From 7d9e4abd38c4506746ea6a88e4a26b570415ed81 Mon Sep 17 00:00:00 2001
From: valemieux <98555474+valemieux@users.noreply.github.com>
Date: Mon, 8 Aug 2022 12:29:46 -0700
Subject: [PATCH 01/27] 24538295 - Adding CI Policy Command Docs
---
 .../TOC.yml | 2 +
 .../code-integrity-policy-commands.md | 192 ++++++++++++++++++
 2 files changed, 194 insertions(+)
 create mode 100644 windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml
index a7d64bd225..cc2387f639 100644
--- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml
+++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml
@@ -86,6 +86,8 @@
 href: merge-windows-defender-application-control-policies.md
 - name: Enforce WDAC policies
 href: enforce-windows-defender-application-control-policies.md
+ - name: Code Integrity Policy, Token, and Miscellaneous Commands
+ href: code-integrity-policy-commands.md
 - name: Use code signing to simplify application control for classic Windows applications
 href: use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
 items:
diff --git a/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md b/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
new file mode 100644
index 0000000000..ffc8f5349b
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
@@ -0,0 +1,192 @@
+---
+title: CI Policy, Token, and Miscellaneous Commands
+description: Learn how to use Policy Commands, Token Commands, and Miscellaneous Commands.
+author: valemieux
+ms.author: v-alemieux
+ms.service: WDAC
+ms.topic: how-to
+ms.date: 08/07/2022
+ms.custom: template-how-to
+---
+
+# CIPolicyCommands
+
+Generates Policy Commands, Token Commands, and Miscellaneous Commands for user mode code and drivers.
+
+# Policy Commands
+
+| Command:| --update-policy /Path/To/Policy/File |
+| Description: | Add or update a policy on the current system |
+| Alias: | -up |
+
+| Command:| --remove-policy PolicyGUID |
+| Description: | Remove a policy indicated by PolicyGUID from the system |
+| Alias: | -rp |
+
+| Command:| --list-policies |
+| Description: | Dump information about all policies on the system, whether they be active or not |
+| Alias: | -lp |
+
+# Token Commands
+
+| Command:| --add-token Path/To/Token/File [--token-id ID] |
+| Description: | Deploy a token onto the current system, with an optional specific ID. |
+| Alias: | -at |
+>[!NOTE] If [ID] is specified, a pre-existing token with [ID] should not exist.
+
+| Command:| --remove-token ID |
+| Description: | Remove a Token indicated by ID from the system.
|
+| Alias: | -rt |
+
+| Command:| --list-tokens |
+| Description: | Dump information about all tokens on the system |
+| Alias: | -lt |
+
+# Miscellaneous Commands
+
+| Command:| --device-id |
+| Description: | Dump the Code Integrity Device Id |
+| Alias: | -id |
+
+| Command:| --refresh |
+| Description: | Attempt to Refresh CI Policies |
+| Alias: | -r |
+
+| Command:| --help |
+| Description: | Display help |
+| Alias: | -h |
+
+#Examples
+
+#Example 1: Update Policy/Deploy
+Extract BF61FE40-8929-4FDF-9EC2-F7A767717F0B.cip into C:\windows\system32
+```powershell```
+PS C:\Users\[USER] cd \windows\system32
+PS C:\windows\system32> .\BF61FE40-8929-4FDF-9EC2-F7A767717F0B.cip -up
+
+C:\Windows\System32>.\CITool.exe -update-policy \windows\system32\BF61FE40-8929-4FDF-9EC2-F7A767717F0B.cip
+Usage: CiTool.exe COMMAND [-json]
+Commands:
+----------------------------- Policy Commands ---------------------------------
+ --update-policy /Path/To/Policy/File
+ Add or update a policy on the current system
+ aliases: -up
+ --remove-policy PolicyGUID
+ Remove a policy indicated by PolicyGUID from the system
+ aliases: -rp
+ --list-policies
+ Dump information about all policies on the system, whether they be active or not
+ aliases: -lp
+----------------------------- Token Commands ---------------------------------
+ --add-token Path/To/Token/File [--token-id ID]
+ Deploy a token onto the current system, with an optional specific ID
+ If [ID] is specified, a pre-existing token with [ID] should not exist.
+ aliases:-at
+ --remove-token ID
+ Remove a Token indicated by ID from the system.
+ aliases: -rt
+ --list-tokens
+ Dump information about all tokens on the system
+ aliases: -lt
+----------------------------- Misc Commands ---------------------------------
+ --device-id
+ Dump the Code Integrity Device Id
+ aliases: -id
+ --refresh
+ Attempt to Refresh CI Policies
+ aliases: -r
+ --help
+ Display this message
+ aliases: -h
+----------------------------- Global Flags---------------------------------
+ -json
+ Format output as json and suppress input
+```
+
+#Example 2: Refresh the policy
+```powershell```
+PS C:\Users\[USER] cd \windows\system32
+PS C:\Windows\System32>.\CITool.exe --refresh
+Operation Successful
+```
+
+#Example 3: Remove the policy
+```powershell```
+PS C:\Users\[USER] cd \windows\system32
+PS C:\Windows\System32>.\CITool.exe --remove-policy {BF61FE40-8929-4FDF-9EC2-F7A767717F0B}
+Usage: CiTool.exe COMMAND [-json]
+Commands:
+----------------------------- Policy Commands ---------------------------------
+ --update-policy /Path/To/Policy/File
+ Add or update a policy on the current system
+ aliases: -up
+ --remove-policy PolicyGUID
+ Remove a policy indicated by PolicyGUID from the system
+ aliases: -rp
+ --list-policies
+ Dump information about all policies on the system, whether they be active or not
+ aliases: -lp
+----------------------------- Token Commands ---------------------------------
+ --add-token Path/To/Token/File [--token-id ID]
+ Deploy a token onto the current system, with an optional specific ID
+ If [ID] is specified, a pre-existing token with [ID] should not exist.
+ aliases:-at
+ --remove-token ID
+ Remove a Token indicated by ID from the system.
+ aliases: -rt
+ --list-tokens
+ Dump information about all tokens on the system
+ aliases: -lt
+----------------------------- Misc Commands ---------------------------------
+ --device-id
+ Dump the Code Integrity Device Id
+ aliases: -id
+ --refresh
+ Attempt to Refresh CI Policies
+ aliases: -r
+ --help
+ Display this message
+ aliases: -h
+----------------------------- Global Flags---------------------------------
+ -json
+ Format output as json and suppress input
+Press Enter to Exit
+```
+
+#Example 4: Display help
+```powershell```
+PS C:\Users\[USER] cd \windows\system32
+PS C:\windows\system32> .\CITool.exe -h
+
+----------------------------- Policy Commands ---------------------------------
+ --update-policy /Path/To/Policy/File
+ Add or update a policy on the current system
+ aliases: -up
+ --remove-policy PolicyGUID
+ Remove a policy indicated by PolicyGUID from the system
+ aliases: -rp
+ --list-policies
+ Dump information about all policies on the system, whether they be active or not
+ aliases: -lp
+----------------------------- Token Commands ---------------------------------
+ --add-token Path/To/Token/File [--token-id ID]
+ Deploy a token onto the current system, with an optional specific ID
+ If [ID] is specified, a pre-existing token with [ID] should not exist.
+ aliases:-at
+ --remove-token ID
+ Remove a Token indicated by ID from the system.
+ aliases: -rt
+ --list-tokens
+ Dump information about all tokens on the system
+ aliases: -lt
+----------------------------- Misc Commands ---------------------------------
+ --device-id
+ Dump the Code Integrity Device Id
+ aliases: -id
+ --refresh
+ Attempt to Refresh CI Policies
+ aliases: -r
+ --help
+ Display this message
+ aliases: -h
+```
\ No newline at end of file
From 7cf1059272a5cc7944c094549155dc2f401c6254 Mon Sep 17 00:00:00 2001
From: valemieux <98555474+valemieux@users.noreply.github.com>
Date: Mon, 8 Aug 2022 12:40:06 -0700
Subject: [PATCH 02/27] Update code-integrity-policy-commands.md
---
 .../code-integrity-policy-commands.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md b/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
index ffc8f5349b..0c216575ab 100644
--- a/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
+++ b/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
@@ -60,7 +60,7 @@ Generates Policy Commands, Token Commands, and Miscellaneous Commands for user m
 #Example 1: Update Policy/Deploy
 Extract BF61FE40-8929-4FDF-9EC2-F7A767717F0B.cip into C:\windows\system32
-```powershell```
+```powershell
 PS C:\Users\[USER] cd \windows\system32
 PS C:\windows\system32> .\BF61FE40-8929-4FDF-9EC2-F7A767717F0B.cip -up
@@ -104,14 +104,14 @@ Commands:
 ```
 #Example 2: Refresh the policy
-```powershell```
+```powershell
 PS C:\Users\[USER] cd \windows\system32
 PS C:\Windows\System32>.\CITool.exe --refresh
 Operation Successful
 ```
 #Example 3: Remove the policy
-```powershell```
+```powershell
 PS C:\Users\[USER] cd \windows\system32
 PS C:\Windows\System32>.\CITool.exe --remove-policy {BF61FE40-8929-4FDF-9EC2-F7A767717F0B}
 Usage: CiTool.exe COMMAND [-json]
@@ -154,7 +154,7 @@ Press Enter to Exit
 ```
 #Example 4: Display help
-```powershell```
+```powershell
 PS C:\Users\[USER] cd \windows\system32
 PS C:\windows\system32> .\CITool.exe -h
From 339a934dbe21a9544d55bb06b8f3bbc5a246269b Mon Sep 17 00:00:00 2001
From: valemieux <98555474+valemieux@users.noreply.github.com>
Date: Mon, 8 Aug 2022 13:02:16 -0700
Subject: [PATCH 03/27] Update code-integrity-policy-commands.md
---
 .../code-integrity-policy-commands.md | 22 +++++++++----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md b/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
index 0c216575ab..ec6ca8c21b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
+++ b/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
@@ -15,53 +15,53 @@ Generates Policy Commands, Token Commands, and Miscellaneous Commands for user m
 # Policy Commands
-| Command:| --update-policy /Path/To/Policy/File |
+| Command:|--update-policy /Path/To/Policy/File |
 | Description: | Add or update a policy on the current system |
 | Alias: | -up |
-| Command:| --remove-policy PolicyGUID |
+| Command:|--remove-policy PolicyGUID |
 | Description: | Remove a policy indicated by PolicyGUID from the system |
 | Alias: | -rp |
-| Command:| --list-policies |
+| Command:|--list-policies |
 | Description: | Dump information about all policies on the system, whether they be active or not |
 | Alias: | -lp |
 # Token Commands
-| Command:| --add-token Path/To/Token/File [--token-id ID] |
+| Command:|--add-token Path/To/Token/File [--token-id ID] |
 | Description: | Deploy a token onto the current system, with an optional specific ID. |
 | Alias: | -at |
 >[!NOTE] If [ID] is specified, a pre-existing token with [ID] should not exist.
-| Command:| --remove-token ID |
+| Command:|--remove-token ID |
 | Description: | Remove a Token indicated by ID from the system.
|
 | Alias: | -rt |
-| Command:| --list-tokens |
+| Command:|--list-tokens |
 | Description: | Dump information about all tokens on the system |
 | Alias: | -lt |
 # Miscellaneous Commands
-| Command:| --device-id |
+| Command:|--device-id |
 | Description: | Dump the Code Integrity Device Id |
 | Alias: | -id |
-| Command:| --refresh |
+| Command:|--refresh |
 | Description: | Attempt to Refresh CI Policies |
 | Alias: | -r |
-| Command:| --help |
+| Command:|--help |
 | Description: | Display help |
 | Alias: | -h |
 #Examples
 #Example 1: Update Policy/Deploy
-Extract BF61FE40-8929-4FDF-9EC2-F7A767717F0B.cip into C:\windows\system32
+Extract policy file to C:\windows\system32
 ```powershell
-PS C:\Users\[USER] cd \windows\system32
+PS C:\Users\ cd \windows\system32
 PS C:\windows\system32> .\BF61FE40-8929-4FDF-9EC2-F7A767717F0B.cip -up
 C:\Windows\System32>.\CITool.exe -update-policy \windows\system32\BF61FE40-8929-4FDF-9EC2-F7A767717F0B.cip
From 5e833309c0555d2cfcd98a89073028fcbb49c98b Mon Sep 17 00:00:00 2001
From: valemieux <98555474+valemieux@users.noreply.github.com>
Date: Mon, 8 Aug 2022 14:49:17 -0700
Subject: [PATCH 04/27] Update code-integrity-policy-commands.md
---
 .../code-integrity-policy-commands.md | 20 +++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md b/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
index ec6ca8c21b..4c153b656b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
+++ b/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
@@ -13,7 +13,7 @@ ms.custom: template-how-to
 Generates Policy Commands, Token Commands, and Miscellaneous Commands for user mode code and drivers.
-# Policy Commands
+## Policy Commands
 | Command:|--update-policy /Path/To/Policy/File |
 | Description: | Add or update a policy on the current system |
@@ -27,7 +27,7 @@ Generates Policy Commands, Token Commands, and Miscellaneous Commands for user m
 | Description: | Dump information about all policies on the system, whether they be active or not |
 | Alias: | -lp |
-# Token Commands
+## Token Commands
 | Command:|--add-token Path/To/Token/File [--token-id ID] |
 | Description: | Deploy a token onto the current system, with an optional specific ID. |
@@ -42,7 +42,7 @@ Generates Policy Commands, Token Commands, and Miscellaneous Commands for user m
 | Description: | Dump information about all tokens on the system |
 | Alias: | -lt |
-# Miscellaneous Commands
+## Miscellaneous Commands
 | Command:|--device-id |
 | Description: | Dump the Code Integrity Device Id |
@@ -56,16 +56,16 @@ Generates Policy Commands, Token Commands, and Miscellaneous Commands for user m
 | Description: | Display help |
 | Alias: | -h |
-#Examples
+## Examples
-#Example 1: Update Policy/Deploy
+1. Update Policy/Deploy
 Extract policy file to C:\windows\system32
 ```powershell
 PS C:\Users\ cd \windows\system32
 PS C:\windows\system32> .\BF61FE40-8929-4FDF-9EC2-F7A767717F0B.cip -up
 C:\Windows\System32>.\CITool.exe -update-policy \windows\system32\BF61FE40-8929-4FDF-9EC2-F7A767717F0B.cip
-Usage: CiTool.exe COMMAND [-json]
+Usage: CiTool.exe COMMAND [Command-Options] [-json]
 Commands:
 ----------------------------- Policy Commands ---------------------------------
 --update-policy /Path/To/Policy/File
@@ -103,18 +103,18 @@ Commands:
 Format output as json and suppress input
 ```
-#Example 2: Refresh the policy
+2. Refresh the policy
 ```powershell
 PS C:\Users\[USER] cd \windows\system32
 PS C:\Windows\System32>.\CITool.exe --refresh
 Operation Successful
 ```
-#Example 3: Remove the policy
+3. Remove the policy
 ```powershell
 PS C:\Users\[USER] cd \windows\system32
 PS C:\Windows\System32>.\CITool.exe --remove-policy {BF61FE40-8929-4FDF-9EC2-F7A767717F0B}
-Usage: CiTool.exe COMMAND [-json]
+Usage: CiTool.exe COMMAND [Command-Options] [-json]
 Commands:
 ----------------------------- Policy Commands ---------------------------------
 --update-policy /Path/To/Policy/File
@@ -153,7 +153,7 @@ Commands:
 Press Enter to Exit
 ```
-#Example 4: Display help
+4. Display help
 ```powershell
 PS C:\Users\[USER] cd \windows\system32
 PS C:\windows\system32> .\CITool.exe -h
From 1c0742872c7cd22e4d65fb6523dd15ae6ac08f0f Mon Sep 17 00:00:00 2001
From: valemieux <98555474+valemieux@users.noreply.github.com>
Date: Mon, 8 Aug 2022 15:50:13 -0700
Subject: [PATCH 05/27] Update code-integrity-policy-commands.md
---
 .../code-integrity-policy-commands.md | 54 +++++++------------
 1 file changed, 20 insertions(+), 34 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md b/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
index 4c153b656b..60d8c53ebe 100644
--- a/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
+++ b/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
@@ -3,7 +3,7 @@ title: CI Policy, Token, and Miscellaneous Commands
 description: Learn how to use Policy Commands, Token Commands, and Miscellaneous Commands.
 author: valemieux
 ms.author: v-alemieux
-ms.service: WDAC
+ms.service: security
 ms.topic: how-to
 ms.date: 08/07/2022
 ms.custom: template-how-to
@@ -15,46 +15,32 @@ Generates Policy Commands, Token Commands, and Miscellaneous Commands for user m
 ## Policy Commands
-| Command:|--update-policy /Path/To/Policy/File |
-| Description: | Add or update a policy on the current system |
-| Alias: | -up |
-
-| Command:|--remove-policy PolicyGUID |
-| Description: | Remove a policy indicated by PolicyGUID from the system |
-| Alias: | -rp |
-
-| Command:|--list-policies |
-| Description: | Dump information about all policies on the system, whether they be active or not |
-| Alias: | -lp |
+| Command | Description | Alias |
+| | | |
+|--------|---------|---------|
+|--update-policy /Path/To/Policy/File | Add or update a policy on the current system | -up |
+| --remove-policy PolicyGUID | Remove a policy indicated by PolicyGUID from the system | -rp |
+| --list-policies | Dump information about all policies on the system, whether they be active or not | -lp |
 ## Token Commands
-| Command:|--add-token Path/To/Token/File [--token-id ID] |
-| Description: | Deploy a token onto the current system, with an optional specific ID. |
-| Alias: | -at |
->[!NOTE] If [ID] is specified, a pre-existing token with [ID] should not exist.
+| Command | Description | Alias |
+| | | |
+|--------|---------|---------|
+|--add-token Path/To/Token/File [--token-id ID] | Deploy a token onto the current system, with an optional specific ID. | -at |
+|--remove-token ID | Remove a Token indicated by ID from the system. | -rt |
+|--list-tokens | Dump information about all tokens on the system | -lt |
-| Command:|--remove-token ID |
-| Description: | Remove a Token indicated by ID from the system. |
-| Alias: | -rt |
-
-| Command:|--list-tokens |
-| Description: | Dump information about all tokens on the system |
-| Alias: | -lt |
+>[!NOTE] Regarding --add-token, if <[ID]> is specified, a pre-existing token with [ID] should not exist.
 ## Miscellaneous Commands
-| Command:|--device-id |
-| Description: | Dump the Code Integrity Device Id |
-| Alias: | -id |
-
-| Command:|--refresh |
-| Description: | Attempt to Refresh CI Policies |
-| Alias: | -r |
-
-| Command:|--help |
-| Description: | Display help |
-| Alias: | -h |
+| Command | Description | Alias |
+| | | |
+|--------|---------|---------|
+|--device-id | Dump the Code Integrity Device ID | -id |
+|--refresh | Attempt to Refresh CI Policies | -r |
+|--help | Display help | -h |
 ## Examples
From 983d4176fc6500086c88ffb37f383860b4aa6eeb Mon Sep 17 00:00:00 2001
From: valemieux <98555474+valemieux@users.noreply.github.com>
Date: Mon, 8 Aug 2022 15:54:18 -0700
Subject: [PATCH 06/27] Update code-integrity-policy-commands.md
---
 .../code-integrity-policy-commands.md | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md b/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
index 60d8c53ebe..6e6a566a5b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
+++ b/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
@@ -18,7 +18,7 @@ Generates Policy Commands, Token Commands, and Miscellaneous Commands for user m
 | Command | Description | Alias |
 | | | |
 |--------|---------|---------|
-|--update-policy /Path/To/Policy/File | Add or update a policy on the current system | -up |
+| --update-policy /Path/To/Policy/File | Add or update a policy on the current system | -up |
 | --remove-policy PolicyGUID | Remove a policy indicated by PolicyGUID from the system | -rp |
 | --list-policies | Dump information about all policies on the system, whether they be active or not | -lp |
@@ -27,9 +27,9 @@ Generates Policy Commands, Token Commands, and Miscellaneous Commands for user m
 | Command | Description | Alias |
 | | | |
 |--------|---------|---------|
-|--add-token Path/To/Token/File [--token-id ID] | Deploy a token onto the current system, with an optional specific ID. | -at |
-|--remove-token ID | Remove a Token indicated by ID from the system. | -rt |
-|--list-tokens | Dump information about all tokens on the system | -lt |
+| --add-token Path/To/Token/File [--token-id ID] | Deploy a token onto the current system, with an optional specific ID. | -at |
+| --remove-token ID | Remove a Token indicated by ID from the system. | -rt |
+| --list-tokens | Dump information about all tokens on the system | -lt |
 >[!NOTE] Regarding --add-token, if <[ID]> is specified, a pre-existing token with [ID] should not exist.
@@ -38,9 +38,9 @@ Generates Policy Commands, Token Commands, and Miscellaneous Commands for user m
 | Command | Description | Alias |
 | | | |
 |--------|---------|---------|
-|--device-id | Dump the Code Integrity Device ID | -id |
-|--refresh | Attempt to Refresh CI Policies | -r |
-|--help | Display help | -h |
+| --device-id | Dump the Code Integrity Device ID | -id |
+| --refresh | Attempt to Refresh CI Policies | -r |
+| --help | Display help | -h |
 ## Examples
From 1b6a574a3b1decfe56105fd33c1813a327a156c9 Mon Sep 17 00:00:00 2001
From: valemieux <98555474+valemieux@users.noreply.github.com>
Date: Mon, 8 Aug 2022 16:03:25 -0700
Subject: [PATCH 07/27] Update code-integrity-policy-commands.md
---
 .../code-integrity-policy-commands.md | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md b/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
index 6e6a566a5b..5a2860c500 100644
--- a/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
+++ b/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
@@ -16,7 +16,6 @@ Generates Policy Commands, Token Commands, and Miscellaneous Commands for user m
 ## Policy Commands
 | Command | Description | Alias |
-| | | |
 |--------|---------|---------|
 | --update-policy /Path/To/Policy/File | Add or update a policy on the current system | -up |
 | --remove-policy PolicyGUID | Remove a policy indicated by PolicyGUID from the system | -rp |
@@ -25,18 +24,16 @@ Generates Policy Commands, Token Commands, and Miscellaneous Commands for user m
 ## Token Commands
 | Command | Description | Alias |
-| | | |
 |--------|---------|---------|
 | --add-token Path/To/Token/File [--token-id ID] | Deploy a token onto the current system, with an optional specific ID. | -at |
 | --remove-token ID | Remove a Token indicated by ID from the system. | -rt |
 | --list-tokens | Dump information about all tokens on the system | -lt |
->[!NOTE] Regarding --add-token, if <[ID]> is specified, a pre-existing token with [ID] should not exist.
+>[!NOTE] Regarding --add-token, if <[ID]> is specified, a pre-existing token with <[ID]> should not exist.
 ## Miscellaneous Commands
 | Command | Description | Alias |
-| | | |
 |--------|---------|---------|
 | --device-id | Dump the Code Integrity Device ID | -id |
 | --refresh | Attempt to Refresh CI Policies | -r |
From 50179c0bbd6ef5f34eec6eb54c18d9fe45ba329e Mon Sep 17 00:00:00 2001
From: valemieux <98555474+valemieux@users.noreply.github.com>
Date: Mon, 8 Aug 2022 16:10:09 -0700
Subject: [PATCH 08/27] Update code-integrity-policy-commands.md
---
 .../code-integrity-policy-commands.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md b/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
index 5a2860c500..8b250ca2cd 100644
--- a/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
+++ b/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
@@ -29,7 +29,8 @@ Generates Policy Commands, Token Commands, and Miscellaneous Commands for user m
 | --remove-token ID | Remove a Token indicated by ID from the system. | -rt |
 | --list-tokens | Dump information about all tokens on the system | -lt |
->[!NOTE] Regarding --add-token, if <[ID]> is specified, a pre-existing token with <[ID]> should not exist.
+>[!NOTE]
+>Regarding --add-token, if <[ID]> is specified, a pre-existing token with <[ID]> should not exist.
 ## Miscellaneous Commands
From d3f84d880855ff613991931f6382308127c5a37e Mon Sep 17 00:00:00 2001
From: valemieux <98555474+valemieux@users.noreply.github.com>
Date: Mon, 8 Aug 2022 23:56:41 -0700
Subject: [PATCH 09/27] Update code-integrity-policy-commands.md
---
 .../code-integrity-policy-commands.md | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md b/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
index 8b250ca2cd..0d60465937 100644
--- a/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
+++ b/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
@@ -30,7 +30,7 @@ Generates Policy Commands, Token Commands, and Miscellaneous Commands for user m
 | --list-tokens | Dump information about all tokens on the system | -lt |
 >[!NOTE]
->Regarding --add-token, if <[ID]> is specified, a pre-existing token with <[ID]> should not exist.
+>Regarding --add-token, if [ID] is specified, a pre-existing token with [ID] should not exist.
 ## Miscellaneous Commands
@@ -42,8 +42,11 @@ Generates Policy Commands, Token Commands, and Miscellaneous Commands for user m
 ## Examples
-1. Update Policy/Deploy
-Extract policy file to C:\windows\system32
+>[!NOTE]
+>The following examples assume you have extracted the policy file {BF61FE40-8929-4FDF-9EC2-F7A767717F0B}.cip to C:\windows\system32
+
+1. Update Policy
+
 ```powershell
 PS C:\Users\ cd \windows\system32
 PS C:\windows\system32> .\BF61FE40-8929-4FDF-9EC2-F7A767717F0B.cip -up
From ac2c8afe45fb23442416240ac05719e1e6361df9 Mon Sep 17 00:00:00 2001
From: valemieux <98555474+valemieux@users.noreply.github.com>
Date: Mon, 22 Aug 2022 11:26:07 -0700
Subject: [PATCH 10/27] Update code-integrity-policy-commands.md
---
 .../code-integrity-policy-commands.md | 24 +++++++++----------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md b/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
index 0d60465937..1f7042ee0c 100644
--- a/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
+++ b/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
@@ -2,14 +2,15 @@
 title: CI Policy, Token, and Miscellaneous Commands
 description: Learn how to use Policy Commands, Token Commands, and Miscellaneous Commands.
 author: valemieux
-ms.author: v-alemieux
+ms.author: jgeurten
 ms.service: security
+ms.reviewer: jgeurten
 ms.topic: how-to
 ms.date: 08/07/2022
 ms.custom: template-how-to
 ---
-# CIPolicyCommands
+# Manage WDAC Policies with CI Tool
 Generates Policy Commands, Token Commands, and Miscellaneous Commands for user mode code and drivers.
@@ -19,7 +20,7 @@ Generates Policy Commands, Token Commands, and Miscellaneous Commands for user m
 |--------|---------|---------|
 | --update-policy /Path/To/Policy/File | Add or update a policy on the current system | -up |
 | --remove-policy PolicyGUID | Remove a policy indicated by PolicyGUID from the system | -rp |
-| --list-policies | Dump information about all policies on the system, whether they be active or not | -lp |
+| --list-policies | Dump information about all policies on the system, whether they are active or not | -lp |
 ## Token Commands
@@ -37,18 +38,17 @@ Generates Policy Commands, Token Commands, and Miscellaneous Commands for user m
 | Command | Description | Alias |
 |--------|---------|---------|
 | --device-id | Dump the Code Integrity Device ID | -id |
-| --refresh | Attempt to Refresh CI Policies | -r |
-| --help | Display help | -h |
+| --refresh | Attempt to Refresh WDAC Policies | -r |
+| --help | Display the tool's help menu | -h |
 ## Examples
 >[!NOTE]
 >The following examples assume you have extracted the policy file {BF61FE40-8929-4FDF-9EC2-F7A767717F0B}.cip to C:\windows\system32
-1. Update Policy
+1. Deploy a WDAC policy onto the system
 ```powershell
-PS C:\Users\ cd \windows\system32
 PS C:\windows\system32> .\BF61FE40-8929-4FDF-9EC2-F7A767717F0B.cip -up
 C:\Windows\System32>.\CITool.exe -update-policy \windows\system32\BF61FE40-8929-4FDF-9EC2-F7A767717F0B.cip
@@ -90,14 +90,14 @@ Commands:
 Format output as json and suppress input
 ```
-2. Refresh the policy
+2. Refresh the WDAC policies in the \Windows\system32\CodeIntegrity\CiPolicies\Active folder
 ```powershell
-PS C:\Users\[USER] cd \windows\system32
-PS C:\Windows\System32>.\CITool.exe --refresh
+PS C:\Users\[USER] cd \Windows\system32\CodeIntegrity\CiPolicies\Active
+PS C:\Windows\System32\CodeIntegrity\CiPolicies\Active>.\CITool --refresh
 Operation Successful
 ```
-3. Remove the policy
+3. Remove a specific WDAC policy by GUID
 ```powershell
 PS C:\Users\[USER] cd \windows\system32
 PS C:\Windows\System32>.\CITool.exe --remove-policy {BF61FE40-8929-4FDF-9EC2-F7A767717F0B}
@@ -140,7 +140,7 @@ Commands:
 Press Enter to Exit
 ```
-4. Display help
+4. Display the help menu
 ```powershell
 PS C:\Users\[USER] cd \windows\system32
 PS C:\windows\system32> .\CITool.exe -h
From acfd907b5b12ca8cd8315e6c0d59eb4d60eff9c7 Mon Sep 17 00:00:00 2001
From: valemieux <98555474+valemieux@users.noreply.github.com>
Date: Mon, 22 Aug 2022 11:37:43 -0700
Subject: [PATCH 11/27] Update code-integrity-policy-commands.md
---
 .../code-integrity-policy-commands.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md b/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
index 1f7042ee0c..b722b9fcff 100644
--- a/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
+++ b/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
@@ -2,9 +2,9 @@
 title: CI Policy, Token, and Miscellaneous Commands
 description: Learn how to use Policy Commands, Token Commands, and Miscellaneous Commands.
 author: valemieux
-ms.author: jgeurten
+ms.author: jogeurte
 ms.service: security
-ms.reviewer: jgeurten
+ms.reviewer: jogeurte
 ms.topic: how-to
 ms.date: 08/07/2022
 ms.custom: template-how-to
From 5162802ca0ba64302851eea4fe306b0002abb09e Mon Sep 17 00:00:00 2001
From: valemieux <98555474+valemieux@users.noreply.github.com>
Date: Sun, 11 Sep 2022 22:56:37 -0700
Subject: [PATCH 12/27] Updating descriptions, titles, file name, and capitalization
---
 ...egrity-policy-commands.md => citool-commands.md} | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)
 rename windows/security/threat-protection/windows-defender-application-control/{code-integrity-policy-commands.md => citool-commands.md} (94%)
diff --git a/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md b/windows/security/threat-protection/windows-defender-application-control/citool-commands.md
similarity index 94%
rename from windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
rename to windows/security/threat-protection/windows-defender-application-control/citool-commands.md
index b722b9fcff..86d7700fd0 100644
--- a/windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md
+++ b/windows/security/threat-protection/windows-defender-application-control/citool-commands.md
@@ -1,6 +1,6 @@
 ---
-title: CI Policy, Token, and Miscellaneous Commands
-description: Learn how to use Policy Commands, Token Commands, and Miscellaneous Commands.
+title: Managing CI Policies and Tokens with CiTool
+description: Learn how to use Policy Commands, Token Commands, and Miscellaneous Commands in CiTool
 author: valemieux
 ms.author: jogeurte
 ms.service: security
@@ -43,16 +43,13 @@ Generates Policy Commands, Token Commands, and Miscellaneous Commands for user m ## Examples ->[!NOTE] ->The following examples assume you have extracted the policy file {BF61FE40-8929-4FDF-9EC2-F7A767717F0B}.cip to C:\windows\system32 - 1. Deploy a WDAC policy onto the system ```powershell PS C:\windows\system32> .\BF61FE40-8929-4FDF-9EC2-F7A767717F0B.cip -up C:\Windows\System32>.\CITool.exe -update-policy \windows\system32\BF61FE40-8929-4FDF-9EC2-F7A767717F0B.cip -Usage: CiTool.exe COMMAND [Command-Options] [-json] +Usage: CiTool COMMAND [Command-Options] [-json] Commands: ----------------------------- Policy Commands --------------------------------- --update-policy /Path/To/Policy/File @@ -90,14 +87,14 @@ Commands: Format output as json and suppress input ``` -2. Refresh the WDAC policies in the \Windows\system32\CodeIntegrity\CiPolicies\Active folder +2. Refresh the WDAC policies in the \Windows\System32\CodeIntegrity\CiPolicies\Active folder ```powershell PS C:\Users\[USER] cd \Windows\system32\CodeIntegrity\CiPolicies\Active PS C:\Windows\System32\CodeIntegrity\CiPolicies\Active>.\CITool --refresh Operation Successful ``` -3. Remove a specific WDAC policy by GUID +3. Remove a specific WDAC policy by its policy ID ```powershell PS C:\Users\[USER] cd \windows\system32 PS C:\Windows\System32>.\CITool.exe --remove-policy {BF61FE40-8929-4FDF-9EC2-F7A767717F0B} From fbe5214a3d411a126818c7fd10650995b8a0607e Mon Sep 17 00:00:00 2001 From: valemieux <98555474+valemieux@users.noreply.github.com> Date: Sun, 11 Sep 2022 23:02:01 -0700 Subject: [PATCH 13/27] Update TOC.yml --- .../windows-defender-application-control/TOC.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml index cc2387f639..e38c8944b3 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml
+++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml
@@ -86,8 +86,8 @@
 href: merge-windows-defender-application-control-policies.md
 - name: Enforce WDAC policies
 href: enforce-windows-defender-application-control-policies.md
- - name: Code Integrity Policy, Token, and Miscellaneous Commands
- href: code-integrity-policy-commands.md
+ - name: Managing WDAC Policies with CI Tool
+ href: citool-commands.md
 - name: Use code signing to simplify application control for classic Windows applications
 href: use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
 items:
From eadad34b16f30d1a888db1a8b073a4e6c46f8cce Mon Sep 17 00:00:00 2001
From: valemieux <98555474+valemieux@users.noreply.github.com>
Date: Mon, 12 Sep 2022 22:14:44 -0700
Subject: [PATCH 14/27] Update citool-commands.md
---
 .../citool-commands.md | 97 +++----------------
 1 file changed, 12 insertions(+), 85 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/citool-commands.md b/windows/security/threat-protection/windows-defender-application-control/citool-commands.md
index 86d7700fd0..94c0be2807 100644
--- a/windows/security/threat-protection/windows-defender-application-control/citool-commands.md
+++ b/windows/security/threat-protection/windows-defender-application-control/citool-commands.md
@@ -10,9 +10,10 @@ ms.date: 08/07/2022 ms.custom: template-how-to --- -# Manage WDAC Policies with CI Tool +# Manage Windows Defender Application Control (WDAC) Policies with CI Tool -Generates Policy Commands, Token Commands, and Miscellaneous Commands for user mode code and drivers. +CI Tool makes Windows Defender Application Control (WDAC) policy management easier for IT admins. CI Tool can be used to manage Windows Defender Application Control policies and CI Tokens. +This article will describe how to use CI Tool to update and manage policies. CI Tool is now included in box as part of Windows and can be interacted with in the command line. ## Policy Commands 
@@ -46,101 +47,27 @@ Generates Policy Commands, Token Commands, and Miscellaneous Commands for user m 1. Deploy a WDAC policy onto the system ```powershell -PS C:\windows\system32> .\BF61FE40-8929-4FDF-9EC2-F7A767717F0B.cip -up - -C:\Windows\System32>.\CITool.exe -update-policy \windows\system32\BF61FE40-8929-4FDF-9EC2-F7A767717F0B.cip -Usage: CiTool COMMAND [Command-Options] [-json] -Commands: ------------------------------ Policy Commands --------------------------------- - --update-policy /Path/To/Policy/File - Add or update a policy on the current system - aliases: -up - --remove-policy PolicyGUID - Remove a policy indicated by PolicyGUID from the system - aliases: -rp - --list-policies - Dump information about all policies on the system, whether they be active or not - aliases: -lp ------------------------------ Token Commands --------------------------------- - --add-token Path/To/Token/File [--token-id ID] - Deploy a token onto the current system, with an optional specific ID - If [ID] is specified, a pre-existing token with [ID] should not exist. - aliases:-at - --remove-token ID - Remove a Token indicated by ID from the system. - aliases: -rt - --list-tokens - Dump information about all tokens on the system - aliases: -lt ------------------------------ Misc Commands --------------------------------- - --device-id - Dump the Code Integrity Device Id - aliases: -id - --refresh - Attempt to Refresh CI Policies - aliases: -r - --help - Display this message - aliases: -h ------------------------------ Global Flags--------------------------------- - -json - Format output as json and suppress input +PS C:\Users\[USER] CITool --update-policy "\Windows\Temp\{BF61FE40-8929-4FDF-9EC2-F7A767717F0B}.cip" +Operation Successful +Press Enter to Continue ``` -2. Refresh the WDAC policies in the \Windows\System32\CodeIntegrity\CiPolicies\Active folder +2. 
Refresh the WDAC policies ```powershell -PS C:\Users\[USER] cd \Windows\system32\CodeIntegrity\CiPolicies\Active -PS C:\Windows\System32\CodeIntegrity\CiPolicies\Active>.\CITool --refresh +PS C:\Users\[USER] CITool --refresh Operation Successful ``` 3. Remove a specific WDAC policy by its policy ID ```powershell -PS C:\Users\[USER] cd \windows\system32 -PS C:\Windows\System32>.\CITool.exe --remove-policy {BF61FE40-8929-4FDF-9EC2-F7A767717F0B} -Usage: CiTool.exe COMMAND [Command-Options] [-json] -Commands: ------------------------------ Policy Commands --------------------------------- - --update-policy /Path/To/Policy/File - Add or update a policy on the current system - aliases: -up - --remove-policy PolicyGUID - Remove a policy indicated by PolicyGUID from the system - aliases: -rp - --list-policies - Dump information about all policies on the system, whether they be active or not - aliases: -lp ------------------------------ Token Commands --------------------------------- - --add-token Path/To/Token/File [--token-id ID] - Deploy a token onto the current system, with an optional specific ID - If [ID] is specified, a pre-existing token with [ID] should not exist. - aliases:-at - --remove-token ID - Remove a Token indicated by ID from the system. - aliases: -rt - --list-tokens - Dump information about all tokens on the system - aliases: -lt ------------------------------ Misc Commands --------------------------------- - --device-id - Dump the Code Integrity Device Id - aliases: -id - --refresh - Attempt to Refresh CI Policies - aliases: -r - --help - Display this message - aliases: -h ------------------------------ Global Flags--------------------------------- - -json - Format output as json and suppress input -Press Enter to Exit +PS C:\Users\[USER] CiTool --remove-policy "{BF61FE40-8929-4FDF-9EC2-F7A767717F0B}" +Operation Successful +Press Enter to Continue ``` 4. 
Display the help menu ```powershell -PS C:\Users\[USER] cd \windows\system32 -PS C:\windows\system32> .\CITool.exe -h +PS C:\Users\[USER] CITool -h ----------------------------- Policy Commands --------------------------------- --update-policy /Path/To/Policy/File From 5090368490df98a7b2ce3019598992097b66a421 Mon Sep 17 00:00:00 2001 From: valemieux <98555474+valemieux@users.noreply.github.com> Date: Thu, 15 Sep 2022 06:06:46 -0700 Subject: [PATCH 15/27] Update citool-commands.md --- .../citool-commands.md | 108 +++++++++--------- 1 file changed, 54 insertions(+), 54 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/citool-commands.md b/windows/security/threat-protection/windows-defender-application-control/citool-commands.md index 94c0be2807..846e91f229 100644 --- a/windows/security/threat-protection/windows-defender-application-control/citool-commands.md +++ b/windows/security/threat-protection/windows-defender-application-control/citool-commands.md 
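Review bot: The step 1 example deploys the policy from `"\Windows\Temp\{BF61FE40-8929-4FDF-9EC2-F7A767717F0B}.cip"`, a drive-relative path in a shared temp directory, and the new text never says that the session must be elevated. A WDAC policy file decides what code is allowed to run, so the example is safer with a full path to a directory that only administrators can write, and with a sentence before step 1 such as `Run these commands from an elevated PowerShell session.` (that CiTool needs elevation is my assumption from what it changes; confirm). Step 3 should say which policies `--remove-policy` is meant for: as far as I know, a signed policy needs extra steps before it can be removed safely, so a pointer to the policy removal guidance belongs next to this example.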
@@ -19,20 +19,20 @@ This article will describe how to use CI Tool to update and manage policies. CI | Command | Description | Alias | |--------|---------|---------| -| --update-policy /Path/To/Policy/File | Add or update a policy on the current system | -up | -| --remove-policy PolicyGUID | Remove a policy indicated by PolicyGUID from the system | -rp | +| --update-policy | Add or update a policy on the current system | -up | +| --remove-policy | Remove a policy indicated by PolicyGUID from the system | -rp | | --list-policies | Dump information about all policies on the system, whether they are active or not | -lp | ## Token Commands | Command | Description | Alias | |--------|---------|---------| -| --add-token Path/To/Token/File [--token-id ID] | Deploy a token onto the current system, with an optional specific ID. | -at | -| --remove-token ID | Remove a Token indicated by ID from the system. | -rt | +| --add-token <--token-id ID> | Deploy a token onto the current system, with an optional specific ID. | -at | +| --remove-token | Remove a Token indicated by ID from the system. | -rt | | --list-tokens | Dump information about all tokens on the system | -lt | >[!NOTE] ->Regarding --add-token, if [ID] is specified, a pre-existing token with [ID] should not exist. +>Regarding --add-token, if is specified, a pre-existing token with should not exist. ## Miscellaneous Commands 
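Review bot: The argument placeholders are missing from the new rows and note, which now read `--update-policy`, `--remove-policy`, and "if is specified, a pre-existing token with should not exist", so a reader cannot tell that `--remove-policy` takes a policy GUID or that the token ID is optional. This looks like angle-bracket placeholders being swallowed as HTML, though from this view I cannot tell whether the loss is in the committed Markdown or in how the page was captured. Put each command cell and the placeholder in the note inside backticks, or keep the earlier plain form, for example `--remove-policy PolicyGUID` and `--update-policy /Path/To/Policy/File`. The same loss shows in the examples hunk of this commit (`PS C:\Users\ CITool`, "If is specified").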
@@ -46,58 +46,58 @@ This article will describe how to use CI Tool to update and manage policies. CI 1. Deploy a WDAC policy onto the system -```powershell -PS C:\Users\[USER] CITool --update-policy "\Windows\Temp\{BF61FE40-8929-4FDF-9EC2-F7A767717F0B}.cip" -Operation Successful -Press Enter to Continue -``` + ```powershell + PS C:\Users\ CITool --update-policy "\Windows\Temp\{BF61FE40-8929-4FDF-9EC2-F7A767717F0B}.cip" + Operation Successful + Press Enter to Continue + ``` 2. Refresh the WDAC policies -```powershell -PS C:\Users\[USER] CITool --refresh -Operation Successful -``` + ```powershell + PS C:\Users\ CITool --refresh + Operation Successful + ``` 3. Remove a specific WDAC policy by its policy ID -```powershell -PS C:\Users\[USER] CiTool --remove-policy "{BF61FE40-8929-4FDF-9EC2-F7A767717F0B}" -Operation Successful -Press Enter to Continue -``` + ```powershell + PS C:\Users\ CiTool --remove-policy "{BF61FE40-8929-4FDF-9EC2-F7A767717F0B}" + Operation Successful + Press Enter to Continue + ``` 4. Display the help menu -```powershell -PS C:\Users\[USER] CITool -h - ------------------------------ Policy Commands --------------------------------- - --update-policy /Path/To/Policy/File - Add or update a policy on the current system - aliases: -up - --remove-policy PolicyGUID - Remove a policy indicated by PolicyGUID from the system - aliases: -rp - --list-policies - Dump information about all policies on the system, whether they be active or not - aliases: -lp ------------------------------ Token Commands --------------------------------- - --add-token Path/To/Token/File [--token-id ID] - Deploy a token onto the current system, with an optional specific ID - If [ID] is specified, a pre-existing token with [ID] should not exist. - aliases:-at - --remove-token ID - Remove a Token indicated by ID from the system. 
- aliases: -rt - --list-tokens - Dump information about all tokens on the system - aliases: -lt ------------------------------ Misc Commands --------------------------------- - --device-id - Dump the Code Integrity Device Id - aliases: -id - --refresh - Attempt to Refresh CI Policies - aliases: -r - --help - Display this message - aliases: -h -``` \ No newline at end of file + ```powershell + PS C:\Users\ CITool -h + + ----------------------------- Policy Commands --------------------------------- + --update-policy /Path/To/Policy/File + Add or update a policy on the current system + aliases: -up + --remove-policy PolicyGUID + Remove a policy indicated by PolicyGUID from the system + aliases: -rp + --list-policies + Dump information about all policies on the system, whether they be active or not + aliases: -lp + ----------------------------- Token Commands --------------------------------- + --add-token Path/To/Token/File <--token-id ID> + Deploy a token onto the current system, with an optional specific ID + If is specified, a pre-existing token with should not exist. + aliases:-at + --remove-token ID + Remove a Token indicated by ID from the system. + aliases: -rt + --list-tokens + Dump information about all tokens on the system + aliases: -lt + ----------------------------- Misc Commands --------------------------------- + --device-id + Dump the Code Integrity Device Id + aliases: -id + --refresh + Attempt to Refresh CI Policies + aliases: -r + --help + Display this message + aliases: -h + ``` \ No newline at end of file From a688596c20e384aeb0d155ee6aea04f88c806dd8 Mon Sep 17 00:00:00 2001 From: valemieux <98555474+valemieux@users.noreply.github.com> Date: Thu, 15 Sep 2022 06:20:29 -0700 Subject: [PATCH 16/27] Update understanding-wdac-policy-settings.md --- .../understanding-wdac-policy-settings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md index c731e404ee..51cbc36d46 100644 --- a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md +++ b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md @@ -15,7 +15,7 @@ ms.reviewer: jgeurten ms.author: dansimp manager: dansimp ms.date: 10/11/2021 -ms.technology: mde +ms.technology: m365-security --- # Understanding WDAC Policy Settings From fe57e235a41a04d9aaf0091090a33c1f81ac557c Mon Sep 17 00:00:00 2001 From: valemieux <98555474+valemieux@users.noreply.github.com> Date: Mon, 19 Sep 2022 10:22:54 -0700 Subject: [PATCH 17/27] Update citool-commands.md --- .../windows-defender-application-control/citool-commands.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/citool-commands.md b/windows/security/threat-protection/windows-defender-application-control/citool-commands.md index 846e91f229..0ce1cdebb9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/citool-commands.md +++ b/windows/security/threat-protection/windows-defender-application-control/citool-commands.md 
@@ -13,7 +13,7 @@ ms.custom: template-how-to # Manage Windows Defender Application Control (WDAC) Policies with CI Tool CI Tool makes Windows Defender Application Control (WDAC) policy management easier for IT admins. CI Tool can be used to manage Windows Defender Application Control policies and CI Tokens. -This article will describe how to use CI Tool to update and manage policies. CI Tool is now included in box as part of Windows and can be interacted with in the command line. +This article will describe how to use CI Tool to update and manage policies. CI Tool will be included in box as part of Windows in the January lifecycle update and will be able to be interacted with in the command line. ## Policy Commands From ecfcfebaf075cff95759930f0b276c5dce68c545 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Wed, 28 Sep 2022 13:15:56 -0700 Subject: [PATCH 18/27] revise for 6783128 --- windows/deployment/TOC.yml | 8 +- .../deployment/deploy-enterprise-licenses.md | 315 ++++++++++-------- .../deployment/images/sa-pro-activation.png | Bin 44736 -> 0 bytes .../windows-10-subscription-activation.md | 10 +- 4 files changed, 186 insertions(+), 147 deletions(-) delete mode 100644 windows/deployment/images/sa-pro-activation.png diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index 902c4828e2..be27ffd69f 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml 
@@ -129,13 +129,13 @@
 href: deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
 - name: Subscription Activation
 items:
- - name: Windows 10/11 Subscription Activation
+ - name: Windows subscription activation
 href: windows-10-subscription-activation.md
- - name: Windows 10/11 Enterprise E3 in CSP
+ - name: Windows Enterprise E3 in CSP
 href: windows-10-enterprise-e3-overview.md
- - name: Configure VDA for Subscription Activation
+ - name: Configure VDA for subscription activation
 href: vda-subscription-activation.md
- - name: Deploy Windows 10/11 Enterprise licenses
+ - name: Deploy Windows Enterprise licenses
 href: deploy-enterprise-licenses.md
 - name: Deploy Windows client updates
 items:
diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md
index 0eb5352dfa..d5c1ba6dad 100644
--- a/windows/deployment/deploy-enterprise-licenses.md
+++ b/windows/deployment/deploy-enterprise-licenses.md
@@ -1,256 +1,297 @@ --- -title: Deploy Windows 10/11 Enterprise licenses -manager: dougeby -ms.author: aaroncz -description: Steps to deploy Windows 10 Enterprise or Windows 11 Enterprise licenses for Windows 10/11 Enterprise E3 or E5 Subscription Activation, or for Windows 10/11 Enterprise E3 in CSP -ms.prod: w10 -ms.localizationpriority: medium +title: Deploy Windows Enterprise licenses +description: Steps to deploy Windows 10 Enterprise or Windows 11 Enterprise licenses for Windows Enterprise E3 or E5 subscription activation, or for Windows Enterprise E3 in CSP. author: aczechowski -ms.topic: article +ms.author: aaroncz +manager: dougeby +ms.prod: windows-client +ms.technology: itpro-deploy +ms.localizationpriority: medium +ms.topic: how-to ms.collection: highpri +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- -# Deploy Windows 10/11 Enterprise licenses +# Deploy Windows Enterprise licenses -This topic describes how to deploy Windows 10 or Windows 11 Enterprise E3 or E5 licenses with [Windows 10/11 Enterprise Subscription Activation](windows-10-subscription-activation.md) or [Windows 10/11 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) and Azure Active Directory (Azure AD). +This article describes how to deploy Windows 10 or Windows 11 Enterprise E3 or E5 licenses with [subscription activation](windows-10-subscription-activation.md) or [Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) and Azure Active Directory (Azure AD). > [!NOTE] -> * Windows 10/11 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later. Windows 11 is considered "later" in this context. -> * Windows 10/11 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later. -> * Automatic, non-KMS activation requires Windows 10, version 1803 or later, on a device with a firmware-embedded activation key. 
-> * Windows 10/11 Enterprise Subscription Activation requires Windows 10/11 Enterprise per user licensing; it doesn't work on per device based licensing. - -> [!IMPORTANT] -> An issue has been identified where devices can lose activation status or be blocked from upgrading to Windows Enterprise if the device isn't able to connect to Windows Update. A workaround is to ensure that devices do not have the REG_DWORD present HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations and set to 1. If this REG_DWORD is present, it must be set to 0. -> ->Also ensure that the Group Policy setting: Computer Configuration > Administrative Templates > Windows Components > Windows Update > "Do not connect to any Windows Update Internet locations" is set to "Disabled". +> These activation features require a supported and licensed version of Windows 10 Pro or Windows 11 Pro. +> +> - Subscription activation with an enterprise agreement (EA) or a Microsoft Products & Services Agreement (MPSA). +> - Enterprise E3 in CSP. +> - Automatic, non-KMS activation also requires a device with a firmware-embedded activation key. +> - Subscription activation requires Enterprise _per user_ licensing. It doesn't work with _per device_ licensing. ## Firmware-embedded activation key -To determine if the computer has a firmware-embedded activation key, type the following command at an elevated Windows PowerShell prompt: +To determine if the computer has a firmware-embedded activation key, enter the following command at an elevated Windows PowerShell prompt: ```PowerShell -(Get-CimInstance -query ‘select * from SoftwareLicensingService’).OA3xOriginalProductKey +(Get-CimInstance -query 'select * from SoftwareLicensingService').OA3xOriginalProductKey ``` If the device has a firmware-embedded activation key, it will be displayed in the output. If the output is blank, the device doesn't have a firmware embedded activation key. 
Most OEM-provided devices designed to run Windows 8 or later will have a firmware-embedded key. -## Enabling Subscription Activation with an existing EA +## Enable subscription activation with an existing EA -If you're an EA customer with an existing Office 365 tenant, use the following steps to enable Windows 10 Subscription licenses on your existing tenant: +If you're an EA customer with an existing Microsoft 365 tenant, use the following steps to enable Windows subscription licenses on your existing tenant: -1. Work with your reseller to place an order for one $0 SKU per user. There are two SKUs available, depending on their current Windows Enterprise SA license: +1. Work with your reseller to place an order for one $0 SKU per user. As of October 1, 2022, there are three SKUs available, depending on your current Windows Enterprise SA license: - - **AAA-51069** - Win10UsrOLSActv Alng MonthlySub Addon E3 - - **AAA-51068** - Win10UsrOLSActv Alng MonthlySub Addon E5 - -2. After an order is placed, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant. -3. The admin can now assign subscription licenses to users. + | SKU | Description | + |---------|---------| + | **AAA-51069** | `Win OLS Activation User Alng Sub Add-on E3` | + | **AAA-51068** | `Win OLS Activation User Sub Add-on E5` | + | **VRM-00001** | `Win OLS Activation User GCC Sub Per User` | -Use the following process if you need to update contact information and retrigger activation in order to resend the activation email: + > [!NOTE] + > As of October 1, 2022, subscription activation is available for _commercial_ and _GCC_ tenants. It's currently not available on GCC High or DoD tenants. + +1. After an order is placed, the OLS admin on the agreement will receive a service activation email, which indicates the subscription licenses have been provisioned on the tenant. + +1. 
You can now assign subscription licenses to users. + +If you need to update contact information and resend the activation email, use the following process: 1. Sign in to the [Microsoft Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). -2. Click **Subscriptions**. -3. Click **Online Services Agreement List**. -4. Enter your agreement number, and then click **Search**. -5. Click the **Service Name**. -6. In the **Subscription Contact** section, click the name listed under **Last Name**. -7. Update the contact information, then click **Update Contact Details**. This action will trigger a new email. -Also in this article: -- [Explore the upgrade experience](#explore-the-upgrade-experience): How to upgrade devices using the deployed licenses. -- [Troubleshoot the user experience](#troubleshoot-the-user-experience): Examples of some license activation issues that can be encountered, and how to resolve them. +1. Select **Subscriptions**. + +1. Select **Online Services Agreement List**. + +1. Enter your agreement number, and then select **Search**. + +1. Select the **Service Name**. + +1. In the **Subscription Contact** section, select the name listed under **Last Name**. + +1. Update the contact information, then select **Update Contact Details**. This action will trigger a new email. ## Active Directory synchronization with Azure AD -You probably have on-premises Active Directory Domain Services (AD DS) domains. Users will use their domain-based credentials to sign in to the AD DS domain. Before you start deploying Windows 10/11 Enterprise E3 or E5 licenses to users, you need to synchronize the identities in the on-premises ADDS domain with Azure AD. +If you have an on-premises Active Directory Domain Services (AD DS) domain, you need to synchronize the identities in the on-premises AD DS domain with Azure AD. 
This synchronization is required for users to have a _single identity_ that they can use to access their on-premises apps and cloud services that use Azure AD. An example of a cloud service is Windows Enterprise E3 or E5. -You might ask why you need to synchronize these identities. The answer is so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10/11 Enterprise E3 or E5). This synchronization means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them. +**Figure 1** illustrates the integration between the on-premises AD DS domain with Azure AD. Azure AD Connect is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure. -**Figure 1** illustrates the integration between the on-premises AD DS domain with Azure AD. [Microsoft Azure Active Directory Connect](https://www.microsoft.com/download/details.aspx?id=47594) (Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure. +:::image type="content" source="images/enterprise-e3-ad-connect.png" alt-text="Figure 1 illustrates the integration between the on-premises AD DS domain with Azure AD."::: -![Illustration of Azure Active Directory Connect.](images/enterprise-e3-ad-connect.png) - -**Figure 1. 
On-premises AD DS integrated with Azure AD** +Figure 1: On-premises AD DS integrated with Azure AD For more information about integrating on-premises AD DS domains with Azure AD, see the following resources: -- [Integrating your on-premises identities with Azure Active Directory](/azure/active-directory/hybrid/whatis-hybrid-identity) -- [Azure AD + Domain Join + Windows 10](https://blogs.technet.microsoft.com/enterprisemobility/2016/02/17/azure-ad-domain-join-windows-10/) - -> [!NOTE] -> If you're implementing Azure AD, and you already have an on-premises domain, you don't need to integrate with Azure AD, since your main authentication method is your internal AD. If you want to manage all your infrastructure in the cloud, you can safely configure your domain controller remotely to integrate your computers with Azure AD, but you won't be able to apply fine controls using GPO. Azure AD is best suited for the global administration of devices when you don't have any on-premises servers. +- [What is hybrid identity with Azure Active Directory?](/azure/active-directory/hybrid/whatis-hybrid-identity) +- [Azure AD Connect and Azure AD Connect Health installation roadmap](/azure/active-directory/hybrid/how-to-connect-install-roadmap) ## Preparing for deployment: reviewing requirements -Devices must be running Windows 10 Pro, version 1703, or later and be Azure Active Directory-joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this topic. +- Devices must be running a supported version of Windows 10 Pro or Windows 11 Pro +- Azure AD-joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure AD are also eligible. + +For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this article. 
## Assigning licenses to users -Upon acquisition of Windows 10/11 subscription has been completed (Windows 10 Business, E3 or E5), customers will receive an email that will provide guidance on how to use Windows as an online service: +After you've ordered the Windows subscription (Windows 10 Business, E3 or E5), you'll receive an email with guidance on how to use Windows as an online service: -> [!div class="mx-imgBorder"] -> ![profile.](images/al01.png) +:::image type="content" source="images/al01.png" alt-text="An example email from Microsoft to complete your profile after purchasing Online Services through Microsoft Volume Licensing."::: The following methods are available to assign licenses: -1. When you have the required Azure AD subscription, [group-based licensing](/azure/active-directory/active-directory-licensing-whatis-azure-portal) is the preferred method to assign Enterprise E3 or E5 licenses to users. +- When you have the required Azure AD subscription, [group-based licensing](/azure/active-directory/fundamentals/active-directory-licensing-whatis-azure-portal) is the preferred method to assign Enterprise E3 or E5 licenses to users. -2. You can sign in to portal.office.com and manually assign licenses: +- You can sign in to the Microsoft 365 admin center and manually assign licenses: - ![portal.](images/al02.png) + :::image type="content" source="images/al02.png" alt-text="A screenshot of the admin center, showing assignment of the Windows 10 Enterprise E3 product license to a specific user."::: -3. You can assign licenses by uploading a spreadsheet. +- You can assign licenses by uploading a spreadsheet. -4. A per-user [PowerShell scripted method](https://social.technet.microsoft.com/wiki/contents/articles/15905.how-to-use-powershell-to-automatically-assign-licenses-to-your-office-365-users.aspx) of assigning licenses is available. 
+- [How to use PowerShell to automatically assign licenses to your Microsoft 365 users](https://social.technet.microsoft.com/wiki/contents/articles/15905.how-to-use-powershell-to-automatically-assign-licenses-to-your-office-365-users.aspx). -5. Organizations can use synchronized [AD groups](https://ronnydejong.com/2015/03/04/assign-ems-licenses-based-on-local-active-directory-group-membership/) to automatically assign licenses. +> [!TIP] +> Other solutions may exist from the community. For example, a Microsoft MVP shared the following process: [Assign EMS licenses based on local Active Directory group membership](https://ronnydejong.com/2015/03/04/assign-ems-licenses-based-on-local-active-directory-group-membership/). ## Explore the upgrade experience -Now that your subscription has been established and Windows 10/11 Enterprise E3 or E5 licenses have been assigned to users, the users are ready to upgrade their devices running Windows 10 Pro, (version 1703 or later) to Windows 10/11 Enterprise. What will the users experience? How will they upgrade their devices? +Now that you've established a subscription and assigned licenses to users, you can upgrade devices running supported versions of Windows 10 Pro or Windows 11 Pro to Enterprise edition. -### Step 1: Join Windows 10/11 Pro devices to Azure AD +> [!NOTE] +> The following experiences are specific to Windows 10. The general concepts also apply to Windows 11. -Users can join a Windows 10/11 Pro device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1703 or later. +### Step 1: Join Windows Pro devices to Azure AD -**To join a device to Azure AD the first time the device is started** +You can join a Windows Pro device to Azure AD during setup, the first time the device starts. You can also join a device that's already set up. -1. 
During the initial setup, on the **Who owns this PC?** page, select **My organization**, and then click **Next**, as illustrated in **Figure 2**.

+#### Join a device to Azure AD the first time the device is started - Who owns this PC? page in Windows 10 setup +1. During the initial setup, on the **Who owns this PC?** page, select **My organization**, and then select **Next**. - **Figure 2. The “Who owns this PC?” page in initial Windows 10 setup** + :::image type="content" source="images/enterprise-e3-who-owns.png" alt-text="A screenshot of the 'Who owns this PC?' page in Windows 10 setup."::: -2. On the **Choose how you’ll connect** page, select **Join Azure AD**, and then click **Next**, as illustrated in **Figure 3**.

+ Figure 2: The "Who owns this PC?" page in initial Windows 10 setup. - Choose how you'll connect - page in Windows 10 setup +1. On the **Choose how you'll connect** page, select **Join Azure AD**, and then select **Next**. - **Figure 3. The “Choose how you’ll connect” page in initial Windows 10 setup** + :::image type="content" source="images/enterprise-e3-choose-how.png" alt-text="A screenshot of the 'Choose how you'll connect' page in Windows 10 setup."::: -3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 4**.

+ Figure 3: The "Choose how you'll connect" page in initial Windows 10 setup. - Let's get you signed in - page in Windows 10 setup +1. On the **Let's get you signed in** page, enter your Azure AD credentials, and then select **Sign in**. - **Figure 4. The “Let’s get you signed in” page in initial Windows 10 setup** + :::image type="content" source="images/enterprise-e3-lets-get.png" alt-text="A screenshot of the 'Let's get you signed in' page in Windows 10 setup."::: -Now the device is Azure AD–joined to the company’s subscription. + Figure 4: The "Let's get you signed in" page in initial Windows 10 setup. -**To join a device to Azure AD when the device already has Windows 10 Pro, version 1703 installed and set up** +Now the device is Azure AD-joined to the organization's subscription. ->[!IMPORTANT] ->Make sure that the user you're signing in with is **not** a BUILTIN/Administrator. That user cannot use the `+ Connect` button to join a work or school account. +#### Join a device to Azure AD when the device is already set up with Windows 10 Pro -1. Go to **Settings > Accounts > Access work or school**, as illustrated in **Figure 5**.

+> [!IMPORTANT] +> Make sure that the user you're signing in with is _not_ the **BUILTIN/Administrator** account. That user can't use the `+ Connect` action to join a work or school account. - Connect to work or school configuration +1. Go to **Settings**, select **Accounts**, and select **Access work or school**. - **Figure 5. Connect to work or school configuration in Settings** + :::image type="content" source="images/enterprise-e3-connect-to-work-or-school.png" alt-text="A screenshot of the 'Connect to work or school' settings page."::: -2. In **Set up a work or school account**, click **Join this device to Azure Active Directory**, as illustrated in **Figure 6**.

+ Figure 5: "Connect to work or school" configuration in Settings. - Set up a work or school account +1. In **Set up a work or school account**, select **Join this device to Azure Active Directory**. - **Figure 6. Set up a work or school account** + :::image type="content" source="images/enterprise-e3-set-up-work-or-school.png" alt-text="A screenshot of the 'Set up a work or school account' wizard."::: -3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 7**.

+ Figure 6: Set up a work or school account. - Let's get you signed in - dialog box +1. On the **Let's get you signed in** page, enter your Azure AD credentials, and then select **Sign in**. - **Figure 7. The “Let’s get you signed in” dialog box** + :::image type="content" source="images/enterprise-e3-lets-get-2.png" alt-text="A screenshot of the 'Let's get you signed in' window."::: -Now the device is Azure AD–joined to the company's subscription. + Figure 7: The "Let's get you signed in" window. + +Now the device is Azure AD-joined to the organization's subscription. ### Step 2: Pro edition activation -> [!IMPORTANT] -> If your device is running Windows 10, version 1803 or later, this step isn't needed. From Windows 10, version 1803, the device will automatically activate Windows 10 Enterprise using the firmware-embedded activation key. -> If the device is running Windows 10, version 1703 or 1709, then Windows 10 Pro must be successfully activated in **Settings > Update & Security > Activation**, as illustrated in **Figure 7a**. - -
-Windows 10 Pro activated -
Figure 7a - Windows 10 Pro activation in Settings - -Windows 10/11 Pro activation is required before Enterprise E3 or E5 can be enabled (Windows 10, versions 1703 and 1709 only). +If the device is running a supported version of Windows 10 or Windows 11, it automatically activates Windows Enterprise edition using the firmware-embedded activation key. ### Step 3: Sign in using Azure AD account -Once the device is joined to your Azure AD subscription, the users will sign in by using their Azure AD account, as illustrated in **Figure 8**. The Windows 10 Enterprise E3 or E5 license associated with the user will enable Windows 10 Enterprise edition capabilities on the device. +Once the device is joined to Azure AD, users will sign in with their Azure AD account, as illustrated in **Figure 8**. The Windows 10 Enterprise E3 or E5 license associated with the user will enable Windows 10 Enterprise edition capabilities on the device. -
Sign in, Windows 10 +:::image type="content" source="images/enterprise-e3-sign-in.png" alt-text="A screenshot of signing in to Windows 10 as an Azure AD user."::: -**Figure 8. Sign in by using Azure AD account** +Figure 8: Sign in to Windows 10 with an Azure AD account. ### Step 4: Verify that Enterprise edition is enabled -You can verify the Windows 10/11 Enterprise E3 or E5 subscription in **Settings > Update & Security > Activation**, as illustrated in **Figure 9**. +To verify the Windows Enterprise E3 or E5 subscription, go to **Settings**, select **Update & Security**, and select **Activation**. -
-Windows 10 activated and subscription active +:::image type="content" source="images/enterprise-e3-win-10-activated-enterprise-subscription-active.png" alt-text="A screenshot of verifying Windows 10 Enterprise activation in Settings."::: -**Figure 9 - Windows 10 Enterprise subscription in Settings** +Figure 9: Verify Windows 10 Enterprise subscription in Settings. -If there are any problems with the Windows 10/11 Enterprise E3 or E5 license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process. +If there are any problems with the Windows Enterprise E3 or E5 license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process. > [!NOTE] -> If you use slmgr /dli or /dlv commands to retrieve the activation information for the Windows 10 E3 or E5 license, the license information displayed will be the following: +> If you use the `slmgr /dli` or `slmgr /dlv` commands to get the activation information for the E3 or E5 license, the license information displayed will be similar to the following output: +> +> ```console > Name: Windows(R), Professional edition > Description: Windows(R) Operating System, RETAIL channel > Partial Product Key: 3V66T - -## Virtual Desktop Access (VDA) - -Subscriptions to Windows 10/11 Enterprise are also available for virtualized clients. Windows 10/11 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [Qualified Multitenant Hoster](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf) (PDF download). - -Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. 
Active Directory-joined and Azure Active Directory-joined clients are supported. See [Enable VDA for Enterprise Subscription Activation](vda-subscription-activation.md). +> ``` ## Troubleshoot the user experience -In some instances, users may experience problems with the Windows 10/11 Enterprise E3 or E5 subscription. The most common problems that users may experience are as follows: +In some instances, users may experience problems with the Windows Enterprise E3 or E5 subscription. The most common problems that users may experience are the following issues: -- The existing Windows 10 Pro, version 1703 or 1709 operating system isn't activated. This problem doesn't apply to Windows 10, version 1803 or later. -- The Windows 10/11 Enterprise E3 or E5 subscription has lapsed or has been removed. +- The Windows 10/11 Enterprise E3 or E5 subscription has lapsed or has been removed. +- An earlier version of Windows 10 Pro isn't activated. For example, Windows 10, versions 1703 or 1709. -Use the following figures to help you troubleshoot when users experience these common problems: +### Troubleshoot common problems in the Activation pane -- [Figure 9](#win-10-activated-subscription-active) (see the section above) illustrates a device in a healthy state, where Windows 10 Pro is activated and the Windows 10 Enterprise subscription is active. +Use the following figures to help you troubleshoot when users experience common problems: -- [Figure 10](#win-10-not-activated) (below) illustrates a device on which Windows 10 Pro isn't activated, but the Windows 10 Enterprise subscription is active. +#### Device in healthy state -
- Windows 10 not activated and subscription active -
Figure 10 - Windows 10 Pro, version 1703 edition not activated in Settings +The following image illustrates a device in a healthy state, where Windows 10 Pro is activated and the Windows 10 Enterprise subscription is active. -- [Figure 11](#subscription-not-active) (below) illustrates a device on which Windows 10 Pro is activated, but the Windows 10 Enterprise subscription is lapsed or removed. +:::image type="content" source="images/enterprise-e3-win-10-activated-enterprise-subscription-active.png" alt-text="A screenshot of Windows 10 Enterprise activation in Settings that's healthy and successfully activated."::: -
- Windows 10 activated and subscription not active -
Figure 11 - Windows 10 Enterprise subscription lapsed or removed in Settings +#### Device that's not activated with active subscription -- [Figure 12](#win-10-not-activated-subscription-not-active) (below) illustrates a device on which Windows 10 Pro license isn't activated and the Windows 10 Enterprise subscription is lapsed or removed. +Figure 10 illustrates a device on which the Windows 10 Pro isn't activated, but the Windows 10 Enterprise subscription is active. -
- Windows 10 not activated and subscription not active -
Figure 12 - Windows 10 Pro, version 1703 edition not activated and Windows 10 Enterprise subscription lapsed or removed in Settings +:::image type="content" source="images/enterprise-e3-win-10-not-activated-enterprise-subscription-active.png" alt-text="A screenshot of Windows 10 Enterprise activation in Settings that isn't activated but the subscription is active"::: + +Figure 10: Windows 10 Pro, version 1703 edition not activated in Settings. + +It displays the following error: "We can't activate Windows on this device right now. You can try activating again later or go to the Store to buy genuine Windows. Error code: 0xC004F034." + +#### Device that's activated without an Enterprise subscription + +Figure 11 illustrates a device on which the Windows 10 Pro is activated, but the Windows 10 Enterprise subscription is lapsed or removed. + +:::image type="content" source="images/enterprise-e3-win-10-activated-enterprise-subscription-not-active.png" alt-text="A screenshot of Windows 10 Enterprise activation in Settings that's activated but the subscription isn't active"::: + +Figure 11: Windows 10 Enterprise subscription lapsed or removed in Settings. + +It displays the following error: "Windows 10 Enterprise subscription is not valid." + +#### Device that's not activated and without an Enterprise subscription + +Figure 12 illustrates a device on which the Windows 10 Pro license isn't activated and the Windows 10 Enterprise subscription is lapsed or removed. + +:::image type="content" source="images/enterprise-e3-win-10-not-activated-enterprise-subscription-not-active.png" alt-text="A screenshot of Windows 10 Enterprise activation in Settings that's not activated and the subscription isn't active"::: + +Figure 12: Windows 10 Pro, version 1703 edition not activated and Windows 10 Enterprise subscription lapsed or removed in Settings. + +It displays both of the previously mentioned error messages. 
### Review requirements on devices -Devices must be running Windows 10 Pro, version 1703 (or later), and be Azure Active Directory-joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. You can use the following procedures to review whether a particular device meets requirements. +Devices must be running a supported version of Windows 10 Pro or Windows 11 Pro. Earlier versions of Windows 10, such as version 1703, don't support this feature. -**To determine if a device is Azure Active Directory-joined:** +Devices must also be joined to Azure AD, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure AD are also eligible. -1. Open a command prompt and type **dsregcmd /status**. -2. Review the output under Device State. If the **AzureAdJoined** status is YES, the device is Azure Active Directory-joined. +Use the following procedures to review whether a particular device meets these requirements. -**To determine the version of Windows 10:** +#### Determine if a device is Azure AD-joined -At a command prompt, type: **winver** +1. Open a command prompt and enter `dsregcmd /status`. -A popup window will display the Windows 10 version number and detailed OS build information. +1. Review the output in the **Device State** section. If the **AzureAdJoined** value is **YES**, the device is joined to Azure AD. -If a device is running a version of Windows 10 Pro prior to version 1703 (for example, version 1511), it will not be upgraded to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal. +#### Determine the version of Windows -### Delay in the activation of Enterprise License of Windows 10 +1. Open a command prompt and enter `winver`. -This delay is by design. 
Windows 10 and Windows 11 include a built-in cache that is used when determining upgrade eligibility, including responses that indicate that the device isn't eligible for an upgrade. It can take up to four days after a qualifying purchase before the upgrade eligibility is enabled and the cache expires. +1. The **About Windows** window displays the OS version and build information. +1. Compare this information again the Windows support lifecycle: + + - [Windows 10 release information](/windows/release-health/release-information) + - [Windows 11 release information](/windows/release-health/windows11-release-information) + +> [!NOTE] +> If a device is running a version of Windows 10 Pro prior to version 1703, it won't upgrade to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal. + +### Delay in the activation of Enterprise license of Windows 10 + +This delay is by design. Windows 10 and Windows 11 include a built-in cache that's used when determining upgrade eligibility. This behavior includes processing responses that indicate that the device isn't eligible for an upgrade. It can take up to four days after a qualifying purchase before the upgrade eligibility is enabled and the cache expires. + +## Known issues + +If a device isn't able to connect to Windows Update, it can lose activation status or be blocked from upgrading to Windows Enterprise. To work around this issue: + +- Make sure that the device doesn't have the following registry value: `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations = 1 (REG_DWORD)`. If this registry value exists, it must be set to `0`. + +- Make sure that the following group policy setting is **disabled**: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not connect to any Windows Update Internet locations. 
+ +## Virtual Desktop Access (VDA) + +Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Azure or in another [qualified multitenant hoster](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf) (PDF download). + +Virtual machines (VMs) must be configured to enable Windows Enterprise subscriptions for VDA. Active Directory-joined and Azure AD-joined clients are supported. For more information, see [Enable VDA for Enterprise subscription activation](vda-subscription-activation.md). 
diff --git a/windows/deployment/images/sa-pro-activation.png b/windows/deployment/images/sa-pro-activation.png deleted file mode 100644 index 4066c45dad80974f9641c6475cde6c28f5c731ca..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 44736 zcmcG$Wmr^S*f&Zul+4hb3P^V-3=I+z1`b^k(nxp1&?O~Z20b9sJ(QGyba!`4y&M0} zd!6SxU(aBg*%v?UiI`MEc6D7tG~OFBJ)gSp8E6jPec#JXl9#6ut}LhhN=Y+e zL^+ady2k77#An{k&i-QI<0x0nU!MbsY`4J-r}h3Rzmt9ef$xuvw2|7rufKl^V_dM3 z0Wk)HWk@`Zccw(MY3Ut}`<3G<%-3#?R8^Ga{=Em!L;Ebm%F3$V(6#W*^u&6aLTzn* zJ=83cjL2Yw=Y3cR_~9IEzgBVPpM)=R?x{?E4Z$O4!GQPkgr<;SPZ>Xa0EjVyNb^*N zq=_%%J_W}%GDK|1gr;*pq5W#5((ixHz|Q&dCNOg033B6B!I;KZBGBRd6D?tXmE#TR zzpKn+^EZfY?!1v9Y3)m&?9zVBh-yP_XSY?|#M zjwHybb_zYgp=?P>;07^2s_pAtAEwZFZHJwec!xi^A}Xg^Sgw;!&;A*SMEpA)%p+ng z^_JHzK*H;{yRJr~9{5-1y*kZTd1sa=UIly$JX2lX8R+f6Zals4PyWt#iG6aD1D~eM zCH1SVcvXIcn_ljcL@xs3m?dCX(i)?E$WC+1+DNL_N}&ya>I$6kxPdEjlWQOjt``h z!f(a?Ps`LY#fZ;4j6AmUB!{nY{AB;0x-}{uIX4l~G4Q6vql`pqGQ^RHW%aCu;p_Wf z5lKpB>;J|-_>w1=K!5sKl<443lJ4FK+!i~&L4&r9jxMGB2s~4aqin;UKk4c1EybQ_ zMT`0#G+pf8T_4o=-CeN~S2_D$t{HMp6p{kx_Td|)~w6zM$PBertG=qhXGJvpir zmPT@A!&EIHE8Vd*P@li=*Kwude*DPP&0-4`e}~(n`;^!K0`BxX_3l=1^Zf1FwC>ZV zAE&JWci#Tf8~TXW%4Pcx0>Z5D-h|w7^rgtv!CuY6e#=<#yBgq|`Hp|LYO+Ql_OZa{ z{`SIk7tyUVSMTEU>Vjb=5hSq`p>ucx8GlNZs4K)5*Bfb z2giIcv!0`HeHT$!`bNVcn_{6M=yvMlZSn1?x>jDJ_EDuVd&+TdLk1g$`M_the8t$G zvX8`&t_wbHvCmI`%Qh7pANTRhB&tI{)Xcf2HyyU)xlVuhI(4|zVf#Br+D^##@7C8+ ztx_Ff$7Q*N{Wfg+AALM6vsqsIV%d@hjVHT*UaMD6Rasm&{+l$Hey;N#7TM=>Zid;e zlg8LH?kmv(DtIXp7qg=TS=}^FQA70Zivi=6W-7&6rJsk$;S91>*kAj~z0#IbY3=yT zSrl%lBa-;3k4Mskt!IaX7nefM=k~%TFWkOb(2A z!y~Dr3X8v(_p;}aW=K#MUBa*){Sy5$^V!(Ty#=3(%z+HCQRwxqK*Mqb#|^o_v%Jdz zk%b@4KG&WLF19m2tNG1-y+3Dpm`|Fg9xKrzvx_Nv^A5mVnGVJw=C>x{KHZI@cOENR zUJN4q$@21Ztrji+d${e-Df6@^9PLcB^_&9@sT`dxW^J5Rx7mM3f7$&^d@FhWsQC7h z{O6F**7xxh^pZD)FFPo89aWrt*9S9q@@nKG$;L~x1r7@844OQB1$KXosx{N(jin5J z)(+ds33^odaqX9OZ^9GXyPGSmD)X1*9iJS)WA6-os)cMOe|P?Pc-+X(?FL?ZYo2hb 
zGf`ULackwug!EHc3)iaWoHgGZt31EETsbLeDh`x^boI6)mCI_H_q@lv&R0y&Y+o(h z{p7X$gDF6qjVnun&JDTVtH}l)sM$Wd<5poxy&+y6nRFjc2U_Et>&#VnM^RLv``^FeQ`r%Ui@-!pY&9vnSeD3 zouE-iPb&TLJJM?FiE|y_>C`!3X1HE1g;^w%K)*jspt#?TpGE8qz|{h!-95|W-j+ff z`uHu8{nLGnZ^cRFDyQJCHL&Q{^xC;uT;TiH=B&bpzhs8DF#}CIm1hyA-KtUll`Sg2 z``a3k#(XVkpzo|>H*HhXJ7cGdIky>L4pvRxVc}COO2lRY(>g8HY_#?S-};SNToT*6 zUVZa?5osEt&%9d#q(!{0?Y}x@q)nD)Nvnv;)r`emcVP{id675d*mgw>|85gG-5mj1 zX@8e1y;Sy%&0x+3(MfjR%bGo@E_wS{lk?v(8DkqY{~av{QTQLIfcppkSEIoJX1FUY z8=qfh(SFhHEy^|*FmwIy*N|4`-2H#MxQKZ4%5tvSxa~iPGtrldKKSo=&?Q@PeXujqqW(F?2%ZW z95#~`#&l#R`d{=LT!o!CHN0-mCIt966gCDkOa1Qe(&`R>udl+Yt;TGY+C$P(lfJ5? zaF3T8w)AIcvnN%)6rMuL*8&%?ng01Au zp{zLp~_khAY)Q^K$KRTN*ymoTTh#f#XpZ%RbK$d6-a z=}??7+5lzM5C5Qkhr5Pm!EM23JYSK}Ycn_OCO>jabcU*$GZddP0VmDx)06>RC<(xu zsSt95&80}5=1Ds5LutZ|u)z0gzml4MngPZ2r)|yLc*q)}n{G$u)83W?9|K zH|>sTwrSY=soNi$=FPD027u7>tJOqXpql@bC6o}X5*z>?oIPuXL*Sg#ki>p||8WE< zN14Xb1AV(JhkY=Pa_7>_3)b!YmCUuXPy7H2*?xCZo@d);VKg7%krtdrn7Mj&AJgKr z3zd^f-uEWZbzy%jZ#u68#(Gk0BV)y}X2G|C*5`DX`|&s2=KcDe8`HbP4#Ml>A?S7g z#DeEeX{pckIUOr0-XBxUBxyhJDkS*3NuWL*$f=LsDyt8-NLR#UpCfJc@+t)FYnMVjhUl4S9dE~V?L8P%ohK!Sbfc++ylJJJFZSnVYG{S5 zKIxWTpYQDmDFI_Gr)g0b!Z)51N-%jTPXpAepFbd6M!*w;=-7%mq4{4VCA7paEpU97KxX)nO{0i5c8x!Nq>&rM)u zWnv750pw`m!i&y5CeOXlU#H&r!;DEJ*K8?Mph{=u`O&0l>{K{wmL)d5w*w0c0hx)F z3wTiK8R*QqtgdS#0F6tgPCXl%Mgc6xJj=?Fc8a6E?xVF7Ls!(OkO)G{ut&7B%Fgp1 z8&};F0eWE98C#K^@zQi%ucPh)2>88j0^##r-kN$ws&C^V>~D+Q$+h5tHZ97Y81Cz7 z79}4>zi5@f5UM5MVmjnwtx<(&s=C4y!;-eCeUekr0GI)#`@Dk_JlQf!2=@yK4KoQ5 zq#LySS;)GcM?gk`I_qnpG*n&U>`(tJ(`FM|3J&g<){`(&F-ejrk9Q9RL_RHvtm~4- zu4+Kowf9L%Ej4CyB;2IP>boldX-;#oN5C{2vO(BrsrlA`^SP2P z;Z~_Y<5qm2YvdYBG0*o8y`Zm(wYbvx%_26i`?y<9Eg{*7fvxq!r6x)m3^9kZYhmr| zbNx8~E>`C1mBe8y`Zk=5+6@*QA?i+oi&&dY+!31+Zs=|;HCP=iD3O*x9 zA;7>KYxl1fJ+GsxY2zWbp7p)nvykvQKNV%v!X}w_z-})@@iSzhDp(>{XXJ~3=@EZp z)TV+feOV*jwrjpJ_gYJOH_H@#mWt&d6##k1lqKz%1+Ospsi8j)Jsi6So{fN0q|^`K z<}X|q1F+3a06>8Yr2v%3TLZzus6{Bch+@zCr$C9Aya+U5V?A=*vp8gqZ)zJ>ax8e~4C%5;`+<|Hlh#&o5FmzeUyIE;yc9Irsa8+M4<5 
zd^>IQem6@(RG_y%r>u%gck?2-kInqc`R|%82`t>ak_~%IgnR)$M`nGg@Y%lcDAcV~ zVTovh6&E2G*SBv-A^mcQ8{}eT@vXG&mZ_eNah}pAHjvF0r-zlB=F~*m%>km9`{iYN za+)qiwNeK0!}?)M{4C++8hCG*aS7(mcs@E!z->oh^{#4rq*|r~T>I4MXkfpKQxc?1 zm2C1o`Zq(2Euxu8uZpYw^u}Lf?!(v2MorqLat4#Ci8KL=7~Q}lvq8e;bZD1Sx;KIc z$uGnSkQ*~f)R-B}CM||Q({ifT>i{Z7?>oxhtTSggJ%gm%Ng-WUEZqMn(Epz_C*aTSR8=D2Q|M%@ z52Rb*Z4CZ!4T{tanjS0h?Ck%n!f0c^;C&KZ`06`AR^`*FgsdJY3cu3>w}PdAnDq!1 zD&p@^{#5+l?AIp*(G%s%H;wL&eZ9R$4iDCX&IjWgpj6HP0A_K$TNMkSxFj)$+;9-J z@8#jrPe1_8G+*zhhXbq+@vLWHpn89AuxpB4r#PE~a{&w8TFV`FJyr1%}r!)KM+OjV|(t_fHS(pb+o*1ZL$K6m{l z(>-??UWu0R&5-2%q`;84=>z7nD8Tbn03@-EXKU zSY13mT*+zDIBW_~pt~DCat;Yf^y(@NgXn!P+YCI`lKK;>(}9sb<|Er7fjyAg8<9Wd zh6|;Iyf%}(4@BZ+miUx)Ho&@k+?+bx9cOH7rT~Gk(IwJq`R=P4ZNqM5pSSO?PfzVW znbH|cI4nvT0!;Pd`Zz!4*{^c|qX-RM#@;sD0DKWjSYCF9@NRM%J^nh;D$M8lLY~4NVuO7+AI3o~OV3EZ940nrQ=X zSPaA~QBGoqE_``OO$|VC*mKui%ZGw_2o#8OQmHXVW0kD%wkjQRfhD>sX`*cW0o(YBP6Yk(`8C&O+2W9tYVsa0cAEF|wT;qX+Q z(?4b;L5FakbD5~Kl&9%9>ZZ3h^f^ny8#)<$K2-YcfyhLf>fwNqoUAwPcs!GX&kt;L z?dl2}@G^YPr|bd-$&!NY>(EuQKT_`nJ(-ieY={dUT-Gws`9;3y0Go% zNWEaeD|5dB*;Jf&?=G)4vgd3uBR2tRJd8TGaIDxm1-UI?##D`}Js+?>dn9qHG4nq0rJfOh z_QS=u5Er;?NlT-O_5t8UxH`g&Y_@ zh;M}5-g5W17?2D;+(sU5relLxkQ+dBxL*QB%2^{SQ`QZ`tNhNi8&jdX^BH@6|CKJ3 z2W5U=2_3uAD0=g>e7$?(FJQkM)w1nFbnEap9wfz z+|7~zR`Fn<$lN{HHUz?xts9-oB_EBWp56n~@!}P2AvXs47&&GDcG$>hQE2*Sc6`Ko z&{{5_sQ@{YZDyh+`KF<>>v24=^o9+Wr)(OJy2cya?4NJu1T}g(%3lF;=;n$DK+|x5 zC)c$A-WA9n30FYGHWCUW^=Cp8F_BlrR-z#25E*bh(m*q zy-&t}+Rmujd}ezA>E+|{MSNSX>ANP~Iq4)f-0iEB{)D#E<=s7B2d4n0;Phf?h`B z?S@RyUTaTH4@$r<G;&IV=25y4EKJ>etjlJ8@c0g^5Qo-uNov(wO z6I-7j8g|v=!bjOW5fznO(7LI`8I^k2S4i4}Mzp6Nl|r@v_1(^eMY8tQVV2@-f;tt} zM{zLM^d*MrALIMWciArE+Vd5U=uMr8H%sTKs9Z>o=X@ah^Fgy&nJNU zYA8&GvW+>O>{WC;f(}7-epoJv;ArU-N!C)T>73?9=eDXe*K;Ylp6lE*T>Mbs==e)$nwp9VV!n==E#Tj^-Y`LKWpNs}@aX z<0l>^vu}J>oaDw7IQ1j)P%m)F{#>HvBV$AXrzLPG#5@XSci^z z(ho3kTT*J>4wbwBwRiI*qMWAL@lDmR1cb+ZU%lw?5V5jGe{cfha_y#da~Jo0?|e}O zi0r?SnS@ zyM%Bc)L?-N1sghZwE9u3kQ{K$+rmC^ye(Qi*aw7=Cq-Mg_{=es`4Ks$9CP4Fl)&Jj 
zp&Xmcv%qT%-?{?gIdT+hjsx|QrbfaK-@?YIN?W}?+k@xjV;#Ru)ri zO??+JC1s; zfK7XS5mL6Fmo3~K6pGr64ojM%|II;stru@MKki&lkZvK=r~bp_$*9CDhity1rgiVG z3hU?f)_8>xk3q=C-f@Wx?1_%~p{(jIlu1z;WZX+1jT#P(hx%_Nb61mtU#X5XdYlvh z61EpeHWD-2o=6M2i+*YI%vXp$J_JnF418+g{tmEQ!v>+}>1KQ|VM7=rD1WuA zVgJ~HO`ZjyA*wpS3O$kj^cXOA%EACI81+7cf@J`}tN9Z$Wqmpk;P)PXS`?>I&b^~n zw#Z@~Czg*qL{pNH<`76>A#o+zKd=e3RF#qD7O2^--N^DvIBY+40B0z%{#*QleGK{TpPE*JLe@YFfPqqwDv?@-RS9iqlNNBM%mEE z%!)CpfM(u!2AO+qJN@JRdVgAPhM1F{O4-LM)?{(cH_l;!EhHIFRD?V zw2QJ+7Jjw~bNbn_tSE#rZaflGL0ib1j3CfjaX7TY+4=MRwL!1o^QK+iLQG|gPmcl; zNKatN5BesSxdleuA$IPe>70X9JR_gmTx|FEdsb*XOK^wxjc$c5gu$TcM{G4iy_@&l z)rP?@?0tQf#jGzy(RbnqD^vO0MiZQ&}lDh`T-bag*U9(;E4W}Cpg!@uhN4;oTqJa%44Ih`#6l@Jk-U%Bb7ec>GkzXjfC)zi=>ED!LBWnhKCmFAx z;~~h3x2YwEl)z^|j)>RpCGD4N78e@QOJI7T9D4QhaLmuwF2UHEhJFmt(6kXx41%0hv@WPn)&fz#St9~zX$oa zH_aj|Z37*MAO=>G-WeS6(m1rD_689`H;r$mWtM*Xq^LjN6I9=LfE=@fmV4h+k4i&D>sN-L%rW%D3c(R_HXd3dT?NWRxm-ko(A)ce-$;Z z))#gAQcbNlOZBJBe2gPheUm?@9w76jGZR`AVpx%n-wxGUA+^4m3hvUogA+6YB;;vFIF36a?n(7oCKq!+#joeniI_GyI-Iow$S>H5cV@!}D3#TV&) zDjD;;3OCv8rtCW^BjM$0BDR&F~JDf*PQok4?+|1SZg{dFpK%H&8*Sx zCu!a{nIxRKPs7&XdQXGFCTFs4pHDZ`F24S-&Jp?kmO$eCH#EqVw04wld2`!;zH+nj zq-FQnn*!}pXqTXJzTx;}+zWW#qg$NO@(N%*jp3o=3~O8hyz_itGuwR`$No<<`$8}N zuoxpa{ji0Uv1+lU#4nI2G`8 zT5Kq^!_PLo(xFw9g|T6Y&=|@#zWW?n`2fI9)?H}!*(*p?JHAqfULm~@t!S~BaNoAA zkd+ieUj$%d&rfJmoyN4Wc>|{6FC@t$l0RDkLCyVM7yEm+dZUX8vG&5d>CHJF2l4N) z%(Nj7?7_ouqz88OVXnS9HYd&JWf%eV`fYJJTxbhWi^r(29;YBIf=2Rq(zS=64p3k0 za(|ePZ(b*g+D;2T zNZi=8R^LI<6?}S35t+Z@lJKX=4=(*Vpp&jode}TpA$~}R;`?zmH?>xHLF-+4{Wd#& zYdFN4l05g#_gC{15<&+V*ni_$hYDm3ZyMEyp6zfhWDV;LTQn-ZAkU3mOLystqFiaB z;$vc$c*GYfoB7P;rZIjW$eg!7pagy5<3``02x39ccWhh@I~j0fUTtvRT6TO}tW^zY zB#x@H&yiFMI7jqBmu4Vytoa_Y&eq85ui3sIjRV=R3@#<_F7v~}IU@2XC>{rsI|s)S z^O!7}_4mbC6E5Pqx-M9y|#swibpV_>l8y=5xP`mQT z3lKrKpG!e-o%7e=LGhFR`-U&8B3>HFfvsWJ07PDx%GjI)=xKs6i8}MXNu?ytc8mLg z)IDqS8kDk3gBfK0PFt6|EZqQK>rl*>DJKD6@0K=r@*&#rk&t_&ul>q@5=T6lWri}@2e`^n2ob23a0!(97;&PUyX)zq!q(Hx_l_q zUdO$xb0cz$IHGjRqAaaep>M-ns2B{% 
z5BK@#O@lsONN(WXHep5^jB3I}mk2IKn>U7=W~s}uT+p@ioPVXuHn#G2Uw0QdF8eTE zl1A=5MF#2hf`HTDuzBjUor#NDApe-T=ze=oh#MQxkgd`ar_8NG>zq`?*)t!UASM1uagPmF( zKQ^0WQM^rR$L#L$K=U=F0RN&9!Ni1by(Xq;;VYo7(VkmK$qNMH*J2dqtv8WJBkk?V z)wFMQLBx6-?$SrcOJ?1D;YE@~$U{Gt7&F*8xV_2qtP%)9JjWz>1Vft?Y8jdCBbU;z zP&C)NR45}=eiVUgIvzc*P0cexx%p@V=O|hewL?lK<8YGoqj$%^yFRL&J@$p;2Mt8h z1$2jnxhSQx^FVoF5^Sog*odBP)Zu7{=vAI?aauP$hXE`3Jz;T9FWXiC@$C|?WbhOv zF7}CZ{pwX0wf$+VAQ^p;EJ7U8eYX7hl~35_dVOV-^}tW>)m}Wu40S6ihap%(b?Dip zKeLG#y(WnUt#Vsr?&%ckMzUATwiUEODv1v*pz%<;OId-GV1uCta?}?MWo zL+Q@tsLi#zB~x{AdKGBYE^)k661UbfTuwdW5_3I5IT88~gXkADWqdLuWa5#3k{eG) zR1EUluQA%Xktb@i5A^E*Zyx8AMLHT!i28EIS<0T zT{XS<>)C5WXry5lt&z{U{4}BXp+C8il7LPu;7|<_R`UU|M5?Z(Sn{s3JC-R0sQVV8 z@a=eiSsVE+z!4oC*MW{VLoSkgh%RKy#+`7fOd1-1##e3m=Tw7OafWbYDFdSJN#hi} zkwx_a_l8UN=jqL{UAt}I1%gV(>lb3&W1V3o<7k@|R+M5)#YYVPc=&9b6Epq{nO z&rT`E)uSKViyr06AJK=zh^Hl?X< zM?#+B$8eI^20+Cp94;$AC`~=LITt!|gJ31F5uL$YFyY&g678yfy@U*p^|W4~pzbfV z1!1!SRj)a$LuJgbqfZQnKI5_XZUW$%Ev&GprpD<3)-K&6dI`V#Rv^_$4<<}2r-srf zfjxUC5vGZNozE%_{_B1o51>*)S4Uc%AmB(GBMzt5>o&4ZY7ZIJ{+{h@EWNlydAx+4 zl&0bY5Mpx~rQ_eSgijjj9}F3#K+uK5V>(5Ea3lhGwtFq$VbZZ2fRSZ}6ATH7N{K92 z2XTzD-jo}>Bv}cEkdw<7m;S8T-pAqeZoZ<}e0x1WV4jTgM2U^_y^InOuFhTGofuge zo`YJD`-^$sYug18q@dUN?$*XG5cD56I!3REflXXGPUZ_$Qu=4NpTJL4ziqZw!BVe& z`5Kn&&CY)C>YwduHvIy@l!3F zqU~JotK&QBc@;aKHnhM_>IqzL1IH#5o#fF)^kVRi5oC#+18>VjqMJYXEJ48+W^>rq z$@Qe6o_I3m*4T{2aQH6?*B)fNBjVFbS3Kt;rzva?Gy17JUvO-+bKVZ9dq9qvItH_t zQwR(8d6Jy#x1(e0OY}(2jR;dFA5KlAQ@`HK?)G}m@v-U{{}s#7@ELla;08XPc%1#n zVphkKFz*DzR`yV#$m@jbxD$%p$*uYYrE{_!#6T;Qn~+EgO8S2t@VhmdT`lfWrK79Ii_bpcz!1r zp{GT!q<^O$D!L!w)o?6WAM;|E|E~LcOv*QfxOsM2)`7Aa;}y-Vt*i8=0pQORTZsMEaEu%>-GWOrO6gwcII|u6*d5!bJ_{yu})Q zC)}PeZ$;4>mSsxuKG3(35)p4;v}v8v+(Jp20Il0H3#IeioJbAe22Y>jsUC>KY$<<) z282>jtN={?w7KPV~3%OUBj+>IPy{ajlntR~*|ZcT+`If1Kp zQhywpdfW<5*fwL;4Y#QaNrEe=WbTrUN}< zUJLE`6aCPwg-iw0R{lYPYbHV)*#iOmPe|yCNZ(ws79dSKHpEg5mzXn3V$~mfPG%mH zXkfjW6r`!L<&|azvN{iXn;ws1dVeZau5?N~z`%}Q`RdP>uuaw&r{r)%lB!5!pS5L5 
z;z~DZ2h{8*)o3X6oP9Y$~0Ud)ff0-|paG8ignJ)5JXhLs=d3rdL zVVPLv1Q0OWJIuTYB>yj#_Rptauaa1h8OT}TN8`)zJRQchd|%) zc>_WFK+{O9i3ec&Z4guua(0AZaPW5b7%{Y76r= zwjecC17uK`LqGcdy*N17FtL?shr!>1c$NcOBjG86EgZNrrDdU{yJ0C_!6`yKe?eN< zoC3qkRpNjQV)52k2A71OPVnex;U@0JZXX*_Xj461`7b8B3kY-@k7y3U6hGLYYAt7);Aa zW-w_;Dq!_F8xPcD(>liyMyfIk?GN1yG1-CfB?pYe@P}02UMI|d03ksioWw!ia!=4Q zq@%zU_>dvTW8aO`JT}Z2$|V&jst7UG5~FPvy-|aW2v#e9OcE_Z%^2McM^5MpMn@u= zXD{4Mzp(Vs9ZIMwpXOYl$|sKR8wvx20#evC zZr}YT$1hFu7)JNCd=paosDeQwgiH+R8r^%aYs1M)7IO#LyG0{68qq4bpgujC zC-zFK^!i}Qu7|cK$;Q5EwG!P$?8tlez(?Q!%|oVLlO?ivicUV`R?>W+p@!S)X@QgB zvQEGO_k{oyQ7ekFOvo4oUYi5Nm_nNO)mq9NZq%U<5EY9<+p9XOqEuwPYfQ|1Z;rZs z{)o!)?_*v*Wwv~J=@`pw0GZO{UCHi$PPYJ%pcsM{Q(VkTtnNT&W|I+O>?@1YzDVx+ z9=zfsafYZW0wVu=K`q^q{Q@OZDbDUyX1i{C@$4xDa)oLP&SqFm{@85*Hr?R`O0qjH zPotNpNC|n%YyUHMBpi}u(d=~JmGim)hgA|sM2`q+1#q29w#WaA>&zy|!2LRbZn4DR z6y*^hF;G=a2u{%@LcTl(4F4z6txuLPKVd8_npR)z%}iu>90vB4WImSgJblsLCxFxb z7>CEo5DGMuzX#fyUvf8JE>y4;LK;zC9Qx;mtc@j!46PE-c3-g+Ff=a9!2QFu_bQ<1RI=bL&Eak0Ag zO+w!Rkx2yYp&L4KqM6OF0CMU}`vSn5^!1Zfr5DB8M=j&3kQ`Z>U-EQpYH-?=|$W=XW{Q&SNlD8zlfz4;l=?N~VyHgl7Gnz3sbDE|6% zU^Eq@PsS!Qx)Y@jk4(3y?ZJsnme6q-g@q)K!0f+&%+JLpd(Jt)(Wk_kxk{!w(rrS+ zh2z{L7ew-R5V?&COZm=Tz)mOmyp@o!kLhjpWf^KRu1=aMLAy>npJ`f~a`4%Cf(rN1 znP_&cia5|%U}qZ>?al=AsQCDsE!Zid`tgiD`p%;=2=G`+LINYZt1XAysp~Y>lsFs* z1vXN4+Qss7A8E10kk?`r3|y^WBA^J`o!7Fh=XzdceSo!S=QisYW~idm8`kdsuEyj; z9^xei#}Mf|y`?3M#Us;o8Y9Lo_TVSsH^#>Kq~aPb%BFPtg|)UADqLER&#wWxY-TbV z7Y0CI_leSu-@dFjfBqW%!V6A)8lDZDZ~SX??-!2d^EHViu#MvL>s>xn(BM&D@H^Z) zs5|sa1u^fN?)$``7e90tuXo3uNs=(lRw~fd#(wWI(|+)If{E1*yI@DtAVl6_#`^{w z5Mbyc*>e(s2uDLXDn(4 z(#W+jGpQtoJmTSi7K*ppZwOvx!Vl%#hvgw#Otlx&);tYMq11Y-rJQiXq6Kg@oTi8t zQVd!Kno<80LwkuA{X*Tn0Ru)q&Qb4;5*@H7!k{xoohFWMEZ_OHT(M=*rlqQ^3$sa9 z(JQKyH^o{5ta74b1)wz>(J%y6;$CE11cMyDu^>3iA;(N&Yzb}?8tyQ>Lsd;h68$wu= z4A~+<@wd{`IS~0Ug2cnIQEv+mR0I-4Zwc>Yu_2O})h~>9T$h{X~egHq{-;fxUwDJ5UvL<1`@#k&A`^h0Yh1mtLm12esiQ43LIMKoz7 znJAVKRqD9xu>3k#i!6`zdm){ELNW({0??qw+B04MG9d5!Fss;D7I#mV_ggLi4>h9+ 
zn8&OIwB?Z1me|VC=n0;77wJ?d!;b^W*w;(b42R4ay125Jx=t@AvG3xhE(qFbCzG$E zP6lpeqR}=|uED5W!QhYpz!eF>&kNu7d=_i*n6)Ge{#fUlsef}2I~N~hR`iPzmz6Ua zHuS9wi!=SrsOdl?K^vGH_8Vo%UqdQ*bmX&@cS#5A34|C#AQjB56j#aydOh;~zShNP zPmaNaGHmx2i6sD{K{6#var)B`M_ZWW^UvZ{I8;4KK7Oq(A;hB}OvMz%?u2C9h;>qF zWA;;VJXgu}55%!!uQj^?`sLFKx2$DNNjW>5UFPrgWmh z`>gN{vdWHDVOX`;*DJ3eDfgB7z;prv>mKaDbf;L+uZ#XWcv@4FuQ4xJCX$?fU9C1& z5SDBU&gX-%j|?K?xOe1J$T$~CENk5?SA(i!oD}G*YhM^W-JmdiHY)X=s#-vw zeGc@OJK#Y#h@@%pSb#*Q(sK1V&_h&Iff$!Jjy#l-Gd@G2!G|8pVCTwJKi87*g;>I+ zIlV#V!GdEm1tAq**r{7!!L&@cxlvLIZxV#<@OP>4=*Er;VvS}1G?TE!U}??>en%EV zfQW!$9IKFu=TS!TUL&`a?jRkj=#d;t`LWRH(mGhWqX?rUj4t1d_5u>aXBPy@!=*KZ z&CIL`zit(wJHN=(T+6QdWQ$>Xl5%5?z4C zDooTK$&ByVY4jX}>Pl+&<6RvY4G*_KZC?d9*-Iqt2JVhvYhE9SN;>Xfo9S%$#3eYR?Llth&6 z6T`Gvjh@@S<34Ik;s!cIeJR8ic){WrM{ffr3bB4f(#ST8lzx_H{npo=$07E_n+Gq; zcE7`&M`JSo-eg}oYiyF|upSN5-7~hw@O2&2VaaQX_1h|zDkkQILYWU)$*tV*G`38h z|J|}mD)1c_NJWd6sHNH>2(gzb`RE&(iSjC>e~dsG8xHF^EyW`ZuYp}X8R6PAvx97h z3dX9_B%Ue4?Q_$Qs(A%f3$e-=j0$pjUouLxi+yDYI|o_wM?W8`PgA-J~A~ubMX7x+20PS=a_#K zmezyR#WY6cYzc&T|FFkBGPVj~s$E@NQRgDu|L~^=qUeYGQyY&}&G;EkS+Iie~ePqD39Ke9MxJ zDKaNPEG_5R`b+r+qw2!s68nYbX2aPDhdP;B6WW-4n*zlE6msU{LB8KFl5g{dEiwAV za>udW@&2{$ej72(ZT0J0d@dG_L-&e~2D7}WiB8wPWr7!F2Tp$}optxTDvzFr<#93{~JeS!MjQ~1=3#oeThttW;yLX? 
z44)vUumQ^EG+`WP4~hxJ4Td~1k;_9N$Tv2t1BfY_9}FOxcQgr>U{UHWNwdg?3YYv%F-`CJBQYg|k0TfpKn(Z{;KwH%XwqoBf}<8RMB z{x0XG^r>~UP}^pJWw4B-5lP42^p@d`1O^{HjtU2bxi+2!8_qv4*&|y;&`6oTHzVgT zE-e0gyuu46a|9@#7~Hx^hGCEKQYt+N1ihpY=qBc>hnxqHQWkTKAK92Pn2@RP5M%`W zL|J|E_ZnU2Y3TPk>7a^7`if}X5v1fzMAk=Btlcl8-FDYNFtxVFR%M{>X!%qpf8H+( zo-tugU2@{Kj1DtK3$V{C&Es#h=D!-@I4p~`3G#-M2UFv2u4bjDrl%A4Dt)yI-VU9l zB_hxAC{lE1sNj4(7AQ5qore0Bq*n8{Oj-gddAN^7M~D1d3=dR0y_-#U6vW>ILOP1j z@j_{Q5$bk{pQ(x@PA65gB4{F{BD`a4;-aeJ6f`1^{yi}>4}JVhwgIc@1cIwk)s5cS zkl5kRO5)30L@f)Nk87;P*vln%DHNwwg7&Voy0f(WeR3!(yhjoVeTs=wGQXy>`2G^a zF#k>Kj7Q)y6?40iLTyY*#S}xjj@%%nmUj*x=Vw;j zv)%ot6N12IukLiA_RiIIaI7TZm}BZj9fcl)?~#7K3tJ((94Bi+7-}Ckd3I#<3x(Q` ze2}tQ<;Cm3YGG<+-8UQ#qr>zpg`(cpmATJ?u>-fU>@b2wMexZ!VDKedVzK6|xR2yf z`KL3_GpvSDbI=icd?g`EaT555PeZsPZIkxUr4JYUGe06gh{e-9p}Bfg+D#GqBz5i0 zM7J576N7#?a>)j6aKk#e$tv=WdeBU}S`;m{8Y9T&R z+rW;nOVLYUfASAZ)dYvvPnJT}+6hvA*v(C^BqIS{mIP!3i7YR@@qI`1sDO~+3~?^o z%R-zOx;JT90Bnv_stpjo0X6}!0F7r#54-&uuh!G)x;?yryh`GxUts8QZt&*P;cphe zWY8Z0w!vgS{22t~G6p0Shl^5B4xE`*_jc&`xa#rUfUt^*(iYGqDuUB4AW&nI{Npxa zb#H-A@!VBFD%ztGBh;kX1GmUr8pHg;K;$k001gKG9^^rLp)zhOx(G zTUj^C(JbeOoL|bPA_wgp9mds;=gZyXAy8SqmX%k42?S_i4ft0%IUG695gg82$WX65biG);p)--=0#QjTpco_lBMG}a|$aQP`t0->_<SBSdaL_hU-*i5o~ubnW1zVMdn0EpfR9sZgc>T^Do z>|0r|sd}88{3v-nu%ck^-DCUvbJ1m2OFFAXLdhG4Y{Su~pM0aH9%bvR5j|Rb6ULAL z$-bO_<061k)`=c_k{;vJM^#9^Bf&h2?Bn zVM(jL}6|D+x>8BWm zW{l(J^>@jW6}@Sc4{*R`k^~sX$m!mcd?ISZw{*3K7fYpq6a*pjiPKz5d?9@$xh!1& zucit8UBdpv&59v$L!PP0gm1>=pDA;^ zuhrty^Z&!yTZToshV8#14I&{a4N}q|U4nohf+C7T!yus2-Q7|Kok|(x(49j!NJ+Oy z4&aaj`+i*Sd+h)Iw2!@yV|`eQrOeFpJagaIeO>4IJL8V@!Kx45h#us0)_pfqzwxWX zJFU^hr+5BJ3gM_&qiZy@eY*0@?Z}PCyV9hXW2s~zOYz2}#BjXDz-Q}M3n1KV9F%THEZ=%EHA zlN_6ct$%N2(Or%vOm0e~uej1OFqkU0LSC2)@1S)Cv4QQ%%XQsZlHOdKiR;b z!$F&KGJG2Rzza-`VIN_^B++L3@8$uo*vHeFS)5fY5*8Md+h*sXu&v)BdL{(EBC9 z4Ln*#-FVzuONEP+`C?lS=H}BJ{G`5qPfP5suhr-BhFKSQ(Uo-2V?d-Mee)|b&YK<< zS$ioViziHx7Lx!@5--PSoX!8_(X@(pzKwiNQkeUnw!-7Lb_850p31iRc!F?0%U3@` 
zmy&pjiT#HNm89h!efO0RM+{7AczXF<`wa6a$f!-5UU?XD!C;|VuYdV7l=nC53yA;oVYqpKyDR?dP@_{w!joDrTsm$z=wDCx*%@Z6hjN*mY@o@)NnBsre_bp;VrK zTS2CIx|F2PGQ>v-wSRlLQN8Kwps|nd!IK@`JLj;`Q!#I=r*PXgPj-{(i(8{Bux{%R z+bIdp6IZ8S1JSaXbsD|5#~*)XUig04cAnyX6tqwA_relAX=Ml}^-q|$%NiIc{=PPH z^E4wlVL{JK;qj`uEo8+QGUZFuWEbJaLL34(mSiMXG*F52jrL+D_MMsUw6>{*#>1)PB zW^y!s7ADir#8*xlQKD2=?b2~(+teH>>YE^2D(inccC8Q{iJ^)uQX(6L*(@;IxaoDd zTrL*B54UO(^DcbJ-G8jLw{bF|SYb6P!@)2~>YsXybJTaIe6OrZ|C(#-M49BDbRLGI{z>S_Q)_MD5qp$165KDB)cD(h@P&Y#HR?z1gp?kVqYaXo)yShB| zLh=&76J5^nBy((w8%J5Xj%PLt8T{=T4t0y?bR^bDf_vI&X!y#=jW5iK=L{scz(9ug zMStPQt`vH8vbL&^(=vRr8*wPT`iq`xeTt5?(OslV@jRUFP{(a4Q$DS$+MHrb=ni2Q z&HN{`@un50?cE2XVF6>mR(}=Yuff7wYbTCMU8Iv-`zz1?tWCYhaNb#4ak9ZUXbDMI z*d&`X-{=uDw)(nP#$6IHez6g`&h~dV*m-+i&}rvGyK~{A(<3M3P9^ikFY6_S3Z{q| zz1aG%m8VjZOwxQ7T=+|v`8QJXHy`Y=gelObPnj)Ax);FFPlpV>(NhdGo#1(~uKbZo zLU>+RaSgZj9lR4@?;6N8bg?8Jx?pn|kA$o7 zOZY~@S>G`cnDP}5pR~l!>2s}BDm^x^eeaYM?0l>?ol>7S%XZr+m(2!9R(ccY6K%;x zgGu`GZTc79R0r_$@_V79@EtWso~JxEz%Kln(3e-Jq+TA=m(u9B{BhwH<;9BMqj1}= z;SKM_Q6~$XN1xxS7>bFAVjaZ1aI=H?V@7Kta_1U<6ea1genK~t4sg<85z~j6v+i89 z-4GtCOV6>v3kzy}k#S2Q_8F_f2rh|496{G0x~0~DZ1n!oGy3Dxy)Qxt3op9FgIIS3A>V{6yiHLJpI7j-1>dV*VRMZ@N7+`K z`6|`gYCF|@#wJ;SlBG%FW;XMJ&F|xf%Q1;7i1PHqP))NameIZ6c5d^TJZVDg>3a^v z)eGDfIqjFQH~?-TKdkw&R5jscDt%L7lTMM_o@q4F&L%zUV%b+ScM6DdJOw$AB$u>4 z@TJ=abFEF?{6ec7c^}eqz%6)g;p~ymGZuXwCPvGO_o+%R?o#T$^e@msK_!+NNPkxQWw@Z_B=B4H|N+!4P z)IGA2`D3Pi=?Yt*5j(+niE7HZ@E%NRjjaLxJ>I|^6|TB1F2^?)K&t4wKm)TMU?TS9 zH)z{#aj?1P(@yG3$=N@y)K!br)hbb*@3yVf4QfEU>0JVkmgZTqrrAQxd= zN6xyn>=ZpZ%wZ;E2PJt)=GOG#Zd&$3p`e&X&=F*u@VkT=vd&&n)= zhw|B@iF76GLa+Bo36%A4g$6jJHojzOQ;D%_U)LKrxK#w}si0TMoKe=&;&ur+XS;>= zJpEr=Hr4<98v!B+@Le*+tP@=~M>~vtP%737O^uq#LagQg3yahILbw9Pd%u7((iRNV zD}Yb96DV<+>;L>HC^_=IO~0&;^4096%2q!`P7 zTA9t9kMcNNVvzxkB&<`jtI!TGQ@2>~ zzw)&dkh=n|O^fx!0U+Cbd$?hhY6n_};IPWp^@w-{m^%BI{7%gN1JOi54l{k=Z!UD% z405#(OlE>CtO#-TAS~7kFzKBJ0FyU@4f{bdj|JlZFX(4yEMr=VfhSq(KjzHfHW0TzJxdZFV0GV}sD@rSOZNgsffndbSL4hLkIzZ2mO 
zfTo}iq;0c}*lNLR&KrZ3koj|^^r?jX{45w)uW!LO2RW*)qioK%GlM0}9;?zUs9_*`8-Za`Xp{;H|A zc9=zE*MSdsRqt6~*DwX190#n}D12S`?EPO=wp-WJebc@Ee22XM^$`PMewpP)lHK@i zv=Rh-KU*#xQ&@^oA-L`B;w}Tq4aWn_Cf}sX-GjZU!&oKDHzHJTc zmIuCZw8CvGWIbRwL^r}nC+YB+*u^Iw!PE>4r%|U2E0zf0#G3*3qs<9arkwXLptJg< zclY0yTvsd2t4<~hR?T=4O+q!HaSa}`VsgeUU1iLfQ@4GaE8iZC^98c~@y#3h?%!i4x zyzamUGs_Wj4?#N#CdtPbunL_x{r716;i+K#g8JYKI3$L&x?rkH-?~H*xTRz>TUECx z>C>>qqFTN*l}+DScK`RXbHkl4q?-HoIQ6@j zMb7@;?Tg4e%(_7s!_sL*v*pJL;cJ#eRS& zA)-~yXqo_Rg@_mbrk4Fccxw;LqyznVbn-qmjp$$2DYZdB;;}FVNJ&X42BNgW@Q@cj zp1(;T@KPOZSW7hc$H`D$Vl(4YW<3NBZCJA(M#T9ISrk~Vdi$vu!bk;y{oB%R^B!0z zfEX+*<=o!v_um-tU)>MM&Ln1CCymg+?qRh~Z3QGS)kIWxUqKMbh&C0V7*oo3*&LN` zcqM*Arbj5g)U@?_mg#7&y0|ymhSW;b_0MznhxcFQ18|2;Dzwyty(g?`yeiuc&p&=YimvOh_v?MRoV3O2T zcIpcsGjcka7MReBd{i-0o!dFJhawD2GwW` zzdBN+SkBOEGtUiptyT#gMwdK#x`29O)sfz&G!U|ywYQ*}z_&C-3OuZE$A31R)#?Mw z;A@ORrU5{X7J$qCQ!-mUf2eZu$6sLllf%?;w3 z1BQfQ0NYX3oSOjzW7`4d9&|+{pll?EgZe>B24HUGVr=%YEfwsWF;!n9?eAsNlQj{{ zfC^!}V+(B4Yf2DG&Mw39s!+zFmlF7KKVg76$&X?66fl&!`$UUbwz-s2>FsL1gr@;k zNFqFB3$O)#pJxl*uY)LxjesL^wV~SP*^#geVMPCJZrBV>R~rwBY^yIO6+j!Zp6 z=5ccC8+SwipM+)+>dbxw?WOGZU*0M-3t7tRp00!ijEm{ZOU!$iLyS%0TByK)AY5_b z|5iy68vv4;kJtlyl6wJP%uMz<_H`-!m*m9}?EvF2t%%RKdReFOmVoAvy!CB;4`-T3 zvP(IC<0`T6?ba993nb1rhra|HRI$T;AYON^80oWq0kkwX(CoEbr&h!=dt*mQumw~Q zox}u`cdsRp5@Er5z@;#E-I^G1-l_p>`Wz7nFbcTzNfrzI-*3NF>0O?98c^wP=sjX> zhAC67Bt<7j2hkBcL`9iGi=SaXoO}+f4Zd`3?|II|*xx(GwRp_{oXOVM*ErYhsga~L zE*a(%>6JZV;Q<0R>6sF`{S6hCPvP4x`@*rF>mFtGc2Ry40m&vG!I>==aR*j)b$RY> z-uVwd)6JC#xybZDd4YjRQO|01GdF{>uMr|y3H*T8tvsLTr!ibkXaPlDn4Zf@zycV$L?U8i9R&#?$gezq~UKE^(6e6L*Zl`Xmc=tBIe|WD( zDinT+czY44$J}g!MgVe3Z5p7rM6h+@Rvbu+`gWZg5~KtblBafs?yjbr4!Q;7!K zLtP#*FImy_X3}$l4|p1u+vUg2AwH|s-Nl-V-qBI2F4OP10gDqMt9zy)>~-{d&zNwb zRr0Cg5i9bFv{~hcGBMGECe_!PTJ9R;J`!(ywW2P92%>;Bp^aXSin;>*^+)o={ZOuk`o!lJiVt$LOz5GtH32B*|kk}4};CqB)g!dE9(x~LvrkoHY}NZTKdrnRQ_0iS4|hL0qJYyg(rLnC)!9bGVE#o`n)KAInaiaFg)=>w`3s@?Bhvbe=ATlz7v&Efcj_ga8 zThrM6A(?wZ>oYMNQn5%v$i!@5dD>Jq2;9^udSwJ&1!i=r-!Dw(d_j?dk&yvVrMMg{ 
zd&4S+8MHBt9cF6{yVl>DH)XTQ67osc#BnsUEW&JtdWET)`|h?polF6}l}FLt{c%tceh z>M~;7rY7>ubgVZnhomWz59iHxb;88oBcl6PB@xy*yhW>sU#NgmTTo-lT}8ih1 zKA%xjj0HKf9TNcS2$z$ew)Hb@AMvHRh%==oVK ztGJ#P7RYq1o3!h398SDsxyBq+-)M*HTUKB#2>X$LK&+>TtGjdoQ6)`nY=n^zMQ6gt zV%pQNv6-6-Q`=~b8gtXxwwjPYUT6A71F(+cbg4Q{qf~W{$8Mv@w`p5B zuIo9TPvC?jo+quka@}rf!S8$klgUH%>=E)nV_f`v?Mqv4U+_a7d%b;@gU{M*%8P8h zp1(^U9kx7d<~ax;$k*Vl`+2>t>m9cIQzFYb55D_i#9fd53tiSa9)ypljiOcQZC4X5 zweKzYbyTOf(cseaVWxu(FJ3Gu+q_GKAegLilDGBs8*i8%W>IQ{ z?};80Kd98%>hWcGm~-c*_1%TB$Xi@q?y)W_-4gqtmOjq(p;cviK-)&cYZu}o96v(B zIb&6gwLG6ouhDcqY3Qt(nRtJd&CWde%RYG_ZN8c}V2bbVwxAo@J?#(Xia}v!Od@_g z#cx^odYON;_iyTGLs%R6k&8u7brx1cfWAwtnXTOlf)jK+Xummqj;HKFe_!K-yiB6b zxWQ>*A1N76>;ZV$jz`7jAu<08zUgMN_SqJcMK5*-cKE*X(RJ)w4m#Kp_n2XJ@L4*C zo@-~SYi2FK(nvO6oole`zCp!yb7(RFIdh-5l7#NaQ?@)5sopWKiOuEHE3~i8>mc_25bTlg>ENz`P9#sM zko?uf;i3F$!FBnQpG{OaH*Vn~;!#b8pS&nq-#>e57X7<@z`-cwy7Um%o=Q{74JPDq zwAFH9`CxB>t;Ktm-CIO1HLRvKE!k0}d5Kgx2HWn8LQZB+*@~3aRZ|g;_a@r?lkU>;jmt8~zV>EYDXmvuYl+*%9ll zmY=bi^qIt2nq?o8F~hvF7g>?dVkMVW1|Gyx#Wk?&vlygDWk0OA@8JKeX35ypMd~eo z>GS=M19;>ZAkyvo9sXx=yOMmw+8)MgqI z8|J_RGmf7WzUwFvF;;j>CwX;hUGy4@c}C-DXyIakvcl~Kk-KKLJuisEFE^g(R~poGfO3zFbd*?o{-U$;~K zeOjeR9OW`=OsUvL%uUE#cV{+T-6P=B(?=SeF}E{i$1R?VIO%)1mau%GOb80MYc3 zMf@Yn51-3q^H_C&yIwXUVD|BMV~r?$b@Y3LDGWG!@8B~y1cWz(BlaDiRXGNKVBzh# z({LomfHbF&m%J1pP-+L>6js9Q?rLx{4eJU`@~2R)3U9~1L#V_{2ydwl-$y+Hbnc}t zMxrDp8baLeT#yCOv)CH!3lJLB#|z-NFGU!tPio@WLFL(X35wSf1U`8xbXfLugxKWa z!4U^05gTFzHFtbMWM!=<3LzDdTAka@pTiFEgKM;aO?-6;YW4W9)RN#P+##?hb!K9rgnwi~ zWAql80$Aiff>;%A$q3`C(Cu@)pa4xJ*1q;HiwPl0+7!wj&x#GD;)p|IazPja)6Hy7 zK}@n$Q%;&)-FIgEV}G)zOw2@9m%eN14hz?Z@FrvI*Xp{#xo7#vMOQ(tQ2 zCVU86w`c0^?NVb^YoJc2`lgiIMHS}NDINHiJc)x(ALf-qb^TjUOKM;!B`?j31adz8 zk-MQ(f_3C78tgBcM-IXgVr|XcLw>$9#k6NcVmiz}=Sfb87P>v(Sg8+pkd_docp|xpc;+ehjeLfWO%aewTkVyi!}A-HMBo zj1^=u57EEPx5^+$Eng@Fb8wLOtV*y&=@$s2OL0hQyAldg5z&`LaCg3aG3e;h1E(KU z43R}zw|jo!BZ18*t;v6FQd$8vzCW3Z7vmf-o_HI#Six@;w%6|7bvRVXzIT)x zoDhd5Tm4{v{i$=vCdi&?v^hEqb;+V`m}79?s!An2$2@c=SYPpN5qmfBXjdVV 
zCq>6_if^mrCSUp7F@aA*-%uo{o!(Lj^5;LeGTW3$38>T=7yvO-Lu!2u-7VMzHz%Ku- zsdGH&kF;?=`44LHYtL~H9An2_TcVh>36E%l`^L&xnj5ysTTf!x>^ve@Z^Lw@KG;XQZ8&Za^!({CxC+_$WMgbX6;`rvzc*p9;X zjOj|_A7+a%LSFMrn0~)UupD#PcDYZ!G0$?d1`Ix>+_fE?<+#a|kI5GGoqbm-JH z&F2Gl$bLppA+du}mFOq4jIqcB4E?Lx8-vdibTQ9e*`JcNP2);+`iJ(le(g0A47662)GcXSQQr|O)fCPB^G4Ds7rJqM?Rc^W zn6{4>9e58S2nthSKgq;Tp0P2ZQXcpy7x11Um15RHW!ZexxZa5)?s!3 zW(Cv8Q4pjS=XGdmXXC_CN&t6>>PeE4}t!M_7jMl?AN25c$L z@AF$-rThE5Lk)CLge|TaI%RA=qhMudwMs#gr}Lr*EKu^%9cLB>X!o%X}0Rtq#I*z8P*#7~?`Y3IV33Va;_9I>*WEM@&s#&|@}VQZ2S z49xOv2n=DOb0$Y-wMQeHEX`{8MwI#DEMlmJ^sNBdS#IPw-Ij3ZH6p`Vf7o45c}bd+ zVROb+*{9rVvxkPxep2qUV=zIUfVJat>VojswN!BR+%{r@W(9vNVHDi>|0LScxQYX7 z0wEbG?8c#iAUj_iiEtq4-HE2(mRJN&s~*Z)1>avj9dP6C4%<0+*(XSP5WL1q6m{`l z0q1Ho7N2ahL1$T-KoChap@}4=9^z>AQ&;fMOmbm39ik`07iMZzGCs_zCh%M}{G>1u zbKb(HmeV$+CZwQI&!iE&!iKTP5QR_;Tg9eWzaZ1Nb830+VQ-NI#5 zC{xc%?UZnEBQ!`z% z|9A=ntWa!D;q~7<0b$~xvk?Mw{?E_IdvX!{2>iF&;ooE=P}IVzmm&vX4QX2zBJP3H zEvQYu?4*tb=YBu+;{z@v(LaakwGBVKAD`JzCB3K{>4hHAV2)zJ2n3`FXvN{H!m^hN zfVgSLa83$AuG2puXp5eCRsQ7@Pl|1r34u&`1K@YYdcL{@1|AxS*|6MKG(IhNvvbF#<%hzVA z>gK~(Vapa$?9pZ~Ebs7xOE|N6QZOx6IXb$sH4^E{oH>O|iTuluV!aSY+*V`PTZbDc z>!1YhvaxczUm4F>-dM6bOmdVZ$``Q}KVI^oj8|HC)CxZ7+EZz5owvPM)W5s?!8$KU zNPyZ+)U|3lr;%dD^HaQ0sa3DQg~LeqXC*#Da5HtWZd~;VA#Ml~r`cAehyhnTF4W}O zeLyO@>I76CKD0m_#_O%H9Bs-4t{1O5yh_OYn!wA^?XQuRCC5)}jutGNwX~*f=P1&I z#%xaFk-hOkyyQ4`@7tT?SHo;2?wVI^aaz9M#UsB(jo3ZeT&G?Y5AN^8Uy5FEV$iTS zkLhIL?0QfdwHo^ylrNwNz-^)8-M)2R;n02`y>#HEX zrn_9C$}um~(Yf}_%_AmWZc21Ve`NL0kfyO-w+HbgoJ0K8Gu0(LvRY9QzqXLC{o*rj z?F{G6UcEq;wjK2$vJqomZ1B-)K*J#ZD%}pPI1hgcOS(CZox_4RCqUSfuu#5Zd z?aH>_enIz&qxZ$Z?sJWJ?j;@6atA*bS64gj_hgr^&|iTUy*lr;+|l}!0HaJ-y44Bj zk!4^)+jUcFm8`&^y7+1rAiGoY{{8xbESpJj*2HiKItqS()bI2E^9b++O{N6ux8a8y zLqj0WDt`OVWQjeHobWr`zVXokbX)&7T@mI;^nw=5eCNVzH9sOj+RD1W7z``B4hTCY zKva)Cf)s{$(=lX!M?zw9rPL`0of1wbYI)*UuHrf?uxxPhh0B@90#;pPv zCWZk*h;=XQ4>aKfGiT}YibWQuKtEGD0<3>gL136wsFfit4o*&KQqK81%~zLhU^+St znDu*X?%;G$4o23eO`G&pP%I%xrC7+^xz@Y^4Z*8t05|8V5)l2sODYxmQl<*2x&Q=4 
zIg@J5sL8(>?IG`V_CP2sZvu+90Ga@~T_7=WJbnj&(eq7Lm)`Y2JLEeYl4R`Fla#=x zHwsSTWRH~SOAY@r0yGo>f&c9FXl`T|Wb^_Ng0I_XSyQuO zB<3Y=-IWA0yR`aOkbVampr5|4i?G8}X}O{uiOF*Zgs?#yv!)wS;05h>ZvF&uI%f?2 zf#ltvfqcs8>wnkH6MO^#zHEj4cpjZu3Rw_j;U0IN;R^I#1w15XY(%Z6%koN&!OVRM zXbg6MtjzIh8K4S=R~&0u{B~z+p&59b`3#t=&$NTHWF-*3%>5TSsZ>Z|#z5bOp)cJ9 zmtyE#DZiTVOf_G40SrdoLhDEZ2r>hYk{uLEu>bq`Gnug~ukd5Vp=y!X_=o&v>s5iC(W{cofz&J3pW4~{{jL60#IruG>16Oe! z{3m5Y2<&H(5*kse2pdAZ43hszwd>CBKBX;rl+7FV-$gjp`wF(If6tM|10aouF7*F1 zrB0V8lD}WmX1;Ad?T)-4^uMzsq1`Pai;L6EXA6n;7elnqtJyRsQPlr#N2+S|6+*du z5p1E*p9)}Nr>F-i_oTf~<_kt2%}tDx&3y&?5ONZl)2ED1J4xy(RM02Ue)VtCo>JYi z9lHxO`LBB2iqof(*lB8?7$WR@i;EM=w(7h8ee<~Af(2T;+vS8~5H_*K6c$aWQbXgHK=g}xl(Oy#>1uN#&I45~&Fz}%{^F8^ zGHdIvHot7j6~2}<3>#*wh7~r6ep@`nn5q?5p0P@ZCgGXQzWtX)_&>k)aU}c=Ilfpy z?)DO*wgrK=NsEZo2zD{P* zOth}yNSa9aeLT5bAh~{4#5^`r#Z<#B_}!twq7BuKF}X9bYgL|d*l)L)I@Q5yqM%9O zsK9|9?>>_LWcdr;1wD3rq+m}cO4$(?+LGfGEvF3A6hHTUYiUXM_{Or`nPGXxT`RV- zWTE!$GmMT~k33KPR(XYMrPg1Tr*WFo3(gehp3lho{SWCw_O*Eo-lt8`DBgp+s=N|c z;3U}IkJ9M62#u6G2SR)Y!(OcgF+^IufL+m!JR8DRTy46KE4R>_Y-ZIT6akm130m|^ z(J*@^bmI$-^6;kqN>;NgX3~L5ng^*e&u^X+s0-ZCxl$N~C(LibPs(Cz-C8qw7W{X9 zSZ?gtO*n9si@F;$Jk>^2g!*t+8K1~mY#h10+({~Xsnm2EKd@obi^sd_iS(YJPnI>l zu7Qs?_}={UMQL|4AZ%j?Qj^N4F^M)s=^`=+i6?^yf#$rz&7{7n*NHcta8u7*;4oT` zPZ0M7)AAe0+UDiQt(xid^LIAmElHbs=@&9-v-969D6tn8jo4PaMRDvL*4|b|l-GY2 ztzn}NbF(H(+Pm>+x{6+aB7U{hNw2(7TytoT-0vzmGgg6@-EcE?H-vF?>CE8k?8h0w zh2La)d3HUDt@PZ8(W$alWB=5!fqGvgA_`UtWvqX-_Wrgo&-r2!a*hD+)$M8DOKtQ=`JTF)0XAI*Z56DEW`?u<$OGTah-i^9Gy{h@V;MoJ@IXb z$T9=55R1Nf>Zb>(5ym*~E+|@gvBtx6vN)O0@OETVU#PP%N4YId)++aB_F6NObmD`9 z%S9Kjghy#|e#*Vx*F5*V#<;Tchhwm{QE`LtXd9@?XBgZ@%%t%+)LZ znjvLAj&R)!ClCF-*6oz{x-(h9?{Dx9q&9air0lQiSswo!KtSd>XI~2MM*rdjo=kLT zrUbG+Yt!Kq1jf5wNub)*I{a%pDkoUd6SE<)KPxl(V zX&-eE*s>vMA}!yA$wqm~TWrK=o3-fv5h=wfPF?D*)%)nnz$5bJdt}ilb z67MNqPd*N_9C~7S(djEnY9VrteUTgG{p-!h6XSIOH3@V9S*%oo`W4ch!kU?gak>lW zT;X%MjvI6n-+EbiwTnL{@aS|t`akPIFo8c*=cHoQmHJj*p)^zXak{VT>o$^cpe{y@ zcnnwZ=Lk?yn`z${B=iZ?@ywHKCHUu^&5QB}Yc6}_N1P~A 
z%v$sHM^qBl(?VUnNxjOHX0fy47Fk(Y=JW{(cOf;*GAK_jfS`ODlxS8EO`8$q4v0g7 zQVLd_#RuM~c^>=6Ztii0^{Y9CX{jYxsZfESD_DT+Isu})Y6wr{D+VfInd1dXFy^o+ zC`w##9|dI;6yCYJCk)EVf~Q}C&I1a$iK+Qcns*W@tM5tDteQl;=oxONNRyUf>=fw} z8imRZZrMv`<`n=|ZwF=ELr5@e^iS(74^VmiqZZE77D>}!{%8XPT(t%n{-D+0|B))^ z?f8$BVYatFzb&=-d){D{pZxOOxF#~fkfYOnIq~B^QZw%W!>zT9&sY{v zC4v-4CeKy!b0Clf!G(vAP#ltvI`^%Evb|!uTy!F=rF=-lj|z-~cfiydHiI5-7IreD8Da^z%z7?vJrbHfo@ z&<90>xz4H_U^gsr;@v|K~; zK#2JG@$Cta0N^?wd=7F$&w`IZl)%})6!Cs&Fa$X}E)1BK&Y|BZ@PhWxHuK(_XO?!; z(V*|~Z#GBDDE+gzcKtTJD5o4HPd4S&BKWOVkUF%BKMJVE^nmh3)R~u5AIDdR><|*)5qJXPDNkf+ZXM%>EJK`PM_jC|)mrDVj0$-mQF2=frKx+W@_XK) zorK8`MBExO9B)sH?yM-9nmx-JD*v(sWeZv$d%#pu?r=1yfrx#cNoDQyD$0p5LC~-w^pGC zPR$v}veM8X|Mb*n6?pe6 z0N<;n9Xe@&=b$!^mTVE+qbw+F`(MD^ByUA1(CXF8-h?9j;>@AL&d|!R1Q!NFd%J=-f!$+_!_(d$aa}JpZP+e6_9BH#GLhM z5`xRxY~T*%)?UBew+lqBs}gd>4DtGq@ZG=V+x(I$1Bhw=8hPbHIbt)^K3wre2a?5X z2N4VGhpzz;T&a=!+&HrhbehO*C3A%o&WePk`*vkLoB~e5LS{b823PH*3af;$rfP!w zZ@--G>S#ng;ePW}Blf4fFaM_S;Z|DU_-^`30{IP#6T1 zBHNdvi$Ck8x}2;Z1EZ03M~`6GeegXBk8(Sx0ioBmEh_zN`8m7ST!z7Fx08ye9c_0% zish~Fg*MqYpyXzjP@;331(InfbB1-hlO7!*_+_^W3{%DE6Cl<$Pr zIal&ugZPRecCy;x8pfv4Ce4#8$AF~#Kf4fz}`?ZZ6=GruCyK(~Fa*%4C( zl(oOWcYRZ06NJm}*s-kjB@GqY?%D;?mX*gftRpstHRZVIY@c@R(%y%Y*b&@bUy&@6V-|62E^OVw!~i+ zU=C-iaQ2(M`lr%QY}$GFj^Oew)@bVc(bvPoaKu1j8+)KVQ04CJnZ*XDTHhm;@B3+L zj%@$zw%>|hFY_BZC~sYVgJ=NfZ}}(EHTF(7XfH~I#;A$PW*(?$wt5j9f*UqV;>5r# z4Q0@zh^d&B0_o5g24K6FZ|(+=t>^cmed!6s|6u}m?E-tnDu?(ZJJ=5_ zYo{aaY!@+*JOl~9W0)1@L+!T3V{Nl5YafK)6gO+b5%he<-*zTja}W&T6_&krL3L}a`@KD%Zl zAUtT4df6FxqTF5*GQ9^Dg7y^$Ur8Xk^f6*0@(Jcy)6T=Haldx`_EN8W_8tXC1K7a2 z=qDVpRj(KyxxqdL;wR9PGiOgdOQ5H0wtNI4DW||kF@Ln8Ca^KM-vR2*f(lEf^`^S@7Vi_>Fb%+QjHZqo!GrEm&|e#b}q_jngiX zj5w&sXOrJFi+Zin1-U+s;}Yns#WoiydYgoY&33{dep-wR@Rb$O@9(RtJ{dOR_v^Ju zv%RBCYo5@__(>Li+F|=CQYc%ZE{E+;B=#WT*25$suU%;r@|Ilm=eP|W%A291al&kr zSuBN}1TUebBI1H&wKM=^7+!A^sgqCoREd-~70>mvANKpX_LZ_-1s%2vwB#A3$0Wg(_hr&!tQ&u3;eQS}3 zytTW#N$B23{FV(mc9vmY{L{c~pZ84X1M<44t3owE(0vu~pVf@@-Sw-}Ys}Dw0lHmp 
zAmRo17Xor{^!fKQHqicre!%+wCG-~Y>%=>DdQOg_9=(DTz;Gjk{nP&5PMGTR{nUTE zAl6NR3v@E57KRj@2U5|G?I*Xlkey+&CEQPZ>8sAUMA_f*{jb~jaYn`zkFE1gK1K(9 zG{WP(I2)}L+m|(S&LGDL7Ck=QVDP?lv8q)=4 zbNmyc-a8>=G^5rEk_cQy!3BEc(G1sDpYz}!dDR%ZXuY8imbPt(|2k~o;nF207}p*f zeTJTp=Balmi6^1WfUGg{MxHG zk4A~pq&tGMQy3>2We65Das^XjiLMdU_UJH6O| zA>TtYV|g1BX&ZNq>RFZsj>dN)b<)sR1jcXplGozc!jO)QK;4Il+A^E8KoPszu-+k# zfrf`TIJwcOIi7fP#Z8Ep2I+*eu+URJw&Zw~JNCb}pFI7h~CS3AW_ z<)hfSBXxL5R2CYwo9jx%{SyKVhMfpg-*^yDGGb?I|A1n0OcXk65`{|rV}4xa3(783>0Wi8Fr zbBKE@{)#(3hy!vu0cISRqS9sp165*yV(Jpidt*`>A{^1g^;-+-+wUN@j;XG*PC5VG zWTOi+IGF#f>P7R0`Bo4et}-9TtyD=A)K}uR(jSb-Ic|w8V-i_bpV)nx0x%nT(B!!C z6&J0?e2!;4`Lo=``tIg;U`OU6rV*%+97vNGq8`k6vx7%djaONq_xD|j*#ESM+h6~` z#b1MA@xO&G;{F%nmD9tG8DRLZ*_|!4%=x$2DN#BSY0^GP6CVKif<%zz`{EdsdZoZC z0G(Szt^fUH0&N$)H_R(gWVHOn{)2N+YwQ3wcqQQWOP3@0a&3WoxNZ(~xgm3q6+B6E zV=!ax&tqe3i7JQw5uWbtQp z;IN7SwDY^Sc>gWJ$R8GYp{V>cySG5Nz)O4HSEv zEF5_74r;(_OoMl43#KNeL)d*FF#Hv$b1R0RxGs5raOgX~0CPw?;0oT~2kDPRphRJ6 z0_FWS5G+=qR=Uo8wkC>pfK{d%giY4d#+hRN+ZeVW%eBOmDKdlnmj)A0{$Isic|4SD+b*Rn2_=-07E;+lmTZr$q7cfy4ra2Ol%*^sOO~iC5mB^0 z)=9<~jABsPS}}%%kjErjmMneeHRJug&+qqr|Gdv1@7JHrn7QY^uj{;y^E{99I3na= zQhv0nEZ_E?Z1uERVB;U-6vz}TK(rhAqbQ?YOvxT4c9U3bWijdQ)`fdn<@38@X2%K#7b`6mSH~7i4$BFe8kO7SjNVGAtaZ zGCteU@Ofwt(3Hpaor7eylY}4e0)LwlB$57MFVEUT7M^+&TX9)8ai5M_?YRZxaUQTx zN`2|omjZ>lm`@nf;|x!!IYXfk#=*em#p)bn$DYuGs%#4f5Q@gWF9rpBAsjlDIC`<8)+NXr?W!L2j~`x5Js&XZr}+7*f2(SvbcLSVRDW{kNLsN_1369B>|4M^b`9baU?$wq+WL5)+j{|!Qfi8 zCFie06cDwR_ms&2A1CF_h6}$i+DA9=LS^H?nLk}oec?N4AaP9VWLISVnf##$L9HPW z%BCSt47x829cHid+2RNJ=p_gIClv&-ilFJ}V-WrR;R*T^)4Z=onec_M@!9(&VVpwn zq${#MtHy5^#6-$p?`vPnM@5MSnl+tyv4+YtB zdX`4GvW?>e;tPYDXu=A@eIP58f+FKTfkwL`IsPHWY7%JJVu)p9UX@P4pwt;*OG&qY zMjW;y(4e5l#6ZG=723*@A94-cs&A%bk`Y;6QBp$oj!8_b%TGoS)u-3utMKEt{u#X%|_~@?$#!j0+b0Vp(I| zrqlZcoYjLcm=;P)*)X&;mVTNAjHm6d9J!oQ?eCFzVJr6cn`85!)+Tbe(20IwQJf$f z*4A9GYH3++RPl7JJ@ZlpBIL5m-!l3fVyiEhC8kQI#Ws)E|6n%7E+(Axntp!Lb#=N@ zBctNSrc0N;yw@L{+lmF{x6!^m#KZKOJD?)=!@R}kd-mrd?3U8H@(E^g8EMsM?e4tT 
zcpfx#9!aIX(Q}JO>cmZ@fMd-@p~x}l)Vb!QEKOQ=`Kq2XNum}pQaVSq*1qgf zBkWvOM8YOHpsqFQS_;B&O8ZKeGqvvcCh0@-BvwPTJ?0q2u%OMV^pOS}RP_Y|r;>=v zy9%L8)v@G%6x$;I#brFEYJCDCq<(i#_(|2Fy~Cu9?q%%D|VD_>o?TeM%RMktCjH zOOgStE+*q{hbAF>$i_+w`bZoL8zz)PZV}~~fd5)qGF+rvTxO`6g!ED6;>gSM&iXo!j#$B*M~zr+xw6P+y&1Ku z&Dlo|xUFZupP;44c0|p$xmZX~O>me)v-R50v}shYFp6EksQ_W7gpuL7nX6_2FV|Pd zh>iM`kt8VtrPP_?JI_3}DDXGke?45Wt9pBW`Gq%yWo30Afw!d0$Z^5d0(4fJ&c4SBEGv3t~WI-2~S zV|>r#Vu_-HPliX<&U#T zx>;X1|JFmBArbICF}BAHN83hj8|w6PgHDw}#^SSI##UZ(@m@oGjMOvDWvZLugAeIDi1m&^c_l`e zkqg);6+3YysbnsUD#5J&!>I9{48bOmG^4iUu!@r2MQ2v{#l9s?ZSXwpb|Y2N^7WgP z{Vw8$DdSIrCi>HolLz`R^>Oph-wO^LuP$uKR+o2MurylW99W0gE6h=9L?|(`d+c?MF8Lw(s6hRx3cCX)0=h)Lw3YB& zY5hp<5uV=7K5~=6rBiP<(%{kPlOy`oW$LFqH}e)oO7=tW9LW76@a!cYtVLOF0gLE@ z`Hp>BD_ql!OH#U2sQspuX1~G{DCm*;kjjQ<<-t_)3;C!OCc!8dD^KOqK?Ek|%K4|! z{XhDkdr*!C0O(%ceJ*|p{E;(+nYVpcoMzO41aQK|f_obo$rA*C6c3hl#zjj0LJCRB zzS&!39l8U$-1jX2?vp1RYyiy~ZzvX(A_C9{6#%_2_ZjNJ&v-=DRTM0P1P)p>Q((rWxqEV?yP_1z{7MQyeuE9zE&w?EH<;xz z@rfkT-6#zIy*xAWI0u_1m<6RfHyw8{ufd3bC{hnpo&#DAcXR>}_XSlL8|+gWauETw zfU-1cTk?(8A+RgK-v+j$hZW#8#`_bp2&{KaU2NPDXw{gwBeWVSja@v--Cz2ULmn2? 
zV~Xv8O=5vYItGF|J3s--$^6kt0#buY+6+3UTajo55`|C-Uk=IC3?)Ow%z+4hw?Mg4 zB?@gOq=&J67VY-G00!nmL)TOfyv0Ux@oGy_EYWexC$~?|^c9z_SIk#go zP-S;*mlQ^|d?e0*3=F48@-HITx$T13inf4UFW&R}&10e?c*N&fP{El)`KsJu`0H0v zuYc?&aj#?}CA=va%Jh{NL?)_Ut`nIf-vqfS@}SW81*~cU$oqt5o2U*72sO{?B%4UR zwTi~?(iSk6bfV})aZz@Jb%3x=Io$U)q)bq*vS*UH4fWpLKNUFvPmAHhbrW(6&CT-p zRs>9TeVG_i8s2P}yw~8fuK?wmtDd9}Kk6|xRztF8@yykL_gIP8K>I4MHPl@WeMqBq3Yk<*91Wbm+}&-5jO)86@AB;4 z+H@Xpe-FkEpgMFM(ZV(rkQ8uEDE0wwYI*;mA};!W{02iFGsd&j2iA$O3GE;{_ph;JGkjl9)>&q0so@Q7hvXcR|GjS6?7wLu{Bw(^p zwxhf$FaugS8X=-W8`diHv^%Rd_BWF`Ji2wEe>JfCNSr_GN)(T`WNWBtOEqx5Bl(S; z^i(F14nMJP`O~twphCb;~b{=SzBg`GJ~jVz3vvGG$NDZisMcvB+O3 zGUh&cw!4<}_Tod<;fpak`hPOCn4tj?qM7LNzZ`N;MNL39<&JXu80g7i;4v+!uarhj zAHR*9fbEP!Vrgh?AQECG5NlCLD?QD^<+(_J4lNasCDTQn7%%9MmBC+iKrnvX{650G zDhRJO{Z`i-m9_~kjaZCj7KmT8JTl42hL-QEH9Dvp099HMh$ouAzU38ys2MYRg|yBC z^^Jk5y9cO{3{dU?Q}Y}ew6}b1y$Jde0ril;hs)m&Z+u{oER|}wLe8Xi8Q=dUe0zl! z&^I~Q^!uP?930OOUC}h0#W$qfR!1fu@7)&v@>%0{M(F{qw zF`)Zc0=>Hz4i`tnD`6*vF16lOL)1uI-mxSi93*rUk)f?tDO-2W{?F6A#>I*u?i7INHx))Q-M5KZOL2M0w{F_Z$J?CeIvP zHB$Tea1p$hG#oh?(6IWzJ`Nw{23D)jG@y|h@Hu#x2KAURow>_vHu?!AkQ|BgkXvgY zCB9F8eaatR80#eDRfCzlXwnl2Sq?aYt2;hJ|F=ymH|XONQ`C&7r&>C=Lv7$T^7l&1 z%=A=Mjk1wo`bqMgxc6^bhgmlNZO%QC7Zc>7tsm)F;^qc-uObW~8?=La<5nMvO%*gv z=q!ZjfQ_Yr9?@8>pmRpAk;~%Tgba2MQU>I?0jhfhzzqCZ0cM{Zib zZ*9KpD4I>Cgx=b_Yzw8E-%&{aXNvj^_JZnWPa*{D&J{jHI}|`r;#}?bV)^xY^`9Tj zDQzf*J?v3uZd|=S^Cz{!p1#vf^?%0w4A$2!IEqq!G?2(?L-ZQ4f6;PRZT9#3hO*sc zNihdd`B;;0SMe+cpGWGCJ2**Bs{6!tI|gbKt@TnqLL9;E+KW0Tck+vftR^A@1a0ST zOHkga?%OrN;n=-@oX}7op@=#1;L727M9yt0Wvvn$06|AL4A^FBRqb{<)Vgl9Va_WK zi^UMawhs&J7F}L^UtyVFv(3lHlVEGvr_4Zey=SLi;0wpCxo#k>3U#tqw(DzLUc?AD zDY8`p0-zKic^Rmf{lYsNGz@Rm>PJqclOS|R)>4>{L}N)xU1#_3mIHZVcHvuI(olud zN<`3w-8YcG04t>n%5z`(uB=&a^Lu$o;Y5cha^poWForUHTd6DWe-%FDvIqr3l4N3E znW?~rfTai$WvmK1=MO4o{XoO|b zVXQgtii(SXS#hE)%m^%%Q<3-#dAG%KAnMNmXhOn&?yxV*(Al152o?X2PnE(JgB)?e zr-8(xf7r>rp?^CK6vVvd#`^*w-q0YeQXrfdh8bldjPbe+S!4szfHWt|0pr7E@Qh^? 
z%CABEklTDf7|!rX|DeB~KJLP1dSkrOzxPvokvvrEXo`d!**L8`fl~wism`LJ%05{DiaYCIHxOXcyaUFMGq1+*G^&7k(UKZubf~rvrKq1;bcThZ3hNKW-1SK7z7gSXNfJSol{pK|w(C2Xl63?P;Ay zF6~nwUQ);dd?FTG+*1u?Re_)oiekSvP&3*=))4~VYyp(;WT=3WF!k|5<-knXUpn(l z6^X2Zh}5`T#7{WS{GDf!updBI#sm_S`wbHS_t7l*FHMvOB*8{#RNwfn^Qrm1@;~+{ z6_fuuumEeT=Z+B>xe0RH>MbeJy$0xEP=K9*Fi0*FaW*W0 z&#)K+{QY^#aQk+^@yqe)`lJ9Lsn2q9^uSvB6onJ0wDm4a^^O15vJSri5?eofqEjz` zzQv$NCo}q^cx#KRXYTA2^2@Sf(91k=kcK^ejBk=I?~L7-{jFmV8p@OBRgNLaQQx}Y zP{`02PysImVc4E2l&{H1WHT{ryA7KAK=$>hEs!ks>=snx_x;TYbU&YV$*&*QxVx#- zBOe;;O0g}55n@w*d@crjSWyR2Z7T^dA3KgVm!fxL+|F&J9Xk z3uqIO;YMNwRn=3iY6#oUFE7mg@C6c+LvxL));s+*jh?aQpq{P2vgSb^x^sY^G`qRcTT)M%{&j<13J&SndZs8|kHNd8; zz9ZTPuM{>5Hmw(m6>4j&DExma#??t*9oQ!=Wi3Z(8+7wlWa6586RZwk+@F{Myk@vFz<3)KX3eZ#Nz|{oWm~X z5Qq%qCy8h}WUNNyemUnKo%)#cXg8}Tv>)(1zGLoumWC3?H_bO{-=8Pnz0ht=LHQX2 z*42z0Xeh~^eE(RZCXEdy<>-t~ewryWvN0s`NLxAu-83eN35 z-{wV7Ky-y=J5B-sFWvTRN8cg{<-UVn5OCoheu5TC9pcm-hV*^uD*qJ7d&D;G8MBT# z8jk>9z;^q;V{zjU-6gIB7KOV6#l|8YQBWjY_7*aSWseJmk~g+--t#9FV?8 zr#c%5sxp_@e?k)Z=be!MpA7JSW0?PMROR%vR)sU1`6P7;-if&<-}5Sc^pKD)=g=Ov z^1t}KPwO{OOn=B2%#!62|58mg41U1ER-Wun@8Rnl_x{x*KH?zMAoZ$7P7Pe|(2MQI zZ#>^xm{}NHdcF4D#jMSHCX2VTjX18nc=}e#;McEnDTRS~LoFMJtrPY{#?MD*F!3Gy z?WwoVRaN7;`x*P`=N7{S2OyiYHcmHtim@O@%5Gv_7UufeP}^KR&K$epq0;RNJMH(I zfl9a$NY#4x)kZb^fa;NywOr%HMW30$oYV-FR-TE1?Y86dZJ5FZ<^@L16~Fcm;)oDB zSNmh}o_BGNd%;7)GbOjgPuReyW2g?_o|HVRA!XQJ>Ou`1{gR2Gi|bo4HQZSn4F1*a zgzhM9^yT0Be6D=fo&=c`#OScURHN5lO zy(Q9j6FYuJmMxvrIcrB-q#V|Pg=%wkh?mxy3%uaK)S7bOOz`%-g3bxA+;qlwN9S=Q z*1R)pmZiGwMbl!iiNbkowp`&hWytHV&hi#-U5*kqW+zmp%O&P2UwR|>x?uA@){S2F z%$2z=IN+6!C&FjY%U|XoT}4T9#tyU#^%7nF41oZjH_=vNI z64_KuIB;o=q|HMy00Us%tfZPRqq`Cmrh@yG7nGxSsr{>DB2lx-p-Xm~GR&ne ZukUueL()G@&{zfk4D^lligcVJ{s#pYLXrRg diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 969e44b244..4e9c50637e 100644 --- a/windows/deployment/windows-10-subscription-activation.md 
+++ b/windows/deployment/windows-10-subscription-activation.md @@ -14,15 +14,13 @@ search.appverid: - MET150 ms.topic: conceptual ms.date: 07/12/2022 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Windows subscription activation -Applies to: - -- Windows 10 -- Windows 11 - The subscription activation feature enables you to "step-up" from Windows Pro edition to Enterprise or Education editions. You can use this feature if you're subscribed to Windows Enterprise E3 or E5 licenses. Subscription activation also supports step-up from Windows Pro Education edition to Education edition. If you have devices that are licensed for earlier versions of Windows Professional, Microsoft 365 Business Premium provides an upgrade to Windows Pro edition, which is the prerequisite for deploying [Windows Business](/microsoft-365/business-premium/microsoft-365-business-faqs#what-is-windows-10-business). 
@@ -100,7 +98,7 @@ The following list illustrates how deploying Windows client has evolved with eac > The following requirements don't apply to general Windows client activation on Azure. Azure activation requires a connection to Azure KMS only. It supports workgroup, hybrid, and Azure AD-joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure virtual machines](/troubleshoot/azure/virtual-machines/troubleshoot-activation-problems). > [!IMPORTANT] -> Currently, subscription activation is only available on commercial tenants. It's currently not available on US GCC, GCC High, or DoD tenants. +> As of October 1, 2022, subscription activation is available for _commercial_ and _GCC_ tenants. It's currently not available on GCC High or DoD tenants. For more information, see [Enable subscription activation with an existing EA](deploy-enterprise-licenses.md#enable-subscription-activation-with-an-existing-ea). For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following requirements: From 66b289785e5efd5fdf4ce80a45764f0104c330be Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Wed, 28 Sep 2022 14:07:29 -0700 Subject: [PATCH 19/27] revise from review --- .../deployment/deploy-enterprise-licenses.md | 47 +++++++++---------- .../windows-10-subscription-activation.md | 2 +- 2 files changed, 24 insertions(+), 25 deletions(-) diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index d5c1ba6dad..c7ecb79d21 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md 
@@ -18,23 +18,12 @@ appliesto: This article describes how to deploy Windows 10 or Windows 11 Enterprise E3 or E5 licenses with [subscription activation](windows-10-subscription-activation.md) or [Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) and Azure Active Directory (Azure AD). -> [!NOTE] -> These activation features require a supported and licensed version of Windows 10 Pro or Windows 11 Pro. -> -> - Subscription activation with an enterprise agreement (EA) or a Microsoft Products & Services Agreement (MPSA). -> - Enterprise E3 in CSP. -> - Automatic, non-KMS activation also requires a device with a firmware-embedded activation key. -> - Subscription activation requires Enterprise _per user_ licensing. It doesn't work with _per device_ licensing. +These activation features require a supported and licensed version of Windows 10 Pro or Windows 11 Pro: -## Firmware-embedded activation key - -To determine if the computer has a firmware-embedded activation key, enter the following command at an elevated Windows PowerShell prompt: - -```PowerShell -(Get-CimInstance -query 'select * from SoftwareLicensingService').OA3xOriginalProductKey -``` - -If the device has a firmware-embedded activation key, it will be displayed in the output. If the output is blank, the device doesn't have a firmware embedded activation key. Most OEM-provided devices designed to run Windows 8 or later will have a firmware-embedded key. +- Subscription activation with an enterprise agreement (EA) or a Microsoft Products & Services Agreement (MPSA). +- Enterprise E3 in CSP. +- Automatic, non-KMS activation also requires a device with a firmware-embedded activation key. +- Subscription activation requires Enterprise _per user_ licensing. It doesn't work with _per device_ licensing. ## Enable subscription activation with an existing EA 
@@ -71,7 +60,14 @@ If you need to update contact information and resend the activation email, use t 1. Update the contact information, then select **Update Contact Details**. This action will trigger a new email. -## Active Directory synchronization with Azure AD +## Preparing for deployment: reviewing requirements + +- Devices must be running a supported version of Windows 10 Pro or Windows 11 Pro +- Azure AD-joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure AD are also eligible. + +For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this article. + +### Active Directory synchronization with Azure AD If you have an on-premises Active Directory Domain Services (AD DS) domain, you need to synchronize the identities in the on-premises AD DS domain with Azure AD. This synchronization is required for users to have a _single identity_ that they can use to access their on-premises apps and cloud services that use Azure AD. An example of a cloud service is Windows Enterprise E3 or E5. 
@@ -86,13 +82,6 @@ For more information about integrating on-premises AD DS domains with Azure AD, - [What is hybrid identity with Azure Active Directory?](/azure/active-directory/hybrid/whatis-hybrid-identity) - [Azure AD Connect and Azure AD Connect Health installation roadmap](/azure/active-directory/hybrid/how-to-connect-install-roadmap) -## Preparing for deployment: reviewing requirements - -- Devices must be running a supported version of Windows 10 Pro or Windows 11 Pro -- Azure AD-joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure AD are also eligible. - -For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this article. - ## Assigning licenses to users After you've ordered the Windows subscription (Windows 10 Business, E3 or E5), you'll receive an email with guidance on how to use Windows as an online service: @@ -258,6 +247,16 @@ Devices must also be joined to Azure AD, or hybrid domain joined with Azure AD C Use the following procedures to review whether a particular device meets these requirements. +#### Firmware-embedded activation key + +To determine if the computer has a firmware-embedded activation key, enter the following command at an elevated Windows PowerShell prompt: + +```PowerShell +(Get-CimInstance -query 'select * from SoftwareLicensingService').OA3xOriginalProductKey +``` + +If the device has a firmware-embedded activation key, it will be displayed in the output. If the output is blank, the device doesn't have a firmware embedded activation key. Most OEM-provided devices designed to run Windows 8 or later will have a firmware-embedded key. + #### Determine if a device is Azure AD-joined 1. Open a command prompt and enter `dsregcmd /status`. diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 4e9c50637e..e59eefbb34 100644 
--- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -216,7 +216,7 @@ $(Get-WmiObject SoftwareLicensingService).OA3xOriginalProductKey | foreach{ if ( If your organization has an Enterprise Agreement (EA) or Software Assurance (SA): -- Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Azure AD. Ideally, you assign the licenses to groups using the Azure AD Premium feature for group assignment. For more information, see [Enable subscription activation with an existing EA](./deploy-enterprise-licenses.md#enabling-subscription-activation-with-an-existing-ea). +- Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Azure AD. Ideally, you assign the licenses to groups using the Azure AD Premium feature for group assignment. For more information, see [Enable subscription activation with an existing EA](./deploy-enterprise-licenses.md#enable-subscription-activation-with-an-existing-ea). - The license administrator can assign seats to Azure AD users with the same process that's used for Microsoft 365 Apps. From 281c8014c139aaecb1b8cfdbc5745ead8ae122f1 Mon Sep 17 00:00:00 2001 From: Stephanie Savell <101299710+v-stsavell@users.noreply.github.com> Date: Thu, 29 Sep 2022 11:22:10 -0500 Subject: [PATCH 20/27] Apply suggestions from code review --- windows/deployment/deploy-enterprise-licenses.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index c7ecb79d21..f06c1107d1 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md 
@@ -213,7 +213,7 @@ The following image illustrates a device in a healthy state, where Windows 10 Pr Figure 10 illustrates a device on which the Windows 10 Pro isn't activated, but the Windows 10 Enterprise subscription is active. -:::image type="content" source="images/enterprise-e3-win-10-not-activated-enterprise-subscription-active.png" alt-text="A screenshot of Windows 10 Enterprise activation in Settings that isn't activated but the subscription is active"::: +:::image type="content" source="images/enterprise-e3-win-10-not-activated-enterprise-subscription-active.png" alt-text="A screenshot of Windows 10 Enterprise activation in Settings that isn't activated but the subscription is active."::: Figure 10: Windows 10 Pro, version 1703 edition not activated in Settings. @@ -223,7 +223,7 @@ It displays the following error: "We can't activate Windows on this device right Figure 11 illustrates a device on which the Windows 10 Pro is activated, but the Windows 10 Enterprise subscription is lapsed or removed. -:::image type="content" source="images/enterprise-e3-win-10-activated-enterprise-subscription-not-active.png" alt-text="A screenshot of Windows 10 Enterprise activation in Settings that's activated but the subscription isn't active"::: +:::image type="content" source="images/enterprise-e3-win-10-activated-enterprise-subscription-not-active.png" alt-text="A screenshot of Windows 10 Enterprise activation in Settings that's activated but the subscription isn't active."::: Figure 11: Windows 10 Enterprise subscription lapsed or removed in Settings. 
@@ -233,7 +233,7 @@ It displays the following error: "Windows 10 Enterprise subscription is not vali Figure 12 illustrates a device on which the Windows 10 Pro license isn't activated and the Windows 10 Enterprise subscription is lapsed or removed. -:::image type="content" source="images/enterprise-e3-win-10-not-activated-enterprise-subscription-not-active.png" alt-text="A screenshot of Windows 10 Enterprise activation in Settings that's not activated and the subscription isn't active"::: +:::image type="content" source="images/enterprise-e3-win-10-not-activated-enterprise-subscription-not-active.png" alt-text="A screenshot of Windows 10 Enterprise activation in Settings that's not activated and the subscription isn't active."::: Figure 12: Windows 10 Pro, version 1703 edition not activated and Windows 10 Enterprise subscription lapsed or removed in Settings. From d5c489b33139c3ba32240bd7325d69d567f8ee20 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 3 Oct 2022 12:52:10 -0400 Subject: [PATCH 21/27] migration details added --- .../hello-hybrid-cloud-kerberos-trust.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md index 7e64879acd..a527856529 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md 
@@ -231,6 +231,24 @@ After a successful MFA, the provisioning flow asks the user to create and valida Once a user has set up a PIN with cloud Kerberos trust, it can be used immediately for sign-in. On a Hybrid Azure AD joined device, the first use of the PIN requires line of sight to a DC. Once the user has signed in or unlocked with the DC, cached logon can be used for subsequent unlocks without line of sight or network connectivity. +## Migrate to cloud Kerberos trust + +If you deployed WHFB using the **key trust** deployment model and want to migrate to the **cloud Kerberos trust** deployment model, follow these steps: + +1. [Set up Azure AD Kerberos in your hybrid environment](#deploy-azure-ad-kerberos) +1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy) +1. For hybrid Azure AD joined devices, sign out and sign in the device using Windows Hello for Business with line of sight to a domain controller (DC). Without line of sight to DC, even when the policy is set to "UseCloudTrustForOnPremAuth", the system will fall back to key trust if cloud Kerberos trust login fails + +There is no migration path from certificate trust deployment to cloud Kerberos trust deployment. You will need to clean up existing deployments and redeploy by following these steps: + +1. Disable the certificate trust policy +1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy) +1. Remove the certificate trust credential using the command `certutil -deletehellocontainer` from the user context +1. Reboot or sign out and sign back in +1. 
Provision Windows Hello for Business (Enroll PIN/Face/Fingerprint) + > [!NOTE] + > For hybrid Azure AD joined devices, sign in with new credential with line of sight to a DC + ## Troubleshooting If you encounter issues or want to share feedback about Windows Hello for Business cloud Kerberos trust, share via the Windows Feedback Hub app by following these steps: From 8fffa31475c4f74e4a633018cba86a275b9b4038 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 3 Oct 2022 13:52:05 -0400 Subject: [PATCH 22/27] updates --- .../hello-hybrid-cloud-kerberos-trust.md | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md index a527856529..7d8fde93c4 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md 
@@ -231,23 +231,29 @@ After a successful MFA, the provisioning flow asks the user to create and valida Once a user has set up a PIN with cloud Kerberos trust, it can be used immediately for sign-in. On a Hybrid Azure AD joined device, the first use of the PIN requires line of sight to a DC. Once the user has signed in or unlocked with the DC, cached logon can be used for subsequent unlocks without line of sight or network connectivity. -## Migrate to cloud Kerberos trust +## Migrate from key trust deployment model to cloud Kerberos trust -If you deployed WHFB using the **key trust** deployment model and want to migrate to the **cloud Kerberos trust** deployment model, follow these steps: +If you deployed WHFB using the **key trust** deployment model, and want to migrate to the **cloud Kerberos trust** deployment model, follow these steps: 1. [Set up Azure AD Kerberos in your hybrid environment](#deploy-azure-ad-kerberos) 1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy) 1. For hybrid Azure AD joined devices, sign out and sign in the device using Windows Hello for Business with line of sight to a domain controller (DC). Without line of sight to DC, even when the policy is set to "UseCloudTrustForOnPremAuth", the system will fall back to key trust if cloud Kerberos trust login fails -There is no migration path from certificate trust deployment to cloud Kerberos trust deployment. You will need to clean up existing deployments and redeploy by following these steps: +## Migrate from certificate trust deployment model to cloud Kerberos trust + +> [!IMPORTANT] +> There is no direct migration path from certificate trust deployment to cloud Kerberos trust deployment. + +If you have deployed WHFB using a **certificate trust** deployment model, and want to use **cloud Kerberos trust**, you will need to clean up the existing deployments and redeploy by following these steps: 1. Disable the certificate trust policy 1. 
[Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy) 1. Remove the certificate trust credential using the command `certutil -deletehellocontainer` from the user context 1. Reboot or sign out and sign back in 1. Provision Windows Hello for Business (Enroll PIN/Face/Fingerprint) - > [!NOTE] - > For hybrid Azure AD joined devices, sign in with new credential with line of sight to a DC + +> [!NOTE] +> For hybrid Azure AD joined devices, sign in with new credentials while having line of sight to a DC ## Troubleshooting From cd91384d768924fd386756378d9086a90746e78c Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 3 Oct 2022 13:58:49 -0400 Subject: [PATCH 23/27] updates --- .../hello-for-business/hello-hybrid-cloud-kerberos-trust.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md index 7d8fde93c4..b953d1d21e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md @@ -253,7 +253,7 @@ If you have deployed WHFB using a **certificate trust** deployment model, and wa 1. Provision Windows Hello for Business (Enroll PIN/Face/Fingerprint) > [!NOTE] -> For hybrid Azure AD joined devices, sign in with new credentials while having line of sight to a DC +> For hybrid Azure AD joined devices, sign in with new credentials while having line of sight to a DC. ## Troubleshooting From d05c3d058bcd5eae5a5fd6f4e5805ba94f66cce6 Mon Sep 17 00:00:00 2001 
From: valemieux <98555474+valemieux@users.noreply.github.com> Date: Mon, 3 Oct 2022 11:35:56 -0700 Subject: [PATCH 24/27] Update citool-commands.md --- .../windows-defender-application-control/citool-commands.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/citool-commands.md b/windows/security/threat-protection/windows-defender-application-control/citool-commands.md index 0ce1cdebb9..fa19bafcc1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/citool-commands.md +++ b/windows/security/threat-protection/windows-defender-application-control/citool-commands.md @@ -13,7 +13,7 @@ ms.custom: template-how-to # Manage Windows Defender Application Control (WDAC) Policies with CI Tool CI Tool makes Windows Defender Application Control (WDAC) policy management easier for IT admins. CI Tool can be used to manage Windows Defender Application Control policies and CI Tokens. -This article will describe how to use CI Tool to update and manage policies. CI Tool will be included in box as part of Windows in the January lifecycle update and will be able to be interacted with in the command line. +This article will describe how to use CI Tool to update and manage policies. CI Tool is currently included in box in Windows 11 22H2. ## Policy Commands From 22c922368f1855c9a625c59c4257ec4830cf6200 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Mon, 3 Oct 2022 15:18:49 -0400 Subject: [PATCH 25/27] Update understanding-wdac-policy-settings.md --- .../understanding-wdac-policy-settings.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md index f53094948b..c34e12aad8 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md
+++ b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md
@@ -2,7 +2,6 @@
 title: Understanding Windows Defender Application Control (WDAC) secure settings
 description: Learn about secure settings in Windows Defender Application Control.
 ms.prod: windows-client
-ms.technology: itpro-security
 ms.localizationpriority: medium
 ms.collection: M365-security-compliance
 author: jgeurten
From 6bd03639dffe3486af77a0a2787313d837dad889 Mon Sep 17 00:00:00 2001
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com>
Date: Mon, 3 Oct 2022 15:22:21 -0400
Subject: [PATCH 26/27] Update citool-commands.md
---
 .../citool-commands.md | 24 ++++++++++---------
 1 file changed, 13 insertions(+), 11 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/citool-commands.md b/windows/security/threat-protection/windows-defender-application-control/citool-commands.md
index fa19bafcc1..5a2d7b7e72 100644
--- a/windows/security/threat-protection/windows-defender-application-control/citool-commands.md
+++ b/windows/security/threat-protection/windows-defender-application-control/citool-commands.md
@@ -12,27 +12,26 @@ ms.custom: template-how-to # Manage Windows Defender Application Control (WDAC) Policies with CI Tool -CI Tool makes Windows Defender Application Control (WDAC) policy management easier for IT admins. CI Tool can be used to manage Windows Defender Application Control policies and CI Tokens. -This article will describe how to use CI Tool to update and manage policies. CI Tool is currently included in box in Windows 11 22H2. +CI Tool makes Windows Defender Application Control (WDAC) policy management easier for IT admins. CI Tool can be used to manage Windows Defender Application Control policies and CI Tokens. This article describes how to use CI Tool to update and manage policies. CI Tool is currently included in Windows 11, version 22H2. ## Policy Commands | Command | Description | Alias | |--------|---------|---------| -| --update-policy
| Add or update a policy on the current system | -up | -| --remove-policy | Remove a policy indicated by PolicyGUID from the system | -rp | +| --update-policy `` | Add or update a policy on the current system | -up | +| --remove-policy `` | Remove a policy indicated by PolicyGUID from the system | -rp | | --list-policies | Dump information about all policies on the system, whether they are active or not | -lp | ## Token Commands | Command | Description | Alias | |--------|---------|---------| -| --add-token <--token-id ID> | Deploy a token onto the current system, with an optional specific ID. | -at | -| --remove-token | Remove a Token indicated by ID from the system. | -rt | +| --add-token `` <--token-id ID> | Deploy a token onto the current system, with an optional specific ID. | -at | +| --remove-token `` | Remove a Token indicated by ID from the system. | -rt | | --list-tokens | Dump information about all tokens on the system | -lt | ->[!NOTE] ->Regarding --add-token, if is specified, a pre-existing token with should not exist. +> [!NOTE] +> Regarding --add-token, if `` is specified, a pre-existing token with `` should not exist. ## Miscellaneous Commands @@ -49,16 +48,18 @@ This article will describe how to use CI Tool to update and manage policies. CI ```powershell PS C:\Users\ CITool --update-policy "\Windows\Temp\{BF61FE40-8929-4FDF-9EC2-F7A767717F0B}.cip" Operation Successful - Press Enter to Continue + Press Enter to Continue ``` 2. Refresh the WDAC policies + ```powershell PS C:\Users\ CITool --refresh Operation Successful ``` 3. Remove a specific WDAC policy by its policy ID + ```powershell PS C:\Users\ CiTool --remove-policy "{BF61FE40-8929-4FDF-9EC2-F7A767717F0B}" Operation Successful 
@@ -66,9 +67,10 @@ This article will describe how to use CI Tool to update and manage policies. CI ``` 4. Display the help menu + ```powershell PS C:\Users\ CITool -h - + ----------------------------- Policy Commands --------------------------------- --update-policy /Path/To/Policy/File Add or update a policy on the current system @@ -100,4 +102,4 @@ This article will describe how to use CI Tool to update and manage policies. CI --help Display this message aliases: -h - ``` \ No newline at end of file + ``` From 6404eaa028e9ed7db6036fb82264b2a54e97f3c3 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Mon, 3 Oct 2022 15:27:00 -0400 Subject: [PATCH 27/27] Update understanding-wdac-policy-settings.md --- .../understanding-wdac-policy-settings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md index c34e12aad8..2f9f3c81b4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md +++ b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md @@ -9,7 +9,7 @@ ms.reviewer: vinpa ms.author: jogeurte manager: aaroncz ms.date: 10/11/2021 -ms.technology: m365-security +ms.technology: itpro-security --- # Understanding WDAC Policy Settings