker’s persistency on the machine.

      NOTE: If the registry key is not found, the file will contain the following message: “ERROR: The system was unable to find the specified registry key or value.” | |Installed programs | This .CSV file contains the list of installed programs that can help identify what is currently installed on the machine. For more information, see [Win32_Product class](https://go.microsoft.com/fwlink/?linkid=841509). | -|Network connections | This folder contains a set of data points related to the connectivity information which can help in identifying connectivity to suspicious URLs, attacker’s command and control (C&C) infrastructure, any lateral movement, or remote connections.

      - ActiveNetConnections.txt – Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process.

      - Arp.txt – Displays the current address resolution protocol (ARP) cache tables for all interfaces.

      ARP cache can reveal additional hosts on a network that have been compromised or suspicious systems on the network that night have been used to run an internal attack.

      - DnsCache.txt - Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections.

      - IpConfig.txt – Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections.

      - FirewassExecutionLog.txt and pfirewall.log | +|Network connections | This folder contains a set of data points related to the connectivity information which can help in identifying connectivity to suspicious URLs, attacker’s command and control (C&C) infrastructure, any lateral movement, or remote connections.

      - ActiveNetConnections.txt – Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process.

      - Arp.txt – Displays the current address resolution protocol (ARP) cache tables for all interfaces.

      ARP cache can reveal additional hosts on a network that have been compromised or suspicious systems on the network that night have been used to run an internal attack.

      - DnsCache.txt - Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections.

      - IpConfig.txt – Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections.

      - FirewallExecutionLog.txt and pfirewall.log | | Prefetch files| Windows Prefetch files are designed to speed up the application startup process. It can be used to track all the files recently used in the system and find traces for applications that might have been deleted but can still be found in the prefetch file list.

      - Prefetch folder – Contains a copy of the prefetch files from `%SystemRoot%\Prefetch`. NOTE: It is suggested to download a prefetch file viewer to view the prefetch files.

      - PrefetchFilesList.txt – Contains the list of all the copied files which can be used to track if there were any copy failures to the prefetch folder. | | Processes| Contains a .CSV file listing the running processes which provides the ability to identify current processes running on the machine. This can be useful when identifying a suspicious process and its state. | | Scheduled tasks| Contains a .CSV file listing the scheduled tasks which can be used to identify routines performed automatically on a chosen machine to look for suspicious code which was set to run automatically. | From 0ea9f9b33bd60e7ac68ca080945fed01e153bdad Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Sun, 3 May 2020 13:56:51 +0530 Subject: [PATCH 56/64] replaced entires to entries as per the user report #6622, I replaced **entires** to **entries** in row line no 116 --- .../client-management/troubleshoot-inaccessible-boot-device.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/troubleshoot-inaccessible-boot-device.md b/windows/client-management/troubleshoot-inaccessible-boot-device.md index 3acffc551f..924b563043 100644 --- a/windows/client-management/troubleshoot-inaccessible-boot-device.md +++ b/windows/client-management/troubleshoot-inaccessible-boot-device.md @@ -113,7 +113,7 @@ To verify the BCD entries: 2. In the **Windows Boot Loader** that has the **{default}** identifier, make sure that **device** , **path** , **osdevice,** and **systemroot** point to the correct device or partition, winload file, OS partition or device, and OS folder. >[!NOTE] - >If the computer is UEFI-based, the **bootmgr** and **winload** entires under **{default}** will contain an **.efi** extension. + >If the computer is UEFI-based, the **bootmgr** and **winload** entries under **{default}** will contain an **.efi** extension. ![bcdedit](images/screenshot1.png) From a214733faa111e1898c853da2cedd39856b6a745 Mon Sep 17 00:00:00 2001 From: alons8 <61512160+alons8@users.noreply.github.com> Date: Sun, 3 May 2020 17:09:22 +0300 Subject: [PATCH 57/64] Update configure-microsoft-threat-experts.md --- .../configure-microsoft-threat-experts.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md index 9698e75980..b38735478f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md @@ -71,7 +71,8 @@ You'll start receiving targeted attack notification from Microsoft Threat Expert You can partner with Microsoft Threat Experts who can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, a potentially compromised machine, or a threat intelligence context that you see on your portal dashboard. >[!NOTE] ->Alert inquiries related to your organization's customized threat intelligence data are currently not supported. Consult your security operations or incident response team for details. +>- Alert inquiries related to your organization's customized threat intelligence data are currently not supported. Consult your security operations or incident response team for details. +>- You will need to have the “Manage security settings” permission in the Security Center portal to be able to submit a “Consult a threat expert” inquiry. 1. Navigate to the portal page with the relevant information that you'd like to investigate, for example, the **Incident** page. Ensure that the page for the relevant alert or machine is in view before you send an investigation request. From 0c1e71f8b45eb625451045de760cad228e39c1bd Mon Sep 17 00:00:00 2001 From: Mati Goldberg Date: Sun, 3 May 2020 19:45:26 +0300 Subject: [PATCH 58/64] added sudo to onboarding command --- .../microsoft-defender-atp/linux-install-manually.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md index 1c83c3447b..c2d0882195 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md @@ -231,7 +231,7 @@ Download the onboarding package from Microsoft Defender Security Center: 2. Run WindowsDefenderATPOnboarding.py, and note that, in order to run this command, you must have `python` installed on the device: ```bash - python WindowsDefenderATPOnboarding.py + sudo python WindowsDefenderATPOnboarding.py ``` 3. Verify that the machine is now associated with your organization and reports a valid organization identifier: From 0e1c418708aa2ce76fd56eba06224e577b010753 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Mon, 4 May 2020 09:49:38 +0530 Subject: [PATCH 59/64] Update windows/client-management/troubleshoot-inaccessible-boot-device.md Accepted Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../client-management/troubleshoot-inaccessible-boot-device.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/client-management/troubleshoot-inaccessible-boot-device.md b/windows/client-management/troubleshoot-inaccessible-boot-device.md index 924b563043..d249b8c5f8 100644 --- a/windows/client-management/troubleshoot-inaccessible-boot-device.md +++ b/windows/client-management/troubleshoot-inaccessible-boot-device.md @@ -113,7 +113,7 @@ To verify the BCD entries: 2. In the **Windows Boot Loader** that has the **{default}** identifier, make sure that **device** , **path** , **osdevice,** and **systemroot** point to the correct device or partition, winload file, OS partition or device, and OS folder. >[!NOTE] - >If the computer is UEFI-based, the **bootmgr** and **winload** entries under **{default}** will contain an **.efi** extension. + > If the computer is UEFI-based, the **bootmgr** and **winload** entries under **{default}** will contain an **.efi** extension. ![bcdedit](images/screenshot1.png) @@ -279,4 +279,3 @@ The reason that these entries may affect us is because there may be an entry in * `sfc /scannow /offbootdir=OsDrive:\ /offwindir=OsDrive:\Windows` ![SFC scannow](images/sfc-scannow.png) - From 2e73989c6ed11e1579ab593c3ac829c1133e1283 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Mon, 4 May 2020 09:49:55 +0530 Subject: [PATCH 60/64] Update windows/client-management/troubleshoot-inaccessible-boot-device.md Accepted Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../client-management/troubleshoot-inaccessible-boot-device.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/troubleshoot-inaccessible-boot-device.md b/windows/client-management/troubleshoot-inaccessible-boot-device.md index d249b8c5f8..5556b97262 100644 --- a/windows/client-management/troubleshoot-inaccessible-boot-device.md +++ b/windows/client-management/troubleshoot-inaccessible-boot-device.md @@ -112,7 +112,7 @@ To verify the BCD entries: 2. In the **Windows Boot Loader** that has the **{default}** identifier, make sure that **device** , **path** , **osdevice,** and **systemroot** point to the correct device or partition, winload file, OS partition or device, and OS folder. - >[!NOTE] + > [!NOTE] > If the computer is UEFI-based, the **bootmgr** and **winload** entries under **{default}** will contain an **.efi** extension. ![bcdedit](images/screenshot1.png) From 7d7f715b5df0f67ba03eb61651abe38827e0c29f Mon Sep 17 00:00:00 2001 From: jcaparas Date: Mon, 4 May 2020 09:12:10 -0700 Subject: [PATCH 61/64] Update windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../configure-microsoft-threat-experts.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md index b38735478f..a399a88f76 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md @@ -70,7 +70,7 @@ You'll start receiving targeted attack notification from Microsoft Threat Expert ## Consult a Microsoft threat expert about suspicious cybersecurity activities in your organization You can partner with Microsoft Threat Experts who can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, a potentially compromised machine, or a threat intelligence context that you see on your portal dashboard. ->[!NOTE] +> [!NOTE] >- Alert inquiries related to your organization's customized threat intelligence data are currently not supported. Consult your security operations or incident response team for details. >- You will need to have the “Manage security settings” permission in the Security Center portal to be able to submit a “Consult a threat expert” inquiry. @@ -131,4 +131,3 @@ It is crucial to respond in a timely manner to keep the investigation moving. ## Related topic - [Microsoft Threat Experts overview](microsoft-threat-experts.md) - From 8ae85e7b6d4d4ffb4caed8dd2221e9432eb762e9 Mon Sep 17 00:00:00 2001 From: jcaparas Date: Mon, 4 May 2020 09:12:22 -0700 Subject: [PATCH 62/64] Update windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../configure-microsoft-threat-experts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md index a399a88f76..e58b459840 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md @@ -71,7 +71,7 @@ You'll start receiving targeted attack notification from Microsoft Threat Expert You can partner with Microsoft Threat Experts who can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, a potentially compromised machine, or a threat intelligence context that you see on your portal dashboard. > [!NOTE] ->- Alert inquiries related to your organization's customized threat intelligence data are currently not supported. Consult your security operations or incident response team for details. +> - Alert inquiries related to your organization's customized threat intelligence data are currently not supported. Consult your security operations or incident response team for details. >- You will need to have the “Manage security settings” permission in the Security Center portal to be able to submit a “Consult a threat expert” inquiry. 1. Navigate to the portal page with the relevant information that you'd like to investigate, for example, the **Incident** page. Ensure that the page for the relevant alert or machine is in view before you send an investigation request. From 302336f55eeeb84fd8c95262d2190f35e1640256 Mon Sep 17 00:00:00 2001 From: jcaparas Date: Mon, 4 May 2020 09:12:31 -0700 Subject: [PATCH 63/64] Update windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../configure-microsoft-threat-experts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md index e58b459840..1ae1fc060d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md @@ -72,7 +72,7 @@ You can partner with Microsoft Threat Experts who can be engaged directly from w > [!NOTE] > - Alert inquiries related to your organization's customized threat intelligence data are currently not supported. Consult your security operations or incident response team for details. ->- You will need to have the “Manage security settings” permission in the Security Center portal to be able to submit a “Consult a threat expert” inquiry. +> - You will need to have the "Manage security settings" permission in the Security Center portal to be able to submit a "Consult a threat expert" inquiry. 1. Navigate to the portal page with the relevant information that you'd like to investigate, for example, the **Incident** page. Ensure that the page for the relevant alert or machine is in view before you send an investigation request. From dd69478c24b3e1e37ea62c0c7e2573111d465cb2 Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Mon, 4 May 2020 19:20:37 +0300 Subject: [PATCH 64/64] add info about 0x8024043D https://github.com/MicrosoftDocs/windows-itpro-docs/issues/6344 --- windows/deployment/update/windows-update-error-reference.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/deployment/update/windows-update-error-reference.md b/windows/deployment/update/windows-update-error-reference.md index b8d84e3075..b83dd307b0 100644 --- a/windows/deployment/update/windows-update-error-reference.md +++ b/windows/deployment/update/windows-update-error-reference.md @@ -45,6 +45,7 @@ This section lists the error codes for Microsoft Windows Update. | 0x80243FFD | `WU_E_NON_UI_MODE` | Unable to show UI when in non-UI mode; WU client UI modules may not be installed. | | 0x80243FFE | `WU_E_WUCLTUI_UNSUPPORTED_VERSION` | Unsupported version of WU client UI exported functions. | | 0x80243FFF | `WU_E_AUCLIENT_UNEXPECTED` | There was a user interface error not covered by another `WU_E_AUCLIENT_*` error code. | +| 0x8024043D | `WU_E_SERVICEPROP_NOTAVAIL` | The requested service property is not available. | ## Inventory errors